Can I disable web services in NetBackup 8.1.1

kymbo
Level 2

Hi 

We are planning an update from NetBackup 7.7.3 to 8.1.1 and read that version 8.0 and up uses a web server for critical backup operations.

We have security concerns about creating new web services on our system. Can this be disabled or not installed?

4 REPLIES 4

Anshu_Pathak
Level 5

I know a webserver scares every security person, but this is what you need to know about the webserver (Apache Tomcat) hosted on the NetBackup master server.

1. It listens only on the loopback (127.0.0.1) IP address, so the external world cannot directly connect to it. Hackers cannot exploit it as they cannot remotely connect to this webserver.

2. NetBackup 8.1.1 uses TLSv1.2, which is the most secure release of TLS. You can disable TLSv1.0, TLSv1.1 and weak cipher suites by following these technotes.

Disable specific versions of the TLS protocol in NetBackup using the DisableTLSProtocol configuration parameter
https://www.veritas.com/support/en_US/article.000126198

Disabling RC4 cipher suite in NetBackup Authentication Service (nbatd)
https://www.veritas.com/support/en_US/article.100013292

3. The only way to remotely connect to this webserver is via the PBX port (1556) on the master server --> then get authenticated by the provided OS credentials --> pass authorization checks --> then you get access to the NetBackup catalog (not all catalog data and no access to storage location).

4. NetBackup now uses certificates while establishing a connection with a remote NetBackup host (master, media & client). It is like accessing internet banking. The NetBackup master server acts as Certificate Authority (CA - like VeriSign & Google) and issues a certificate to each media server and client that is part of this master server. This certificate is used to validate the host and set up an SSL (encrypted) channel for control connections. The webserver is the centerpiece of this entire architecture, hence you cannot disable or stop it.

5. Veritas engineering has done an excellent job in ensuring the security and reliability of this webserver. Do not worry and enjoy the new features in 8.1.1. As you have not yet completed the upgrade, I suggest you go to 8.1.2 (expected GA later this month).

BIG QUESTION: Why did Veritas do it?

So that other applications (Veritas and non-Veritas) can use the REST (RESTful) API to query NetBackup data. NetBackup is the key product in the Veritas portfolio and acts like the sun in a solar system for other Veritas products (planets revolving around the sun).

If you get exposed to the coming NetBackup release 8.1.2 (expected later this month) you would love its new features and the webserver (running on the master server) responsible for making that happen.
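One way to check points 1 and 3 of the reply above on your own master server, as an added example that is not part of the original post or any Veritas code: parse `ss -H -ltn` output and report every listener reachable off-host other than PBX 1556. The sample lines are constructed, and 8443 as the web server port is an assumption for illustration.

```python
import ipaddress

# Constructed `ss -H -ltn` samples (not captured from a real master server).
# 1556 (PBX) comes from the post; 8443 for the web server is an assumed port.
GOOD_SS = """\
LISTEN 0 100 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1556 0.0.0.0:*
LISTEN 0 128 [::]:1556 [::]:*
"""
BAD_SS = GOOD_SS + "LISTEN 0 100 *:8443 *:*\n"  # web server bound to all interfaces


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -H -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        # Drop IPv6 brackets and any %interface scope suffix.
        host = host.strip("[]").split("%")[0]
        yield host, int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; '*', 0.0.0.0 and :: are wildcards."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback


def audit(ss_output, allowed_remote_ports):
    """Return sorted (host, port) listeners exposed off-host and not allowed."""
    return sorted({(h, p) for h, p in parse_listeners(ss_output)
                   if not is_loopback(h) and p not in allowed_remote_ports})


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SS), ("bad", BAD_SS)):
        findings = audit(sample, allowed_remote_ports={1556})
        print(name, "->", findings or "only loopback listeners and PBX 1556")
```

On a real host, feed it the output of `ss -H -ltn` and extend the allowed set with the other ports your deployment is expected to expose.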

Nicolai
Moderator

Nope, NetBackup will not work.

To create an abstraction layer between the different parts of NetBackup, REST API calls will also be used internally.

Previously, code changes in one area of NetBackup could break functionality in another. To avoid this, NetBackup components will use REST calls; then, as long as the REST calls work as defined, the code base should be unaffected.

And since REST is an HTTP request, the functionality can be automatically tested at Veritas.

Hi Anshu,

That was a great reply! Thanks for putting in the effort to explain your answer so thoroughly. I will take this into consideration when planning our upgrade.

Hi Nicolai,

I had a feeling this might be the case.

Thanks for your reply.