Validating KMS credentials
If incorrect credentials are configured in NetBackup, communication with the external KMS server may fail. To avoid such failures, NetBackup carries out certain validations before a credential can be configured for KMS use. If a validation check is not passed, the credential cannot be configured.
The following validations are carried out when you configure a new credential or update an existing one. Do not configure a credential if any of these checks fails:
- The certificate path is valid
- The trust store path is valid
- The private key path is valid
- The certificate(s) in the certificate chain are readable
- The certificate(s) in the trust store are readable
- The private key is readable
- The Common Name field is not empty
- The certificate is not expired
- The certificate is currently valid
- The private key matches the certificate
- The certificates are in the appropriate order
The following CRL validation checks are performed if ECA_CRL_PATH is configured and the CRL check level is anything other than DISABLE:
- The CRL directory contains CRL files
- The CRL check level is valid
- The CRL path is valid
- The available CRLs are readable
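The file-level checks above can be reproduced with openssl before nbkmiputil is run, so that an unreadable path, an expired certificate, a mis-ordered chain or a key that does not belong to the certificate is found without touching the KMS server. The script below is an added example and is not part of NetBackup or nbkmiputil; it assumes a POSIX shell, awk and the openssl command-line tool, takes the same three paths that nbkmiputil takes, and covers the certificate, trust store and private key checks only (the CRL checks and the connection test are left to nbkmiputil).

```shell
#!/bin/sh
# Added example (not NetBackup or nbkmiputil code): pre-flight the credential
# files with openssl. Mirrors the validations listed above: paths readable,
# every certificate in the chain and trust store parses, the leaf has a
# non-empty Common Name, is not expired, is within its validity window, the
# private key matches the leaf, and the chain is in leaf-first order.
# Nothing here contacts the KMS server; CRL checks are not covered.

# split_pem FILE PREFIX: write each PEM certificate in FILE to PREFIX-1.pem,
# PREFIX-2.pem, ... and print how many were found.
split_pem() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }' "$1"
}

# kms_preflight CERT_PATH TRUST_STORE_PATH PRIVATE_KEY_PATH
# Prints one line per check and returns 0 only if every check passes.
kms_preflight() {
    cert=$1; trust=$2; key=$3; rc=0
    pass() { printf 'ok:   %s\n' "$1"; }
    fail() { printf 'FAIL: %s\n' "$1"; rc=1; }

    # The certificate, trust store and private key paths must be readable.
    for f in "$cert" "$trust" "$key"; do
        if [ -r "$f" ]; then pass "readable: $f"; else fail "not readable: $f"; fi
    done
    [ "$rc" -eq 0 ] || return 1
    work=$(mktemp -d) || return 1

    # Every certificate in the chain and in the trust store must parse.
    n=$(split_pem "$cert" "$work/chain"); n=${n:-0}
    t=$(split_pem "$trust" "$work/trust"); t=${t:-0}
    [ "$n" -gt 0 ] || { fail "no PEM certificate in $cert"; rm -rf "$work"; return 1; }
    [ "$t" -gt 0 ] || fail "no PEM certificate in $trust"
    for f in "$work"/chain-*.pem "$work"/trust-*.pem; do
        [ -e "$f" ] || continue
        if openssl x509 -in "$f" -noout 2>/dev/null; then pass "parses: ${f##*/}"
        else fail "does not parse: ${f##*/}"; fi
    done
    leaf="$work/chain-1.pem"

    # The leaf's Common Name must be present and non-empty.
    subj=$(openssl x509 -in "$leaf" -noout -subject -nameopt RFC2253 2>/dev/null || true)
    case "$subj" in
        *CN=,*|*CN=) fail "Common Name is empty: $subj" ;;
        *CN=*)       pass "Common Name present: $subj" ;;
        *)           fail "no Common Name in subject: $subj" ;;
    esac

    # Not expired: -checkend 0 exits non-zero once notAfter has passed.
    if openssl x509 -in "$leaf" -noout -checkend 0 >/dev/null 2>&1; then
        pass "leaf certificate is not expired"
    else fail "leaf certificate is expired"; fi

    # Currently valid: openssl verify checks notBefore and notAfter against the
    # clock; the leaf itself is used as a partial-chain trust anchor so that
    # only the time window is judged here, not the issuing CA.
    if openssl verify -partial_chain -CAfile "$leaf" "$leaf" >/dev/null 2>&1; then
        pass "leaf certificate is within its validity window"
    else fail "leaf certificate is outside its validity window"; fi

    # The private key must parse and match the leaf: compare the SHA-256 of the
    # DER-encoded public key taken from the certificate and from the key.
    if openssl pkey -in "$key" -noout 2>/dev/null; then pass "private key parses"
    else fail "private key does not parse"; fi
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then pass "private key matches the leaf certificate"
    else fail "private key does not match the leaf certificate"; fi

    # Chain order: each certificate must be issued by the one that follows it.
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$work/chain-$i.pem" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^issuer=//')
        next=$(openssl x509 -in "$work/chain-$((i + 1)).pem" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject=//')
        if [ "$issuer" = "$next" ]; then pass "certificate $i is issued by certificate $((i + 1))"
        else fail "certificate $((i + 1)) is not the issuer of certificate $i (chain out of order?)"; fi
        i=$((i + 1))
    done

    rm -rf "$work"
    return "$rc"
}

# Usage: sh kms_preflight.sh cert_path trust_store_path private_key_path
if [ $# -eq 3 ]; then kms_preflight "$@"; fi
```

A non-zero exit means at least one FAIL line was printed; fix the file before configuring the credential or running nbkmiputil -validate. The validity-window check deliberately trusts the leaf itself, because the trust store holds the CA that issued the KMS server's certificate, which need not be the CA that issued the client certificate.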
To validate KMS credentials and KMS compatibility
- Run the following command:
nbkmiputil -kmsServer kms_server_name -port port -certPath cert_path -privateKeyPath private_key_path -trustStorePath trust_store_path -validate
The nbkmiputil command validates the KMS functionality, including the connection to the KMS server.
It also tests operations such as list keys, fetch keys, set attributes, and fetch attributes. For set attributes, you must have 'write' permission on the KMS server. The nbkmiputil command also validates the CA fingerprint of the server certificate that is exchanged during the TLS handshake. nbkmiputil uses TLS 1.2 or later for secure communication with the external KMS server.
- (This step is conditional.) If the KMS vendor is not listed as a supported KMS vendor in the NetBackup hardware compatibility list and you want to verify that the vendor is compatible with NetBackup, run the compatibility check in the next step. The check requires 'write' privileges on the external KMS server: it creates eight symmetric keys on the server and performs various KMIP operations against them. After the compatibility check, you must explicitly delete the keys that it created.
- Check that the NetBackup master server is compatible with the KMS vendor and can communicate with it using the KMIP protocol. Run the following command:
nbkmiputil -kmsServer kms_server_name -port port -certPath cert_path -privateKeyPath private_key_path -trustStorePath trust_store_path -ekmsCheckCompat
It is recommended that you run the -ekmsCheckCompat option to check whether you can successfully configure KMS in your environment. This option creates eight test keys on the specified KMS server; delete them manually afterwards.
- If a check fails, contact Veritas Technical Support.