Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  3. Veritas NetBackup™ Deduplication Guide
  5. Configuring deduplication
  7. Configuring MSDP replication to a different NetBackup domain
  9. Configuring NetBackup CA and NetBackup host ID-based certificate for secure communication between the source and the target MSDP storage servers
Veritas NetBackup™ Deduplication Guide

Configuring NetBackup CA and NetBackup host ID-based certificate for secure communication between the source and the target MSDP storage servers

MSDP now supports secure communications between two media servers from two different NetBackup domains. The secure communication is set up when you run Auto Image Replication (A.I.R.). The two media servers must use the same CA to do the certificate security check. The source MSDP server uses the CA of the target NetBackup domain and the certificate that is authorized by the target NetBackup domain. You must manually deploy CA and the certificate on the source MSDP server before using Auto Image Replication.

Note:

After you upgrade to NetBackup 8.1.2 or later, manually deploy NetBackup CA and the NetBackup host ID-based certificate on the source MSDP server to use the existing Auto Image Replication.

To configure the NetBackup CA and a NetBackup host ID-based certificate, complete the following steps:

  1. On the target NetBackup master server, run the following command to display the NetBackup CA fingerprint:

    • Windows

      install_path\NetBackup\bin\nbcertcmd -displayCACertDetail

    • UNIX

      /usr/openv/netbackup/bin/nbcertcmd -displayCACertDetail

  2. On the source MSDP storage server, run the following command to get the NetBackup CA from target NetBackup master server:

    • Windows

      install_path\NetBackup\bin\nbcertcmd -getCACertificate -server target_master_server

    • UNIX

      /usr/openv/netbackup/bin/nbcertcmd -getCACertificate -server target_master_server

    When you accept the CA, ensure that the CA fingerprint is the same as displayed in the previous step.

  3. On the source MSDP storage server, run the following command to get a certificate generated by target NetBackup master server:

    • Windows

      install_path\NetBackup\bin\nbcertcmd -getCertificate -server target_master_server -token token_string

    • UNIX

      /usr/openv/netbackup/bin/nbcertcmd -getCertificate -server target_master_server -token token_string

  4. Use either of these two methods to obtain the authorization tokens:

    • NetBackup Administration Console

      • Log on the target NetBackup master server and open Security Management > Certificate Management > Token Management.

      • Click the Create Token option to create a token, or right-click the blank area of the Token records list view and select the New Token menu item to create a token.

    • NetBackup Commands

      • Use the bpnbat command to log on the target NetBackup master server.

      • Use the nbcertcmd command to get the authorization tokens.

      For more information on the commands, refer to the NetBackup Commands Reference Guide.

Feedback

Was this page helpful?
Previous

Enabling NetBackup clustered master server inter-node authentication

Next

Configuring external CA for secure communication between the source MSDP storage server and the target MSDP storage server

Feedback

Was this page helpful?