About MSDP FIPS compliance
The Federal Information Processing Standards (FIPS) define U.S. and Canadian Government security and interoperability requirements for computer systems. The FIPS 140-2 standard specifies the security requirements for cryptographic modules. It describes the approved security functions for symmetric and asymmetric key encryption, message authentication, and hashing.
For more information about the FIPS 140-2 standard and its validation program, see the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) Cryptographic Module Validation Program website at https://csrc.nist.gov/projects/cryptographic-module-validation-program.
The NetBackup MSDP is now FIPS validated and can be operated in FIPS mode.
Note:
You must run FIPS mode on a new installation of NetBackup 8.1.1. You can only enable OCSD FIPS on NetBackup 10.0 and newer versions.
Ensure that you configure the storage server before you enable the MSDP FIPS mode.
Caution:
Enabling MSDP FIPS mode might affect the NetBackup performance on a server with the Solaris operating system.
Enable the FIPS mode for MSDP by running the following commands:
For UNIX:
/usr/openv/pdde/pdag/scripts/set_fips_mode.sh 1
For Windows:
<install_path>\Veritas\pdde\set_fips_mode.bat 1
Restart the NetBackup service on the server and the client.
For UNIX:
/usr/openv/netbackup/bin/bp.kill_all
/usr/openv/netbackup/bin/bp.start_all
For Windows:
<install_path>\NetBackup\bin\bpdown
<install_path>\NetBackup\bin\bpup
Enable the FIPS mode for MSDP or OpenCloudStorageDaemon (OCSD) by performing the following:
Use the existing tool to enable or disable OCSD FIPS. Using this method changes the entire MSDP FIPS configuration.
For Windows:
<install_path>\Veritas\pdde\set_fips_mode.bat 1
For UNIX:
/usr/openv/pdde/pdag/scripts/set_fips_mode.sh 1
In NetBackup, OCSD FIPS is disabled by default. Enable or disable OCSD FIPS by changing the OpenCloudStorageDaemon/FIPS setting in /etc/pdregistry.cfg.
Restart the NetBackup services on the server and the client for these changes to take effect:
For Windows:
<install_path>\NetBackup\bin\bpdown
<install_path>\NetBackup\bin\bpup
For UNIX:
/usr/openv/netbackup/bin/bp.kill_all
/usr/openv/netbackup/bin/bp.start_all
Warning:
For security reasons, the recommendation is that you do not disable the MSDP FIPS mode once it has been enabled.
To get the status of the MSDP FIPS mode, enter the following commands:
For UNIX:
/usr/openv/pdde/pdcr/bin/crcontrol --getmode
For Windows:
<install_path>\Veritas\pdde\crcontrol.exe --getmode
Other things to note:
FIPS must be enabled on all the NetBackup components to establish a connection. When the FIPS mode is not enabled, communication can occur between the NetBackup clients and the servers that have earlier, supported NetBackup versions.