Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Security and Encryption Guide
  5. Section II. Encryption of data-in-transit
  7. NetBackup CA and NetBackup certificates
  9. About host name-based certificates
  11. Deploying host name-based certificates
NetBackup™ Security and Encryption Guide

Deploying host name-based certificates

Choose one of the following procedures to deploy a host name-based security certificate on NetBackup hosts. Only a NetBackup administrator can deploy certificates.

Table: Deploying host name-based certificates

Procedure

Description and link to procedure

Deploying a host name-based security certificate for a primary server in a cluster

Use this procedure to deploy the host name-based security certificates on all of the nodes in a NetBackup primary server cluster.

Deploying a host name-based security certificate for media servers or clients

This procedure uses IP address verification to identify the target NetBackup host and then deploy the certificate.

With this procedure, you can deploy a host name-based certificate for an individual host, for all media servers, or for all clients.

Note:

Deploying a host name-based certificate is a one-time activity for a host. If a host name-based certificate was deployed for an earlier release or for a hotfix, it does not need to be done again.

Deploying a host name-based certificate for a primary server in a cluster

Use this procedure to deploy host name-based certificates on all cluster nodes.

Ensure the following before you deploy a host-name based certificate:

  • All nodes of the cluster have a host ID-based certificate.

  • All Fully Qualified Domain Names (FQHN) and short names for the cluster nodes are mapped to their respective host IDs.

To deploy a host name-based security certificate for a NetBackup primary server in a cluster

  1. Run the following command on the active node of the primary server cluster:

    On Windows: Install_path\NetBackup\bin\admincmd\bpnbaz -setupat

    On UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -setupat

  2. Restart the NetBackup Service Layer (nbsl) service and the NetBackup Vault Manager (nbvault) service on the active node of the primary server.
Deploying a host name-based certificate on media servers or clients

This procedure works well when you deploy host name-based security certificates to many hosts at one time. As with NetBackup deployment in general, this method assumes that the network is secure.

To deploy a host name-based security certificate for media servers or clients

  1. Run the following command on the primary server, depending on your environment. Either specify a host name, or deploy to all media servers or clients.

    On Windows: Install_path\NetBackup\bin\admincmd\bpnbaz -ProvisionCert host_name|-AllMediaServers|-AllClients

    On UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -ProvisionCert host_name|-AllMediaServers|-AllClients

  2. Restart the NetBackup Service Layer (nbsl) service on the media server.

    No services need to be restarted if the target host is a NetBackup client.

Note:

In you use dynamic IPs on the hosts (DHCP), ensure that the host name and the IP address are correctly listed on the primary server. To do so, run the following NetBackup bpclient command on the primary server:

On Windows: Install_path\NetBackup\bin\admincmd\bpclient -L -All

On UNIX: /usr/openv/netbackup/bin/admincmd/bpclient -L -All

Feedback

Was this page helpful?
Previous

About host name-based certificates

Next

About host ID-based certificates

Feedback

Was this page helpful?