Veritas NetBackup™ Appliance Security Guide

Last Published:
Product(s): Appliances (5.1.1)
Platform: NetBackup Appliance OS
  1. About the NetBackup appliance Security Guide
      About the NetBackup appliance Security Guide
  2. User authentication
    1. About user authentication on the NetBackup appliance
        User types that can authenticate on the NetBackup appliance
    2. About configuring user authentication
        Generic user authentication guidelines
      About authenticating LDAP users
      About authenticating Active Directory users
    5. About authentication using smart cards and digital certificates
        Smart card Authentication for NetBackup Web UI
        Smart card authentication for NetBackup Appliance Web UI
        Smart card authentication for NetBackup Appliance Shell Menu
        Configure role-based access control
        Configure authentication for a smart card or digital certificate for the NetBackup Web UI
    6. About single sign-on (SSO) authentication and authorization
        Configure single sign-on (SSO) for a NetBackup Appliance
      About the appliance login banner
    8. About user name and password specifications
        About STIG-compliant password policy rules
  3. User authorization
      About user authorization on the NetBackup appliance
    2. About authorizing NetBackup appliance users
        NetBackup appliance user role privileges
      About the Administrator user role
      About the NetBackupCLI user role
      About user authorization in NetBackup
  4. Intrusion prevention and intrusion detection systems
      About Symantec Data Center Security on the NetBackup appliance
      About the NetBackup appliance intrusion prevention system
      About the NetBackup appliance intrusion detection system
      Reviewing SDCS events on the NetBackup appliance
      Running SDCS in unmanaged mode on the NetBackup appliance
      Running SDCS in managed mode on the NetBackup appliance
  5. Log files
      About NetBackup appliance log files
      Viewing log files using the Support command
      Where to find NetBackup appliance log files using the Browse command
      Gathering device logs on a NetBackup appliance
      Log Forwarding feature overview
  6. Operating system security
      About NetBackup appliance operating system security
      Major components of the NetBackup appliance OS
      Disable user access to the NetBackup appliance operating system
      Manage support access to the maintenance shell
  7. Data security
      About data security
      About data integrity
      About data classification
    4. About data encryption
        KMS support
  8. Web security
      About SSL usage
      About implementing external certificates
  9. Network security
      About Network Access Control
      About IPsec Channel Configuration
      About NetBackup appliance ports
      About the NetBackup Appliance firewall
  10. Call Home security
    1. About AutoSupport
        Data security standards
    2. About Call Home
        Configuring Call Home from the NetBackup Appliance Shell Menu
        Enabling and disabling Call Home from the appliance shell menu
        Configuring a Call Home proxy server from the NetBackup Appliance Shell Menu
        Understanding the Call Home workflow
    3. About SNMP
        About the Management Information Base (MIB)
  11. Remote Management Module (RMM) security
      Introduction to IPMI configuration
      Recommended IPMI settings
      RMM ports
      Enabling SSH on the Remote Management Module
      Replacing the default IPMI SSL certificate
      Implementing an external IPMI SSL certificate
  12. STIG and FIPS conformance
      OS STIG hardening for NetBackup appliance
      FIPS 140-2 conformance for NetBackup appliance
      About FIPS compliant ciphers

About implementing external certificates

NetBackup appliance's web service uses the PKCS#12 standard and requires certificate files to be in the X.509 (.pem) format. If the certificate files are in the .der, .DER, or .p7b formats, NetBackup appliance automatically converts the files to an accepted format.

Certificate requirements

To prevent errors while importing certificates, ensure that the external certificate files meet the following requirements.

  • Certificate files are in the .pem file format and begin with "-----BEGIN CERTIFICATE-----".

  • Certificate files contain the host name and FQDN in the subject alternative name (SAN) field of the certificate. If the certificate is used in an HA environment, the SAN field must contain VIP, host name, and FQDN.

  • Subject name and common name fields are not empty.

  • Subject fields are unique for each host.

  • Subject fields contain a maximum of 255 characters.

  • Server and client authentication attributes are set in the certificate.

  • Only ASCII 7 characters are used in the subject and SAN fields of the certificate.

  • The private key file is in the PKCS#8 PEM format and begins with -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.

Certificate Signing Request (CSR)

Although optional, you can use the Settings > Security > Certificate > CertificateSigningRequest > Create command to generate a CSR. Copy the CSR content from the command line to your external certificate portal to obtain the required external certificate files.

Enter specified value or use the default value.
Common Name (eg, your name or your server's hostname) [Default abc123]:
Organizational Unit Name (eg, section) []:Appliance
Organization Name (eg, company) [Default Company Ltd]:YourCompanyName
Locality Name (eg, city) [Default City]:YourCity
State or Province Name (full name) []:YourStateorProvince
Country Name (2 letter code) [XX]:YourCountryName
Email Address []
Please enter the following 'extra' attributes
to be sent with your certificate request.
A challenge password []:123456
An optional company name []:ABCD
Subject Alternative Name (DNS Names and/or IP Addresses comma separated):
Subject Alternative Name (email comma separated):
Certificate Signing Request Name [Default abc123.csr]:
Validity period (in days) [Default 365 days]:
Ensure that the Distinguished Name (DN) is specified as a string consisting 
of a sequence of key=value pairs separated by a comma:
Then the generated certificate signing request will be shown on the screen.
Register the external certificate

Starting from version 4.1, you can register an external certificate on both NetBackup appliance and NetBackup using the Settings > Security > Certificate > Import command.

Perform the following steps to import the host certificate, host private key, and trust store to register the external certificate on NetBackup and NetBackup appliance. Both NetBackup and NetBackup appliance layers use the same host certificate, host private key, and trust store.

  1. Log in to the appliance as an Administrator user.
  2. From the NetBackup Appliance Shell Menu, run the Settings > Security > Certificate > Import command. The following NFS and CFS share locations are now accessible:
    • NFS: /inst/share

    • CFS: \\<ApplianceName>\general_share

  3. Upload the certificate file, trust store file, and private key file to either of the share locations and enter the paths to the files.
  4. Choose how to access the certificate revocation list (CRL). A CRL comprises a list of external certificates that have been revoked by the external certificate and should not be trusted. Select either of the following options:
    • Use the CRL location provided in the certificate file.

    • Provide the location of a CRL file (.crl ) in the local network.

    • Do not use a CRL.

  5. Confirm the location of the certificate files you want to register on the appliance.

A detailed example of how to import the certificates is provided here.

  • Identify the certificate which should be imported.

  • Import the certificate.

    Enter the certificate:
    Enter the following details for external certificate configuration:
    Enter the certificate file path: cert_chain.pem
    Enter the trust store file path: cacerts.pem
    Enter the private key path: key.pem
    Enter the password for the passphrase file path or skip security 
    configuration (default: NONE):
    Should a CRL be honored for the external certificate?
    1) Use the CRL defined in the certificate.
    2) Use the specific CRL directory.
    3) Do not use a CRL.
    q) Skip security configuration.
    CRL option (1): 2
    Enter the CRL location path: crl
    Then confirm input information and answer the subsequent questions.
Adding and removing certificates

You can manage external certificates on NetBackup appliance using the Certificate commands.

You can use the Settings > Security > Certificate > Add CACertificate command to add a server CA, HTTPS proxy CA, or LDAP CA certificate to the certificate authority list. Ensure that you paste the CA certificate content in the PEM or P7B format. The Appliance appends this CA certificate to the certificate authority list. Before appending the CA certificate, the appliance verifies whether the CA certificate is already being used on the appliance. If yes, the appliance quits with a message.

You can use the Settings > Security > Certificate > Remove CACertificate command to remove a server CA certificate from the certificate authority list. The available CA certificates are listed and you can select the certificate that you want to remove.