Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Veritas NetBackup™ Security and Encryption Guide
  3. Security management in NetBackup
  4. About host ID-based certificates
  5. About NetBackup certificate deployment security levels
Veritas NetBackup™ Security and Encryption Guide

About NetBackup certificate deployment security levels

The NetBackup certificate deployment level determines the checks that are performed before the NetBackup CA issues a certificate to a NetBackup host. It also determines how frequently the NetBackup Certificate Revocation List (CRL) is refreshed on the host.

Certificates are deployed on hosts during installation (after the host administrator confirms the master server fingerprint) or with the nbcertcmd command. Choose a deployment level that corresponds with the security requirements of your NetBackup environment.

Table: Description of NetBackup certificate deployment security levels

Security level

Description

CRL refresh

Very High

An authorization token is required for every new NetBackup certificate request.

See Creating authorization tokens.

The CRL that is present on the host is refreshed after every one hour.

See About the host ID-based certificate revocation list.

High (default)

No authorization token is required if the host is known to the master server. A host is considered to be known to the master server if the host can be found in the following entities:

  1. The host is listed for any of the following options in the NetBackup configuration file (Windows registry or the bp.conf file on UNIX):

    • APP_PROXY_SERVER

    • DISK_CLIENT

    • ENTERPRISE_VAULT_REDIRECT_ALLOWED

    • MEDIA_SERVER

    • NDMP_CLIENT

    • SERVER

    • SPS_REDIRECT_ALLOWED

    • TRUSTED_MASTER

    • VM_PROXY_SERVER

    For more details on the NetBackup configuration options, refer to the NetBackup Administrator's Guide, Volume I.

  2. The host is listed as a client name in the altnames file (ALTNAMESDB_PATH).

  3. The host appears in the EMM database of the master server.

  4. At least one catalog image of the client exists. The image must not be older than 6 months.

  5. The client is listed in at least one backup policy.

  6. The client is a legacy client. This is a client that was added using the Client Attributes host properties.

See Creating authorization tokens.

The CRL that is present on the host is refreshed after every 4 hours.

Medium

The certificates are issued without an authorization token if the master server can resolve the host name to the IP address from which the request was originated.

The CRL that is present on the host is refreshed after every 8 hours.

Feedback

Was this page helpful?
Previous

Viewing host ID-based certificate details

Next

Configuring the certificate deployment security levels

Feedback

Was this page helpful?