NetBackup™ Web UI Administrator's Guide

About NetBackup certificate deployment security levels

Security levels for certificate deployment are specific to NetBackup CA-signed certificates. If the NetBackup web server is not configured to use NetBackup certificates for secure communication, the security levels cannot be accessed.

The NetBackup certificate deployment level determines the checks that are performed before the NetBackup CA issues a certificate to a NetBackup host. It also determines how frequently the NetBackup Certificate Revocation List (CRL) is refreshed on the host.

NetBackup certificates are deployed on hosts during installation (after the host administrator confirms the primary server fingerprint) or with the nbcertcmd command. Choose a deployment level that corresponds to the security requirements of your NetBackup environment.

Note:

During NetBackup certificate deployment on a NAT client, you must provide an authorization token irrespective of the certificate deployment security level that is set on the primary server. This is because the primary server cannot resolve the host name to the IP address from which the request is sent.

For more information about NAT support in NetBackup, refer to the NetBackup Administrator's Guide, Volume I.

Table: Description of NetBackup certificate deployment security levels

Security level: Very High

Description: An authorization token is required for every new NetBackup certificate request.

CRL refresh: The CRL that is present on the host is refreshed every hour.

Security level: High (default)

Description: No authorization token is required if the host is known to the primary server. A host is considered to be known to the primary server if the host can be found in the following entities:

  1. The host is listed for any of the following options in the NetBackup configuration file (Windows registry or the bp.conf file on UNIX):

    • APP_PROXY_SERVER

    • DISK_CLIENT

    • ENTERPRISE_VAULT_REDIRECT_ALLOWED

    • MEDIA_SERVER

    • NDMP_CLIENT

    • SERVER

    • SPS_REDIRECT_ALLOWED

    • TRUSTED_MASTER

    • VM_PROXY_SERVER

    • MSDP_SERVER

    For more details on the NetBackup configuration options, refer to the NetBackup Administrator's Guide, Volume I.

  2. The host is listed as a client name in the altnames file (ALTNAMESDB_PATH).

  3. The host appears in the EMM database of the primary server.

  4. At least one catalog image of the client exists. The image must not be older than 6 months.

  5. The client is listed in at least one backup policy.

  6. The client is a legacy client. This is a client that was added using the Client Attributes host properties.

CRL refresh: The CRL that is present on the host is refreshed every 4 hours.

Security level: Medium

Description: The certificates are issued without an authorization token if the primary server can resolve the host name to the IP address from which the request originated.

CRL refresh: The CRL that is present on the host is refreshed every 8 hours.
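The following Python example is added here for review purposes and is not NetBackup code or part of the original guide. It reads bp.conf text, lists the hosts that count as known through criterion 1 of the High level, and applies the token rules from the table. Assumptions: entries use one `OPTION = host` per line, the Windows registry and criteria 2 to 6 are not evaluated, a request that does not meet a level's stated condition is treated as requiring a token, and all function names and sample hosts are constructed.

```python
import re

# Options from the table whose entries make a host "known" at the High level.
KNOWN_HOST_OPTIONS = {
    "APP_PROXY_SERVER", "DISK_CLIENT", "ENTERPRISE_VAULT_REDIRECT_ALLOWED",
    "MEDIA_SERVER", "NDMP_CLIENT", "SERVER", "SPS_REDIRECT_ALLOWED",
    "TRUSTED_MASTER", "VM_PROXY_SERVER", "MSDP_SERVER",
}
# CRL refresh interval per level, in hours, as stated in the table.
CRL_REFRESH_HOURS = {"very high": 1, "high": 4, "medium": 8}

def hosts_known_from_config(bp_conf_text):
    """Return {host: set of options naming it} for criterion 1 only."""
    known = {}
    for line in bp_conf_text.splitlines():
        # Assumed entry format: OPTION = host (first value token is the host).
        m = re.match(r"\s*([A-Z_]+)\s*=\s*(\S+)", line)
        if m and m.group(1) in KNOWN_HOST_OPTIONS:
            known.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return known

def token_required(level, host, known_hosts, *, nat_client=False,
                   name_resolves_to_source_ip=False):
    """Apply the table's rules; callers supply facts this script cannot see."""
    level = level.strip().lower()
    if level not in CRL_REFRESH_HOURS:
        raise ValueError(f"unknown security level: {level!r}")
    # NAT clients always need a token; Very High requires one for every request.
    if nat_client or level == "very high":
        return True
    if level == "high":
        # Assumption: a host that is not known must present a token.
        return host.lower() not in known_hosts
    # Medium: no token only if the name resolves to the requesting IP.
    return not name_resolves_to_source_ip

# Constructed sample input, not taken from a real primary server.
SAMPLE_BP_CONF = """\
SERVER = primary.example.com
SERVER = media01.example.com
MEDIA_SERVER = media01.example.com
CLIENT_NAME = primary.example.com
TRUSTED_MASTER = dr-primary.example.com
"""

if __name__ == "__main__":
    known = hosts_known_from_config(SAMPLE_BP_CONF)
    for host, options in sorted(known.items()):
        print(f"{host}: no token needed at High (listed under {sorted(options)})")
```

Every host the script prints can obtain a certificate at the High level without a token, so stale entries under these options are worth removing.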
