Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Deduplication Guide
  5. Configuring deduplication
  7. Configuring MSDP replication to a different NetBackup domain
  9. Adding a trusted primary server using a NetBackup CA-signed (host ID-based) certificate
NetBackup™ Deduplication Guide

Adding a trusted primary server using a NetBackup CA-signed (host ID-based) certificate

Replication operations require that a trust relationship exists between the NetBackup servers in the different domains.

Before you begin

Perform the following steps on both the source and the target server:

  • Identify the NetBackup versions that are installed on the source and the target servers.

  • Obtain the authorization tokens of the remote server.

    Use the bpnbat command to log on and nbcertcmd to get the authorization tokens.

  • Obtain the fingerprints for the remote server.

    To obtain the SHA1 fingerprint of root certificate, use the nbcertcmd -displayCACertDetail command.

  • Ensure that you have one of the following permissions:

    • System administrator permissions with root permissions for UNIX, administrator permissions for Windows, or a NetBackupCLI user for appliances with software versions 3.1 and later.

    • Access to the NetBackup Administration Console, where you have <username> ADMIN=ALL permissions through auth.conf.

    • Enhanced Auditing (EA) user permissions through authalias.conf.

    • For remote Windows primary server, if the user's domain is not same as that of the authentication service, you must add the domain with LDAP using the vssat addldapdomain command. See the NetBackup Commands Reference Guide.

Adding a trusted primary server, when both the source and the target servers are NetBackup version 8.1 or later

Use this procedure to add a trusted primary server when both the source and target servers are NetBackup version 8.1 or later.

See Adding a trusted primary server using external CA-signed certificate.

To add a trusted primary server, when both the source and the target servers are NetBackup version 8.1 or later

  1. In the NetBackup Administration Console, expand NetBackup Management > Host Properties > Master Servers in the left pane.
  2. In the right pane, select the primary server and Actions > Properties.
  3. In the properties dialog box left pane, select Servers.
  4. On the Trusted Master Servers tab, click Add.
  5. Enter the fully-qualified host name of the remote primary server and click Validate Certificate Authority.
  6. In the Validate Certificate Authority dialog box, verify if the CA certificate fingerprint of the remote server is correct.

    To proceed, click Yes.

    If the fingerprints don't match, click No. Contact the remote server admin to provide the correct fingerprints.

  7. Enter the trusted primary server details using one of the following methods.

    • (Recommended) Select Specify authentication token of the trusted primary server and enter the token details of the remote primary server.

    • Select Specify credentials of the trusted primary server and enter the user name and password. Note that this method may present a possible security breach. Only an authentication token can provide restricted access and allow secure communication between both the hosts.

      To establish trust with a 3.1 NetBackup primary appliance, use the NetBackup CLI credentials.

  8. Click OK.
  9. Perform the same procedure on the remote primary server that you added in step 5.
Adding a trusted primary server, when both the source and the target server are NetBackup version 8.0

Use this procedure to add a trusted primary server when both the source and target servers are NetBackup version 8.0.

To add a trusted primary server, when both the source and the target server are NetBackup version 8.0

  1. Ensure that the Enable insecure communication with NetBackup 8.0 and earlier hosts option is enabled in the global security settings.
  2. In the NetBackup Administration Console, expand NetBackup Management > Host Properties > Master Servers in the left pane.
  3. In the right pane, select the primary server and Actions > Properties.
  4. In the properties dialog box left pane, select Servers.
  5. On the Trusted Master Servers tab, click Add.
  6. Enter the fully-qualified host name of the remote primary server and click Validate Certificate Authority.
  7. Enter the Username and Password of the remote primary server host.
  8. Click OK.
More information

See About trusted primary servers for Auto Image Replication.

See Configuring MSDP replication to a different NetBackup domain.

For details on usage reporting in the web UI, see the NetBackup Web UI for Administrator's Guide.

For more information on commands, see the NetBackup Commands Reference Guide. For details on the authalias.conf, see the NetBackup Security and Encryption Guide.

Feedback

Was this page helpful?
Previous

About the certificate to be used for adding a trusted master server

Next

Adding a trusted primary server using external CA-signed certificate

Feedback

Was this page helpful?