About the certificate to be used for adding a trusted master server
Source or target master servers may use NetBackup CA-signed certificates (host ID-based certificates) or external CA-signed certificates.
For more information on NetBackup host ID-based certificates and external CA support, refer to the NetBackup Security and Encryption Guide.
To establish trust between source and target master servers, NetBackup verifies the following:
| Can the source master server establish trust using an external CA-signed certificate? | If the external CA configuration options (ECA_CERT_PATH, ECA_PRIVATE_KEY_PATH, and ECA_TRUST_STORE_PATH) are defined in the NetBackup configuration file of the source master server, it can establish the trust using an external certificate. In the case of the Windows certificate trust store, only ECA_CERT_PATH is defined. For more information on the configuration options, refer to the NetBackup Administrator's Guide, Volume I. |
| Which certificate authorities (CA) does the target master server support? | The target master server may support external CA, NetBackup CA, or both. The following settings show the CA usage information of the master server: |
The following table lists the CA support scenarios and the certificate to be used to establish trust between the source and the target master servers.
Table: Certificate to be used for trust setup
| Source master server capability to use external certificate | CA usage of the target master server | Certificate to be used for trust setup |
|---|---|---|
| Yes. The source master server can use NetBackup CA and external CA for communication with a remote master server | External CA | External CA. See Adding a trusted master server using external CA-signed certificate. |
| Yes | NetBackup CA | NetBackup CA. See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate. |
| Yes | External CA and NetBackup CA | NetBackup prompts to select the CA that you want to use for trust setup |
| No. The source master server can use only NetBackup CA for communication with a remote master server | External CA | No trust is established |
| No | NetBackup CA | NetBackup CA. See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate. |
| No | External CA and NetBackup CA | NetBackup CA. See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate. |
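
A pre-flight check that applies the two verifications and the table above, as an added example (not NetBackup code). It assumes the configuration file holds `KEY = value` lines; the function names, the `windows_cert_store` flag, and the sample paths are hypothetical.

```python
# Added example: option names come from the page; everything else is assumed.
ECA_OPTIONS = ("ECA_CERT_PATH", "ECA_PRIVATE_KEY_PATH", "ECA_TRUST_STORE_PATH")

def parse_config(text):
    """Parse 'KEY = value' lines (assumed format); skip blanks and '#' comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and value.strip():
            options[key.strip()] = value.strip()
    return options

def missing_options(options, windows_cert_store=False):
    """Windows certificate store needs only ECA_CERT_PATH; otherwise all three."""
    required = ECA_OPTIONS[:1] if windows_cert_store else ECA_OPTIONS
    return [name for name in required if name not in options]

def source_can_use_external_ca(options, windows_cert_store=False):
    return not missing_options(options, windows_cert_store)

def certificate_for_trust(source_eca, target_cas):
    """Apply the trust setup table; target_cas holds 'external' and/or 'netbackup'."""
    target_cas = set(target_cas)
    if not target_cas or not target_cas <= {"external", "netbackup"}:
        raise ValueError("target CA usage must be external, netbackup, or both")
    if target_cas == {"external"}:
        return "External CA" if source_eca else "No trust is established"
    if target_cas == {"netbackup"}:
        return "NetBackup CA"
    return "Prompt to select CA" if source_eca else "NetBackup CA"

# Constructed sample: the private key option is absent, so the file-based
# external CA configuration is incomplete.
SAMPLE_CONFIG = """\
# constructed values, not from a real host
ECA_CERT_PATH = /eca/cert_chain.pem
ECA_TRUST_STORE_PATH = /eca/trusted/cacerts.pem
"""

if __name__ == "__main__":
    opts = parse_config(SAMPLE_CONFIG)
    can = source_can_use_external_ca(opts)
    print("missing:", missing_options(opts))
    for target in ({"external"}, {"netbackup"}, {"external", "netbackup"}):
        print(sorted(target), "->", certificate_for_trust(can, target))
```

With the sample above, a target that supports only external CA yields no trust, because one missing option drops the source to the "No" rows of the table.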