Configuring FortKnox for NetBackup Azure and Azure Government using the CLI

Use the following procedure to configure FortKnox for NetBackup for Azure and Azure Government using the CLI.

Table: Steps for configuring FortKnox for Azure and Azure Government with the CLI

Steps	Task	Instructions
Step 1	Retrieve credentials.	Retrieve FortKnox credentials from your Cohesity NetBackup account manager.
Step 2	Add credentials using the Credential management option.	Log into NetBackup web UI and perform the following: On the left, click Credential management. On the Named credentials tab, click Add and provide the following properties: Credential name The Credential name must use alphanumeric characters with hyphens or underscores and cannot contain spaces or illegal characters. Tag Description Click Next. In the drop-down, select FortKnox. Click FortKnox Azure. Add the Storage account and Refresh token. Select or add a role that can access this credential. Review the information and click Finish.
Step 3	Create an MSDP storage server.	See Configuring media server deduplication in NetBackup.
Step 4	Create a cloud instance alias.	Use the following examples depending on your environment: Creating an FortKnox Azure cloud instance alias: /usr/openv/netbackup/bin/admincmd/csconfig cldinstance -as -in FortKnox-Azure -sts `<storage server>` -lsu_name `<lsu name>` Creating an FortKnox Azure Cold Vault cloud instance alias: /usr/openv/netbackup/bin/admincmd/csconfig cldinstance -as -in FortKnox-Azure -sts `<storage server>` -lsu_name `<lsu name>` -storage_tier FortKnox-Azure-Cold-Vault -post_rehydration_period 3 The cloud alias name is `<storage server>_<lsu name>`, and is used to create a bucket.
Step 5	(Optional) Create a new bucket.	Create a new bucket if needed. /usr/openv/netbackup/bin/nbcldutil -createbucket -storage_server `<storage server>_<lsu name>` -username `<cloud user>` -bucket_name `<bucket name>`
Step 6	Create a configuration file, then run nbdevconfig command.	Configuration file content for adding a new cloud LSU (configuration setting and description): V7.5 `"operation" "add-lsu-cloud"` string - Specifies the value `"add-lsu-cloud"` for adding a new cloud LSU. V7.5 `"lsuName" " "` string - Specifies the LSU name. V7.5 `"cmsCredName" " "` string - Specifies the Credential name created using credential management. V7.5 `"lsuCloudBucketName" " "` string - Specifies the cloud bucket name. V7.5 `"lsuCloudBucketSubName" " "` string - Multiple cloud LSUs can use the same cloud bucket. This value distinguishes different cloud LSUs. V7.5 `"lsuEncryption" " "` string - Optional value and the default is `NO`. Sets the encryption property for the current LSU. V7.5 `"lsuKmsEnable" " "` string - Optional value and the default is `NO`. Enables KMS for the current LSU. V7.5 `"lsuKmsKeyGroupName" " "` string - Optional value. Key group name is shared among all LSUs. Key group name must have valid characters: `A-Z, a-z, 0-9, _ (underscore), - (hyphen), : (colon), . (period), and space`. V7.5 `"lsuKmsServerName" " "` string - Optional value. KMS server name is shared among all LSUs. V7.5 `"lsuKmsServerType" " "` string - Optional value. Example of a configuration file with encryption disabled: V7.5 "operation" "add-lsu-cloud" string V7.5 "lsuName" "nbrvltazure1" string V7.5 "cmsCredName" "RVLT-creds" string V7.5 "lsuCloudBucketName" "bucket1" string V7.5 "lsuCloudBucketSubName" "sub1" string Example of a configuration file with encryption enabled: V7.5 "operation" "add-lsu-cloud" string V7.5 "lsuName" "nbrvltazure2" string V7.5 "cmsCredName" "RVLT-creds" string V7.5 "lsuCloudBucketName" "bucket1" string V7.5 "lsuCloudBucketSubName" "sub2" string V7.5 "lsuEncryption" "YES" string V7.5 "lsuKmsEnable" "YES" string V7.5 "lsuKmsKeyGroupName" "test" string V7.5 "lsuKmsServerName" "test" string Note: All encrypted LSUs in one storage server must use the same `keygroupname` and `kmsservername`. If you use the nbdevconfig command to add a new encrypted cloud LSU and one exists in this MSDP, the `keygroupname` must be the same as the `keygroupname` in the previous encrypted LSU. After you create the configuration file, run the nbdevconfig command: /usr/openv/netbackup/bin/admincmd/nbdevconfig -setconfig -storage_server `<storage server>` -stype PureDisk -configlist `<configuration file path>` Note: The parameter `<storage server>` must be the same as the parameter `<storage server>` in Step 4.
Step 7	Create disk pool.	Create disk pool by running the nbdevconfig command. The following are examples of using the nbdevconfig command: Example 1: /usr/openv/netbackup/bin/admincmd/nbdevconfig -previewdv -storage_servers `<storage server name>` -stype PureDisk \| grep `<LSU name>` > /tmp/dvlist Example 2: /usr/openv/netbackup/bin/admincmd/nbdevconfig -createdp -dp `<disk pool name>` -stype PureDisk -dvlist /tmp/dvlist -storage_servers `<storage server name>` Note: You can also create the disk pool from the NetBackup web UI or NetBackup Administration Console.
Step 8	Create storage unit.	Create storage unit by using bpstuadd command. The following are examples of using the bpstuadd command: /usr/openv/netbackup/bin/admincmd/bpstuadd -label `<storage unit name>` -odo 0 -dt 6 -dp `<disk pool name>` -nodevhost Note: You can also create the storage server from the NetBackup web UI or NetBackup Administration Console.

Note:

If an update to the refresh token for an existing storage account is needed, you must edit the credentials that are associated with the storage account. Use the web UI and update the refresh token within Credential management.

You cannot have multiple credentials for the same storage account. Credentials must be unique to the storage account. If you do not have unique credentials, you can encounter issues such as the disk volume going down or backup and restore failures to that disk volume.

About csconfig cldinstance changes for FortKnox for Azure and Azure Government

The csconfig cldinstance command displays the Need Token Renew flag that retrieves alias information (Yes/No). When Yes, FortKnox expects the storage account and refresh token credentials instead of storage account and access key.

The cloud instance has an option to disable (0) or enable (1) the need token renew (-ntr) option which has a default value of yes (1) for FortKnox-Azure and FortKnox-Azure-Gov.

Example usage of csconfig cldinstance with -ntr:

csconfig cldinstance -us -in <instance name> -sts <alias name> -ntr <0,1>

Note:

When you add the cloud LSU on a back-level media server using the CLI, the -ntr option must be set to No (0). You must set the option to No because older versions of the media server don't have support for token based credentials. When you use a NetBackup storage server version 10.2 or newer, the cloud alias instance must have the -ntr option set to Yes. The setting cannot be set to No.

About nbcldutil changes for FortKnox for Azure and Azure Government

The nbcldutil command has new inputs for the -createbucket and -validatecreds options when you configure FortKnox for Azure and Azure Government.

Example usage:

nbcldutil -createbucket storage_server storage-server-name_lsu-name 
-username rvlt-creds -bucket_name sl-bucket-cli

Instead of putting the storage account name for -username, use the name of the credentials created using Credential Management. Also, when prompted for a password, provide a dummy input because no password is needed.

About msdpcldutil changes for FortKnox for Azure and Azure Government

To use this utility, you must create a credential name using the NetBackup web UI and also create a cloud alias using the csconfig command similar to the following example:

/usr/openv/netbackup/bin/admincmd/csconfig cldinstance 
-as -in FortKnox-Azure -sts <storage_server_name> 
-stype PureDisk -lsu_name test1

Successfully added storage server(s): <storage_server_name>_test1

Added the --enable_sas option to use for FortKnox Azure. Additionally, if the --enable _sas option is used you must export the following environment variables:

MSDPC_MASTER_SERVER - This option is name of the NetBackup primary server.
MSDPC_ALIAS - This option is the cloud alias created using csconfig.
MSDPC_ACCESS_KEY - A credential name and MSDPC_SECRET_KEY is a dummy string.

Example output:

export MSDPC_PROVIDER=vazure
export MSDPC_REGION="East US"
export MSDPC_ENDPOINT="https://<storage-account>.blob.core.windows.net/"
export MSDPC_ACCESS_KEY=<credential name>
export MSDPC_SECRET_KEY="dummy<any non-null string>
export MSDPC_MASTER_SERVER=<primary server>
export MSDPC_ALIAS=<storage_server_name>_test1

/usr/openv/pdde/pdcr/bin/msdpcldutil create -b rv-worm1 
-v dv-worm --mode ENTERPRISE --min 1D --max 3D --enable_sas

Alternatively, you can provide an access token that you receive from Cohesity to create the WORM bucket or volume. This option is not recommended because the media server must connect to the Recovery Vault web server and Cohesity has to provide the Recovery Vault web server URI.

MSDPC_RVLT_API_URI - A new environment parameter for use when Cohesity provides a different endpoint.
MSDPC_ACCESS_TOKEN - An access token which is part of the credentials that Cohesity provides.

MSDPC_CMS_CRED_NAME - The credential name provided for storing the credentials.

Example output

export MSDPC_CMS_CRED_NAME=your_cms_credential_name
export MSDPC_ALIAS=your_alias_name
export MSDPC_REGION=your_region
export MSDPC_PROVIDER=vazure
export MSDPC_ENDPOINT="https://your_storage_account.blob.core.windows.net/"
export MSDPC_MASTER_SERVER=<primary server>

Configuring FortKnox for NetBackup Azure and Azure Government using the CLI

Feedback

Feedback