Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Verify KMS Encryption NetBackup 7.5

Created: 26 Sep 2012 • Updated: 02 Oct 2012 | 15 comments
This issue has been solved. See solution.

I hope this helps others, I just spent the last 2 weeks searching around trying to find this answer.

Here are steps to verify KMS encryption on tapes with NetBackup 7.5;
Find the jobs on a particular tape you think may be encrypted;
/usr/openv/netbackup/bin/admincmd/bpimmedia -L -mediaid <media name>
get the "Backup-ID" in the first column
then run;
/usr/openv/netbackup/bin/admincmd/bpimagelist -backupid <Backup-ID> -L | grep "Flags:"
if tape is encrypted with KMS this will display;
" Flags: 0x40 (Tape Encrypted)"
and if tape is NOT encrypted this will display;
" Flags: 0x0"

Comments 15 CommentsJump to latest comment

Nicolai's picture

Thanks for sharing.

Assumption is the mother of all mess ups.

If this post answered your'e qustion -  Please mark as a soloution.

Mark_Solutions's picture

Many tape libraries also detect the encryption via the firmware and when you view the media in the tape library web GUI it also reports which tapes are encrypted

Hope this also helps

Authorised Symantec Consultant

Don't forget to "Mark as Solution" if someones advice has solved your issue - and please bring back the Thumbs Up!!.

MikeSB's picture

Mark,

Thanks for the feedback.. as you say "Many tape libraries" detect encryption, mine does not fall into the Many catagory.

Regards,

Mike

CRZ's picture

Did none of the procedures listed in this TechNote work for you?

How to verify KMS encrypted the backup
 http://www.symantec.com/docs/TECH127166

(Did you know this TechNote existed?)

There's also this TechNote based on pages 324-325 from the Encryption Guide:

Example of verifying an encryption backup
 http://www.symantec.com/docs/HOWTO46852

Symantec NetBackup 7.5 Security and Encryption Guide
 http://www.symantec.com/docs/DOC5185

 


bit.ly/76LBN | APPLBN | 75LBN

MikeSB's picture

Chris,

This is what took me 2 weeks to wade through, and in the TechNote (TECH127166) you provided .

OPTION 1 Was not great (Since I had the KeyGroup / Key / Pool and Policy all called ENCR_tmp), until I looked further down in the output from "bpimagelist" command and seen the light.

OPTION 2 shows me "0" for the "Encryption Key Tag" in the GUI, this is what made it so difficult to track down.

OPTION 3 I had also found a different TechNote that had a different suggestion of removing the Key and try the restore, but again the TechNote had notes saying output should look like this "blah..blah..blah.., and that is not what I see :-(

and as far as HOWTO46852 again it points me to OPTION 2 above :-(

and of course pages 324-325 from the Encryption Guide are the same as OPTION 2 above.

Are you seeing why it took me 2 weeks to track this down.. to verify.

Regards,

Mike.

CRZ's picture

Thanks for that very valuable feedback, Mike!  I'll have to see if we can incorporate your information into our documentation (or at least a TechNote) and try to save other folks a couple weeks.


bit.ly/76LBN | APPLBN | 75LBN

CRZ's picture

Hi Mike,

I JUST learned there's a defect in bpimmedia which you might be hitting.  This entry is in the 7.5.0.4 Release Notes (page 48):

Etrack Incident: 2826378
■ Description:
A missing Key Management Server tag in the bpimmedia output has been added.

NetBackup 7.5.0.4 Release Notes
 http://symantec.com/docs/DOC5514

Is there any chance you could apply 7.5.0.4?  (If not, there may be an EEB available under Etrack 2793446 depending on which version you're at.)  I believe your "0" will change to a real tag after that, which would make a little more sense, now that I think about it...


bit.ly/76LBN | APPLBN | 75LBN

MikeSB's picture

Chris,

Where do I download patch releases to apply this, I can only see the 7.5 Base in the Software download area?

When I get access to the patch, I will apply this today and test it.

Mike

MikeSB's picture

Chris,

It now works as advertised!!

Thanks for the feedback.

Regards,

Mike

CRZ's picture

yes

I'm just sorry I couldn't tell you this two weeks ago!


bit.ly/76LBN | APPLBN | 75LBN

Mark_Solutions's picture

All patches come from the support site:

http://www.symantec.com/docs/TECH194138

 

Authorised Symantec Consultant

Don't forget to "Mark as Solution" if someones advice has solved your issue - and please bring back the Thumbs Up!!.

Marianne's picture

See this 'Featured' post as well:

https://www-secure.symantec.com/connect/forums/netbackup-7504-netbackup-75-maintenance-release-4-now-available

 

Supporting Storage Foundation and VCS on Unix and Windows as well as NetBackup on Unix and Windows
Handy NBU Links

RReyes76's picture

Hello To all,

 

I got this same issue with the KMS and I applied the service maintenance 7.5.04 and I still have this issue related with the "0" result on the the Encription Key tag Gui, so in my case updating to this latest maintenance pack didn't work, I have already opened a ticket with Symantec support but so far no help was provided, what else can be done to resolve this issue?

 

in case that any screen shot needs to be uploading for more reference please let me know.

 

thanks in advance for any help you could provide

MikeSB's picture

RReyes76,

Did you test some of the other steps in the Tech Docs above, to verify you really are setup for encryption, first test is the commands I had listed in this original thread, should also work in Windows (except the grep command)

and the 2nd thing to test is outlined in the TechDoc Chris had first posted, it involved deactivating the KMS key (do not delete) and test a restore, if restore still works, then for some reason your KMS install is not fully setup.

Let me know if you need the Step by Step for the KMS setup.

Regards,

Mike.

CRZ's picture

Windows GUI may still be an issue even at 7.5.0.4.  Tell your TSE you think you may need the EEB listed under Etrack 2962480 and send them your screen shot.


bit.ly/76LBN | APPLBN | 75LBN