How NetBackup CA-signed certificates (or host ID-based certificates) are deployed during installation
The following diagram illustrates how NetBackup CA-signed certificates are deployed on hosts during installation:
NetBackup certificate deployment occurs in the following order:
A NetBackup certificate is automatically deployed on the NetBackup primary server during installation. The primary server is the NetBackup CA.
A NetBackup certificate is deployed on Host 1 during installation after confirming the CA fingerprint that is made available by the installation wizard or the script.
An authorization token is not required because the certificate deployment security level on the primary server is set to High and Host 1 is known to the primary server.
Note:
A fingerprint is used to authenticate the CA of the primary server before it is added to the trust store of a host. The primary server administrator communicates the CA fingerprint to the host administrators by email or file, or publishes it on a website.
Note:
An authorization token is used as a mechanism to authorize a host's certificate request that is sent to the NetBackup primary server. An authorization token is confidential and only the primary server administrator can create it. The primary server administrator then passes it on to the administrator of the host where you want to deploy a certificate. A reissue token is a special authorization token that is used to redeploy a certificate on a host to which a certificate was previously issued.
If you continued with the NetBackup installation without confirming the primary server fingerprint, you need to carry out manual steps before backups and restores can occur.
A NetBackup certificate is deployed on Host 2 during installation after the primary server fingerprint is confirmed. An authorization token is required, because the certificate deployment security level on the primary server is set to High and Host 2 is not known to the primary server.
For all hosts, the private key that backs the host ID-based certificate is stored encrypted on disk.
The private key of the NetBackup certificate is stored in encrypted form using AES_256_CBC encryption. The password used to encrypt the private keys is held in file storage and is itself encrypted using AES_256_GCM encryption.
NetBackup form factors such as NetBackup Appliance, NetBackup Flex, NetBackup Flex Scale and NetBackup Scale Out likewise store the private key of the host ID-based certificate encrypted on disk. ITA Data Collector 11.4.03 adds support for reading these encrypted private keys. If the collection method is set to the Data Collector installed on NetBackup Primary Server option, the ITA Data Collector must be 11.4.03 or later for data collection from a NetBackup 10.4.1 primary server to succeed.
Older versions of ITA Data Collector can still collect data if the collection method uses SSH or WMI to communicate with the NetBackup primary server.