About the certificate to use to add a trusted primary server
A source or a target primary server may use NetBackup CA-signed certificates (host ID-based certificates) or external CA-signed certificates.
For more information on NetBackup host ID-based certificates and external CA support, refer to the NetBackup Security and Encryption Guide.
To establish trust between source and target primary servers, NetBackup verifies the following:

| Verification | Details |
|---|---|
| Can the source primary server establish trust using an external CA-signed certificate? | If the external CA configuration options - ECA_CERT_PATH, ECA_PRIVATE_KEY_PATH, and ECA_TRUST_STORE_PATH - are defined in the NetBackup configuration file of the source primary server, it can establish the trust using an external certificate. In the case of the Windows certificate trust store, only the option ECA_CERT_PATH is defined. |
| Which certificate authorities (CA) does the target primary server support? | The target primary server may support external CA, NetBackup CA, or both. See View the Certificate authority for secure communication. |

The following table lists the CA support scenarios and the certificate to use to establish trust between the source and the target primary servers. The instructions assume that you use the NetBackup web UI for the configuration.
Table: Certificate to use for the trust setup

| Can the source primary server use an external certificate? | Which CA does the target primary server use? | Certificate to use for the trust setup |
|---|---|---|
| Yes. The source primary server can use the NetBackup CA and an external CA for communication with a remote primary server. | External CA | External CA |
| Yes | NetBackup CA | NetBackup CA |
| Yes | External CA and NetBackup CA | NetBackup prompts you to select the CA that you want to use for trust setup. |
| No. The source primary server can only use the NetBackup CA for communication with a remote primary server. | External CA | No trust is established. |
| No | NetBackup CA | NetBackup CA |
| No | External CA and NetBackup CA | NetBackup CA |
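
The check and the table above can be run as a pre-flight test before adding a trusted primary server. The following is an added example, not NetBackup code: the function names, the `windows_cert_store` flag, the `KEY = value` file layout, and the sample paths are assumptions made for illustration.

```python
# Added example: pre-flight check mirroring the trust-setup table above.
REQUIRED_ECA_OPTIONS = ("ECA_CERT_PATH", "ECA_PRIVATE_KEY_PATH", "ECA_TRUST_STORE_PATH")

def parse_config(text):
    """Parse 'KEY = value' lines (assumed layout); skip blanks and # comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value.strip():  # an option with an empty value counts as undefined
            options[key.strip().upper()] = value.strip()
    return options

def missing_eca_options(options, windows_cert_store=False):
    """List the external CA options that are still undefined on the source.
    With the Windows certificate store, only ECA_CERT_PATH is expected."""
    required = REQUIRED_ECA_OPTIONS[:1] if windows_cert_store else REQUIRED_ECA_OPTIONS
    return [name for name in required if name not in options]

def certificate_for_trust(options, target_cas, windows_cert_store=False):
    """target_cas: the CAs the target supports, a subset of {'external', 'netbackup'}."""
    target_cas = set(target_cas)
    if not target_cas or not target_cas <= {"external", "netbackup"}:
        raise ValueError("target_cas must be a non-empty subset of {'external', 'netbackup'}")
    source_external = not missing_eca_options(options, windows_cert_store)
    if target_cas == {"external"}:
        return "External CA" if source_external else "No trust is established"
    if target_cas == {"netbackup"}:
        return "NetBackup CA"
    # Target supports both CAs: the source is prompted only if it can use an external CA.
    return "Prompt to select the CA" if source_external else "NetBackup CA"

# Constructed sample: ECA_TRUST_STORE_PATH was left out on the source.
SAMPLE_PARTIAL = """
# constructed sample, not a real configuration
ECA_CERT_PATH = /eca/cert_chain.pem
ECA_PRIVATE_KEY_PATH = /eca/private/key.pem
"""

if __name__ == "__main__":
    opts = parse_config(SAMPLE_PARTIAL)
    print("missing:", missing_eca_options(opts))
    print("external-only target:", certificate_for_trust(opts, {"external"}))
```

A partially configured source is treated as NetBackup CA only, so against a target that supports only an external CA the result is that no trust is established.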