Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Web UI Administrator's Guide
  5. Section IX. Managing security
  7. Configuring authentication options
  9. Configure NetBackup for single sign-on (SSO)
  11. Configure the SAML KeyStore
NetBackup™ Web UI Administrator's Guide

Configure the SAML KeyStore

To establish a trust between the NetBackup primary server and the IDP server, you must configure an SAML KeyStore on the NetBackup primary server. Depending on whether you are using the NetBackup CA or an external certificate authority (ECA), refer to either of the following sections:

Note:

If you are using a combination of an ECA and NetBackup CA in your environment, by default, the ECA is considered while establishing trust with the IDP server.

Note:

The SAML KeyStore configuration using batch files, such as configureCerts.bat, configureCerts, configureSAMLECACert.bat, configureSAMLECACertand their corresponding options is deprecated.

Configure a NetBackup CA KeyStore

If you are using the NetBackup CA, create the NetBackup CA KeyStore on the NetBackup primary server.

To create a NetBackup CA KeyStore

  1. Log on to the NetBackup primary server as root or administrator.
  2. Run the following command:

    nbidpcmd -cCert -M master_server -f

    -f is optional. Use the option for the forceful update.

Once the NetBackup CA KeyStore is created, ensure that you update the NetBackup CA KeyStore every time the NetBackup CA certificate is renewed.

To renew the NetBackup CA KeyStore

  1. Log on to the NetBackup primary server as root or administrator.
  2. Run the following command:

    nbidpcmd -rCert -M master_server

  3. Download the new SP metadata XML file from the NetBackup primary server by entering the following URL in your browser:

    https://primaryserver/netbackup/sso/saml2/metadata

    Where primaryserver is the IP address or host name of the NetBackup primary server.

  4. Upload the new SP metadata XML file to the IDP.

    See Enroll the NetBackup primary server with the IDP.

To remove the NetBackup CA KeyStore

  1. Log on to the NetBackup primary server as root or administrator.
  2. Run the following command

    nbidpcmd -dCert -M master_server

  3. Download the new SP metadata XML file from the NetBackup primary server by entering the following URL in your browser:

    https://primaryserver/netbackup/sso/saml2/metadata

    Where primaryserver is the IP address or host name of the NetBackup primary server.

  4. Upload the new SP metadata XML file to the IDP.
  5. See Enroll the NetBackup primary server with the IDP.
Configure an ECA KeyStore

If you are using an ECA, import the ECA KeyStore to the NetBackup primary server.

Note:

If you are using a combination of an ECA and the NetBackup CA in your environment, by default, the ECA is considered while establishing trust with the IDP server. To use the NetBackup CA, you must first remove the ECA KeyStore.

To configure an ECA KeyStore

  1. Log on to the primary server as root or administrator.
  2. Depending on whether you want to configure SAML ECA keystore using the configured NetBackup ECA KeyStore or you want to provide the ECA certificate chain and private key, run the following commands:

    • Run the following command to use NetBackup ECA configured KeyStore:

      nbidpcmd -cECACert -uECA existing ECA configuration [-f] [-M primary_server]

    • Run the following command to use ECA certificate chain and private key provided by the user:

      nbidpcmd -cECACert -certPEM certificate chain file -privKeyPath private key file [-ksPassPath Keystore Passkey File] [-f] [-M <master_server>]

    • Certificate chain file specifies the certificate chain file path. The file must be in PEM format and must be accessible to the primary server on which the configuration is being performed.

    • Private key file specifies the private key file path. The file must be in PEM format and must be accessible to the primary server on which the configuration is being performed.

    • KeyStore passkey file specifies the KeyStore password file path and must be accessible to the primary server on which the configuration is being performed.

    • Primary server is the host name or IP address of primary server on which you want to perform SAML ECA KeyStore configuration. The NetBackup primary server where you run the command is selected by default.

To remove the ECA KeyStore

  1. Log on to the primary server as root or administrator.
  2. Download the new SP metadata XML file from the NetBackup primary server by entering the following URL in your browser:

    https://primaryserver/netbackup/sso/saml2/metadata

    Where primaryserver is the IP address or host name of the NetBackup primary server.

  3. Upload the new SP metadata XML file to the IDP.

    See Enroll the NetBackup primary server with the IDP.

Feedback

Was this page helpful?
Previous

Configure NetBackup for single sign-on (SSO)

Next

Configure the SAML keystore and add and enable the IDP configuration

Feedback

Was this page helpful?