Upgrading KMS for MSDP
Before you upgrade KMS encryption from a NetBackup version earlier than 8.1.1, complete the following steps. During the NetBackup upgrade, the KMS rolling conversion runs along with the MSDP encryption rolling conversion.
For NetBackup versions earlier than 8.1.1, the supported NetBackup upgrade paths are:
NetBackup 8.0 to 8.1.1 or later
NetBackup 8.1 to 8.1.1 or later
For additional information, refer to the Configuring KMS section in the NetBackup Security and Encryption Guide.
Before you upgrade KMS, complete the following steps:
Note:
The following steps are not supported on Solaris OS. For Solaris, refer to the following article:
- Create an empty database using the following command:
For UNIX:
/usr/openv/netbackup/bin/nbkms -createemptydb
For Windows:
<install_path>\Veritas\NetBackup\bin\nbkms.exe -createemptydb
Enter the following parameters when you receive a prompt:
Enter the HMK passphrase
Enter a password that you want to set as the host master key (HMK) passphrase. Press Enter to use a randomly generated HMK passphrase. The passphrase is not displayed on the screen.
Enter HMK ID
Enter a unique ID to associate with the host master key. This ID helps you to determine an HMK associated with any key store.
Enter KPK passphrase
Enter a password that you want to set as the key protection key (KPK) passphrase. Press Enter to use a randomly generated KPK passphrase. The passphrase is not displayed on the screen.
Enter KPK ID
Enter a unique ID to associate with the key protection key. This ID helps you to determine a KPK associated with any key store.
After the operation completes successfully, run the following command on the primary server to start KMS:
For UNIX:
/usr/openv/netbackup/bin/nbkms
For Windows:
sc start "NetBackup Key Management Service"
- Create a key group and an active key by entering the following commands:
For UNIX:
/usr/openv/netbackup/bin/admincmd/nbkmsutil -createkg -kgname msdp
/usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname msdp -keyname name -activate
For Windows:
<install_path>\Veritas\NetBackup\bin\admincmd\nbkmsutil.exe -createkg -kgname msdp
<install_path>\Veritas\NetBackup\bin\admincmd\nbkmsutil.exe -createkey -kgname msdp -keyname name -activate
Enter a password that you want to set as the key passphrase.
- Create a kms.cfg configuration file at the following location on the NetBackup media server where you have configured the MSDP storage:
On UNIX:
/usr/openv/pdde/kms.cfg
On Windows:
<install_path>\Veritas\pdde\kms.cfg
Add the following content to the kms.cfg file:
[KMSOptions]
KMSEnable=true
KMSKeyGroupName=YourKMSKeyGroupName
KMSServerName=YourKMSServerName
KMSType=0
For KMSServerName, enter the host name of the server where the KMS service runs, typically the primary server host name.
After completing the steps, you can upgrade MSDP.
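A check of the kms.cfg file to run before starting the MSDP upgrade, as an added example that is not part of the NetBackup documentation: it reads the [KMSOptions] section and rejects a disabled setting, a wrong KMSType, or a leftover YourKMS... placeholder. The function names kms_cfg_get and check_kms_cfg are hypothetical; the file path is passed as an argument.

```shell
#!/bin/sh
# Added example: verify an MSDP kms.cfg before the upgrade.
# kms_cfg_get and check_kms_cfg are hypothetical helper names.

# Print the value of KEY (arg 2) from the [KMSOptions] section of FILE (arg 1).
kms_cfg_get() {
    awk -v key="$2" '
        { sub(/\r$/, "") }    # tolerate CRLF line endings from Windows editors
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[KMSOptions\][ \t]*$/); next }
        insec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 when FILE carries the settings the procedure requires;
# otherwise report each problem on stderr and return 1.
check_kms_cfg() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    [ "$(kms_cfg_get "$cfg" KMSEnable)" = "true" ] || { echo "KMSEnable is not true" >&2; rc=1; }
    [ "$(kms_cfg_get "$cfg" KMSType)" = "0" ] || { echo "KMSType is not 0" >&2; rc=1; }
    for key in KMSKeyGroupName KMSServerName; do
        val=$(kms_cfg_get "$cfg" "$key")
        case $val in
            ""|Your*) echo "$key is unset or still a placeholder" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_kms_cfg.sh /usr/openv/pdde/kms.cfg
if [ $# -gt 0 ]; then
    check_kms_cfg "$1"
fi
```

The check only inspects the file; it does not contact the KMS server or confirm that the named key group exists.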