Verify storage array certificate
NetBackup version 10.3.0.1 and later lets you verify the storage array certificate for any communication between NetBackup Snapshot Manager for Data Center and the storage array. For successful verification, the root certificate of the storage array must be maintained in the trust store of NetBackup Snapshot Manager for Data Center.
You must manually download the storage array certificate and add it to the NetBackup Snapshot Manager for Data Center trust store. Once the certificate is added to the trust store; during the plug-in configuration or plug-in update operations, select the Verify Certificate option to enable certificate verification.
To add and list certificates to the NetBackup Snapshot Manager for Data Center trust store:
- Sign on to the host NetBackup Snapshot Manager for Data Center .
- Using the mechanism provided by the storage array, download the root certificate of the storage array.
- Run this command to add a certificate to NetBackup Snapshot Manager for Data Center:
flexsnap_configure truststore --ca <PATH TO STORAGE ARRAY CERT>
- Run this command to list the certificates added in the truststore:
flexsnap_configure truststore
Here is an example configuration:
root@r7515-112v26:/root/Downloads# flexsnap_configure truststore --ca dspure09.pem CN=dspure09,O=Pure Storage,L=Default City,ST=MN,C=US ... done root@r7515-112v26:/root/Downloads# flexsnap_configure truststore CN=VeritasStorageArrayRootCA,O=Veritas,OU=NetBackup ... ok CN=r7515-088v01.<domainName>.com,O=Isilon,ST=Some-State,C=AU ... ok CN=StorageArrayRootCA,O=Veritas,OU=NetBackup ... ok CN=dspure09,O=Pure Storage,L=Default City,ST=MN,C=US ... ok
To add storage array certificates using the tpconfig utility
- Run the command:
modify_plugin -snapshot_manager
- Run the command:
add_plugin --snapshot_manager
In the tpconfig utility, enter true or false manually for the option Enter Verify Certificate, depending on whether the certificate needs to be verified or not.
In the web UI, use the option in the Plug-in configuration page or the Edit credentials dialog.
By default, the Verify Certificate feature is inactive for the existing plug-ins after a NetBackup Snapshot Manager for Data Center upgrade. To enable this option for the existing plug-ins, you must add the root certificate to the NetBackup Snapshot Manager for Data Center trust store after the upgrade.
The Verify Certificate feature is not supported for Qumulo and NetApp storage arrays if configured using ZAPI.