About trusted primary servers for Auto Image Replication
NetBackup provides the ability to establish a trust relationship between replication domains. A trust relationship is optional for the Media Server Deduplication Pool as a target storage. Before you configure a storage server as a target storage, establish a trust relationship between the source A.I.R. and the target A.I.R operations.
The following items describe how a trust relationship affects Auto Image Replication:
No trust relationship | NetBackup replicates to all defined target storage servers. You cannot select a specific host or hosts as a target. |
Trust relationship | You can select a subset of your trusted domains as a target for replication. NetBackup then replicates to the specified domains only rather than to all configured replication targets. This type of Auto Image Replication is known as targeted A.I.R. |
With targeted A.I.R., when trust is established between the source and the remote target server, you need to establish trust in both the domains.
In the source primary server, add the target primary server as a trusted server.
In the target primary server, add the source primary server as a trusted server.
Note:
The does not support adding a trusted primary server using an external CA-signed certificate.
See Add a trusted primary server.
See About the certificate to use to add a trusted primary server.
The following diagram illustrates the different tasks for adding trusted primary servers when NetBackup CA-signed certificate (or host ID-based certificate) is used to establish trust between the source and the target primary servers.
Figure: Tasks to establish a trust relationship between primary servers for targeted A.I.R. using NetBackup CA-signed certificate
Table: Tasks to establish a trust relationship between primary servers for targeted A.I.R.
Step | Task | Procedure |
|---|---|---|
Step 1 | Administrators of both the source and the target primary servers must obtain each other's CA certificate fingerprint and authorization tokens or the user credentials. This activity must be performed offline. Note: It is recommended to use an authentication token to connect to the remote primary server. An authentication token provides restricted access and allows secure communication between both the hosts. The use of user credentials (user name and password) may present a possible security breach. | To obtain the authorization tokens, use the bpnbat command to log on and nbcertcmd to get the authorization tokens. To obtain the SHA1 fingerprint of root certificate, use the nbcertcmd -displayCACertDetail command. To perform this task, see the NetBackup Commands Reference Guide. Note: When you run the commands, keep the target as the remote server. |
Step 2 | Establish trust between the source and the target domains.
| To perform this task in the NetBackup web UI, see the following topic: See Add a trusted primary server. To perform this task using the nbseccmd, see the NetBackup Commands Reference Guide. |
Step 3 | After you have added the source and target trusted servers, they have each other's host ID-based certificates. The certificates are used during each communication. Primary Server A has a certificate that Primary Server B issued and vice versa. Before communication can occur, Primary Server A presents the certificate that Primary Server B issued and vice versa. The communication between the source and the target primary servers is now secured. | To understand the use of host ID-based certificates, see the NetBackup Security and Encryption Guide. |
Step 3.1 | Configure the source media server to get the security certificates and the host ID certificates from the target primary server. | |
Step 4 | Create an import storage lifecycle policy in the target domain. Note: The import storage lifecycle policy name should contain less than or equal to 112 characters. | |
| Step 5 | On the source MSDP server, add the credentials of the target storage server. | |
Step 5.1 | Create a replication storage lifecycle policy in the source domain using the specific target primary server and storage lifecycle policy. The backups that are generated in one NetBackup domain can be replicated to storage in one or more target NetBackup domains. | |
Step 6 | The backups that are generated in one NetBackup domain can be replicated to storage in one or more target NetBackup domains. This process is referred to as Auto Image Replication. |