Tuesday, June 2, 2015

How to configure Netbackup KMS

 

Configuration of NetBackup KMS
 
NetBackup security and encryption protect all parts of NetBackup operations: the NetBackup master server, media servers, and attached clients, as well as the operating systems on which the servers and clients run. Backup data is protected through encryption and vaulting, and NetBackup data sent over the wire is protected by a dedicated, secure method.
 
Here we configure tape-based encryption. Note that media server level encryption is available as well.

1)    Tape Library Configuration
 

a.      Application Managed Encryption (AME) does not require a key.

Library Managed Encryption (LME) and System Managed Encryption (SME) require a license key, which is available by purchasing Feature Code 5900. Minimum

 

·        Prerequisites for Application Managed Encryption (AME) - LTO 6

·        SAS and Fibre Channel LTO Ultrium 6 Tape Drive (Full High or Half High)

·        Ultrium 6 Tape Cartridge

·        Library firmware level B.50 or higher

·        Drive firmware level C800 or higher, for reference go to http://www.ibm.com/fixcentral.

·        Encryption Key Manager application

b.      Tape Library:

i.     Click Configure Library > Encryption in the left navigation panel.

ii.    On the Encryption screen, select an Encryption method for each logical library. Without an encryption license key, select None or Application Managed Encryption.

iii.   Click Submit to apply the changes.

 
2)    Overriding the Symantec Intrusion Security policy (IPS)

 
a.      Use SSH to log in to the appliance as an Administrator.

b.      Go to the Support > Maintenance menu. If you try to access the elevate command, the following message is displayed:
 
Permission Denied !! Access to the root account requires overriding the Symantec Intrusion Security Policy. Please refer to the appliance security guide for overriding

c.      Run the Support > Maintenance command.

d.      To enter your Maintenance account, run the following command, and provide the password when you receive a prompt.

 NBAppl.Support > Maintenance

<!--Maintenance Mode--!>

maintenance’s password:
 
e.      In Maintenance mode, type the following command to override the Symantec Intrusion Security Policy:

/opt/Symantec/scspagent/IPS/sisipsoverride.sh

 To override the policy and disable protection, enter your login password.

Password:

f.       Enter your maintenance password.

 The appliance then displays the following options:

Choose the type of override that you wish to perform:

1. Override Prevention except for Self Protection

2. Override Prevention Completely

Choice?

 g. Enter 1 to override prevention except for self protection.

 The appliance displays the following options:

Choose the amount of time after which to automatically re-enable:

1. 15 minutes

2. 30 minutes

3. 1 hour

4. 2 hours

5. 4 hours

6. 8 hours

7. never

 h.      Enter the appropriate number from 1 to 7 based on the time required to debug the Symantec support case.

The appliance displays the following message:

Enter a comment. Press Enter to continue.

i. Enter a relevant comment as to why the override is required.

 The appliance overrides the policy and displays the following message:

Please wait while the policy is being overridden.

........

The policy was successfully overridden.

 maintenance - !> elevate

 You should now have access to the root account for debugging the appliance.

 3)    Installation and Configuration of KMS
 
a. Run the following command to change directory:

 maintenance - !> cd /opt/openv/netbackup/bin

 b. Run the nbkms -createemptydb command.

c. Enter a passphrase for the host master key (HMK). You can also press Enter to create a randomly generated key.

d. Enter an ID for the HMK. This ID can be anything descriptive that you want to use to identify the HMK.

e. Enter a passphrase for the key protection key (KPK).

f. Enter an ID for the KPK. The ID can be anything descriptive that you want to use to identify the KPK.

g. The KMS service starts after you enter the ID and press Enter.

h. Start the service by running the following command:

 nbkms

i. Use the grep command to ensure that the service has started, as follows:

 ps -ef | grep nbkms

 j.       Create the key group. The key group name must be an identical match to the volume pool name, and all key group names must have the prefix ENCR_.

 To create a key group use the following command syntax.

 nbkmsutil -createkg -kgname ENCR_volumepoolname

 The ENCR_ prefix is essential. When BPTM receives a volume pool request that includes the ENCR_ prefix, it provides that volume pool name to KMS. KMS identifies it as an exact match of the volume pool and then picks the active key record for backups out of that group.

k.      Create a key record by using the -createkey option.

nbkmsutil -createkey -kgname ENCR_volumepool -keyname keyname -activate -desc "message"

 The key name and message are optional; they can help you identify this key when you display the key. The -activate option skips the prelive state and creates this key as active.

l.       Provide the passphrase again when the script prompts you.

 In the following example the key group is called ENCR_pool1 and the key name is Q1_2008_key. The description explains that this key is for the months January, February, and March.

 nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q1_2008_key -activate -desc "key for Jan, Feb, & Mar"

 m.    You can create another key record using the same command; a different key name and description help you distinguish the key records:

 nbkmsutil -createkey -kgname ENCR_pool1 -keyname Q2_2008_key -activate -desc "key for Apr, May, & Jun"

 Note: If you create more than one key record by using the command nbkmsutil -createkey -kgname name -activate, only the last key remains active.

 n.      To list all of the keys that belong to a key group name, use the following command:

 nbkmsutil -listkeys -kgname ENCR_volumepoolname

Note: Symantec recommends that you keep a record of the output of the nbkmsutil -listkeys command. The key tag that is listed in the output is necessary if you need to recover keys.
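As an added example (not code from the original post or from NetBackup), the following Python planner captures the checks a practitioner wants before typing the commands in steps j to n: it derives the key group name from the volume pool and refuses a pool without the ENCR_ prefix (BPTM never hands such a pool to KMS), builds the nbkmsutil command lines, rejects a plan that would activate more than one key in a group (only the last would remain active), and keeps a copy of the -listkeys output because the key tags in it are needed for recovery. The accepted character set for names and the record file path are assumptions; with dry_run=True nothing is executed and the commands are only rendered.

```python
"""Added example: plan and sanity-check nbkmsutil commands for tape-encryption key groups.
Not part of the original post. Assumes nbkmsutil is on PATH when run with dry_run=False."""
from __future__ import annotations

import re
import shlex
import subprocess
from dataclasses import dataclass

ENCR_PREFIX = "ENCR_"
# Assumed conservative character set for pool and key names (not documented on the page).
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass(frozen=True)
class KeySpec:
    name: str             # passed as -keyname
    desc: str             # passed as -desc
    activate: bool = False  # -activate skips the prelive state; at most one per group


@dataclass(frozen=True)
class PoolPlan:
    pool: str                  # volume pool name; the key group must match it exactly
    keys: tuple[KeySpec, ...]


def is_valid_pool_name(pool: str) -> bool:
    """BPTM only passes pools carrying the ENCR_ prefix to KMS, which then looks the
    key group up by exact name, so the pool name must be usable as a key group name."""
    return (pool.startswith(ENCR_PREFIX) and len(pool) > len(ENCR_PREFIX)
            and bool(_NAME_RE.match(pool)))


def key_group_for_pool(pool: str) -> str:
    if not is_valid_pool_name(pool):
        raise ValueError(f"{pool!r} is not a usable encrypted volume pool name "
                         f"(it needs the {ENCR_PREFIX} prefix)")
    return pool  # identical match required, no transformation


def validate_plan(plan: PoolPlan) -> list[str]:
    """Return human-readable problems; an empty list means the plan is safe to run."""
    problems: list[str] = []
    if not is_valid_pool_name(plan.pool):
        problems.append(f"pool {plan.pool!r} lacks the {ENCR_PREFIX} prefix")
    if sum(k.activate for k in plan.keys) > 1:
        # Several -activate keys leave only the last one active; almost certainly a mistake.
        problems.append("more than one key marked activate; only the last would remain active")
    names = [k.name for k in plan.keys]
    if len(set(names)) != len(names):
        problems.append("duplicate key names in one key group")
    return problems


def plan_commands(plan: PoolPlan) -> list[list[str]]:
    """Build argv lists: create the group, create each key, then list the group."""
    problems = validate_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    kg = key_group_for_pool(plan.pool)
    cmds = [["nbkmsutil", "-createkg", "-kgname", kg]]
    for key in plan.keys:
        cmd = ["nbkmsutil", "-createkey", "-kgname", kg, "-keyname", key.name, "-desc", key.desc]
        if key.activate:
            cmd.append("-activate")
        cmds.append(cmd)
    cmds.append(["nbkmsutil", "-listkeys", "-kgname", kg])
    return cmds


def render(cmds: list[list[str]]) -> str:
    """Shell-quoted form of the plan, one command per line."""
    return "\n".join(shlex.join(c) for c in cmds)


def run_plan(plan: PoolPlan, record_path: str, dry_run: bool = True) -> str:
    """Execute the plan. The -listkeys output is appended to record_path because the key
    tags it contains are required to recover keys; the other commands run interactively
    so that nbkmsutil can prompt for the passphrase on the terminal."""
    cmds = plan_commands(plan)
    if dry_run:
        return render(cmds)
    listing = ""
    for cmd in cmds:
        if cmd[1] == "-listkeys":
            res = subprocess.run(cmd, check=True, capture_output=True, text=True)
            listing = res.stdout
            with open(record_path, "a", encoding="utf-8") as fh:
                fh.write(listing)
        else:
            subprocess.run(cmd, check=True)
    return listing


if __name__ == "__main__":
    # Constructed sample mirroring the post's ENCR_pool1 example.
    sample = PoolPlan("ENCR_pool1", (
        KeySpec("Q1_2008_key", "key for Jan, Feb, & Mar"),
        KeySpec("Q2_2008_key", "key for Apr, May, & Jun", activate=True),
    ))
    print(run_plan(sample, "kms_key_record.txt"))
```

Run it as-is to see the exact command lines before pasting them into the maintenance shell; switch to dry_run=False only on the appliance where nbkmsutil exists, and keep the record file off the appliance afterwards, since the key tags in it are what you will need during a recovery.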

 

 

Monday, March 30, 2015

Power Off procedure for BROCADE Switches and Directors

 


To avoid corrupting your file system, it is recommended that you perform graceful shutdowns of switches and Directors.

For Directors running Fabric OS versions prior to 5.1.x, the following procedure describes how to gracefully shut down a Director:

1. Verify which CP is the active CP, and log in to the active CP using a serial console connection.

2. On the standby CP, set the slider switch to the off position, or eject the standby CP from the chassis. This disables the standby CP.

3. Enter the reboot command from the active CP. This gracefully takes down the system. When you see the "Press escape within 4 seconds to enter boot interface" message, press ESC to suspend the active CP.

4. Power off the chassis by flipping both AC power switches to "0" (the LEDs inside the AC power switches should turn off). To maintain the ground connection, leave both power cords connected to the chassis and to the electrical outlet.


For both switches and Directors running Fabric OS 5.1.0 and later, it is recommended that you use the following graceful shutdown procedure:

1. Connect to the switch and log in as admin.

2. Enter the sysShutdown command. At the prompt, type y.

switch:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Are you sure you want to shutdown the switch [y/n]?y

3. Wait until the following message displays:

Broadcast message from root (ttyS0) Wed Jan 25 16:12:09 2006...
The system is going down for system halt NOW !!
INIT: Switching to run level: 0
INIT: Sending processes the TERM signal
Unmounting all file systems.
The system is halted
flushing ide devices: hda
Power down.

4. Power off the switch.

Monday, February 16, 2015

Prerequisites for GRT Backup/Restore NetBackup 7.5 and Windows 2008 R2 Domain Controller

Pre-Requisites

NFS must be installed on the media server and on all AD domain controllers that are to be backed up with GRT enabled.

Install NFS services on the media server and on all Active Directory domain controllers (Windows 2008/R2):

For NFS, add the File Services server role.

Select Services for Network File System as the role service and complete the wizard.

On the media server, configure the portmap service to start automatically after a server restart.

From CMD, execute: sc config portmap start= auto (the space after start= is required by the sc syntax).

From the services.msc console, stop and disable the following services:

Server for NFS on both the Active Directory domain controller and the media server, and also disable Client for NFS on the media server.

If the Active Directory domain controller is also the media server, disable both the Client for NFS and Server for NFS services.

Create an empty No.Restrictions touch file on the media server under /veritas/netbackup/db/altnames.

If the altnames directory does not exist, create it.

Make sure the touch file does not have a .txt suffix; it must be named No.Restrictions only.

To change the file extension, in Windows Explorer open Folder Options (Alt+T, O):

Folder Options => View => uncheck Hide extensions for known file types => Apply => OK

Make sure you revert the above change after the file is created.

Privileged Account for GRT

The NetBackup Client Service on the Active Directory domain controller must run under a Domain Admin privileged account.



Tuesday, February 10, 2015

How to identify the disk name in Netapp

We all know that every disk has a universal unique identifier (UUID) or serial number, but each disk also has a unique name that depends on how it is connected to the storage system.

Note :- Always remember that for internal disks the slot number is zero, and the internal port number depends on the system model.

First, the basics: each disk shelf has bays that hold the disks.

Ex:- A NetApp DS4243 is a 24-bay disk shelf that is 4U in size.

Each disk is identified by a name based on the shelf, the bay and the port to which the shelf is connected, and the naming scheme differs for each type of disk connection.
For the SAS, direct-attached type of disk connection the disk name is based on

<slot><port>.<shelf ID>.<bay>  (in short, I remember it as SPSB)

Ex:- If I have a disk in bay 12 of shelf 1, and the shelf is connected to onboard port A,

my disk ID would be :- 0a.1.12

For the FC-AL, direct-attached type of disk connection the name is based on

<slot><port>.<loopID>  (in short, I remember it as SPL)

Ex:- If my disk has loop ID 20 and is connected to port C of the expansion card in slot 8,

my disk ID would be :- 8c.20

For the FC-AL, switch-attached type of connection the name is based on

<switch_name>.<switch_port>.<loopID>

Ex:- If my disk has loop ID 40 and is connected to port 4 of switch SW4,

my disk ID would be :- SW4.4.40
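The three naming schemes above, as an added example that is not part of the original post: a small Python parser that classifies a Data ONTAP disk name, pulls out the slot, port, shelf, bay, loop ID or switch, flags onboard ports (slot 0, as the note above says), and rebuilds the name so that a round trip can be checked. It assumes that switch names start with a letter, which is what tells a switch-attached name apart from the digit-leading direct-attached forms; the kind labels and field names are my own.

```python
"""Added example: parse and rebuild Data ONTAP disk names for the three connection
types in the post (SAS direct, FC-AL direct, FC-AL switch-attached). Not NetApp code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# <slot><port>.<shelf ID>.<bay>          e.g. 0a.1.12   (SAS, direct-attached)
_SAS_RE = re.compile(r"^(?P<slot>\d+)(?P<port>[A-Za-z])\.(?P<shelf>\d+)\.(?P<bay>\d+)$")
# <slot><port>.<loopID>                  e.g. 8c.20     (FC-AL, direct-attached)
_FCAL_DIRECT_RE = re.compile(r"^(?P<slot>\d+)(?P<port>[A-Za-z])\.(?P<loop>\d+)$")
# <switch_name>.<switch_port>.<loopID>   e.g. SW4.4.40  (FC-AL, switch-attached)
# Assumption: switch names begin with a letter, so they never collide with "<slot><port>".
_FCAL_SWITCH_RE = re.compile(r"^(?P<switch>[A-Za-z][A-Za-z0-9_-]*)\.(?P<port>\d+)\.(?P<loop>\d+)$")


@dataclass(frozen=True)
class DiskName:
    kind: str                  # "sas", "fcal_direct" or "fcal_switch"
    slot: int | None = None    # 0 means an onboard port; internal disks always report slot 0
    port: str | None = None    # adapter port letter (lowercased) or switch port number as text
    shelf: int | None = None
    bay: int | None = None
    loop_id: int | None = None
    switch: str | None = None

    @property
    def onboard(self) -> bool:
        """True for direct-attached names whose slot is 0 (an onboard port)."""
        return self.slot == 0


def parse_disk_name(name: str) -> DiskName:
    """Classify a disk name and extract its components; raises ValueError on junk."""
    m = _SAS_RE.match(name)
    if m:
        return DiskName("sas", int(m["slot"]), m["port"].lower(), int(m["shelf"]), int(m["bay"]))
    m = _FCAL_DIRECT_RE.match(name)
    if m:
        return DiskName("fcal_direct", int(m["slot"]), m["port"].lower(), loop_id=int(m["loop"]))
    m = _FCAL_SWITCH_RE.match(name)
    if m:
        return DiskName("fcal_switch", port=m["port"], loop_id=int(m["loop"]), switch=m["switch"])
    raise ValueError(f"unrecognised disk name: {name!r}")


def build_disk_name(d: DiskName) -> str:
    """Inverse of parse_disk_name, so parse -> build round-trips a valid name."""
    if d.kind == "sas":
        return f"{d.slot}{d.port}.{d.shelf}.{d.bay}"
    if d.kind == "fcal_direct":
        return f"{d.slot}{d.port}.{d.loop_id}"
    if d.kind == "fcal_switch":
        return f"{d.switch}.{d.port}.{d.loop_id}"
    raise ValueError(f"unknown kind: {d.kind!r}")


def describe(name: str) -> str:
    """One-line, human-readable location of the disk, in the post's own terms."""
    d = parse_disk_name(name)
    if d.kind == "fcal_switch":
        return f"{name}: FC-AL switch-attached, loop ID {d.loop_id} on port {d.port} of switch {d.switch}"
    where = f"onboard port {d.port}" if d.onboard else f"slot {d.slot} port {d.port}"
    if d.kind == "sas":
        return f"{name}: SAS direct-attached, bay {d.bay} of shelf {d.shelf} on {where}"
    return f"{name}: FC-AL direct-attached, loop ID {d.loop_id} on {where}"


if __name__ == "__main__":
    # The three constructed names from the post's examples.
    for n in ("0a.1.12", "8c.20", "SW4.4.40"):
        print(describe(n))
```

Feed it the names exactly as they appear in sysconfig or disk show output; anything that does not match one of the three shapes raises rather than being silently mis-classified, which is the behaviour you want when the parser feeds an inventory or audit script.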

Disk Physical Size Vs Usable Size


Wednesday, January 7, 2015

Tool to analyze Netapp Perfstat Output

Wondering how to analyze NetApp Perfstat output? The tool below will help you see the CPU, disk overhead, etc.

1) Download and run the .exe from the link above.
2) It opens a command prompt on your Windows machine where you key in the Perfstat file name.

3) Enter the Perfstat file name with its complete path.

4) Now enter the controller name for which you want to analyze the Perfstat.

This generates three text files, for NETWORK, CPU and DISK, in the same folder where perfstat_analyzer.exe is located.

Friday, January 2, 2015

Difference Between Netbackup and Backupexec

We know that NetBackup is for enterprise-level environments and Backup Exec for mid-sized ones; I would like to highlight a few more differences that are usually considered when discussing these two leading backup products from Symantec.

| Category | Backup Exec | NetBackup |
|---|---|---|
| Latest version | 2014 | 7.6.0.2 |
| Database in the backend | Microsoft SQL | Sybase |
| Tape format | BKF | TAR |
| Reporting | Native | OpsCenter |
| Management | CASO (Central Admin Server Option) can manage multiple media servers deployed across the domain | NetBackup master server can manage multiple media servers, SAN media servers and clients centrally |
| Can read from NetBackup/Backup Exec | Not supported to read NetBackup images into Backup Exec | Supported until BE 2012; later versions not supported |
| NDMP | Supported | Supported |
| De-duplication | Supported | Supported |
| GRT | Supported | Supported |
| BMR | Supported | Supported |
| Tape library, VTL and autoloader | Supported | Supported |
| Tape-out protocols FC and iSCSI | Supported | Supported |
| Multistreaming backups | Not supported | Supported |
| Multiplexed backups | Not supported | Supported |
| VMware and Hyper-V environments | Supported | Supported |
| Offline and online backups | Supported | Supported |
| Automatic scheduled and manual backups | Supported | Supported |
| Media server support | Windows only | Windows as well as UNIX |
| Client support | Windows and Linux only | Windows as well as UNIX |
| Disk-based backups | Supported | Supported |
| Encryption | Supported | Supported |
| SAN backups | Supported | Supported |
| Convert backups to virtual machines | Supported | Supported |

Wednesday, December 24, 2014

Difference between Snapmirror and Snapvault

Most of my clients had these doubts about SnapMirror and SnapVault:
1) What are the differences between the two, as both copy from source to destination?
2) Why do we need two products for backup?
3) Why do I need to buy two product licenses instead of just one product?
4) What are my RTO and RPO with these products, and which one is better for DR?
Here I am trying to explain the exact difference between SnapMirror and SnapVault, starting with the basics.
What is SnapVault?

A SnapVault backup is a collection of Snapshot copies on a Flex volume that you can restore data from if the primary data is not usable. Snapshot copies are created based on a Snapshot policy. The SnapVault backup backs up Snapshot copies based on its schedule and SnapVault policy rules.
A SnapVault backup is a disk-to-disk backup solution that you can also use to offload tape backups. In the event of data loss or corruption on a system, backed-up data can be restored from the SnapVault secondary volume with less downtime and uncertainty than is associated with conventional tape backup and restore operations.
What is SnapMirror?

SnapMirror is a feature of Data ONTAP that enables you to replicate data. SnapMirror enables you to replicate data from specified source volumes or qtrees to specified destination volumes or qtrees, respectively. You need a separate license to use SnapMirror.
You can use SnapMirror to replicate data within the same storage system or with different storage systems.
Now let us see what the difference between SnapVault and SnapMirror is.
The first statement I would make about the difference is: "SnapVault is a backup solution, whereas SnapMirror is a DR solution."
SnapVault is a backup solution: we can have long snapshot retention periods on the destination filer, and slower, low-RPM disks can be used at the destination to minimize the budget. In case of a disaster we can restore data from the destination filer to the source filer, but we cannot make the destination the source to serve the data, because SnapVault destinations are READ ONLY.
SnapMirror is a DR solution: we can use Sync, Semi-Sync and Async relationships, and we can easily restore accidentally deleted or lost data to the source filer if no updates were performed in the meantime. If there is a total disaster on the source side we can immediately perform a reverse SnapMirror, make the destination volume/qtree read-write and provide access to the clients. This means low RTO and RPO, and therefore short outages. Once the source is ready we can resync the destination to the source and continue with the source as before.
Notable differences

Qtree SnapMirror:
· More suitable for providing immediate failover capability.
· Uses the same functionality and licensing on the source and destination systems.
· Transfers can be scheduled at a maximum rate of once every minute.
· Relationships can be reversed. This allows the source to be re-synchronized with changes made at the destination.

SnapVault:
· More suitable where data availability is less critical and immediate failover is not required.
· Uses a SnapVault source system and a SnapVault destination system, which provide different functionality.
· Transfers can be scheduled at a maximum rate of once every hour.
· Snapshot copies are retained and deleted on a specified schedule.
· Relationships cannot be reversed. Data can be transferred from the destination to the source only to restore data; the direction of replication cannot be reversed.
To summarize:
SnapVault is more of a backup solution than a disaster recovery solution, but if you are in deep trouble and need your production up ASAP, you can convert the SnapVault qtree into a SnapMirror qtree (I haven't tried it, but it can be done from DIAG mode with the snapvault convert command).
SnapMirror is purely a replication solution that saves us in case of disaster.
So, based on the differences above, we can easily judge which solution will have the higher RTO and RPO.
The license structure was designed by NetApp; as we already know, we need to have a primary as well as a secondary license.
Hope this helped !!