Securing the connection to NetBackup Snapshot Manager
Supported scenarios:
Primary server and Snapshot Manager must be with ECA or NBCA.
For NBCA and ECA mixed mode continue with ECA mode for NetBackup Snapshot Manager installation.
Unsupported scenario: Primary with NBCA and NetBackup Snapshot Manager with ECA and vice versa.
In the NetBackup Snapshot Manager, you can upload CRLs of the external CA at /cloudpoint/eca/crl file. The uploaded CRL does not work, if the crl directory is not present or is empty.
For data mover container, add /cloudpoint/eca/crl path against the ECA_CRL_PATH parameter in the /cloudpoint/openv/netbackup/bp.conf file.
Following three parameters are tuneable, you can add the entry under eca section in the /cloudpoint/flexsnap.conf file.
Table: ECA parameters
Parameter | Default | Value | Remarks |
|---|---|---|---|
eca_crl_check | 0 (Disable) | 0 (disable) 1 (leaf) 2 (chain) | Certificate check level. Used to control the CRL/OCSP validation level for NetBackup Snapshot Manager host connecting to On-prem/cloud workloads.
|
eca_crl_refresh_ hours | 24 | Numerical value between 0 and 4830 | Time interval in hours to update the NetBackup Snapshot Manager CRLs cache from CA through the certificate CDP URL. Option is not applicable if |
eca_crl_path_sync_ hours | 1 | Numerical value between 1 and 720 | Time interval in hours to update the NetBackup Snapshot Manager CRL cache from |
For more information, refer to the following sections of the NetBackup™ Security and Encryption Guide.
About the host ID-based certificate revocation list
When an authorization token is required during certificate deployment
Note:
Cache is not validated if any of ECA tuneable are added or modified manually inside the /cloudpoint/flexsnap.conf file.
For detailed information on NetBackup CA and certificates, refer to the "NetBackup CA and NetBackup certificates" chapter of NetBackup™ Security and Encryption Guide.
The following table provides the regeneration steps to be performed for revoking the certificates in Snapshot Manager:
Use case | Commands |
|---|---|
| CA migration |
|
Post revoke certificate regeneration for NBCA | # flexsnap_configure renew --token <reissue-token> Generating new NetBackup Host-ID certificate... Snapshot Manager certificate is renewed. |
Post revoke certificate regeneration for ECA | # flexsnap_configure renew --ca /eca2/trusted/cacerts.pem --key /eca2/private/key.pem --chain /eca2/cert_chain.pem Enrolling external CA certificates with NetBackup... Snapshot Manager certificate is renewed. |
Post migration regenerate certificates for ECA/NBCA | # flexsnap_configure renew --hostnames new-nbsm.veritas.com --token <authentication-token> Generating new NetBackup Host-ID certificate... Snapshot Manager certificate is renewed. Please run 'flexsnap_configure renew --internal --hostnames <nbsm_fqdn> to renew Snapshot Manager's internal CA and certificates. |
Certificate regeneration for extension | # flexsnap_configure renew --extension --primary <nbsm_fqdn> --token <extension_token> |
Certificate rotation | # flexsnap_configure renew --force Generating new NetBackup Host-ID certificate... Snapshot Manager certificate is renewed. |
Internal flexsnap CA certificate in case of migration, Disaster Recovery scenarios | # flexsnap_configure renew --internal --hostnames <nbsm_fqdn> Renewed Flexsnap CA ... skip Renewed rabbitmq certificate ... done Renewed postgresql certificate ... done Renewed listener certificate ... done Renewed workflow certificate ... done Renewed scheduler certificate ... done Renewed agent certificate ... done Renewed client certificate ... done Renewed certmaster certificate ... done Renewed agent certificate ... done Renewed notification certificate ... done Renewed client certificate ... done Renewed client certificate ... done Renewed mongodb certificate ... done Renewed coordinator certificate ... done Renewed config certificate ... done Renewed idm certificate ... done Renewed agent certificate ... done Renewed client certificate ... done Renewed policy certificate ... done Snapshot Manager's CA and certificates are renewed. Restart the Snapshot Manager stack using 'flexsnap_configure restart' to take effect. |
You need to rotate the passphrase manually for BYO and Cloud scale deployments.
For BYO deployments, stop the NetBackup Snapshot Manager, and use the flexsnap_configure command with the following options:
flexsnap_configure renew --rotate-passphrase
When prompted, press y to give consent.
This operation performs the rotation of the passphrase that encrypts the private key of the host ID-based certificates.
For Cloud scale deployments, use the flexsnap_configure, with these options:
kubctl exec -it <certauth pod> -n <namespace> flexsnap-config renew --rotate-passphrase
Restart the NetBackup Snapshot Manager.
Note:
Private keys generated for ECA can be or cannot be encrypted. It depends on user to provide encrypted private key at the time of installation.