How secure communication works with primary server cluster nodes
Review the following scenarios about certificate deployment if you have a clustered primary server:
In the case of a fresh NetBackup installation, the certificate on the active node is deployed automatically. You must manually deploy certificates on all inactive nodes.
The private key of the NetBackup host ID-based certificate is stored in an encrypted format using AES_256_CBC encryption.
In the case of disaster recovery, certificates for active and inactive nodes are not recovered. After you install NetBackup in disaster recovery mode, you must manually deploy certificates on all nodes using a reissue token.
In the case of an upgrade, active or inactive nodes may already have a certificate. You can verify whether a cluster node has a certificate by viewing the certificate details with the nbcertcmd -listCertDetails command.
The private key of the host ID-based certificate is stored in an encrypted state, which can be verified using the nbcertcmd -listCertDetails command. The 'Private Key Encryption State' field in the command output shows the encrypted status of the private key.
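The check described above can be scripted per cluster node. The following is an added example, not part of the NetBackup documentation or product: it reads nbcertcmd -listCertDetails output on stdin and classifies the node. The "Label : Value" line layout, the "Host ID" line, and the "Encrypted" / "Not Encrypted" values are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: classify one cluster node from `nbcertcmd -listCertDetails`
# output read on stdin.
# Assumptions (not stated on the page): details are "Label : Value" lines,
# each certificate has a "Host ID" line, and an encrypted key is reported
# as "Encrypted". Adjust these to the output of your NetBackup version.
classify_cert_details() {
    awk '
        {
            sep = index($0, ":")          # first colon ends the label
            if (sep == 0) next
            label = substr($0, 1, sep - 1)
            value = substr($0, sep + 1)   # value may itself contain colons
            gsub(/^[ \t]+|[ \t\r]+$/, "", label)
            gsub(/^[ \t]+|[ \t\r]+$/, "", value)
            if (label == "Host ID") certs++
            if (label == "Private Key Encryption State") {
                states++
                if (tolower(value) != "encrypted") bad++
            }
        }
        END {
            if (certs == 0)          print "NO_CERTIFICATE"      # node needs a certificate
            else if (states < certs) print "STATE_NOT_REPORTED"  # field absent, check manually
            else if (bad > 0)        print "KEY_NOT_ENCRYPTED"
            else                     print "OK"
        }'
}

# Constructed sample output (placeholder values, not captured from a real host).
sample_encrypted() {
    cat <<'EOF'
                     Host ID : 00000000-0000-0000-0000-000000000001
                 Expiry Date : Jan 01 00:00:00 2030 GMT
Private Key Encryption State : Encrypted
EOF
}
# Constructed negative case; "Not Encrypted" is an assumed value.
sample_unencrypted() {
    sample_encrypted | sed 's/: Encrypted$/: Not Encrypted/'
}

# On a real node: nbcertcmd -listCertDetails | classify_cert_details
if [ "${1:-}" = "--demo" ]; then
    printf 'encrypted key:   %s\n' "$(sample_encrypted | classify_cert_details)"
    printf 'unencrypted key: %s\n' "$(sample_unencrypted | classify_cert_details)"
    printf 'no certificate:  %s\n' "$(printf '' | classify_cert_details)"
fi
```

Run the function on every node of the cluster, active and inactive, since only the active node receives its certificate automatically.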
Note:
If you have configured NetBackup Access Control (NBAC) on a primary server cluster node, you also need to manually deploy host name-based certificates on all nodes.
In a cluster setup, the same virtual name is used across multiple cluster nodes. Therefore, the virtual name should be mapped with all associated cluster nodes.