Certificate revocation lists for CyberArk server
Certificate revocation list (CRL) for an external certificate authority (CA) contains a list of digital certificates that the external CA has revoked before the scheduled expiration date and should no longer be trusted. NetBackup supports PEM and DER formats for CRLs for external CA. CRL's for all CRL issuers or external CA's are stored in the NetBackup CRL cache that resides on each host. During secure communication, NetBackup host verifies the revocation status of the peer host's external certificate with the CRL that is available in the NetBackup CRL cache, based on the CRL check level configuration option. For external CMS server, NetBackup supports CDP based server certificates.
NetBackup downloads the CRLs from the URLs that are specified in the peer host certificate's CDP and caches them in the NetBackup CRL cache.
To use CRL's from CDP:
Ensure that the host can access the URLs that are specified in the peer host's CDP.
Ensure that the configuration option is set to a value other than .
By default, CRLs are downloaded from the CDP after every 24 hours and updated in the CRL cache. To change the time interval, set the configuration option to a different value. To manually delete the CRL's from the CRL cache, run the nbcertcmd -cleanupCRLCache command. The NetBackup CRL cache contains only the latest copy of a CRL for each CA (including root and intermediate CAs). The bpclntcmd -crl_download service updates the CRL cache during host communication in the following scenarios irrespective of the time interval set for the options:
When CRLs in the CRL cache are expired.
If CRLs are available in the CRL source, but they are missing from the CRL cache.
For details of , refer to ECA_CRL_REFRESH_HOURS for NetBackup servers and clients section from NetBackup Security and Encryption Guide.
Note:
By default, the flag is enabled (set to true). If this flag is enabled, the certificate deployed on the external CMS server must have Common Name or Subject Alternative Name that matches the host name of the external CMS server. Else, the connection to the external CMS server fails. For more information, see the ECMS_HOSTS_SECURE_CONNECT_ENABLED section in NetBackup™ Administrator's Guide, Volume I.