Configuration options for external CA-signed certificates
To configure a NetBackup primary server, media server, or client to use an external CA-signed certificate for host communication, you must define certain configuration options in the NetBackup configuration file (bp.conf on UNIX platforms, or the Windows registry).
For file-based external certificates, the following configuration options are mandatory:
ECA_CERT_PATH
ECA_TRUST_STORE_PATH
ECA_PRIVATE_KEY_PATH
If the private key of the external certificate is encrypted, ECA_KEY_PASSPHRASEFILE is also mandatory.
For the Windows certificate store, the following configuration option is mandatory:
ECA_CERT_PATH
The following options are optional:
ECA_CRL_CHECK
If the option is set to DISABLE (or 0), the ECA_CRL_PATH option is ignored and the revocation status of a peer host's certificate is not verified.
If the option is set to a value other than DISABLE and 0, the revocation status of a peer host's certificate is verified based on ECA_CRL_PATH.
ECA_DR_BKUP_WIN_CERT_STORE
For the Windows certificate store, specify this option if you want to back up the external certificates during catalog backup.
ECA_CRL_PATH_SYNC_HOURS
This option is used when ECA_CRL_CHECK is enabled and ECA_CRL_PATH is defined.
ECA_CRL_REFRESH_HOURS
This option is used when ECA_CRL_CHECK is enabled, but ECA_CRL_PATH is not defined (when CDP is used as a CRL source).
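The dependencies between these options can be checked mechanically before a host is put into service. The following is an added example, not NetBackup code: a small Python check over bp.conf text that reports missing mandatory options, disabled revocation checking, and CRL timing options that have no effect. It assumes bp.conf uses KEY = value lines; the function names, the key_is_encrypted and windows_cert_store parameters, and the sample paths are hypothetical.

```python
import re

FILE_BASED = ("ECA_CERT_PATH", "ECA_TRUST_STORE_PATH", "ECA_PRIVATE_KEY_PATH")

def parse_conf(text):
    """Parse 'KEY = value' lines (assumed bp.conf layout) into a dict."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m and m.group(2):
            opts[m.group(1)] = m.group(2)
    return opts

def lint_eca(text, key_is_encrypted=False, windows_cert_store=False):
    """Return a list of findings for the ECA_* options described above."""
    opts, findings = parse_conf(text), []
    required = ["ECA_CERT_PATH"] if windows_cert_store else list(FILE_BASED)
    if key_is_encrypted and not windows_cert_store:
        required.append("ECA_KEY_PASSPHRASEFILE")
    findings += [f"missing mandatory option {k}" for k in required if k not in opts]

    crl = opts.get("ECA_CRL_CHECK")
    if crl is None:
        return findings  # the page does not state a default, so nothing is reported
    if crl.upper() in ("DISABLE", "0"):  # assumption: value compared case-insensitively
        findings.append("ECA_CRL_CHECK disabled: peer certificate revocation is not verified")
        if "ECA_CRL_PATH" in opts:
            findings.append("ECA_CRL_PATH is ignored while ECA_CRL_CHECK is disabled")
    elif "ECA_CRL_PATH" in opts:
        if "ECA_CRL_REFRESH_HOURS" in opts:
            findings.append("ECA_CRL_REFRESH_HOURS is unused: ECA_CRL_PATH is defined")
    elif "ECA_CRL_PATH_SYNC_HOURS" in opts:
        findings.append("ECA_CRL_PATH_SYNC_HOURS is unused: ECA_CRL_PATH is not defined")
    return findings

# Constructed sample input; all paths are placeholders.
SAMPLE = """\
ECA_CERT_PATH = /placeholder/eca/cert_chain.pem
ECA_PRIVATE_KEY_PATH = /placeholder/eca/private/key.pem
ECA_CRL_CHECK = DISABLE
ECA_CRL_PATH = /placeholder/eca/crl
"""

if __name__ == "__main__":
    for finding in lint_eca(SAMPLE, key_is_encrypted=True):
        print(finding)
```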