Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ Deduplication Guide
  5. Configuring deduplication
  7. Configuring MSDP replication to a different NetBackup domain
  9. About the certificate to be used for adding a trusted master server
Veritas NetBackup™ Deduplication Guide

About the certificate to be used for adding a trusted master server

Source or target master servers may use NetBackup CA-signed certificates (host ID-based certificates) or external CA-signed certificates.

For more information on NetBackup host ID-based certificates and external CA support, refer to the NetBackup Security and Encryption Guide.

To establish trust between source and target master servers, NetBackup verifies the following:

Can the source master server establish trust using external CA-signed certificate?

If the external CA configuration options - ECA_CERT_PATH, ECA_PRIVATE_KEY_PATH, and ECA_TRUST_STORE_PATH - are defined in the NetBackup configuration file of the source master server, it can establish the trust using an external certificate.

In case of Windows certificate trust store, only ECA_CERT_PATH is defined.

For more information on the configuration options, refer to the NetBackup Administrator's Guide, Volume I.

Which certificate authorities (CA) does the target master server support?

The target master server may support external CA, NetBackup CA, or both. The following settings show the CA usage information of the master server:

  • In the NetBackup Administration Console - NetBackup Management > Security Management > Global Security Settings

  • In the NetBackup web user interface - Security > Global Security Settings > Secure Communication.

The following table lists CA support scenarios and certificate to be used to establish trust between the source and the target master servers.

Table: Certificate to be used for trust setup

Source master server capability to use external certificate

CA usage of the target master server

Certificate to be used for trust setup

Yes

The source master server can use NetBackup CA and external CA for communication with a remote master server

External CA

External CA

See Adding a trusted master server using external CA-signed certificate.

NetBackup CA

NetBackup CA

See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate.

External CA and NetBackup CA

NetBackup prompts to select the CA that you want to use for trust setup

  • If you choose to use external CA, do the following:

    See Adding a trusted master server using external CA-signed certificate.

  • If you choose to use NetBackup CA, do the following:

    See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate.

No

The source master server can use only NetBackup CA for communication with a remote maser server

External CA

No trust is established

NetBackup CA

NetBackup CA

See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate.

External CA and NetBackup CA

NetBackup CA

See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate.

Feedback

Was this page helpful?
Previous

About trusted master servers for Auto Image Replication

Next

Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate

Feedback

Was this page helpful?