Client Based Encryption (Master: Windows, Client: Linux)

Created: 17 May 2013 • Updated: 18 May 2013 | 3 comments
This issue has been solved. See solution.

Encryption mode: Client encryption

Recently upgraded the master server to 7.5.0.5, but clients are yet to be migrated/upgraded to this level; currently clients are on the 6.5.x versions.

I have a need to build a new client (Linux server) with a requirement to maintain the environment as close to production as possible, hence went ahead and installed 6.5.6, but realised something has changed in how the setup of client encryption is meant to work. In previous versions, I needed to run the following, a process that copies files to the client:

bpinst -ENCRYPTION <client>

Following which, I would set the passphrase using the following command:

bpkeyutil -insert -clients <client>

These were in my documentation, but I realised now that the master server's bpinst has changed and does not have the -ENCRYPTION option. Has anyone done this?

At this point it means I can't proceed with the client setup, which needs the encryption set to be able to restore from production media.

Please note I still need to maintain many clients at 6.5.6 for now, hence a solution that would allow me to set up this new server is required.

Regards.

Karwak


CRZ's picture

In 7.x, client encryption is automatically installed (along with a lot of other previously separate packages).

You will either need a 6.5 server from which you can run the bpinst command, or see if you can find a 6.5 "UNIX Options" CD or ISO image you can mount for a local installation (and afterwards, you'll need to apply the 6.5.6 "ENC" Release Update, which you can find attached to TECH129331.)  More information on how to install 6.5 CEO (Client Encryption Option) can be found starting on page 256 of the 6.5 Security and Encryption Guide:

Veritas NetBackup (tm) 6.5 Security and Encryption Guide: Provides security configuration and administration information for NetBackup 6.5 administrators, including: - Security Deployment Models - Access control security - Firewall Configuration - Firewall ports used for communication - How to back up data through a firewall
 http://symantec.com/docs/TECH52825

Release Update NB_ENC_6.5.6.tar provides fixes for the Veritas NetBackup (tm) Enterprise Server / Server 6.5 Encryption Agent on UNIX clients.
 http://symantec.com/docs/TECH129331

Good luck!


SOLUTION
Karwak Kotin's picture

Thanks Chris,

Gone ahead and temporarily installed a Windows 6.5 Master server and "pushed" the encryption to the Linux client. Will progress with a fresh install of a Windows 7.5.0.5 Master server and confirm that I can restore to the Linux client now that the encryption has been set.

Will confirm with bpkeyutil -display -client <client name> that in the new server's environment, the settings still exist.

Thanks again,

Karwak.

Karwak Kotin's picture

Completed the upgrade to 7.5.0.5, and hit another issue.

I am running on a server with a standalone drive. When I try to do a catalog recovery from a tape from the production server, the job appears to run but nothing much is happening.

Queried at the cmd prompt with bpdbjobs -report and identified the jobid, and on query, it shows the following:

 

C:\Documents and Settings\ops>bpdbjobs -report -most_columns -jobid 4
4,2,1,,,,w3bhobxx01,w3bhobxx01,1369044505,0000000039,0000000000,,1,0,,,,0,3008,root,,,,90000,,w3bhobxx01,,,,0,0,0,0,,,,,,,,,,
w3bhobxx01,CAT004,,,0,0,,,,,1,,,,Required media server is offline for tape (NetBackup HCART1, w3bhobxx01),
 

I only have a standalone tape drive, and the server is both master and media. All processes under services show as running; not sure what else to check.

Under Devices -> Media Servers, the currently shown status is Active for disk, and using technote TECH168379, I have run the command

nbemmcmd -updatehost -machinename <mediaserver hostname> -machinetype media -machinestateop set_tape_active -masterserver <masterserver hostname>

This changes that status to read Active for Tape and Disk, and subsequently trying a catalog restore, I got an error as below.

image_1.png

Was not sure if I needed to take this route, but that's my effort so far. Puzzled by the error showing a Unix path while this server is on Windows.

Regards,

Karwak