Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. NetBackup™ Web UI Administrator's Guide
  5. Section VII. Configuring replication
  7. About NetBackup replication
  9. About NetBackup Auto Image Replication
  11. About trusted primary servers for Auto Image Replication
NetBackup™ Web UI Administrator's Guide

About trusted primary servers for Auto Image Replication

NetBackup provides the ability to establish a trust relationship between replication domains. A trust relationship is optional for the Media Server Deduplication Pool as a target storage. Before you configure a storage server as a target storage, establish a trust relationship between the source A.I.R. and the target A.I.R operations.

The following items describe how a trust relationship affects Auto Image Replication:

No trust relationship

NetBackup replicates to all defined target storage servers. You cannot select a specific host or hosts as a target.

Trust relationship

You can select a subset of your trusted domains as a target for replication. NetBackup then replicates to the specified domains only rather than to all configured replication targets. This type of Auto Image Replication is known as targeted A.I.R.

About adding a trusted primary server using NetBackup CA-signed certificate

With targeted A.I.R., when trust is established between the source and the remote target server, you need to establish trust in both the domains.

  1. In the source primary server, add the target primary server as a trusted server.

  2. In the target primary server, add the source primary server as a trusted server.

Note:

The NetBackup web UI does not support adding a trusted primary server using an external CA-signed certificate.

See Add a trusted primary server.

See About the certificate to use to add a trusted primary server.

The following diagram illustrates the different tasks for adding trusted primary servers when NetBackup CA-signed certificate (or host ID-based certificate) is used to establish trust between the source and the target primary servers.

Figure: Tasks to establish a trust relationship between primary servers for targeted A.I.R. using NetBackup CA-signed certificate

Tasks to establish a trust relationship between primary servers for targeted A.I.R. using NetBackup CA-signed certificate

Table: Tasks to establish a trust relationship between primary servers for targeted A.I.R.

Step

Task

Procedure

Step 1

Administrators of both the source and the target primary servers must obtain each other's CA certificate fingerprint and authorization tokens or the user credentials. This activity must be performed offline.

Note:

It is recommended to use an authentication token to connect to the remote primary server. An authentication token provides restricted access and allows secure communication between both the hosts. The use of user credentials (user name and password) may present a possible security breach.

To obtain the authorization tokens, use the bpnbat command to log on and nbcertcmd to get the authorization tokens.

To obtain the SHA1 fingerprint of root certificate, use the nbcertcmd -displayCACertDetail command.

To perform this task, see the NetBackup Commands Reference Guide.

Note:

When you run the commands, keep the target as the remote server.

Step 2

Establish trust between the source and the target domains.

  • On the source primary server, add the target primary server as trusted server.

  • On the target primary server, add the source primary server as trusted server.

To perform this task in the NetBackup web UI, see the following topic:

See Add a trusted primary server.

To perform this task using the nbseccmd, see the NetBackup Commands Reference Guide.

Step 3

After you have added the source and target trusted servers, they have each other's host ID-based certificates. The certificates are used during each communication.

Primary Server A has a certificate that Primary Server B issued and vice versa. Before communication can occur, Primary Server A presents the certificate that Primary Server B issued and vice versa. The communication between the source and the target primary servers is now secured.

To understand the use of host ID-based certificates, see the NetBackup Security and Encryption Guide.

Step 3.1

Configure the source media server to get the security certificates and the host ID certificates from the target primary server.

 

Step 4

Create an import storage lifecycle policy in the target domain.

Note:

The import storage lifecycle policy name should contain less than or equal to 112 characters.

See About storage lifecycle policies.

Step 5

On the source MSDP server, add the credentials of the target storage server.

 

Step 5.1

Create a replication storage lifecycle policy in the source domain using the specific target primary server and storage lifecycle policy.

The backups that are generated in one NetBackup domain can be replicated to storage in one or more target NetBackup domains.

See About storage lifecycle policies.

Step 6

The backups that are generated in one NetBackup domain can be replicated to storage in one or more target NetBackup domains. This process is referred to as Auto Image Replication.

See About NetBackup Auto Image Replication.

Feedback

Was this page helpful?
Previous

Sample volume properties output for OpenStorage backup replication

Next

About the storage lifecycle policies required for Auto Image Replication

Feedback

Was this page helpful?