About secure communication in NetBackup
NetBackup 8.1 and later hosts can communicate with each other only in a secure mode. NetBackup 8.1 hosts must have a Certificate Authority (CA) certificate and a host ID-based certificate for successful communication. NetBackup uses Transport Layer Security (TLS) protocol for host communication where each host needs to present its security certificate and validate the peer host's certificate against the Certificate Authority (CA) certificate.
All control communication (the control channel) between NetBackup hosts is secured using Transport Layer Security (TLS) protocol version 1.2 and X.509 certificates. NetBackup uses control communication to initiate, control, and monitor backup, archive, and restore operations.
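The mutual validation that the two paragraphs above describe, as an added example that is not NetBackup code: two in-process hosts, a "client" and a "media server", each hold a certificate issued by a demo CA and run a TLS 1.2 handshake in which the media server requires the peer's certificate and validates it against the CA certificate, while the client validates the media server's certificate the same way. It then shows the two failure modes the page implies: a peer whose certificate comes from a CA the hosts do not trust, and a peer with no host certificate at all. The CA, the host names (media-server.example, client1.example), the helper functions and the loopback listener are all constructed for the demo; NetBackup's actual host ID-based certificates, ports and services are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts the demo on an unrecoverable setup error (no entropy, no loopback).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a certificate plus key for cn: a self-signed CA when parent is nil,
// otherwise a host certificate signed by parent. Demo-only helper; real hosts receive
// their certificates from the NetBackup CA, not from in-process key generation.
func issue(cn string, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature // peers match the host name against the SAN
		// A host both initiates and accepts connections, so one certificate carries both usages.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS 1.2 handshake over loopback TCP: the "media server" side requires a
// client certificate that chains to trust, and the "client" side verifies the server certificate
// against the same CA pool. It returns the negotiated version, or what each side reported.
func handshake(server, client *tls.Certificate, trust *x509.CertPool) (uint16, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // never let the demo hang
		srvErr <- tls.Server(conn, &tls.Config{
			MinVersion:   tls.VersionTLS12,
			MaxVersion:   tls.VersionTLS12, // pinned: the page describes TLS 1.2 control channels
			Certificates: []tls.Certificate{*server},
			ClientAuth:   tls.RequireAndVerifyClientCert, // the peer must present a certificate...
			ClientCAs:    trust,                          // ...that validates against the CA certificate
		}).Handshake()
	}()
	// ServerName must match the SAN in the media server's host certificate.
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trust, ServerName: "media-server.example"}
	if client != nil {
		// Always present our certificate when asked, even if its issuer is not one the peer
		// lists as acceptable, so that the peer's own validation is what accepts or rejects it.
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return client, nil }
	}
	raw := must(net.Dial("tcp", ln.Addr().String()))
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, cfg)
	cErr := c.Handshake()
	if sErr := <-srvErr; cErr != nil || sErr != nil {
		return 0, fmt.Errorf("client: %v; server: %v", cErr, sErr)
	}
	return c.ConnectionState().Version, nil
}

// RunScenarios builds a demo CA and host certificates in memory and runs three handshakes:
// both hosts certified by the same CA, the client certified by an unrelated CA, and the
// client presenting no certificate. All names are constructed for the demo.
func RunScenarios() (version uint16, sameCA, rogueCA, noCert error) {
	ca := issue("NetBackup CA (demo)", nil)
	trust := x509.NewCertPool() // the CA certificate that every host holds
	trust.AddCert(ca.Leaf)
	media := issue("media-server.example", ca)
	client := issue("client1.example", ca)
	impostor := issue("client1.example", issue("Unrelated CA (demo)", nil)) // same name, wrong issuer
	version, sameCA = handshake(media, client, trust)
	_, rogueCA = handshake(media, impostor, trust)
	_, noCert = handshake(media, nil, trust)
	return
}

func main() { fmt.Println(RunScenarios()) }
```

Running it prints the negotiated version for the first scenario (771, that is 0x0303, TLS 1.2) followed by nil, then the two rejections with both sides' view: for the untrusted issuer the media server reports a certificate signed by an unknown authority and the client sees the resulting bad_certificate alert; for the missing certificate the media server reports that the client did not provide one. Go normally withholds a client certificate whose issuer the server does not list as acceptable, which would turn the untrusted-CA case into the no-certificate case, so the example forces the certificate to be sent and lets the server-side validation reject it.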
Data communication consists of the data that is backed up using NetBackup. Security policies require backup administrators to ensure that the channel over which NetBackup clients send metadata and data to NetBackup servers is secure. In NetBackup 10.0 and later, backup images and metadata are encrypted in transit by secure communications. This feature is referred to as Data Channel Encryption or Data In-Transit Encryption (DTE).
The following channels are classified as data channels:
Tar stream (client to media server): The channel over which the tar or data stream flows between the client and the media server. During a backup, the media server receives the data from the client and sends it to storage (for example, through an OST plug-in). The direction is reversed during a restore.
Tar stream (media server to media server): This channel is used during duplication.
Catalog Info (client to media server): The channel over which catalog information and control commands flow between the client and the media server. The amount of data transmitted over this channel is proportional to the number of files and directories in the backup. The media server forwards the catalog information that it receives from the client to the primary server.
Catalog Info (media server to primary server): The channel over which catalog information flows from the media server to the primary server.
Secure communication settings are available in Settings > Global security.
See Adding host ID to host name mappings.
See About global security settings.
See About secure communication settings.
See About disaster recovery settings.
Two commands, nbhostmgmt and nbhostidentity, along with enhancements to nbcertcmd and nbseccmd, provide options to manage certificate deployment and other security settings.