05-08-2014 04:48 AM
We are looking to implement KMS - does anyone have experience with this and offsite recovery - specifically how to recovery the key database on the DR master server?
Solved! Go to Solution.
05-08-2014 05:01 AM
Doing exactly this for a customer at the moment..
Things to really help...
1. Same version of NetBackup at both sites
2. Same tape drive manufacturer and firmware release
3. Same ENCR_ volume pool names
Once all this is in place you use the nbkmsutil -recoverkey on the DR site to put the key in place on that system after which things should work
We have an issue at the moment with our as we are importing tapes into another live system rather than a DR one and are getting status 19 on the phase 2 import (write protect error but actually indicates that it does not think the encryption key is correct)
We have IBM drives on one site and HP on the other so wonder if that is part of the issue but we have a case open at the moment and i will update this for you when we have it solved in case it helps you in the future
#EDIT#
obviously you will need to know all of the key details for the DR site!
05-08-2014 05:18 AM
Or you can copy out the key information using the tools provided / follow the documented process.
Mark_S says same drives at both sites: I dont agree: you need drives capable of supporting the standard. Ive got IBM at source and HP at target. It works. But on the flip side when it doesnt work you have an added complication, so if given a choice I would buy same.
Just curious as to why you are importing tapes..that could be done on either the source or the DR no? It's not strictly DR, but your work practices may dictate such a move.
Jim
05-08-2014 05:01 AM
Doing exactly this for a customer at the moment..
Things to really help...
1. Same version of NetBackup at both sites
2. Same tape drive manufacturer and firmware release
3. Same ENCR_ volume pool names
Once all this is in place you use the nbkmsutil -recoverkey on the DR site to put the key in place on that system after which things should work
We have an issue at the moment with our as we are importing tapes into another live system rather than a DR one and are getting status 19 on the phase 2 import (write protect error but actually indicates that it does not think the encryption key is correct)
We have IBM drives on one site and HP on the other so wonder if that is part of the issue but we have a case open at the moment and i will update this for you when we have it solved in case it helps you in the future
#EDIT#
obviously you will need to know all of the key details for the DR site!
05-08-2014 05:18 AM
Or you can copy out the key information using the tools provided / follow the documented process.
Mark_S says same drives at both sites: I dont agree: you need drives capable of supporting the standard. Ive got IBM at source and HP at target. It works. But on the flip side when it doesnt work you have an added complication, so if given a choice I would buy same.
Just curious as to why you are importing tapes..that could be done on either the source or the DR no? It's not strictly DR, but your work practices may dictate such a move.
Jim
05-08-2014 05:26 AM
Jim - in our case both sites are live and using Encryption - there was a need to recover data on another site hence importing the tapes - our issue is the phase 2 will not work - awaiting support to identify the issue
05-09-2014 01:16 AM
Jim - would you be able to ping me the documentation you mentioned for the process of exporting/copying out the keys
05-09-2014 02:35 AM
Search for Netbackup Security and Encryption Guide. The 7.5 ver covers it on pages 316,7. Its trivial.
Jim
05-09-2014 02:42 AM
7.5 guide : http://www.symantec.com/docs/DOC5185
7.6 guide : http://www.symantec.com/docs/DOC6486
05-12-2014 07:38 AM
Jim & Mark - brilliant, many thanks!
05-12-2014 07:44 AM
Don't forget once you have the answer you need to close the thread off using the Mark as solutions or Request split solution option against the reply(ies) that helped you