Validating KMS credentials
If incorrect credentials are configured in NetBackup, communication with the external KMS server may fail. To avoid such failures, you can run certain validations before a credential is configured for KMS use. If a validation check does not pass, the credential cannot be configured.
See Configuring KMS credentials.
See Checking the compatibility of KMS vendor with NetBackup.
The -validate command option is useful when the KMS vendor is listed as a supported KMS vendor in the NetBackup hardware compatibility list.
The following validations are carried out while you configure a new credential or update an existing one.
It is not recommended to configure credentials if one or more checks fail:
- The certificate path is valid
- The truststore path is valid
- The private key path is valid
- The certificates in the certificate chain are readable
- The certificates in the truststore are readable
- The private key is readable
- The Common Name field is not empty
- The certificate is not expired
- The certificate is currently valid
- The private key matches the certificate
- The certificates are in the appropriate order
The following CRL validation checks are performed, if the ECA_CRL_PATH is configured and the CRL check level is other than DISABLE:
- The CRL directory contains CRL files
- The CRL check level is valid
- The CRL path is valid
- The available CRLs are readable
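As an added example that is not part of the NetBackup documentation or of the nbkmiputil tool, the following POSIX shell function runs the file-level checks from the list above with openssl, so that obviously broken PEM files are caught before the credential is configured. The function name, argument order and reliance on openssl are assumptions; the CRL checks are not covered.

```shell
#!/bin/sh
# Hypothetical pre-flight helper (not NetBackup code) for the checks listed above.
# Usage: kms_cred_precheck CERT_CHAIN_PEM PRIVATE_KEY_PEM TRUSTSTORE_PEM
# Returns 0 when every check passes, 1 otherwise (reasons go to stderr).

kms_cred_precheck() {
  cert=$1; key=$2; store=$3; rc=0
  fail() { echo "FAIL: $1" >&2; rc=1; }

  # Paths are valid and the files are readable
  for f in "$cert" "$key" "$store"; do
    [ -r "$f" ] || fail "path not readable: $f"
  done
  [ $rc -eq 0 ] || return $rc

  # Certificate chain, truststore (first certificate) and private key parse as PEM
  openssl x509 -in "$cert" -noout 2>/dev/null || fail "certificate chain not parseable"
  openssl x509 -in "$store" -noout 2>/dev/null || fail "truststore not parseable"
  openssl pkey -in "$key" -noout 2>/dev/null || fail "private key not parseable"
  [ $rc -eq 0 ] || return $rc

  # Common Name field of the leaf certificate is not empty
  openssl x509 -in "$cert" -noout -subject | grep -q 'CN *=' \
    || fail "subject has no Common Name"

  # Certificate is not expired (checkend 0 = "does it expire within 0 seconds")
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || fail "certificate is expired"

  # Private key matches the leaf certificate: compare the two SubjectPublicKeyInfo blobs
  c_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  k_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  [ "$c_pub" = "$k_pub" ] || fail "private key does not match certificate"

  # Chain order and current validity: leaf first, intermediates taken from the chain
  # file, and the whole path must verify up to the truststore (this also rejects a
  # certificate whose notBefore is still in the future).
  openssl verify -CAfile "$store" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
    || fail "chain does not verify against truststore (check order, CA, validity)"

  return $rc
}
```

Run it against the same cert, key and truststore paths you intend to pass to nbkmiputil; a non-zero return means the configuration step would be rejected anyway.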
To validate KMS credentials and KMS functionality
- Run the following command:
nbkmiputil -validate -kmsServer kms_server_name -port port -certPath cert_path -privateKeyPath private_key_path -trustStorePath trust_store_path
The nbkmiputil command validates KMS functionality, including the connection to the KMS server.
It also tests operations such as list keys, fetch keys, set attributes, and fetch attributes. For set attributes, you must have the 'write' permission on the KMS server. The nbkmiputil command also validates the CA fingerprint of the server certificate that is exchanged during the TLS handshake. nbkmiputil uses TLS 1.2 or later for secure communication with the external KMS server.
- If the check fails, contact Veritas Technical Support.