About secure communication in NetBackup
This chapter provides critical information about secure communication in NetBackup. It is strongly recommended that you read this information before you upgrade NetBackup to a version that supports secure communication (8.1 or later).
NetBackup 8.1 and later hosts can communicate with each other only in a secure mode.
NetBackup uses the Transport Layer Security (TLS) protocol for host communication. Each host must present its security certificate and validate the peer host's certificate against the certificate authority (CA) certificate. The NetBackup security certificates that are used to authenticate NetBackup hosts conform to the X.509 Public Key Infrastructure (PKI) standard. NetBackup supports two types of certificates:
NetBackup CA-signed certificates: A NetBackup primary server acts as the certificate authority (CA) and issues digital certificates to hosts.
External CA-signed certificates: Starting with NetBackup 8.2, you can also configure external CA-signed certificates (or external certificates) on the NetBackup hosts.
Depending on the configuration of NetBackup, a host needs one or both types of certificates for successful communication with other hosts.
You can choose to deploy a certificate on a host during NetBackup installation. If, for some reason, a certificate cannot be deployed on a host during installation, the host cannot communicate with other hosts. In that case, you must manually deploy a NetBackup certificate on the host using the nbcertcmd command to start host communication after installation.
Alternatively, you can configure external CA-signed certificates.
The following nodes in the NetBackup Administration Console provide secure communication settings: Host Management and Global Security Settings.
The following commands provide options to manage certificate deployment and other security settings: nbhostmgmt, nbhostidentity, nbcertcmd, and nbseccmd.
If you have NetBackup 8.0 or earlier hosts in your environment, you can enable legacy communication with them.
See "How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts."
Note:
A host name-based certificate is required in the following scenarios:
Hosts that are enabled for NetBackup Access Control (NBAC) require host name-based certificates.
The NetBackup CloudStore Service Container requires that the host name-based certificate be installed on the media server.