v06 NBU83ADM - Lab 06 NetBackup Certificate Administration Linux

This document describes exercises for administering NetBackup certificates. It covers viewing certificate details, manually deploying CA and host certificates, revoking certificates, and using an external CA. The exercises demonstrate certificate administration tasks in NetBackup including viewing details, deploying certificates, revoking certificates, and configuring an external CA.

Uploaded by

rambabu koppoku

Lab 06: NetBackup Certificate Administration

In this lab, you deploy CA and host-id based certificates on the clients. You also learn about ECA and its
configuration.

This lab includes the following exercises:

• Exercise A: Viewing host ID-based certificate details


• Exercise B: Manually deploying the CA certificate on a NetBackup client
• Exercise C: Manually deploying the host-ID certificate on a NetBackup host
• Exercise D: Revoking host ID-based certificates
• Exercise E: Configuring External Certificate Authority (ECA) on the NetBackup Master Server
• Exercise F: Configuring a NetBackup host to use an ECA-signed certificate
• Exercise G: Disabling an external CA in a NetBackup domain

Exercise A: Viewing host ID-based certificate details

In this lab exercise, you will view the details of NetBackup host ID-based certificates. Details for each host ID-based
certificate can be viewed in the NetBackup Administration Console, in the NetBackup Web UI, or by using the
nbcertcmd command.

Using the NetBackup Administration console to view host ID-based certificate details

1. Login to the console system using the credentials below.

console.vrtsedu.lab User Name: VRTSEDU\Administrator Password: P@ssw0rd

2. Double-click the NetBackup Administration Console shortcut located on the desktop.


3. Enter the following credentials to log in:

Host Name: lnxmaster.vrtsedu.lab User Name: root Password: P@ssw0rd

4. In the NetBackup Administration Console, expand Security Management > Certificate Management.
The certificate details are displayed in the right pane.
5. By default, 7 columns are displayed, namely Certificate state, Host, Host Type, Issued on, Valid
From, Valid Until, Days Remaining.
6. To display or hide columns, right-click anywhere in the pane and select Columns > Layout.
7. In the resulting menu, select the check box for NetBackup HostID and click OK.
8. Scroll to the right until you find the NetBackup Host ID column.
9. Minimize the NetBackup Administration Console window.
Viewing the host ID-based certificate details using the nbcertcmd command

10. From the desktop, locate and double-click the command prompt shortcut.
11. Enter the following command to list the certificate details.

Command: nbcertcmd -listCertDetails

12. Observe the output of the command.


13. What additional information is seen here if you compare it with the information you collected in
the earlier steps?
14. Close the command prompt window.

Viewing the host ID-based certificate details using NetBackup WebUI

15. Locate and double-click NetBackup Web UI login shortcut on the desktop of the console vm.
16. Use the following credentials to login and click sign in:

User Name: root

Password: P@ssw0rd

17. Scroll-down in the left pane, navigate to Security>Certificates


18. Click NetBackup Certificates.
19. Take a note of the information here. Observe the columns which are displayed by default.
20. Click the show or hide columns icon. Select the checkbox for Host ID and click anywhere in
the WebUI.
21. You may have to scroll to the right side to observe the changes made to WebUI.
22. Minimize the NetBackup WebUI.

Exercise B: Manually deploying the CA certificate on a NetBackup client

In this exercise, you will deploy a CA certificate manually on a NetBackup host.

1. Login to the console system using the credentials below.

console.vrtsedu.lab User Name: VRTSEDU\Administrator Password: P@ssw0rd

2. Double-click the Putty shortcut found on the desktop.


3. From the saved sessions, connect to lnxmedia.vrtsedu.lab system using the following
credentials:
lnxmedia.vrtsedu.lab User Name: root Password: P@ssw0rd

4. Run the following command to add the CA certificate to the NetBackup host's trust store:

Command: nbcertcmd -getCACertificate

5. In the confirmation output, enter y to proceed as shown below:

6. To confirm the CA certificate was deployed execute the following command:

Command: nbcertcmd -displayCACertDetail

Your output should be similar to following:

7. Minimize the Putty session.

Exercise C: Manually deploying the host-ID certificate on a NetBackup host

In this exercise, you will deploy the host-ID certificate manually on a NetBackup host. You will learn about the reissue
token and its use.

1. Login to the console system using the credentials below.

console.vrtsedu.lab User Name: VRTSEDU\Administrator Password: P@ssw0rd

2. Double-click the Putty shortcut found on the desktop.


3. From the saved sessions, connect to lnxmedia.vrtsedu.lab system using the following
credentials:

lnxmedia.vrtsedu.lab User Name: root Password: P@ssw0rd


4. Run the following command to fetch the certificate from the master server:

Command: nbcertcmd -getcertificate

5. You should receive a warning saying that "Reissue Token is mandatory.."

A certificate must be reissued in any of the following cases:

• The certificate was revoked, and you later determine that you can trust that host again.
• The certificate was expired.
• NetBackup was reinstalled on the host where a certificate was already issued.
• The name of the host was changed.
• The key pair for the host was changed.

Creating a reissue token

A reissue token is a type of token that can be used to reissue a certificate. Since a reissue token is bound to a
specific host, the token cannot be used to request certificates for additional hosts.

In the steps that follow, you will use the NetBackup WebUI to generate a reissue token for the host lnxmedia.

6. Minimize the Putty window.


7. Double-click the Firefox shortcut found on the console system.
8. Enter the following URL in the address bar.

URL: https://lnxmaster/webui/login

9. If you receive a security warning, click Advanced and then click Accept the Risk and Continue.
10. Use the following credentials for login:

User Name: root

Password: P@ssw0rd

11. In the left pane, navigate to Security>Hosts.


12. Select the host lnxmedia.vrtsedu.lab and then click Generate reissue token from the menu
bar. Refer to following figure:
13. Provide the following information in the Generate Reissue Token dialogue box and click Generate.

Token Name: lnxmedia_reissue

14. Reissue Token Created Successfully dialogue box is displayed.


15. Copy the token value to clipboard by clicking the small icon near the token value and
click Close
16. Return to the Putty session connected to lnxmedia server.
17. Run the following command:

Command: nbcertcmd -getcertificate -token

18. When prompted for the Authorization Token, paste the value from your clipboard.

The token value is not displayed.

19. Press Enter. Ensure the following message is displayed:

20. Use the following command to list the host-ID certificate details:

Command: nbcertcmd -listcertdetails

Exercise D: Revoking host ID-based certificates

NetBackup administrators may consider revoking a host ID-based certificate under various conditions, for
example if the administrator detects that client security has been compromised, if a client is decommissioned, or
if NetBackup is uninstalled from the host. In this exercise, you will revoke the certificate from a client, observe the
effects, and reissue the certificate.

1. Login to the console system using the credentials below.

console.vrtsedu.lab User Name: VRTSEDU\Administrator Password: P@ssw0rd

2. Access the command prompt and refresh NetBackup CRL before you proceed using the
following command:

nbcertcmd -getcrl

3. Locate and double-click NetBackup Web UI login shortcut on the desktop of the console vm.
4. Use the following credentials and click sign in:

User Name: root

Password: P@ssw0rd

5. In the left pane, navigate to Security>Certificates>NetBackup Certificates.


6. Scroll-down and select Console.vrtsedu.lab.
7. Click Revoke certificate.
8. The Revoke Certificate dialogue box is displayed.
9. Select a reason from the drop-down menu and click Yes.

10. Certificate revoked successfully is displayed.

Observing the effects of revoked certificate

10. Minimize the WebUI.


11. Launch a new Putty session to lnxmaster.
12. Login to lnxmaster using following credentials:

-Login as: root

-Password: P@ssw0rd

13. Open the command prompt window and run following command:

Command: bptestbpcd -client console -verbose

14. Following message is displayed:

In such a case, backup of the client will not be possible. All the scheduled backups for this client will
fail.

15. Minimize the Putty window.

Reissuing the certificate to revoked host

16. Access the command prompt window on the Console system and use following command to
fetch the certificate from master.

Command: nbcertcmd -getcertificate -force

17. Does it allow you to fetch the certificate? No. In this case, a reissue token is mandatory.

In the previous exercise, you learned to generate a reissue token and used it. In the steps that
follow, you will learn about the Allow auto reissue certificate option.

18. Minimize the command prompt.


19. Access the NetBackup WebUI. Navigate to Security>Hosts.
20. Select Console.vrtsedu.lab and click Allow auto Reissue certificate.
21. Allow auto Reissue certificate dialogue box is displayed.
22. Read the message carefully. This option gives you 48 hours to reissue a certificate without a
token.
23. Click Allow.
24. Minimize the NetBackup WebUI.
25. Return to the command prompt and run the following command:

Command: nbcertcmd -getcertificate -force

26. Ensure the host certificate is received successfully without token.


27. You may verify the communication has been re-established between
the console and lnxmaster using the steps below:
a. Access the Putty session connected to lnxmaster system.
b. In the command prompt , execute following command:

Command: bptestbpcd -client console -verbose

c. Verify the command completes successfully.


d. Minimize the command prompt.

Exercise E: Configuring External Certificate Authority (ECA) on the NetBackup Master Server

In this exercise, you will learn to set up ECA on the NetBackup Master server.

These steps are a basic set of commands for a simplified procedure. A real environment may
require more settings than specified below. For information on configuring ECAs (for example, supported file
types, CRL updates, etc.), see the Veritas NetBackup™ Security and Encryption Guide: UNIX, Windows, and
Linux.

1. Login to the console system using the credentials below.

console.vrtsedu.lab User Name: VRTSEDU\Administrator Password: P@ssw0rd

For the purpose of this lab, the following pre-configuration tasks have been done on the lnxmaster and lnxmedia
systems:
• Downloaded and extracted the certificates and CRLs
• Created and modified the registry keys related to ECA configuration

Understanding the pre-configuration for ECA

2. Double-click the Putty shortcut and connect to lnxmaster.


3. Change the directory to eca using following command :

Command: cd /eca/

4. List the contents of the directory using following command :

Command: ls -la

This directory contains various subfolders along with the certificate chain, private key, trust store, CRL, etc.

Do not make any changes to any file(s).

5. To view the changes made to the bp.conf file, use following command :

Command: cat /usr/openv/netbackup/bp.conf

6. Note the lines which begin with the word ECA.

Configuring ECA

8. Change the directory to /usr/openv/wmc/bin/install using following command:

Command: cd /usr/openv/wmc/bin/install

9. Configure the ECA to be used by the NetBackup by using the below command:

Command: ./configureWebServerCerts -addExternalCert -all -certpath /eca/cert_chain.der.p7b -privatekeypath /eca/private/key-pkcs8_ENCRYPTED.der -truststorepath /eca/trusted/cacerts.der.p7b -passphrasepath /eca/private/passphrase.txt

10. Ensure the command completes successfully.


11. Restart the "NetBackup Web Management Console" service using following commands:

Command: nbwmc stop

Command: nbwmc start

It will take a couple of minutes to start the NetBackup Web Management Console services.

12. Minimize the Putty session.


13. Access the NetBackup WebUI.

If you see a message Unable to connect to server, you are required to sign-out and sign-in.

14. Navigate to Settings>Global Security.

15. Note that the master server is now configured in Mixed Mode.
16. Minimize the NetBackup WebUI and return to the Putty window connected
to lnxmaster server.
17. Similarly, you can use the following command to check the status of ECA.

Command: nbcertcmd -getSecConfig -caUsage

Note that the NBCA and ECA mode is ON.

18. Next, you need to enroll the master server ECA certificate using the following command:

Command: nbcertcmd -enrollcertificate


19. Verify the command completes successfully.

Exercise F: Configuring a NetBackup host to use an ECA-signed certificate

In this exercise, you will examine how the media server is configured to use the external certificates.

Verifying ECA configuration on the media server

For the purpose of this lab, the following pre-configuration tasks have been done on the lnxmedia system:
• Downloaded and extracted the certificates and CRLs
• Created and modified the registry keys related to ECA configuration

1. Access the desktop of the console system.


2. Double-click the Putty shortcut and connect to the lnxmedia system using the following
credentials:

lnxmedia.vrtsedu.lab User Name: root Password: P@ssw0rd

3. Change the directory to eca using following command :

Command: cd /eca/

4. List the contents of the directory using following command :

Command: ls -la

This directory contains various subfolders along with the certificate chain, private key, trust store, CRL, etc.

Do not make any changes to any file(s).

5. To view the changes made to the bp.conf file, use following command :

Command: cat /usr/openv/netbackup/bp.conf

6. Note the lines which begin with the word ECA.


7. Minimize the Putty window.

It is not required to run the script or the enroll command on any NetBackup host(s).
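
Added example (not part of the original lab guide and not Veritas code): a shell check for the ECA lines noted in step 6 of Exercise E and of Exercise F. It reports ECA_* paths that do not exist and flags a private key or passphrase file that group or other can access. The bp.conf contents and the temp-directory fixture are constructed; the ECA_* key names in the sample are assumed to match what the lab pre-configured, and the file names follow the /eca paths used in Exercise E.

```sh
#!/bin/sh
# Added example: audit the ECA_* entries of a NetBackup bp.conf.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
eca_audit() {
    conf=$1
    findings=0
    # bp.conf entries have the form "KEY = value"; keep only ECA_* keys.
    while IFS= read -r line; do
        key=$(printf '%s\n' "$line" |
            sed -n 's/^[[:space:]]*\(ECA_[A-Z_]*\)[[:space:]]*=.*/\1/p')
        [ -n "$key" ] || continue
        val=$(printf '%s\n' "$line" |
            sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        # Only path-valued entries are checked on disk.
        case $val in /*) ;; *) continue ;; esac
        if [ ! -e "$val" ]; then
            echo "MISSING $key $val"; findings=$((findings + 1)); continue
        fi
        # Private key and passphrase file: no access for group or other.
        case $key in
            *PRIVATE_KEY*|*PASSPHRASE*)
                perms=$(ls -ld "$val" | cut -c5-10)
                if [ "$perms" != "------" ]; then
                    echo "EXPOSED $key $val"; findings=$((findings + 1))
                fi ;;
        esac
    done < "$conf"
    [ "$findings" -eq 0 ]
}

# Constructed fixture: the lab's /eca file names under a temp directory.
eca_make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/eca/private" "$root/eca/trusted"
    : > "$root/eca/cert_chain.der.p7b"
    : > "$root/eca/trusted/cacerts.der.p7b"
    : > "$root/eca/private/key-pkcs8_ENCRYPTED.der"
    : > "$root/eca/private/passphrase.txt"
    chmod 600 "$root/eca/private/key-pkcs8_ENCRYPTED.der"
    chmod 644 "$root/eca/private/passphrase.txt"  # deliberately too open
    cat > "$root/bp.conf" <<EOF
SERVER = lnxmaster.vrtsedu.lab
ECA_CERT_PATH = $root/eca/cert_chain.der.p7b
ECA_PRIVATE_KEY_PATH = $root/eca/private/key-pkcs8_ENCRYPTED.der
ECA_TRUST_STORE_PATH = $root/eca/trusted/cacerts.der.p7b
ECA_KEY_PASSPHRASEFILE = $root/eca/private/passphrase.txt
ECA_CRL_PATH = $root/eca/crl
ECA_CRL_CHECK = LEAF
EOF
    echo "$root/bp.conf"
}

fixture=$(eca_make_fixture)
eca_audit "$fixture" || echo "fix the findings above before relying on ECA"
```

On a lab host, the same function can be pointed at the real file with eca_audit /usr/openv/netbackup/bp.conf, run as root.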

Comparing the communication between lnxmaster-lnxmedia and lnxmaster-console

8. Access the Putty session connected to lnxmaster system.


9. In the terminal window, enter the following command:

Command: bptestbpcd -client lnxmedia -verbose

10. Observe the output closely. Which certificate is in use?

11. Next, enter the following command:

Command: bptestbpcd -client console -verbose

Compare the output with previous command.


Viewing the ECA-signed certificates in NetBackup WebUI

12. Minimize the Command Prompt and return to the NetBackup Web UI
13. Navigate to Security>Certificates
14. Click External certificates.
15. Select the host lnxmedia.vrtsedu.lab. (You may need to scroll-down.)
16. Click View details.
17. Take a note of the information displayed.
18. Minimize the WebUI.

Exercise G: Disabling an external CA in a NetBackup domain

In this exercise, you will disable an external CA in a NetBackup domain.

1. Login to the console system using the credentials below.

console.vrtsedu.lab User Name: console\Administrator Password: P@ssw0rd

2. Access the Putty session connected to lnxmaster.


3. Execute following command to remove the ECA enrollment:

Command: nbcertcmd -removeenrollment

4. Execute following command to remove the external certificates:

Command: cd /usr/openv/wmc/bin/install

Command: ./configureWebServerCerts -removeexternalcert -all


5. Read the message carefully and enter Y.

You have to restart the NetBackup Web Management Console service for the changes to take effect.

6. Restart the NetBackup Web Management Console service using following commands:

Command: nbwmc stop

Command: nbwmc start

7. Use the following command to verify that ECA is now OFF in the NetBackup domain:

Command: nbcertcmd -getSecConfig -caUsage

You should receive the output as below:

8. Minimize the Putty session.


9. Access the NetBackup WebUI. If you receive a connection error, log out and log in again.
10. In the left pane, click Security>Certificates.
11. Click External Certificates. Notice that the certificate has been removed.
12. Click NetBackup Certificates. Scroll-down and select lnxmedia.vrtsedu.lab and then
select View details.
13. Which certificate is in use?

You should see a new NetBackup certificate deployed with the <=365 days validity.

14. Sign out from the WebUI and close the Firefox window.

In a production environment, great care has to be taken before disabling the ECA. You need to
ensure that each host in the domain is configured to use NetBackup host ID-based certificates. You
are also required to delete the registry keys related to ECA from the master and clients. Refer to the
Security and Encryption guide for more information on this.
End of Lab
