Configure the Java KeyStore
To establish a trust between the NetBackup master server and the IDP server, you must configure an SAML Java KeyStore (JKS) on the NetBackup master server. Depending on whether you are using the NetBackup CA or an external certificate authority (ECA), refer to either of the following sections:
Note:
If you are using a combination of an ECA and NetBackup CA in your environment, by default, the ECA is considered while establishing trust with the IDP server.
If you are using the NetBackup CA, create the NetBackup CA JKS on the NetBackup master server.
To create a NetBackup CA JKS
- Log on to the NetBackup master server as root or administrator.
- Depending on whether you are on a Windows or Linux operating system, run the configureCerts script as follows:
On Windows: Installation_Path\wmc\bin\install\configureCerts.bat -configure_saml_cert_jks
On Linux: Installation_Path/wmc/bin/install/configureCerts -configure_saml_cert_jks
Where Installation_Path is the path where NetBackup is installed.
Once the NetBackup CA JKS is created, ensure that you update the NetBackup CA JKS every time the NetBackup CA certificate is renewed.
To renew the NetBackup CA JKS
- Log on to the NetBackup master server as root or administrator.
- Depending on whether you are on a Windows or Linux operating system, run the configureCerts script as follows:
On Windows: Installation_Path\wmc\bin\install\configureCerts.bat -renew_saml_cert_jks
On Linux: Installation_Path/wmc/bin/install/configureCerts -renew_saml_cert_jks
Where Installation_Path is the path where NetBackup is installed.
- Download the new SP metadata XML file from the NetBackup master server by entering the following URL in your browser:
https://<NBU_Master_Server>/netbackup/sso/saml2/metadata
Where <NBU_Master_Server> is the IP address or host name of the NetBackup master server.
- Upload the new SP metadata XML file to the IDP. For steps on uploading the SP metadata XML file to the IDP, See Enroll the NetBackup master server with the IDP.
If you are using an ECA, import the ECA JKS to the NetBackup master server.
Note:
If you are using a combination of an ECA and the NetBackup CA in your environment, by default, the ECA is considered while establishing trust with the IDP server. To use the NetBackup CA, you must first remove the ECA JKS.
To import an ECA JKS
- Log on to the master server as root or administrator.
- Depending on whether you are on a Windows or Linux operating system, run the configureSAMLECACert script as follows:
On Windows: : Installation_Path\wmc\bin\install\configureSAMLECACert.bat -addExternalCert -keystorefile <External JKS path> -keystorepassfile <Path to JKS password file>
On Linux: Installation_Path/wmc/bin/install/configureSAMLECACert -addExternalCert -keystorefile External JKS path -keystorepassfile JKS password file path
Replace the variables as described below:
Installation_Path is the path where the product is installed.
External JKS path is the path to the ECA JKS file.
JKS password file path is the path to a file containing the password for the ECA JKS.
To remove the ECA JKS
- Log on to the master server as root or administrator.
- Depending on whether you are on a Windows or Linux operating system, run the configureSAMLECACert script as follows:
On Windows: : Installation_Path\wmc\bin\install\configureSAMLECACert.bat - removeExternalCert
On Linux: Installation_Path/wmc/bin/install/configureSAMLECACert - removeExternalCert
Where Installation_Path is the path where the product is installed.
- Download the new SP metadata XML file from the NetBackup master server by entering the following URL in your browser:
https://<NBU_Master_Server>/netbackup/sso/saml2/metadata
Where <NBU_Master_Server> is the IP address or host name of the NetBackup master server.
- Upload the new SP metadata XML file to the IDP. For steps on uploading the SP metadata XML file to the IDP, See Enroll the NetBackup master server with the IDP.