Upgrading KMS for MSDP

Before you upgrade KMS encryption from NetBackup version earlier than 8.1.1, complete the following steps. During the NetBackup upgrade, KMS rolling conversion runs along with MSDP encryption rolling conversion.

For NetBackup version earlier than 8.1.1, the supported NetBackup upgrade paths are:

NetBackup 7.7.3 to 8.1.2 or later
NetBackup 8.0 to 8.1.1 or later
NetBackup 8.1 to 8.1.1 or later

For additional information, refer to the Configuring KMS section in the Veritas NetBackup Security and Encryption Guide.

Before you upgrade KMS, complete the following steps:

Note:

The following steps are not supported on Solaris OS. For Solaris, refer to the following article:

Upgrade KMS encryption for MSDP on the Solaris platform

Create an empty database using the following command:
- For UNIX:
  /usr/openv/netbackup/bin/nbkms -createemptydb
- For Windows:
  <install_path>\Veritas\NetBackup\bin\nbkms.exe -createemptydb
  Enter the following parameters when you receive a prompt:
  - Enter the HMK passphrase
    Enter a password that you want to set as the host master key (HMK) passphrase. Press Enter to use a randomly generated HMK passphrase. The passphrase is not displayed on the screen.
  - Enter HMK ID
    Enter a unique ID to associate with the host master key. This ID helps you to determine an HMK associated with any key store.
  - Enter KPK passphrase
    Enter a password that you want to set as the key protection key (KPK) passphrase. Press Enter to use a randomly generated HMK passphrase. The passphrase is not displayed on the screen.
  - Enter KPK ID
    Enter a unique ID to associate with the key protection key. This ID helps you to determine a KPK associated with any key store.
After the operation completes successfully, run the following command on the master server to start KMS:
- For UNIX:
  /usr/openv/netbackup/bin/nbkms
- For Windows:
  sc start NetBackup Key Management Service
Create a key group and an active key by entering the following commands:
- For UNIX:
  /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkg -kgname msdp
  /usr/openv/netbackup/bin/admincmd/nbkmsutil -createkey -kgname msdp -keyname name - activate
- For Windows:
  <install_path>\Veritas\NetBackup\bin\admincmd\nbkmsutil.exe -createkg -kgname msdp
  <install_path>\Veritas\NetBackup\bin\admincmd\nbkmsutil.exe -createkey -kgname msdp -keyname name -activate
Enter a password that you want set as the key passphrase.
Create a kms.cfg configuration file at the following location on the NetBackup media server where you have configured the MSDP storage:
- On UNIX:
  /usr/openv/pdde/kms.cfg
- On Windows:
  <install_path>\Veritas\pdde\kms.cfg
Add the following content to the kms.cfg file:
```
[KMSOptions]
KMSEnable=true
KMSKeyGroupName=YourKMSKeyGroupName
KMSServerName=YourKMSServerName
KMSType=0
					
```
For KMSServerName, enter the hostname of the server where the KMS service runs, mainly the master server hostname.

After completing the steps, you can upgrade MSDP.

Upgrading KMS for MSDP

Feedback

Feedback