Certificate validation against Certificate Revocation List (CRL)
For all the cloud providers, NetBackup provides a capability to verify the SSL certificates against the CRL (Certificate Revocation List). If SSL is enabled and the CRL option is enabled, each non-self-signed SSL certificate is verified against the CRL. If the certificate is revoked, NetBackup does not connect to the cloud provider.
You can enable validation against CRL using one of the following ways:
csconfig CLI: crl parameter is added with the SSL parameters. The option is available when you add or update the storage server. CRL value can be changed only through csconfig CLI before creating an alias.
Storage server properties dialog: Update the USE_CRL property from the storage server properties dialog. From the GUI, you can only disable the CRL option, after configuration.
You can also use to the nbdevconfig CLI with getconfig and setconfig options to enable or disable verification against CRL.
Note:
Post upgrade, for the cloud and cloud catalyst storage servers with SSL enabled, the CRL validation is enabled by default.
CRL distribution endpoints are http thus, turn off any firewall rule that block http (port 80) connection to external network. For example, http://crl3.provider.com/server-g2.crl
CRL download URL is dynamically fetched from the certificate thus, disable any firewall rule that blocks unknown URLs.
Typically, CRL URLs (distribution endpoints) support IPV4. For IPV6 environments disable the CRL option.
Private Clouds typically have a self-signed certificate. Thus, for private clouds, CRL check is not required. The check is skipped even if CRL option is enabled.
CRL distribution point must be present in the x.509 certificate. The type of distribution point must http.
More Information