Configuring FortKnox for NetBackup Amazon and Amazon Government using the CLI

Use the following procedure to configure FortKnox for NetBackup for Amazon and Amazon Government using the CLI.

Table: Steps for configuring FortKnox for Amazon and Amazon Government with the CLI

Steps	Task	Instructions
Step 1	Retrieve credentials.	Retrieve FortKnox credentials from your Cohesity NetBackup account manager.
Step 2	Add credentials using the Credential management option.	Log into NetBackup web UI and perform the following: On the left, click Credential management. On the Named credentials tab, click Add and provide the following properties: Credential name The Credential name must use alphanumeric characters with hyphens or underscores and cannot contain spaces or illegal characters. Tag Description Click Next. In the drop-down, select FortKnox. Click FortKnox Amazon. Add the Refresh token. Select or add a role that can access this credential. Review the information and click Finish.
Step 3	Create an MSDP storage server.	See Configuring media server deduplication in NetBackup.
Step 4	Create a cloud instance alias.	Use the following examples depending on your environment: Creating an FortKnox Amazon cloud instance alias: /usr/openv/netbackup/bin/admincmd/csconfig cldinstance -as -in FortKnox-Amazon -sts `<storage server>` -lsu_name `<lsu name>` The cloud alias name is `<storage server>_<lsu name>`, and is used to create a bucket.
Step 6	Create a configuration file, then run nbdevconfig command.	Configuration file content for adding a new cloud LSU (configuration setting and description): V7.5 `"operation" "add-lsu-cloud"` string - Specifies the value `"add-lsu-cloud"` for adding a new cloud LSU. V7.5 `"lsuName" " "` string - Specifies the LSU name. V7.5 `"cmsCredName" " "` string - Specifies the Credential name created using credential management. V7.5 `"lsuCloudBucketName" " "` string - Specifies the cloud bucket name. V7.5 `"lsuCloudBucketSubName" " "` string - Multiple cloud LSUs can use the same cloud bucket. This value distinguishes different cloud LSUs. V7.5 `"lsuEncryption" " "` string - Optional value and the default is `NO`. Sets the encryption property for the current LSU. V7.5 `"lsuKmsEnable" " "` string - Optional value and the default is `NO`. Enables KMS for the current LSU. V7.5 `"lsuKmsKeyGroupName" " "` string - Optional value. Key group name is shared among all LSUs. Key group name must have valid characters: `A-Z, a-z, 0-9, _ (underscore), - (hyphen), : (colon), . (period), and space`. V7.5 `"lsuKmsServerName" " "` string - Optional value. KMS server name is shared among all LSUs. V7.5 `"lsuKmsServerType" " "` string - Optional value. For an example of a configuration file with encryption disabled, refer to the Azure section. See Configuring FortKnox for NetBackup Azure and Azure Government using the CLI. Note: All encrypted LSUs in one storage server must use the same `keygroupname` and `kmsservername`. If you use the nbdevconfig command to add a new encrypted cloud LSU and one exists in this MSDP, the `keygroupname` must be the same as the `keygroupname` in the previous encrypted LSU. After you create the configuration file, run the nbdevconfig command: /usr/openv/netbackup/bin/admincmd/nbdevconfig -setconfig -storage_server `<storage server>` -stype PureDisk -configlist `<configuration file path>` Note: The parameter `<storage server>` must be the same as the parameter `<storage server>` in Step 4.
Step 7	Create disk pool.	Create disk pool by running the nbdevconfig command. The following are examples of using the nbdevconfig command: Example 1: /usr/openv/netbackup/bin/admincmd/nbdevconfig -previewdv -storage_servers `<storage server name>` -stype PureDisk \| grep `<LSU name>` > /tmp/dvlist Example 2: /usr/openv/netbackup/bin/admincmd/nbdevconfig -createdp -dp `<disk pool name>` -stype PureDisk -dvlist /tmp/dvlist -storage_servers `<storage server name>` Note: You can also create the disk pool from the NetBackup web UI or NetBackup Administration Console.
Step 8	Create storage unit.	Create storage unit by using bpstuadd command. The following are examples of using the bpstuadd command: /usr/openv/netbackup/bin/admincmd/bpstuadd -label `<storage unit name>` -odo 0 -dt 6 -dp `<disk pool name>` -nodevhost Note: You can also create the storage server from the NetBackup web UI or NetBackup Administration Console.

Note:

Use the web UI and update the refresh token within Credential management.

About csconfig cldinstance changes for FortKnox for Amazon and Amazon Government

The csconfig cldinstance command displays the Need Token Renew flag that retrieves alias information (Yes/No). When Yes, the FortKnox expects the storage account and refresh token credentials instead of storage account and access key.

The cloud instance has an option to disable (0) or enable (1) the need token renew (-ntr) option which has a default value of yes (1) for FortKnox-Amazon and FortKnox-Amazon-Gov.

Example usage of csconfig cldinstance with -ntr:

csconfig cldinstance -us -in <instance name> -sts <alias name> -ntr <0,1>

Note:

When you add the cloud LSU on a back-level media server using the CLI, the -ntr option must be set to No (0). You must set the option to No because older versions of the media server don't have support for token based credentials. When you use a NetBackup storage server version 10.3.1 or newer, the cloud alias instance must have the -ntr option set to Yes. The setting cannot be set to No.

About nbcldutil changes for FortKnox for Amazon and Amazon Government

Starting with NetBackup 10.3.1, the nbcldutil command does not support -validatecreds options when you configure FortKnox for Amazon and Amazon Government.

About msdpcldutil changes for FortKnox for Amazon and Amazon Government

To use this utility, you must create a credential name using the NetBackup web UI and also create a cloud alias using the csconfig command similar to the following example:

/usr/openv/netbackup/bin/admincmd/csconfig cldinstance 
-as -in FortKnox-Amazon -sts <storage_server_name> 
-stype PureDisk -lsu_name test1

Successfully added storage server(s): <storage_server_name>_test1

Added the --enable_sts option to use for FortKnox Amazon. Additionally, if the --enable _sts option is used you must export the following environment variables:

MSDPC_MASTER_SERVER - This option is name of the NetBackup primary server.
MSDPC_ALIAS - This option is the cloud alias created using csconfig.
MSDPC_ACCESS_KEY - A credential name and MSDPC_SECRET_KEY is a dummy string.
In addition to access key and secret key, NetBackup supports the MSDPC_CMS_CRED_NAME variable.
MSDPC_CMS_CRED_NAME - This is a credential name.

Example output

export MSDPC_PROVIDER=vamazon
export MSDPC_REGION="us-east-1"
export MSDPC_CMS_CRED_NAME=<credential name>
export MSDPC_MASTER_SERVER=<primary server>
export MSDPC_ALIAS=<storage_server_name>_testnew

/usr/openv/pdde/pdcr/bin/msdpcldutil create -b rv-worm1 
-v dv-worm --mode GOVERNANCE --min 1D --max 3D --enable_sts

Alternatively, you can provide an access token that you receive from Cohesity to create the WORM bucket or volume. This option is not recommended because the media server must connect to the Recovery Vault web server and Cohesity has to provide the Recovery Vault web server URI.

MSDPC_RVLT_API_URI - A new environment parameter for use when Cohesity provides a different endpoint.
MSDPC_ACCESS_TOKEN - An access token which is part of the credentials that Cohesity provides.

Configuring FortKnox for NetBackup Amazon and Amazon Government using the CLI

Feedback

Feedback