NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Installing NetBackup Snapshot Manager in the Docker/Podman environment

From NetBackup version 10.3 onwards, credential-based authentication between the NetBackup primary server and Snapshot Manager has been replaced with certificate-based TLS authentication. You must therefore provide the following details during NetBackup Snapshot Manager deployment:

  • (For NBCA): Mandatory options such as primary server hostname, security authentication token and Snapshot Manager FQDN hostname.

  • (For ECA): Additional options such as CA, key, chain and CRL path.

The minimum key size for TLS certificates is 2048 bits, as governed by the crypto policies of the Linux host where NetBackup Snapshot Manager is installed.

(For Red Hat Enterprise Linux 8 platform) Refer to Red Hat Knowledgebase article.

(For other supported operating system platforms) Refer to the operating system vendor's documentation.
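
The following pre-flight check is an added example, not part of the vendor procedure or tooling. It checks the external CA files before they are passed to the --ca, --key, --chain and --passphrase options described later in this procedure. It assumes PEM files, an RSA key, that the server certificate is the first certificate in the chain file, and that openssl is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight checks on the ECA files before
# they are passed to flexsnap_configure install --ca/--key/--chain/--passphrase.
# Assumptions: PEM files, an RSA key, the server certificate is the first
# certificate in the chain file, and openssl is on PATH.

MIN_KEY_BITS=${MIN_KEY_BITS:-2048}   # minimum key size stated in this guide

# Public-key size, in bits, of the first certificate in a PEM file.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# True when the private key belongs to the first certificate in the chain.
# "-passin file:" reads the first line of the file, as --passphrase does.
key_matches_chain() {   # <key> <chain> [passphrase_file]
    kmc_pass="pass:"    # empty passphrase: an encrypted key fails, no prompt
    if [ -n "${3:-}" ]; then kmc_pass="file:$3"; fi
    kmc_key=$(openssl pkey -in "$1" -passin "$kmc_pass" -pubout 2>/dev/null) || return 1
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# True when the chain file holds a self-issued (root) certificate, which the
# --chain file must not contain.
chain_has_root() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { if (substr($0, 8) == s) found = 1 }
             END { exit !found }'
}

# True when the first certificate in the chain verifies up to the given root
# only (system trust directory excluded), using the chain as intermediates.
chain_verifies() {      # <root_ca> <chain>
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# True when group and others have no permission bits on the file.
private_perms() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Run all checks, print one FAIL line per finding, return 1 if any failed.
eca_preflight() {       # <root_ca> <key> <chain> [passphrase_file]
    ep_rc=0
    ep_bits=$(cert_key_bits "$3")
    [ "${ep_bits:-0}" -ge "$MIN_KEY_BITS" ] ||
        { echo "FAIL: key size ${ep_bits:-unknown} < $MIN_KEY_BITS bits"; ep_rc=1; }
    key_matches_chain "$2" "$3" "${4:-}" ||
        { echo "FAIL: --key does not match first certificate in --chain"; ep_rc=1; }
    chain_verifies "$1" "$3" ||
        { echo "FAIL: --chain does not verify against --ca"; ep_rc=1; }
    if chain_has_root "$3"; then
        echo "FAIL: --chain contains a root certificate"; ep_rc=1
    fi
    for ep_f in "$2" ${4:+"$4"}; do
        private_perms "$ep_f" ||
            { echo "FAIL: $ep_f is accessible to group or others"; ep_rc=1; }
    done
    return "$ep_rc"
}

# Usage: sh eca_preflight.sh <root_ca> <key> <chain> [passphrase_file]
if [ "$#" -ge 3 ]; then eca_preflight "$@"; fi
```

A non-zero exit status means at least one finding was printed; resolve the findings before running the installer with the same files.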

Note:

When you deploy NetBackup Snapshot Manager, you may want to copy the commands below and paste them in your command line interface. If you do, replace the information in these examples that is different from your own: the product and build version, the download directory path, and so on.

NetBackup Snapshot Manager installation prerequisites on Podman:

Run the following commands to install the required packages (podman-plugins, lvm2, systemd-udev, udica, and policycoreutils-devel) on the hosts:

# yum install -y lvm2-<version>

# yum install -y systemd-udev-<version>

# yum install -y podman-plugins

# yum install -y udica policycoreutils-devel

Installing NetBackup Snapshot Manager

Perform the following appropriate steps depending on the Docker or Podman environment.

To install NetBackup Snapshot Manager

  1. Download the NetBackup Snapshot Manager image to the system on which you want to deploy NetBackup Snapshot Manager. Navigate to the Veritas Technical Support website.

    Note:

    You must log on to the support site to download tar.gz image file.

    From the Products drop-down, select NetBackup and select the required version from the Version drop-down. Click Explore. Click Base and upgrade installers.

    The NetBackup Snapshot Manager image name resembles the following format for Docker and Podman environment:

    NetBackup_SnapshotManager_<version>.tar.gz

    Note:

    The actual file name may vary depending on the release version.

  2. Un-tar the image file using the following command:

    tar -xvf NetBackup_SnapshotManager_11.1.x.x-xxxx.tar.gz

    List the contents using the following command:

    # ls
    NetBackup_SnapshotManager_11.1.x.x-xxxx.tar.gz
    netbackup-flexsnap-11.1.x.x-xxxx.tar.gz
    flexsnap_preinstall.sh
    
  3. Run the following command to prepare the NetBackup Snapshot Manager host for installation:

    # sudo ./flexsnap_preinstall.sh

  4. Use the following commands to display help for the configure and install options:

    Configure: # flexsnap_configure -h

    Usage: flexsnap_configure [OPTIONS] <COMMAND> [CMD_OPTIONS]
    NetBackup Snapshot Manager (11.1.x.x-xxxx) configuration script
    
    
    Options:
      -h, --help
            Print this message and exit
    
    Command:
      backup       To create backup of Snapshot Manager metadata.
      certs        List and analyze certificate data.
      crl          To list or update Snapshot Manager's CRL database.
      dm           To recreate and login to the provided datamover ID.
      install      To install or upgrade the Snapshot Manager stack on a host.
      recover      To recover backup of Snapshot Manager metadata using provided tar.
      renew        To renew Snapshot Manager certificate(s).
      restart      To restart the Snapshot Manager services on a host.
      serverinfo   Troubleshooting CLI to get NetBackup and Snapshot Manager server information.
      start        To start the Snapshot Manager services on a host.
      status       To get Snapshot Manager or extension health status.
      stop         To stop the Snapshot Manager services on a host.
      truststore   To list or update Snapshot Manager truststore.
      uninstall    To uninstall the Snapshot Manager stack on a host.
      updatecil    To update SELinux policy for resolving permission denial issue.
      updatedb     To update 'client' database with NetBackup details.
      verify       To verify Snapshot Manager internal, external or provided certificate.
      verifycert   To perform certificate validation check.

    Run flexsnap_configure <COMMAND> --help for more information.

    Install: # flexsnap_configure install -h

    Usage: flexsnap_configure install [OPTIONS]

    Option
        Description

    --add-host <string>
        (Optional) Add a custom host-to-IP mapping (host:ip). Can be passed multiple times for each host:ip combination.

    --ca <ca>
        Absolute path of root CA file.

    --chain <chain>
        Absolute path of certificate chain containing all intermediate CAs and server certificate except the Root CA certificate.

    --crlcheck <level>
        Controls how Snapshot Manager is going to perform certificate revocation status check using CRL. Value can be 0 (disable), 1 (leaf) or 2 (chain). Default is 1 (leaf).

    --crlpath <directory>
        Specify CRL directory location for non CDP based CRL validation. Useful if Certificate Authority is not accessible from Snapshot Manager host.

    --extension
        Install Snapshot Manager extension. Must be accompanied by --extname and --snapshot-manager in case of fresh installation.

    --extname <name>
        Snapshot Manager extension name identifier.

    --hostnames <IP/FQDN>
        Comma separated IP/FQDNs for Snapshot Manager.

    --http-proxy <URI>
        (Optional) Pass the http proxy to deployment.
        Proxy input format: {http}://[username:password@]{fqdn|ip}[:port]

    --https-proxy <URI>
        (Optional) Pass the https proxy to deployment.
        Proxy input format: {https}://[username:password@]{fqdn|ip}[:port]

    -i
        For interactive installation.

    --key <key>
        Server certificate private key path.

    --no-proxy <URI>
        (Optional) Pass the no proxy to deployment.

    --no-proxy <hostnames>
        (Optional) Hosts that are allowed to bypass the proxy server. For example, localhost,mycompany.com,<ip address>.
        Must be accompanied by --http-proxy and --https-proxy.

    --level <level>
        Controls how certificate revocation check will be performed. Possible values can be leaf (default), chain or disable.

    --path <install_path>
        Install path for Snapshot Manager (default: /cloudpoint).

    --passphrase <file>
        Specifies the path of file that contains the passphrase to access the keystore. The first line in the file is used as passphrase.

    --port <port_number>
        Nginx port for Snapshot Manager (default: 443).

    --primary <IP/FQDN>
        NetBackup primary server IP or FQDN.

    --snapshot-manager <IP/FQDN>
        IP/FQDN/Private hostname of NetBackup Snapshot Manager server.

    --subnet4 <string>
        (Optional) IPv4 subnet in CIDR format.

    --subnet6 <string>
        (Optional) IPv6 subnet in CIDR format.

    --token <token>
        Reissue or standard token. For Snapshot Manager extension it acts as workflow token.
        (Mandatory) For interactive installation.
        (Optional) For Snapshot Manager deployment if NetBackup primary security setting is medium or low.

    --kind <kind>
        Display certificate chain only if chain option is provided. Complete certificate details will be printed if all option is provided (default). Display minimal certificate details if 'basic' option is provided.

  5. Interactive and non interactive installation of NetBackup Snapshot Manager:

    Interactive installation of NetBackup Snapshot Manager (NBCA/ECA)

    • NetBackup Snapshot Manager host is behind a proxy server:

      # flexsnap_configure install -i --no-proxy <no_proxy_value> --http-proxy <http_proxy_value> --https-proxy <https_proxy_value>

    • NetBackup Snapshot Manager/Primary server is configured with private hostname:

      # flexsnap_configure install -i --add-host <nbsm_hostname>:<IP> --add-host <primary_hostname>:<IP>

    • NetBackup Snapshot Manager installation on custom path:

      # flexsnap_configure install -i --path <installation_path>

      Note:

      The flexsnap_configure CLI uses privilege flag implicitly (-u 0).

      The installer displays messages similar to the following for interactive CLI (NBCA):

      # flexsnap_configure install -i
      Please provide NetBackup Primary details:
      NetBackup primary server IP Address or FQDN: <nbu_primary_fqdn>
      Start configuring with NetBackup CA certificate.
      Provide NetBackup authentication token: <security_token>
      NetBackup Snapshot Manager hostname for TLS certificate (64 char FQDN limit): <snapshot_manager_fqdn>
      Port (default:443):
      Configuration started at time: Wed Jan  3 05:33:08 UTC 2024
      Podman server version: 4.2.0
      This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx
      Creating network: flexsnap-network ...done
      Starting container: flexsnap-fluentd ...done
      Creating container: flexsnap-postgresql ...done
      Creating container: flexsnap-rabbitmq ...done
      Creating container: flexsnap-certauth ...done
      Creating container: flexsnap-api-gateway ...done
      Creating container: flexsnap-coordinator ...done
      Creating container: flexsnap-listener ...done
      Creating container: flexsnap-agent ...done
      Creating container: flexsnap-onhostagent ...done
      Creating container: flexsnap-scheduler ...done
      Creating container: flexsnap-policy ...done
      Creating container: flexsnap-notification ...done
      Creating container: flexsnap-nginx ...done
      Waiting for Snapshot Manager configuration to complete (21/21) ...done
      Configuration complete at time Wed Jan  3 05:37:54 UTC 2024!
      Please register Snapshot Manager with NetBackup primary server
      
      

      The installer displays messages similar to the following for interactive CLI under ECA:

      # flexsnap_configure install -i
      Please provide NetBackup Primary details:
      NetBackup primary server IP Address or FQDN: <nbu_primary_fqdn>
      Start configuring external CA certificate.
      Absolute path of the root CA certificate file: <root_ca_file>
      Absolute path of server private key file: <server_key_file>
      Absolute path of server certificate chain: <server_chain_file>
      Absolute path of key passphrase file (Press ENTER if keyfile is non encrypted): <server_passphrase_file>
      Absolute path of CRL directory (Press ENTER for CDP based CRL check): <crl_path>
      CRL check level, Press ENTER for default 1 i.e. LEAF (0: DISABLE, 1: LEAF and 2:CHAIN): <crl_level>
      NetBackup Snapshot Manager hostname for TLS certificate (64 char FQDN limit): <snapshot_manager_fqdn>
      Port (default:443): <snapshot_manager_port>
      Configuration started at time: Tue Jan  2 10:44:07 UTC 2024
      Podman server version: 4.2.0
      This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx
      Creating network: flexsnap-network ...done
      Starting container: flexsnap-fluentd ...done
      Creating container: flexsnap-postgresql ...done
      Creating container: flexsnap-rabbitmq ...done
      Creating container: flexsnap-certauth ...done
      Creating container: flexsnap-api-gateway ...done
      Creating container: flexsnap-coordinator ...done
      Creating container: flexsnap-listener ...done
      Creating container: flexsnap-agent ...done
      Creating container: flexsnap-onhostagent ...done
      Creating container: flexsnap-scheduler ...done
      Creating container: flexsnap-policy ...done
      Creating container: flexsnap-notification ...done
      Creating container: flexsnap-nginx ...done
      Waiting for Snapshot Manager configuration to complete (21/21) ...done
      Configuration complete at time Tue Jan  2 10:49:02 UTC 2024!
      Please register Snapshot Manager with NetBackup primary server

    Non interactive installation of NetBackup Snapshot Manager with NetBackup CA (NBCA)

    • NetBackup primary server security level is MEDIUM or Snapshot Manager hostname is known to primary server:

      # flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn>

    • NetBackup primary server security level is HIGH or VERY HIGH:

      # flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn>

    • NetBackup Snapshot Manager host is behind a proxy server:

      # flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn> --no-proxy <no_proxy_value> --http-proxy <http_proxy_value> --https-proxy <https_proxy_value>

    • NetBackup Snapshot Manager/Primary server is configured with private hostname:

      # flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn> --add-host <nbsm_hostname:IP> --add-host <primary_hostname:IP>

    • NetBackup Snapshot Manager installation on custom path/port:

      # flexsnap_configure install --primary <primary> --token <standard_token> --hostnames <nbsm_ip_or_fqdn> --path <installation_path> --port <port>

      The installer displays messages similar to the following for non-interactive CLI (NBCA):

      # flexsnap_configure install --primary <nbu_primary_fqdn> --token <security_token> --hostnames <snapshot_manager_fqdn>
      Start configuring with NetBackup CA certificate.
      Configuration started at time: Wed Jan  3 05:33:08 UTC 2024
      Podman server version: 4.2.0
      This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx
      Creating network: flexsnap-network ...done
      Starting container: flexsnap-fluentd ...done
      Creating container: flexsnap-postgresql ...done
      Creating container: flexsnap-rabbitmq ...done
      Creating container: flexsnap-certauth ...done
      Creating container: flexsnap-api-gateway ...done
      Creating container: flexsnap-coordinator ...done
      Creating container: flexsnap-listener ...done
      Creating container: flexsnap-agent ...done
      Creating container: flexsnap-onhostagent ...done
      Creating container: flexsnap-scheduler ...done
      Creating container: flexsnap-policy ...done
      Creating container: flexsnap-notification ...done
      Creating container: flexsnap-nginx ...done
      Waiting for Snapshot Manager configuration to complete (21/21) ...done
      Configuration complete at time Wed Jan  3 05:37:54 UTC 2024!
      Please register Snapshot Manager with NetBackup primary server

    Non interactive installation of NetBackup Snapshot Manager with external CA (ECA)

    • Encrypted private key:

      # flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --passphrase <file>

    • Non encrypted private key:

      # flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file>

    • With user provided CRL path/CRL check:

      # flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --crlpath <directory> --crlcheck <level>

    • NetBackup Snapshot Manager host is behind a proxy server:

      # flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --no-proxy <no_proxy_value> --http-proxy <http_proxy_value> --https-proxy <https_proxy_value>

    • NetBackup Snapshot Manager/Primary server is configured with private hostname:

      # flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --add-host <nbsm_hostname:IP> --add-host <primary_hostname:IP>

    • NetBackup Snapshot Manager installation on custom path/port:

      # flexsnap_configure install --primary <primary> --hostnames <nbsm_ip_or_fqdn> --ca <path_of_root_CA> --key <path_of_private_key_file> --chain <server_chain_file> --path <installation_path> --port <port>

      The installer displays messages similar to the following for non-interactive CLI (ECA):

      # flexsnap_configure install --primary <nbu_primary_fqdn>  --hostnames <snapshot_manager_fqdn> --ca <root_ca_file> --key <server_key_file> --chain <server_chain_file> --passphrase <server_passphrase_file> --crlpath <crl_path> --crlcheck <level>
      Start configuring external CA certificate.
      Configuration started at time: Tue Jan  2 11:35:21 UTC 2024
      Podman server version: 4.2.0
      This is a fresh install of NetBackup Snapshot Manager 11.1.x.x-xxxx
      Creating network: flexsnap-network ...done
      Starting container: flexsnap-fluentd ...done
      Creating container: flexsnap-postgresql ...done
      Creating container: flexsnap-rabbitmq ...done
      Creating container: flexsnap-certauth ...done
      Creating container: flexsnap-api-gateway ...done
      Creating container: flexsnap-coordinator ...done
      Creating container: flexsnap-listener ...done
      Creating container: flexsnap-agent ...done
      Creating container: flexsnap-onhostagent ...done
      Creating container: flexsnap-scheduler ...done
      Creating container: flexsnap-policy ...done
      Creating container: flexsnap-notification ...done
      Creating container: flexsnap-nginx ...done
      Waiting for Snapshot Manager configuration to complete (21/21) ...done
      Configuration complete at time Tue Jan  2 11:40:12 UTC 2024!
      Please register Snapshot Manager with NetBackup primary server

    Parameter
        Description

    The following parameters are required only if the instance uses a proxy server:

    <http_proxy_value>
        Represents the value to be used as the HTTP proxy for all connections.
        For example, "http://proxy.mycompany.com:8080/".

    <https_proxy_value>
        Represents the value to be used as the HTTPS proxy for all connections.
        For example, "http://proxy.mycompany.com:8080/".

    <no_proxy_value>
        Represents the addresses that are allowed to bypass the proxy server. You can specify host names, IP addresses, and domain names in this parameter.
        Use commas to separate multiple entries. For example, "localhost,mycompany.com,192.168.0.10:80".

    Note:

    If NetBackup Snapshot Manager is being deployed in the cloud, ensure that you set the following respective values in this parameter:

    • For an AWS instance: 169.254.169.254

    • For a GCP virtual machine: 169.254.169.254,metadata,metadata.google.internal

    • For an Azure virtual machine: 169.254.169.254

    NetBackup Snapshot Manager uses these addresses to gather instance metadata from the instance metadata service.

    Setting the root CA certificate of the SSL based proxy server

    (Applicable only for Azure based VM deployment) The root CA certificate of proxy can be provided after NetBackup Snapshot Manager deployment using the following command:

    flexsnap_configure truststore --ca <Root CA Cert File>

  6. Use the following command to view the container images that are loaded on the host:
    • (For Docker) # sudo docker images

    • (For Podman) # sudo podman images

    The output resembles the following:

    REPOSITORY                    TAG             IMAGE ID       CREATED          SIZE
    veritas/flexsnap-deploy       11.1.x.x-xxxx   5260748d9eab   18 minutes ago   586MB
    veritas/flexsnap-rabbitmq     11.1.x.x-xxxx   cff89dc78a2f   18 minutes ago   546MB
    veritas/flexsnap-postgresql   11.1.x.x-xxxx   0b87fe88cf94   18 minutes ago   537MB
    veritas/flexsnap-nginx        11.1.x.x-xxxx   ee1cf2a3159e   18 minutes ago   649MB
    veritas/flexsnap-fluentd      11.1.x.x-xxxx   a384e3fc4167   19 minutes ago   681MB
    veritas/flexsnap-core         11.1.x.x-xxxx   2393b221bf19   20 minutes ago   916MB
    veritas/flexsnap-datamover    11.1.x.x-xxxx   8254c537bdb4   38 hours ago     1.18GB

  7. Provide the following details when prompted on the command prompt:

    Parameter
        Description

    Authorization token
        If NetBackup Certificate Authority is used, the installer requires an authorization token to successfully deploy security certificates.

    Host name for TLS certificate
        Specify the IP address or the Fully Qualified Domain Name (FQDN) of the NetBackup Snapshot Manager host.
        The specified name or IP address is added to the list of host names to use for configuring NetBackup Snapshot Manager. The installer uses this name to generate a server certificate for the NetBackup Snapshot Manager host.

    Port
        Specify the port through which the NetBackup Snapshot Manager can communicate. Default is port 443.

    The installer then displays messages similar to the following:

    Configuring admin credentials ...done
    Waiting for Snapshot Manager configuration to complete (22/22) ...done
    Configuration complete at time Thu Jun 9 06:15:43 UTC 2022!

    Note:

    After the deployment of NetBackup Snapshot Manager, ensure that the IPv6 interface on the system is not disabled.

  8. This concludes the NetBackup Snapshot Manager deployment process. The next step is to register the NetBackup Snapshot Manager with the Cohesity NetBackup primary server.

    If NetBackup Snapshot Manager is deployed in the cloud, refer to the NetBackup Web UI Cloud Administrator's Guide for instructions.
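
The note on <no_proxy_value> in step 5 lists the instance metadata addresses that must bypass the proxy in each cloud. The following check of a --no-proxy value against that list is an added example, not part of the vendor tooling; the function names and the aws, gcp and azure keywords are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): check a --no-proxy value against the
# instance metadata addresses this guide lists for each cloud.

# Required entries per cloud, taken from the note in step 5.
required_no_proxy() {
    case "$1" in
        aws|azure) echo "169.254.169.254" ;;
        gcp)       echo "169.254.169.254,metadata,metadata.google.internal" ;;
        *)         return 1 ;;
    esac
}

# Print the required entries that are absent from the value (comma separated,
# empty when nothing is missing). Entries are compared whole, so
# "metadata.google.internal" does not satisfy the separate "metadata" entry.
missing_no_proxy() {    # <aws|gcp|azure> <no_proxy_value>
    mnp_req=$(required_no_proxy "$1") || return 2
    mnp_have=",$(printf '%s' "$2" | tr -d ' ' | tr '[:upper:]' '[:lower:]'),"
    mnp_out=""
    for mnp_e in $(printf '%s' "$mnp_req" | tr ',' ' '); do
        case "$mnp_have" in
            *",$mnp_e,"*) ;;
            *) mnp_out="${mnp_out:+$mnp_out,}$mnp_e" ;;
        esac
    done
    printf '%s\n' "$mnp_out"
}

# Print the value with any missing entries appended.
complete_no_proxy() {   # <aws|gcp|azure> <no_proxy_value>
    cnp_missing=$(missing_no_proxy "$1" "$2") || return 2
    if [ -z "$cnp_missing" ]; then
        printf '%s\n' "$2"
    elif [ -z "$2" ]; then
        printf '%s\n' "$cnp_missing"
    else
        printf '%s,%s\n' "$2" "$cnp_missing"
    fi
}
```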

Note:

If you ever need to restart NetBackup Snapshot Manager, use the flexsnap_configure restart command so that your environmental data is preserved.

See Restarting NetBackup Snapshot Manager.

Specifying the CRL path
  • Non-CDP based CRL validation: You can specify the path to the directory containing the revoked certificates of the external CA during installation. The ECA_CRL_PATH parameter is added to the /cloudpoint/openv/netbackup/bp.conf file. The path always points to the /cloudpoint/eca/crl directory, where the certificate revocation lists (CRLs) of the external CA are located.

  • CDP based installation: Snapshot Manager uses CRL Distribution Point (CDP) to verify revocation status of the peer host's certificate.

Note:

The CIL policy for Podman based deployments is automatically loaded and applied on RHEL 8 and 9.
