NetBackup™ Web UI Administrator's Guide

About NetBackup certificate deployment security levels

Security levels for certificate deployment are specific to NetBackup CA-signed certificates. If the NetBackup web server is not configured to use NetBackup certificates for secure communication, the security levels cannot be accessed.

The NetBackup certificate deployment level determines the checks that are performed before the NetBackup CA issues a certificate to a NetBackup host. It also determines how frequently the NetBackup Certificate Revocation List (CRL) is refreshed on the host.

NetBackup certificates are deployed on hosts during installation (after the host administrator confirms the master server fingerprint) or with the nbcertcmd command. Choose a deployment level that corresponds to the security requirements of your NetBackup environment.

Table: Description of NetBackup certificate deployment security levels

Security level: Very High

Description: An authorization token is required for every new NetBackup certificate request.

CRL refresh: The CRL that is present on the host is refreshed every hour.

Security level: High (default)

Description: No authorization token is required if the host is known to the master server. A host is considered to be known to the master server if the host can be found in the following entities:

  1. The host is listed for any of the following options in the NetBackup configuration file (Windows registry or the bp.conf file on UNIX):

    • APP_PROXY_SERVER

    • DISK_CLIENT

    • ENTERPRISE_VAULT_REDIRECT_ALLOWED

    • MEDIA_SERVER

    • NDMP_CLIENT

    • SERVER

    • SPS_REDIRECT_ALLOWED

    • TRUSTED_MASTER

    • VM_PROXY_SERVER

    For more details on the NetBackup configuration options, refer to the NetBackup Administrator's Guide, Volume I.

  2. The host is listed as a client name in the altnames file (ALTNAMESDB_PATH).

  3. The host appears in the EMM database of the master server.

  4. At least one catalog image of the client exists. The image must not be older than 6 months.

  5. The client is listed in at least one backup policy.

  6. The client is a legacy client. This is a client that was added using the Client Attributes host properties.

CRL refresh: The CRL that is present on the host is refreshed every 4 hours.

Security level: Medium

Description: The certificates are issued without an authorization token if the master server can resolve the host name to the IP address from which the request originated.

CRL refresh: The CRL that is present on the host is refreshed every 8 hours.
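At the High level, every host named under the configuration options in item 1 can obtain a certificate without an authorization token, so stale entries widen that set. The following audit sketch is an added example, not NetBackup code: it reads bp.conf text and reports the hosts those options make known that are missing from an approved inventory. The function names, the sample bp.conf content, the host names, and the one-host-per-entry `OPTION = host` layout are assumptions; it covers the UNIX bp.conf criterion only, not the Windows registry or items 2 to 6.

```python
# Added example: audits bp.conf text for hosts that are "known" at the High level.
# Function names and the sample data are hypothetical, constructed for illustration.

# Options from item 1 of the High level description.
KNOWN_HOST_OPTIONS = frozenset({
    "APP_PROXY_SERVER", "DISK_CLIENT", "ENTERPRISE_VAULT_REDIRECT_ALLOWED",
    "MEDIA_SERVER", "NDMP_CLIENT", "SERVER", "SPS_REDIRECT_ALLOWED",
    "TRUSTED_MASTER", "VM_PROXY_SERVER",
})


def hosts_known_via_bpconf(text):
    """Map each host name to the set of listed options that name it."""
    known = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key, host = key.strip().upper(), value.strip().lower()
        # Skip lines without '=', empty values, and unrelated options.
        if not sep or not host or key not in KNOWN_HOST_OPTIONS:
            continue
        known.setdefault(host, set()).add(key)
    return known


def unexpected_tokenless_hosts(text, approved_hosts):
    """Hosts that bp.conf makes known but that are not in the approved inventory."""
    approved = {h.lower() for h in approved_hosts}
    known = hosts_known_via_bpconf(text)
    return {h: sorted(opts) for h, opts in known.items() if h not in approved}


# Constructed sample bp.conf content (not taken from a real system).
SAMPLE_BP_CONF = """\
SERVER = master01.example.com
SERVER = media01.example.com
MEDIA_SERVER = media01.example.com
CLIENT_NAME = master01.example.com
TRUSTED_MASTER = dr-master.example.com
VM_PROXY_SERVER = old-proxy.example.com
"""

if __name__ == "__main__":
    inventory = ["master01.example.com", "media01.example.com",
                 "dr-master.example.com"]
    findings = unexpected_tokenless_hosts(SAMPLE_BP_CONF, inventory)
    for host, options in findings.items():
        print(f"{host}: known via {', '.join(options)}; not in inventory")
```

A host absent from this report may still be known to the master server through the altnames file, the EMM database, a recent catalog image, a backup policy, or legacy client attributes.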
