NetBackup™ Security and Encryption Guide

About external certificate configuration for a clustered primary server

For a clustered primary server, you can now use X.509 certificates that your trusted certificate authority (CA) has issued.

You should first enable your NetBackup domain to use external CA-signed certificates by configuring the NetBackup web server.

You can then configure the NetBackup clustered primary server to use external CA-signed certificates for secure host communication.

See Workflow to use external certificates for a clustered primary server.

Important notes

Review the following notes before you configure NetBackup to use external certificates:

  • A NetBackup certificate or host ID-based certificate is deployed on the primary server during NetBackup installation. You must manually configure an external certificate on the clustered primary server after installation.

  • In a clustered primary server setup, you must configure one external certificate for each cluster node, which resides on the local disk of that node. Additionally, you must configure one certificate for the virtual name, which resides on the shared disk of the cluster.

  • The NetBackup configuration options (for example, CLUSTER_ECA_CERT_PATH) that are required for external certificate enrollment for the virtual name are stored in the nbcl.conf file, which resides on the shared disk. The external certificate configuration options for each cluster node are stored in the bp.conf file or the Windows registry.

  • The Windows certificate store is not supported as an external certificate source for the virtual name. It can be used as a source for certificates for cluster nodes.

  • There is no separate CRL configuration option for the virtual name. Depending on the ECA_CRL_CHECK configuration option on the node, the certificate revocation lists (CRLs) of the cluster nodes, taken from ECA_CRL_PATH or the CRL distribution point (CDP), are used to verify the revocation status of the peer host's certificate during communication. Therefore, set the CRL configuration options before you use an external certificate for the primary server virtual name.

    See About certificate revocation lists for external CA.
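The following pre-flight check illustrates the last note: once CLUSTER_ECA_CERT_PATH is present in nbcl.conf, it reports every cluster node whose bp.conf leaves revocation checking unset, disabled, or dependent on the CDP. It is an added example, not NetBackup code. It assumes a `KEY = value` file layout and the values DISABLE/0 for ECA_CRL_CHECK, uses constructed sample contents and hypothetical function names, and does not cover nodes that keep these options in the Windows registry.

```python
import re

# Constructed sample file contents (not taken from a real cluster).
SAMPLE_NBCL = "CLUSTER_ECA_CERT_PATH = /shared/eca/virtual_name_cert.pem\n"
SAMPLE_BP = {
    "node1": "ECA_CRL_CHECK = CHAIN\nECA_CRL_PATH = /local/eca/crl\n",
    "node2": "# CRL check switched off\nECA_CRL_CHECK = DISABLE\n",
    "node3": "ECA_CRL_CHECK = LEAF\n",
}

def parse_conf(text):
    """Parse 'KEY = value' lines (assumed layout); other lines are ignored."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def check_cluster_crl(nbcl_text, node_bp_texts):
    """Return (node, message) findings about CRL settings on each node."""
    if not parse_conf(nbcl_text).get("CLUSTER_ECA_CERT_PATH"):
        return []  # no external certificate for the virtual name yet
    findings = []
    for node, text in sorted(node_bp_texts.items()):
        opts = parse_conf(text)
        level = opts.get("ECA_CRL_CHECK", "").upper()
        if not level:
            findings.append((node, "ECA_CRL_CHECK is not set explicitly"))
        elif level in ("DISABLE", "0"):  # assumed spellings of 'off'
            findings.append((node, "revocation checking is disabled"))
        elif not opts.get("ECA_CRL_PATH"):
            findings.append((node, "no ECA_CRL_PATH, revocation relies on the CDP"))
    return findings

if __name__ == "__main__":
    for node, message in check_cluster_crl(SAMPLE_NBCL, SAMPLE_BP):
        print(f"{node}: {message}")
```

Run the check against the real file contents of every node before enrolling the virtual-name certificate, because the virtual name inherits whatever revocation behaviour the active node has.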
