Migrating the KMS vendor
Best practice is to perform KMS vendor migration during a maintenance window.
To migrate the KMS vendor
- List the current KMS service to determine the KMS service priority.
/usr/openv/netbackup/bin/nbkmscmd -listKMSConfig
- Update the priority of the current KMS service to a value greater than 0.
/usr/openv/netbackup/bin/nbkmscmd -updateKMSConfig -name configuration_name [-server primary_server_name] [-priority priority_of_KMS_server]
- Set up the new KMS service with the same key group name the current KMS service is using.
- Create an active KMS key in the new KMS service.
- Configure the new KMS service in NetBackup with a priority of 0.
- Verify that NetBackup reports both KMS services on the primary server.
/usr/openv/netbackup/bin/nbkmscmd -listKMSConfig
- Update the priority of the new KMS service to a value greater than the priority that is set on the previous KMS service.
/usr/openv/netbackup/bin/nbkmscmd -updateKMSConfig -name configuration_name [-server primary_server_name] [-priority priority_of_KMS_server]
- Start the KMS vendor migration process in MSDP.
/usr/openv/pdde/pdcr/bin/crcontrol --migratekmsprovider
- Use the kek_tag_reporting tool to verify that the kms_key_tag in the most recent entry matches the "Key ID" that nbkmscmd reports for the active key in the new KMS service.
/usr/openv/pdde/pdcr/bin/kek_tag_reporting.py -r
/usr/openv/netbackup/bin/nbkmscmd -listKeys -name nbkms
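Added example, not part of the NetBackup documentation or tooling: a small Python check for the final verification step, run over saved output of the two commands above. The field layout (`name: value` pairs, blank-line-separated key records, a `State` field, newest report entry printed last) and the sample text with placeholder IDs are assumptions constructed for illustration; adjust the patterns to what the tools actually print.

```python
import re
import sys

# Assumed layout (not taken from the product): "name: value" or "name=value"
# fields, key records separated by blank lines, newest report entry printed last.
TAG_RE = re.compile(r"kms_key_tag\s*[:=]\s*(\S+)")
KEY_ID_RE = re.compile(r"Key ID\s*[:=]\s*(\S+)")
STATE_ACTIVE_RE = re.compile(r"State\s*[:=]\s*Active\b", re.IGNORECASE)

# Constructed sample text with placeholder IDs, for illustration only.
SAMPLE_REPORT = "kms_key_tag: EXAMPLE-OLD-KEY-ID\nkms_key_tag: EXAMPLE-NEW-KEY-ID\n"
SAMPLE_KEYS = ("Key ID: EXAMPLE-RETIRED-KEY-ID\nState: Deactivated\n\n"
               "Key ID: EXAMPLE-NEW-KEY-ID\nState: Active\n")

def latest_kms_key_tag(report_text):
    """kms_key_tag of the last entry in the report, or None if there is none."""
    tags = TAG_RE.findall(report_text)
    return tags[-1] if tags else None

def active_key_ids(list_keys_text):
    """Key IDs of every record whose State field is Active."""
    ids = []
    for record in re.split(r"\n\s*\n", list_keys_text.strip()):
        key_id = KEY_ID_RE.search(record)
        if key_id and STATE_ACTIVE_RE.search(record):
            ids.append(key_id.group(1))
    return ids

def verify_migration(report_text, list_keys_text):
    """Return (ok, message) for the final check of the migration procedure."""
    tag = latest_kms_key_tag(report_text)
    active = active_key_ids(list_keys_text)
    if tag is None:
        return False, "no kms_key_tag entry found in the report"
    if len(active) != 1:
        return False, f"expected one active key, found {len(active)}"
    if tag != active[0]:
        return False, f"latest kms_key_tag {tag} is not the active Key ID {active[0]}"
    return True, f"latest kms_key_tag matches the active Key ID {tag}"

if __name__ == "__main__":
    # Usage: <script> <saved kek_tag_reporting output> <saved nbkmscmd -listKeys output>
    if len(sys.argv) == 3:
        texts = [open(p).read() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_REPORT, SAMPLE_KEYS]
    ok, message = verify_migration(*texts)
    print(message)
    sys.exit(0 if ok else 1)
```

A non-zero exit status means the most recent kms_key_tag does not match the active key, so the migration should not be treated as complete.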