NetBackup™ for Nutanix AHV Administrator's Guide

Configure secure communication between the AHV cluster and NetBackup host and Nutanix Prism Central and NetBackup host

NetBackup can now validate AHV cluster and Prism Central server certificates using their root or intermediate certificate authority (CA) certificates.

Only PEM certificate format is supported for virtualization servers.

The following procedure is applicable for the NetBackup media servers acting as backup hosts and all AHV access hosts.

To configure secure communication between AHV cluster and AHV access host and AHV Prism Central Server and AHV access host:

  1. From a Linux system, run the following command to obtain the Nutanix certificates:

    openssl s_client -connect <Nutanix Cluster FQDN>:9440 -showcerts < /dev/null

    For Nutanix Prism Central, run:

    openssl s_client -connect <Nutanix Prism Central FQDN>:9440 -showcerts < /dev/null

  2. Scroll to the end of the results and copy the last certificate which starts from:
    -----BEGIN CERTIFICATE----- 
    <Certificate> 
    -----END CERTIFICATE----- 
    

    Note:

    Ensure that you copy the five dashes before and after BEGIN CERTIFICATE and END CERTIFICATE.

  3. Paste the information into a text file, rename the file <certificate file name>.pem, and copy it to a path on your backup host. The recommended path is:
    • For Linux: /usr/openv/netbackup.

    • For Windows: install_path\NetBackup.

    • For Linux: Enter the PEM file path ECA_TRUST_STORE_PATH=/usr/openv/netbackup/<certificate file name>.pem in the bp.conf file on the backup host.

    • For Windows: Run the command install_path\NetBackup\bin\nbsetconfig.

  4. Use the nbsetconfig command to configure the following NetBackup configuration options on the access host:

    For more information on the configuration options, refer to the NetBackup Administrator's Guide, Volume I.

    For more information on external CA support, refer to the NetBackup Security and Encryption Guide.

Table:

ECA_TRUST_STORE_PATH

Specifies the file path to the certificate file that contains all trusted root CA certificates.

This option is specific to file-based certificates. You should not configure this option if Windows certificate store is used.

If you have already configured this external CA option, append the Nutanix AHV CA certificates to the existing external certificate trust store.

If you have not configured the option, add all the required Nutanix AHV server CA certificates to the trust store and set the option.

ECA_CRL_PATH

Specifies the path to the directory where the certificate revocation lists (CRL) of the external CA are located.

If you have already configured this external CA option, append the AHV CRLs to the CRL cache.

If you have not configured the option, first add all the required CRLs to the CRL cache. Then set the option.

VIRTUALIZATION_HOSTS_SECURE_CONNECT_ENABLED

This option affects AHV, RHV, and VMware secure communication. Without this option, each workload and plug-in decides separately whether communication with the workload is secure or insecure.

For Nutanix AHV, secure communication is enabled by default.

Disabling this option lets you skip the security certificate validation.

Cohesity recommends that you enable secure communication using the ECA_TRUST_STORE_PATH option.

VIRTUALIZATION_CRL_CHECK

Lets you validate the revocation status of the virtualization server certificate against the CRLs.

By default, the option is enabled.
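
The shell functions below are an added example, not part of the NetBackup documentation or Cohesity tooling. They script steps 2 and 3 (take the last complete certificate from saved openssl s_client -showcerts output) and the ECA_TRUST_STORE_PATH guidance to append to an existing trust store rather than replace it. The function names, host names and certificate bodies in the sample are constructed.

```shell
# Added example: function names and sample data are assumptions, not NetBackup
# tooling. The base64 bodies are constructed placeholders, not real certificates.
sample_showcerts() {   # stand-in for `openssl s_client ... -showcerts` output
cat <<'EOF'
Certificate chain
 0 s:CN = ahv-cluster.example.internal
-----BEGIN CERTIFICATE-----
TEVBRkNFUlRQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
Q0FDRVJUUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
EOF
}

# Step 2: print the last complete PEM block on stdin, dashes included.
# A block cut off before its END line is ignored; no block at all is an error.
last_pem_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
       inblk                         { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/   { if (inblk) last = buf; inblk = 0 }
       END { if (last == "") exit 1; printf "%s", last }'
}

# One line per certificate in the given files: the body with whitespace removed.
pem_bodies() {
  awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inblk = 1; next }
       /-----END CERTIFICATE-----/   { if (inblk) print body; inblk = 0; next }
       inblk { gsub(/[ \t\r]/, ""); body = body $0 }' "$@"
}

# Append <ca.pem> to <trust-store.pem> (the ECA_TRUST_STORE_PATH file) unless
# that certificate is already in it. Existing entries are never overwritten.
append_ca_to_store() {
  ca_body=$(pem_bodies "$1")
  [ -n "$ca_body" ] || { echo "no certificate in $1" >&2; return 1; }
  if [ -f "$2" ] && pem_bodies "$2" | grep -qxF -- "$ca_body"; then
    return 0
  fi
  cat "$1" >> "$2"
}

# s_client does not authenticate the server here, so confirm the issuer and
# SHA-256 fingerprint with the Nutanix administrator before trusting the file.
show_cert() { openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256; }
```

If the server presents only one certificate, the last block is the server certificate itself; show_cert prints the subject and issuer so you can see which one you saved.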
