Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager for Cloud installation and configuration
  4. Deploying NetBackup Snapshot Manager for Cloud using container images
  5. Securing the connection to NetBackup Snapshot Manager
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Securing the connection to NetBackup Snapshot Manager

  • Supported scenarios:

    • Primary server and Snapshot Manager must be with ECA or NBCA.

    • For NBCA and ECA mixed mode continue with ECA mode for NetBackup Snapshot Manager installation.

  • Unsupported scenario: Primary with NBCA and NetBackup Snapshot Manager with ECA and vice versa.

In the NetBackup Snapshot Manager, you can upload CRLs of the external CA at /cloudpoint/eca/crl file. The uploaded CRL does not work, if the crl directory is not present or is empty.

For data mover container, add /cloudpoint/eca/crl path against the ECA_CRL_PATH parameter in the /cloudpoint/openv/netbackup/bp.conf file.

Following three parameters are tuneable, you can add the entry under eca section in the /cloudpoint/flexsnap.conf file.

Table: ECA parameters

Parameter

Default

Value

Remarks

eca_crl_check 

0 (Disable) 

0 (disable) 

1 (leaf) 

2 (chain) 

Certificate check level. Used to control the CRL/OCSP validation level for NetBackup Snapshot Manager host connecting to On-prem/cloud workloads. 

  • 0 (disable): No CRL/OCSP is performed during validation 

  • 1 (leaf): CRL/OSCP validation is performed only for leaf 

  • 2 (chain): CRL/OSCP validation is performed for the whole chain 

eca_crl_refresh_ hours 

24

Numerical value between 0 and 4830 

Time interval in hours to update the NetBackup Snapshot Manager CRLs cache from CA through the certificate CDP URL. Option is not applicable if /cloudpoint/eca/crl file is present and contains CRL files. If it is set as 0, cache does not refresh. 

eca_crl_path_sync_ hours 

1

Numerical value between 1 and 720 

Time interval in hours to update the NetBackup Snapshot Manager CRL cache from /cloudpoint/eca/crl file. Option is not applicable if /cloudpoint/eca/crl file is not present or empty. 

For more information, refer to the following sections of the NetBackup™ Security and Encryption Guide.

  • About the host ID-based certificate revocation list

  • When an authorization token is required during certificate deployment

Note:

Cache is not validated if any of ECA tuneable are added or modified manually inside the /cloudpoint/flexsnap.conf file.

Certificate revoking for Snapshot Manager

For detailed information on NetBackup CA and certificates, refer to the "NetBackup CA and NetBackup certificates" chapter of NetBackup™ Security and Encryption Guide.

The following table provides the regeneration steps to be performed for revoking the certificates in Snapshot Manager:

Use case

Commands

CA migration

  • NBCA to ECA:

    # flexsnap_configure renew --ca /eca2/trusted/cacerts.pem --key /eca2/private/key.pem --chain /eca2/cert_chain.pem
    Enrolling external CA certificates with NetBackup...
    Snapshot Manager certificate is renewed.
  • ECA to NBCA:

    # flexsnap_configure renew --token <reissue-token>
    Generating new NetBackup Host-ID certificate...
    Snapshot Manager certificate is renewed.

Post revoke certificate regeneration for NBCA

# flexsnap_configure renew --token <reissue-token>
Generating new NetBackup Host-ID certificate...
Snapshot Manager certificate is renewed.

Post revoke certificate regeneration for ECA

# flexsnap_configure renew --ca /eca2/trusted/cacerts.pem --key /eca2/private/key.pem --chain /eca2/cert_chain.pem
Enrolling external CA certificates with NetBackup...
Snapshot Manager certificate is renewed.

Post migration regenerate certificates for ECA/NBCA

# flexsnap_configure renew --hostnames new-nbsm.veritas.com --token <authentication-token>
Generating new NetBackup Host-ID certificate...
Snapshot Manager certificate is renewed.
 
Please run 'flexsnap_configure renew --internal --hostnames <nbsm_fqdn>
to renew Snapshot Manager's internal CA and certificates.

Certificate regeneration for extension

# flexsnap_configure renew --extension --primary <nbsm_fqdn> --token <extension_token>

Certificate rotation

# flexsnap_configure renew --force
Generating new NetBackup Host-ID certificate...
Snapshot Manager certificate is renewed.

Internal flexsnap CA certificate in case of migration, Disaster Recovery scenarios

# flexsnap_configure renew --internal --hostnames <nbsm_fqdn>

Renewed Flexsnap CA                    ... skip
Renewed rabbitmq certificate           ... done
Renewed postgresql certificate         ... done
Renewed listener certificate           ... done
Renewed workflow certificate           ... done
Renewed scheduler certificate          ... done
Renewed agent certificate              ... done
Renewed client certificate             ... done
Renewed certmaster certificate         ... done
Renewed agent certificate              ... done
Renewed notification certificate       ... done
Renewed client certificate             ... done
Renewed client certificate             ... done
Renewed mongodb certificate            ... done
Renewed coordinator certificate        ... done
Renewed config certificate             ... done
Renewed idm certificate                ... done
Renewed agent certificate              ... done
Renewed client certificate             ... done
Renewed policy certificate             ... done

Snapshot Manager's CA and certificates are renewed. Restart the Snapshot Manager stack using 'flexsnap_configure
restart' to take effect.
Rotating the passphrase of NetBackup Snapshot Manager that encrypts the private key for NetBackup HostID certificate

You need to rotate the passphrase manually for BYO and Cloud scale deployments.

  • For BYO deployments, stop the NetBackup Snapshot Manager, and use the flexsnap_configure command with the following options:

    flexsnap_configure renew --rotate-passphrase

    When prompted, press y to give consent.

    This operation performs the rotation of the passphrase that encrypts the private key of the host ID-based certificates.

  • For Cloud scale deployments, use the flexsnap_configure, with these options:

    kubctl exec -it <certauth pod> -n <namespace> flexsnap-config renew --rotate-passphrase

  • Restart the NetBackup Snapshot Manager.

Note:

Private keys generated for ECA can be or cannot be encrypted. It depends on user to provide encrypted private key at the time of installation.

Feedback

Was this page helpful?
Previous

Installing NetBackup Snapshot Manager on CIS Level 2 v2 configured host

Next

Verifying that NetBackup Snapshot Manager is installed successfully

Feedback

Was this page helpful?