How to configure Netbackup KMS

 

Configuration of NetBackup KMS

 

 NetBackup security and encryption provide protection for all parts of NetBackup
operations. The parts that are made secure include the NetBackup master server,
media server, and attached clients. Also made secure are the operating systems
on which the servers and clients are running. The backup data is protected through
encryption processes and vaulting. NetBackup data that is sent over the wire is
protected by dedicated and secure method.

 

Here we are going to configure the tape based encryption, Please note that there is Media sever level encryption as well.

1)    Tape Library Configuration

 

a.      Application Managed Encryption (AME) does not require a key.

Library Managed Encryption (LME) and System Managed Encryption (SME) require a license key which is available by purchasing Feature Code 5900. Minimum

 

·        Prerequisites for Application Managed Encryption (AME) - LTO 6

·        SAS and Fibre Channel LTO Ultrium 6 Tape Drive (Full High or Half High)

·        Ultrium 6 Tape Cartridge

·        Library firmware level B.50 or higher

·        Drive firmware level C800 or higher, for reference go to http://www.ibm.com/fixcentral.

·        Encryption Key Manager application

b.      Tape Library:

                                                    i.     Click Configure Library > Encryption in the left navigation panel.

                                                   ii.     On the Encryption screen, select an Encryption method for each logical library. Without an encryption license key, select None or Application Managed Encryption.

                                                  iii.     Click Submit to apply the changes.

 

2)    Overriding the Symantec Intrusion Security policy (IPS)

 

a.      Use SSH to login to the appliance as an Administrator

b.      Go to Support > Maintenance menu. If you try to access the elevate command the following message is displayed:

 

Permission Denied !! Access to the root account requires overriding the Symantec Intrusion Security Policy. Please refer to the appliance security guide for overriding

c.      Run the Support > Maintenance command.

d.      To enter your Maintenance account, run the following command, and provide the password when you receive a prompt.

 NBAppl.Support > Maintenance

<!--Maintenance Mode--!>

maintenance’s password:

 
e.      In the Maintenance mode, type the following command to override the Symantec

Intrusion Security Policy:

/opt/Symantec/scspagent/IPS/sisipsoverride.sh

 To override the policy and disable protection, enter your login password.

Password:

f.       Enter your maintenance password.

 The appliance then displays the following options:

Choose the type of override that you wish to perform:

1. Override Prevention except for Self Protection

2. Override Prevention Completely

Choice?

 g. Enter 1 to override prevention except for self protection.

 The appliance displays the following options:

Choose the amount of time after which to automatically re-enable:

1. 15 minutes

2. 30 minutes

3. 1 hour

4. 2 hours

5. 4 hours

6. 8 hours

7. never

 h.      Enter the appropriate number from 1 to 7 based on the time required to debug the Symantec support case.

The appliance displays the following message:

Enter a comment. Press Enter to continue.

i. Enter a relevant comment as to why the override is required.

 The appliance overrides the policy and displays the following message:

Please wait while the policy is being overridden.

........

The policy was successfully overridden.

 maintenance - !> elevate

 You should now have access to the root account for debugging the appliance.

 3)    Installation and Configuration of KMS

 
a. Run the following command to change directory:

 maintenance - !> cd /opt/openv/netbackup/bin

 b. Run the nbkms -createemptydb command.

c. Enter a passphrase for the host master key (HMK). You can also press Enter to create a randomly generated key.

d. Enter an ID for the HMK. This ID can be anything descriptive that you want to use to identify the HMK.

e. Enter a passphrase for the key protection key (KPK).

f. Enter an ID for the KPK. The ID can be anything descriptive that you want to use to identify the KPK.

g.The KMS service starts when after you enter the ID and press Enter.

h. Start the service by running the following command:

 nbkms

i. Use the grep command to ensure that the service has started, as follows:

 ps -ef | grepnbkms

 j.       Create the key group. The key group name must be an identical match to the volume pool name. All key group names must have a prefix ENCR_.

 To create a key group use the following command syntax.

 nbkmsutil -createkg -kgname ENCR_volumepoolname

 The ENCR_ prefix is essential. When BPTM receives a volume pool request that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS identifies it as an exact match of the volume pool and then picks the active key record for backups out of that group.

k.      Create a key record by using the -createkey option.

nbkmsutil -createkey -kgname ENCR_volumepool -keyname keyname -activate -desc "message"

 The key name and message are optional; they can help you identify this key when you display the key. The -activate option skips the prelive state and creates this key as active.

l.       Provide the passphrase again when the script prompts you.

 In the following example the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.

 nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"

 m.    You can create another key record using the same command; a different key name and description help you distinguish they key records:

 nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate –desc "key forApr, May, & Jun"

 Note: If you create more than one key record by using the command nbkmsutil -kgname name -activate, only the last key remains active.

 n.      To list all of the keys that belong to a key group name, use the following command:

 nbkmsutil -listkeys -kgname keyname

Note: Symantec recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.