NetBackup KMS when appliance is master/media?

sdo
Moderator
Partner    VIP    Certified

Hi,

Master/media NB5230 v2.6.0.1, and FC to LTO6 drives in HP MSL 2024.

I know how to set up and configure NetBackup KMS. At this point in time I'm not interested in MSEO.

The Appliance v2.6.0.1 Admin Guide, on page 106, says:

"The NetBackup appliance supports writing to the tape devices that are capable of SCSI T10 encryption to ensure that the tape media that is moved off-site is secure. Tape encryption requires configuration the NetBackup Key Management Service (KMS) feature.
Note: The KMS feature is supported when the appliance is configured as a media server only in a NetBackup domain. A NetBackup master server appliance cannot administrate KMS. A non-appliance master server is required to administrate KMS with the devices that are connected to a NetBackup appliance."

 

Obviously it is quite clear that:

- NetBackup KMS on appliance master            not supported   (because it cannot see tape drives)

- NetBackup KMS on appliance media             supported         (because it can see tape drives)

But, can I infer that this is true:

- NetBackup KMS on appliance master/media  supported       (because it can see tape drives)

...because the appliance (although acting as a master server) is also acting as a media server.

 

However, this would conflict with '...is supported when the appliance is configured as a media server only...'

And here grammar can get in the way - is NetBackup KMS supported on media appliances 'only' when in a NetBackup domain?  If so, then is NetBackup KMS supported on master/media servers because the media server function is a member of a NetBackup domain, i.e. the master function on the same appliance?

I wish the document made a statement regarding appliances that are 'master/media'.

Thanks.

1 ACCEPTED SOLUTION

CRZ
Level 6
Employee Accredited Certified

Now, having SAID that, let me point out THIS note on page 9 of that same HCL:

With version 2.6 and later, KMS is supported with Appliances configured as either a Master or a Media Server. With a NetBackupCLI administrator account in the NetBackup Appliance Shell Menu, an Appliance Master Server can administrate KMS with tape devices connected to itself or another NetBackup Appliance. Regenerating the data encryption key is the only supported method of recovering KMS on an Appliance Master Server.


With versions earlier than 2.6, KMS is only supported when the Appliance is configured as a Media Server, and a non-Appliance Master Server is required to administrate KMS with devices connected to a NetBackup Appliance.

This appears to override the previous stuff I just quoted.  So now I'm going to flip-flop and speculate that perhaps something DID change in 2.6... yet didn't make it into the 2.6.0.1 Admin Guide - or the 2.6.0.2 one, for that matter.

So...ignore my previous post and go with this one.  :)    YES, it is now supported for any master server from 2.6 forward.  (We'll try to fix that note up there in the 2.6.0.3 Guide.)

(Researching further, I think there had to be some CLISH changes that had to be made before we could say it was "supported.")

3 REPLIES

CRZ
Level 6
Employee Accredited Certified

I read it as media YES, master NO.  And media/master is still a "master" so NO.

I agree the grammar for "only" may be a little vague if that single sentence is taken on its own (although is there some other kind of domain besides a NetBackup one?), but the very next sentence, "A NetBackup master server appliance cannot administrate KMS," reads pretty clear to me.

But if that's not enough, here's a very clear note at the very top of the NetBackup 5200 Series - Supported Functionality table in the HCL (page 8):

Key Management Service (KMS) and NetBackup Access Control (NBAC) are not supported when the Appliance is configured as a Master Server.

Again, you might try "but I'm talking about a media/master" but to us, you're still just describing a master.

Symantec NetBackup (tm) Server / Enterprise Server 7.x Hardware Compatibility List (HCL) (updated June 25, 2014).
 http://symantec.com/docs/TECH76495

So...short answer: no, and no amount of "lawyering" is gonna change that no.  Sorry!

Anticipating your next question, "why is this so?"  I have no idea!  However, I'm sure there's a good story behind it, backed up by a lot of misery for some poor sucker who tried to make it work.  ;)

sdo
Moderator
Partner    VIP    Certified

Awesome.  Thanks Chris.   (enjoyed the lawyering comment :)