11-28-2012 04:08 PM
Can someone tell me a definitive way to confirm the KMS files are not on my catalog tape?
This page seems to try to comfort us in the fact that the KMS directory is not included in the catalog backup.
http://www.symantec.com/business/support/index?page=content&id=HOWTO70216&actp=search&viewlocale=en_US&searchid=1354144775590
"If the KPK, HMK, and key file were included in a catalog backup, and the catalog backup itself is encrypted, you have done the equivalent of locking the keys in the car. To protect from this problem is why KMS has been established as a separate service for NetBackup and why the KMS files are in a separate directory from the NetBackup directories."
But I'm not so comforted, given that the KMS files are in /opt/openv/kms. This doesn't look too separate from the NetBackup directories. Our previous catalog backup used to have this file list: "/opt/openv/".
Maybe the Hot Catalog backup excludes /opt/openv/kms. But since there's no "backup selections" pane in the properties of that policy, I can't confirm this.
And, not having that confirmed, I might just be sending my keys out along with my encrypted backups, totally defeating the purpose.
I've looked in the /opt/openv/netbackup/db/images/<master server>/1351000000/hot-catalog-backup_****_FULL.f files, and there doesn't seem to be a proper, readable file list. However, the string "opt openv" appears in all of them.
Can someone tell me a definitive way to confirm the KMS files are not on my catalog tape, without finding a way to restore my catalog (without overwriting the current one)?
Thanks!
11-28-2012 05:32 PM
If you open BAR (the restore interface), select your master server as the source client, then select NBU-Catalog as the policy type, you will be able to browse the files that have been backed up in a catalog backup, just like when you are doing a normal file restore.
You will find that the KMS files should not be there.
11-28-2012 06:46 PM
As clearly documented, KMS files are not included in catalog backup. Why do you need to confirm it?
Our previous catalog backup used to have this file list: "/opt/openv/".
This means you used to add /opt/openv into the offline catalog backup selections - this path is not included by default.
For now, NetBackup only supports online catalog backup, and it works as documented.
You can also check if KMS files are not in catalog backup using the bplist command.
bplist -t 35 -R / | findstr KMS
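Added example, not part of any reply in this thread: findstr is the Windows search tool, so on a UNIX master like the one in the question the same bplist listing can be saved to a file and checked with grep. The sketch below treats an empty listing as inconclusive rather than clean and matches kms only as a whole path component. The function names and the sample listing lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a catalog-backup file listing contains KMS paths.
# Assumed usage on the master server (bplist command taken from the thread):
#   bplist -t 35 -R / > /tmp/catalog.lst
#   check_catalog_listing /tmp/catalog.lst

# "kms" as a whole path component (the thread gives the directory as /opt/openv/kms).
KMS_PATTERN='(^|/)kms(/|$)'

# Returns 0 = listing present and clean, 1 = KMS paths found, 2 = inconclusive.
check_catalog_listing() {
    listing=$1
    # A missing or empty listing proves nothing: bplist may have failed or
    # matched no backup image, so it must never be reported as "clean".
    if [ ! -s "$listing" ]; then
        echo "INCONCLUSIVE: listing is empty or missing" >&2
        return 2
    fi
    # Case-insensitive and anchored on path separators, so /opt/openv/kms/...
    # matches but a file such as .../kmsnotes.txt does not.
    hits=$(grep -iE "$KMS_PATTERN" "$listing" || true)
    if [ -n "$hits" ]; then
        echo "KMS paths present in catalog backup listing:" >&2
        printf '%s\n' "$hits" >&2
        return 1
    fi
    echo "OK: $(wc -l < "$listing" | tr -d ' ') entries, none under a kms directory"
    return 0
}

# Constructed sample listings (not real bplist output) for a dry run.
make_samples() {
    dir=$1
    printf '%s\n' /opt/openv/netbackup/db/images/ /opt/openv/netbackup/db/class/ \
        /opt/openv/var/global/server.conf > "$dir/clean.lst"
    printf '%s\n' /opt/openv/netbackup/db/images/ /opt/openv/kms/db/KMS_DATA.dat \
        > "$dir/leaky.lst"
    : > "$dir/empty.lst"
}
```

A return code of 2 means the listing should be regenerated before drawing any conclusion about the tape.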
11-28-2012 07:11 PM
In addition to the above excellent posts, please read through chapter 17 of NBU Admin Guide I:
PS: You can find the same section in 7.1 version of Admin Guide I.
11-29-2012 12:03 PM
Thank you! That was simple, and completely effective.
11-29-2012 12:08 PM
I chose the first solution because, very often, the product and the documentation have some minor differences. During 12 years of being a NetBackup admin, I've seen at least a few times where the documentation and product differed. I asked for a way to "confirm" that the product operated as the documentation specified, and that was the easiest way.
I appreciate all the responses, and how quickly they came!