About trusted master servers for Auto Image Replication
NetBackup provides the ability to establish a trust relationship between replication domains. A trust relationship is optional for Media Server Deduplication Pool and PureDisk Deduplication Pool as a target storage. Before you configure a CloudCatalyst storage server as a target storage, establish a trust relationship between the source A.I.R. and the target A.I.R operations.
The following items describe how a trust relationship affects Auto Image Replication:
With targeted A.I.R., when establishing trust between the source and the remote target server, you need to establish trust in both the domains.
In the source master server, add the target master server as a trusted server.
In the target master server, add the source master server as a trusted server.
Note:
The does not support adding a trusted master server using an external CA-signed certificate.
See Adding a trusted master server using external CA-signed certificate.
See About the certificate to be used for adding a trusted master server.
The following diagram illustrates the different tasks for adding trusted master servers when NetBackup CA-signed certificate (or host ID-based certificate) is used for establishing trust between the source and the target master servers.
Figure: Tasks to establish a trust relationship between master servers for targeted A.I.R. using NetBackup CA-signed certificate
Table: Tasks to establish a trust relationship between master servers for targeted A.I.R.
Step | Task | Procedure |
|---|---|---|
Step 1 | Administrators of both the source and target master servers must obtain each other's CA certificate fingerprint and authorization tokens or the user credentials. This activity must be performed offline. Note: Veritas recommends using an authentication token to connect to the remote master server. An authentication token provides restricted access and allows secure communication between both the hosts. The use of user credentials (user name and password) may present a possible security breach. | To obtain the authorization tokens, use the bpnbat command to login and nbcertcmd to get the authorization tokens. To obtain the SHA1 fingerprint of root certificate, use the nbcertcmd -displayCACertDetail command. To perform this task, see the NetBackup Commands Reference Guide. Note: When you run the commands, keep the target as the remote server. |
Step 2 | Establish trust between the source and the target domains.
| To perform this task in the Veritas Administration Console, see the following topic: See Adding a trusted master server using NetBackup CA-signed (host ID-based) certificate. To perform this task using the nbseccmd, see the NetBackup Commands Reference Guide. |
Step 3 | After you have added the source and target trusted servers, they have each other's host ID-based certificates. The certificates are used during each communication. Master Server A has a certificate issued by Master Server B and vice versa. Before communication can occur, Master Server A presents the certificate issued by Master Server B and vice versa. The communication between the source and target master servers is now secured. | To understand the use of host ID-based certificates, see the Veritas Security and Encryption Guide. |
Step 3.1 | Configure the source media server to get the security certificates and the host ID certificates from the target master server. | |
Step 4 | Create an import storage lifecycle policy in the target domain. | |
| Step 5 | On the source MSDP server, use the tab from the Change Storage Server dialog box to add the credentials of the target storage server. | |
Step 5.1 | Create a replication storage lifecycle policy in the source domain using the specific target master server and storage lifecycle policy. The backups that are generated in one NetBackup domain can be replicated to storage in one or more target NetBackup domains. | |
Step 6 | The backups that are generated in one NetBackup domain can be replicated to storage in one or more target NetBackup domains. This process is referred to as Auto Image Replication. |
If your source and target trusted servers use different NetBackup versions, consider the following.
Note:
When you upgrade both the source and the target master server to version 8.1 or later, you need to update the trust relationship. Run the following command:
nbseccmd -setuptrustedmaster -update
See the NetBackup Commands Reference Guide.
Table: Trust setup methods for different NetBackup versions
Source server version | Target server version | Trust setup method |
|---|---|---|
8.1 and later | 8.1 and later | Add a trusted master server using authorization token. Complete action on both the servers. |
8.1 and later | 8.0 or earlier | On the source server, add the target as the trusted master server using the remote (target) server's credentials. |
8.0 or earlier | 8.1 and later | On the source server, add the target as the trusted master server using the remote (target) server's credentials. |