Solved: How do I confirm KMS files are not included in Cat...

JsinJ · ‎11-28-2012

Can someone tell me a definitive way to confirm the KMS files are not on my catalog tape?

This page seems to try to comfort us in the fact that the KMS directory is not included in the catalog backup.

http://www.symantec.com/business/support/index?page=content&id=HOWTO70216&actp=search&viewlocale=en_US&searchid=1354144775590

"If the KPK, HMK, and key file were included in a catalog backup, and the catalog backup itself is encrypted, you have done the equivalent of locking the keys in the car. To protect from this problem is why KMS has been established as a separate service for NetBackup and why the KMS files are in a separate directory from the NetBackup directories."

But I'm not so comforted, given that the kms files are in /opt/openv/kms. This doesn't look too separate from the Netbackup directories. Our previous catalog backup used to have this file list: "/opt/openv/".

Maybe the Hot Catalog backup excludes /opt/openv/kms. But since there's no "backup selections" pane in the properties of that policy, I can't confirm this.

And, not having that confirmed, I might just be sending my keys out along with my encrypted backups, totally defeating the purpose.

I've looked in the /opt/openv/netbackup/db/images/<master server>/1351000000/hot-catalog-backup_****_FULL.f files, and there doesn't seem to be a proper, readable file list. However, the string "opt openv" appears in all of them.

Can someone tell me a definitive way to confirm the KMS files are not on my catalog tape, without finding a way to restore my catalog (without overwriting the current one)?

Thanks!

RLeon · ‎11-28-2012

If you open BAR (the restore interface), select your master server as the source client, then select NBU-Catalog as the policy type, you will be able to browse the files that has been backed up in a catalog backup, just like when you are doing a normal file restore.
You will find that the KMS files should not be there.

View solution in original post

RLeon · ‎11-28-2012

If you open BAR (the restore interface), select your master server as the source client, then select NBU-Catalog as the policy type, you will be able to browse the files that has been backed up in a catalog backup, just like when you are doing a normal file restore.
You will find that the KMS files should not be there.

Yasuhisa_Ishika · ‎11-28-2012

As clearly documented, KMS files are not included in catalog backup. Why do you need to confirm it?

Our previous catalog backup used to have this file list: "/opt/openv/".

This means you used to add /opt/openv into offline cataog backup selections - this path is not included by defaut.
For now, NetBackup only support online catalog backup, and it works as documented.

You can also check if KMS files are not in catalog backup using bplist command.

bplist -t 35 -R / | findstr KMS

Marianne · ‎11-28-2012

In addition to above excellent posts, please read through chapter 17 of NBU Admin Guide I:

Protecting the NetBackup catalog

This chapter includes the following topics:

■ About the NetBackup catalog

■ About the catalog upon upgrade to NetBackup 7.5

■ Parts of the NetBackup catalog

■ Protecting the NetBackup catalog
■ .......

You will see that /opt/openv/kms is NOT part of NBU catalog and definitely not included in catalog backup.

PS: You can find the same section in 7.1 version of Admin Guide I.

Handy NetBackup Links

JsinJ · ‎11-29-2012

Thank you! That was simple, and completely effective.

JsinJ · ‎11-29-2012

I chose the first solution because, very often, the product and the documentation have some minor differences. During 12 years of being a Netbackup admin, I've seen at least few times where the documentation and product differed. I asked for a way to "confirm" that the product operated as the documentation specified, and that was the easiest way.

I appreciate all the responses, and how quickly they came!

VOX

How do I confirm KMS files are not included in Catalog Backup