Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager for Cloud installation and configuration
  4. NetBackup Snapshot Manager for Cloud security
  5. Configuring the cloud connector for Azure Stack
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

Configuring the cloud connector for Azure Stack

The cloud connector component connects to the workloads through a secure mechanism. You need to perform the following configurations.

SSL peer and host validations

By default, peer and host validations are enabled. You can disable peer and host validations only for Azure Stack.

To disable peer and host validation, set the parameter VIRTUALIZATION_HOSTS_SECURE_CONNECT_ENABLED=NO in the /cloudpoint/openv/netbackup/bp.conf file in the NetBackup Snapshot Manager. You must use HTTPS protocol, even after you disable peer and host validation.

For cloud workloads, the public root certificates are a part of the container image. NetBackup maintains the cacert.pem file which has root certificates of public cloud, at the following location:

/usr/openv/var/global/wmc/cloud/cacert.pem

For Azure Stack, you must specify the file path of the root certificates using the ECA_TRUST_STORE_PATH parameter in the /cloudpoint/openv/netbackup/bp.conf file in the NetBackup Snapshot Manager. The value of ECA_TRUST_STORE_PATH must be in the /cloudpoint/eca/trusted/cacerts.pem file.

Configuring CRL validations

From release 10.1 onwards NetBackup Snapshot Manager will be treated as NetBackup entity while communicating with NetBackup. Certificate Revocation List (CRL) check is enabled by default while communication happens between NetBackup entities.

  • ECA_CRL_CHECK: This flag is used while communicating between two NetBackup entities. By default CRL check is enabled for ECA_CRL_CHECK flag. In case NetBackup Snapshot Manager machines certificate revoked then communication between NetBackup and NetBackup Snapshot Manager will fail with the following error:

    "The Snapshot Manager's certificate is not valid or doesn't exist.(9866)"

  • VIRTUALIZATION_CRL_CHECK: Before 10.1 NetBackup Snapshot Manager was considered as workload while communication happens with NetBackup. Value of VIRTUALIZATION_CRL_CHECK flag is used for CRL check whenever communication happens between NetBackup and workload. By default CRL check is disabled for VIRTUALIZATION_CRL_CHECK flag.

    Note:

    If NetBackup is upgraded from version 9.1 to 10.4 or later, then user can delete the VIRTUALIZATION_CRL_CHECK flag which was enabled for CRL check between NetBackup and NetBackup Snapshot Manager.

Feedback

Was this page helpful?
Previous

Configuring security for Azure Stack

Next

CA configuration for Azure Stack

Feedback

Was this page helpful?