Securing the connection to NetBackup Snapshot Manager
In NetBackup Snapshot Manager, you can upload CRLs of the external CA to /cloudpoint/eca/crl. An uploaded CRL does not work if the crl directory is not present or is empty.
For the data mover container, add this path against the ECA_CRL_PATH parameter in the /cloudpoint/openv/netbackup/bp.conf file.
The following three parameters are tuneable; you can add the entries under the eca section in the /cloudpoint/flexsnap.conf file.
Table: ECA parameters
| Parameter | Default | Value | Remarks |
|---|---|---|---|
| eca_crl_check | 0 (Disabled) | 0 (disabled), 1 (leaf), 2 (chain) | Certificate check level. Used to control the CRL/OCSP validation level for NetBackup Snapshot Manager host connecting to On-prem/cloud workloads. |
| eca_crl_refresh_hours | 24 | Numerical value between 0 and 4830 | Time interval in hours to update the NetBackup Snapshot Manager CRLs cache from CA through the certificate CDP URL. Option is not applicable if |
| eca_crl_path_sync_hours | 1 | Numerical value between 1 and 720 | Time interval in hours to update the NetBackup Snapshot Manager CRL cache from |
Note:
The cache is invalidated if any of the ECA tuneables are added or modified manually in the /cloudpoint/flexsnap.conf file.
Note:
The scope of CRL check is limited to Azure Stack only.
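The following check of the eca entries against the ranges in the table, and of the crl directory condition described above, is an added example and not part of the product or its documentation. It assumes that flexsnap.conf is INI-style with an `[eca]` section header; `check_eca` and `SAMPLE_CONF` are hypothetical names.

```python
import configparser
import os

# Ranges and defaults from the "ECA parameters" table: (min, max, default).
ECA_LIMITS = {
    "eca_crl_check": (0, 2, 0),
    "eca_crl_refresh_hours": (0, 4830, 24),
    "eca_crl_path_sync_hours": (1, 720, 1),
}

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """\
[eca]
eca_crl_check = 2
eca_crl_refresh_hours = 5000
eca_crl_path_sync_hours = 12
"""

def check_eca(conf_text, crl_dir="/cloudpoint/eca/crl"):
    """Return a list of problems in the eca section and the CRL directory."""
    # Assumption: flexsnap.conf is INI-style and the section header is [eca].
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    problems, values = [], {}
    for name, (low, high, default) in ECA_LIMITS.items():
        raw = parser.get("eca", name, fallback=str(default))
        try:
            values[name] = int(raw)
        except ValueError:
            problems.append(f"{name}: {raw!r} is not a number")
            continue
        if not low <= values[name] <= high:
            problems.append(f"{name}: {values[name]} is outside {low}-{high}")
    # With checking enabled, an uploaded CRL only works if the crl directory
    # exists and is not empty.
    if values.get("eca_crl_check") in (1, 2):
        if not os.path.isdir(crl_dir) or not os.listdir(crl_dir):
            problems.append(f"{crl_dir}: missing or empty, uploaded CRLs will not work")
    return problems

if __name__ == "__main__":
    for problem in check_eca(SAMPLE_CONF):
        print(problem)
```

Run it before editing the live file, because any manual change to the eca tuneables invalidates the cache.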