About external CA support in NetBackup
You can now use X.509 certificates that your trusted certificate authority (CA) has issued.
NetBackup supports file-based certificates and Windows certificate store as sources for external certificates for NetBackup hosts. It supports certificates in PEM, DER, and P7B formats.
Note:
NetBackup does not support Windows certificate store as source for the NetBackup web server certificate.
Note:
The following API is used to configure an external certificate for WORM container on NetBackup Flex: /security/external-certificates/hosts/{hostUUID}.
The following terms that are specific to security certificates are used in NetBackup:
A certificate authority (CA) other than the NetBackup CA is referred to as an external CA.
Certificates that are issued by a CA other than the NetBackup CA are referred to as external CA-signed certificates or external certificates.
Certificates that the NetBackup CA has issued are referred to as NetBackup CA-signed certificates or NetBackup certificates.
A NetBackup certificate that is used for secure communications over control channel is also referred to as host ID-based certificate.
A host ID-based certificate is deployed on the primary server during NetBackup installation. You need to manually configure an external certificate on the primary server after installation.
See Configuring the primary server to use an external CA-signed certificate.
You can configure an external certificate on a NetBackup host (media server or client) either during installation or after installation.
Host ID-based certificates are required on all NetBackup 8.1 and higher hosts for enabling mutually authenticated secure communications. Starting 8.2, NetBackup CA-signed host ID-based certificates can be replaced by external CA-signed certificates.
In addition to the host ID-based certificate, a host name-based certificate may need to be deployed on some hosts in domains that have NetBackup Access Control (NBAC) enabled. The host name-based certificates are issued by the NetBackup CA.
On Windows platform, if external certificates are used for host communication, the NT AUTHORITY\SYSTEM user must be able to access the certificates that are located at ECA_CERT_PATH. The ECA_CERT_PATH configuration option is available in the Windows registry.
On Windows platform, Universal Naming Convention (UNC) paths (or network paths) are not supported for the following external CA parameters: Certificate chain, certificate's private key, trust store, passphrase file for certificate's private key, and CRL cache.
The following requirement is applicable for the NetBackup web server certificate:
If the subject alternative name (SAN) is not empty, the certificate should contain all host names that the primary server is known by (the host names that are listed in the SERVER configuration option entries of other hosts in the domain) in the SAN field of the certificate.
Requirements for the subject name of the certificate:
Subject name should not be empty.
Common name of the subject name should not be empty.
Subject name should be unique for each host.
Subject name should be fewer than 255 characters.
Only ASCII 7 characters are supported for the certificate subject and the subject alternative name (SAN).
Requirements for key usage purposes:
If the certificate has a X509v3 Key Usage extension present, it must include the following key usage purposes:
For the web server certificate: At least one of the Digital Signature or Key Encipherment should be present.
For a NetBackup host certificate: Digital Signature purpose should be present. Key Encipherment may or may not be present.
For a certificate that is used for both web server and NetBackup host: Digital Signature purpose should be present. Key Encipherment may or may not be present.
The certificate may have other key usage purposes listed in addition to the purposes specified here. These additional purposes are ignored.
The X509v3 Key Usage extension may be either critical or non-critical.
A certificate without a X509v3 Key Usage extension is also usable with NetBackup.
If the certificate has a X509v3 Extended Key Usage extension present, it must include the following key usage purposes:
For the web server certificate: TLS Web Server Authentication.
For a NetBackup host certificate: TLS Web Server Authentication and TLS Web Client Authentication.
For a certificate that is used for both web server and NetBackup host: TLS Web Server Authentication and TLS Web Client Authentication.
The certificate may have other key usage purposes listed in addition to the purposes specified here. These additional purposes are ignored.
The X509v3 Extended Key Usage extension may be either critical or non-critical.
A certificate without a X509v3 Extended Key Usage extension is also usable with NetBackup.
If the certificate does not meet these requirements, contact your certificate provider to obtain a new certificate.