Configure secure communication between the AHV cluster and NetBackup host and Nutanix Prism Central and NetBackup host
NetBackup can now validate AHV cluster and Prism Central server certificates using their root or intermediate certificate authority (CA) certificates.
Only PEM certificate format is supported for virtualization servers.
The following procedure is applicable for the NetBackup media servers acting as backup hosts and all AHV access hosts.
To configure secure communication between AHV cluster and AHV access host and AHV Prism Central Server and AHV access host:
- Use the openssl s_client -connect Nutanix Cluster FQDN:9440 -showcerts < /dev/null command from a Linux system to obtain the Nutanix certificates.
For Nutanix Prism Central use the openssl s_client -connect Nutanix Prism Central FQDN:9440 -showcerts < /dev/null
- Scroll to the end of the results and copy the last certificate which starts from:
-----BEGIN CERTIFICATE----- <Certificate> -----END CERTIFICATE-----
Note:
Ensure to copy the five dashes before and after the BEGIN and END CERTIFICATE.
- Paste the information to a text file and then rename it as
certificate file name.pemand copy it to a path to your backup host. Recommended path is:For Linux:
/usr/openv/netbackup.For Windows:
install_path\NetBackup.
For Linux: Enter the PEM file path
ECA_TRUST_STORE_PATH=/usr/openv/netbackup/certificate file name.pemin thebp.confon the backup host.For Windows: Run the command install_path\NetBackup\bin\nbsetconfig.
- Use the nbsetconfig command to configure the following NetBackup configuration options on the access host:
For more information on the configuration options, refer to the NetBackup Administrator's Guide, Volume I.
For more information on external CA support, refer to the NetBackup Security and Encryption Guide.
Table:
ECA_TRUST_STORE_PATH | Specifies the file path to the certificate file that contains all trusted root CA certificates. This option is specific to file-based certificates. You should not configure this option if Windows certificate store is used. If you have already configured this external CA option, append the Nutanix AHV CA certificates to the existing external certificate trust store. If you have not configured the option, add all the required Nutanix AHV server CA certificates to the trust store and set the option. |
ECA_CRL_PATH | Specifies the path to the directory where the certificate revocation lists (CRL) of the external CA are located. If you have already configured this external CA option, append the AHV CRLs to the CRL cache. If you have not configured the option, first add all the required CRLs to the CRL cache. Then set the option. |
VIRTUALIZATION_HOSTS_SECURE_CONNECT_ENABLED | This option affects AHV, RHV, and VMware secure communication. Without this option, the secure or insurce communication with workload is decided by each workload and plug-in separately. For Nutanix AHV, secure communication is enabled by default. This option lets you skip the security certificate validation. Disabling this option lets you skip the security certificate validation. Cohesity recommends that you enable secure communication using the ECA_TRUST_STORE_PATH option. |
VIRTUALIZATION_CRL_CHECK | Lets you validate the revocation status of the virtualization server certificate against the CRLs. By default, the option is enabled. |