cancel
Showing results for 
Search instead for 
Did you mean: 

KMS with tape (no OST) - best practice around offsite recovery

itcsge
Level 3

We are looking to implement KMS -  does anyone have experience with this and offsite recovery - specifically how to recovery the key database on the DR master server?

2 ACCEPTED SOLUTIONS

Accepted Solutions

Mark_Solutions
Level 6
Partner Accredited Certified

Doing exactly this for a customer at the moment..

Things to really help...

1. Same version of NetBackup at both sites

2. Same tape drive manufacturer and firmware release

3. Same ENCR_ volume pool names

Once all this is in place you use the nbkmsutil -recoverkey on the DR site to put the key in place on that system after which things should work

We have an issue at the moment with our as we are importing tapes into another live system rather than a DR one and are getting status 19 on the phase 2 import (write protect error but actually indicates that it does not think the encryption key is correct)

We have IBM drives on one site and HP on the other so wonder if that is part of the issue but we have a case open at the moment and i will update this for you when we have it solved in case it helps you in the future

#EDIT#

obviously you will need to know all of the key details for the DR site!

View solution in original post

jim_dalton
Level 6

Or you can copy out the key information using the  tools provided / follow the documented process.

Mark_S says same drives at both sites: I dont agree: you need drives capable of supporting the standard. Ive got IBM at source and HP at target. It works. But on the flip side when it doesnt work you have an added complication, so if given a choice I would buy same.

Just curious as to why you are importing tapes..that could be done on either the source or the DR no? It's not strictly DR, but your work practices may dictate such a move.

Jim

View solution in original post

8 REPLIES 8

Mark_Solutions
Level 6
Partner Accredited Certified

Doing exactly this for a customer at the moment..

Things to really help...

1. Same version of NetBackup at both sites

2. Same tape drive manufacturer and firmware release

3. Same ENCR_ volume pool names

Once all this is in place you use the nbkmsutil -recoverkey on the DR site to put the key in place on that system after which things should work

We have an issue at the moment with our as we are importing tapes into another live system rather than a DR one and are getting status 19 on the phase 2 import (write protect error but actually indicates that it does not think the encryption key is correct)

We have IBM drives on one site and HP on the other so wonder if that is part of the issue but we have a case open at the moment and i will update this for you when we have it solved in case it helps you in the future

#EDIT#

obviously you will need to know all of the key details for the DR site!

View solution in original post

jim_dalton
Level 6

Or you can copy out the key information using the  tools provided / follow the documented process.

Mark_S says same drives at both sites: I dont agree: you need drives capable of supporting the standard. Ive got IBM at source and HP at target. It works. But on the flip side when it doesnt work you have an added complication, so if given a choice I would buy same.

Just curious as to why you are importing tapes..that could be done on either the source or the DR no? It's not strictly DR, but your work practices may dictate such a move.

Jim

View solution in original post

Mark_Solutions
Level 6
Partner Accredited Certified

Jim - in our case both sites are live and using Encryption - there was a need to recover data on another site hence importing the tapes - our issue is the phase 2 will not work - awaiting support to identify the issue

itcsge
Level 3

Jim - would you be able to ping me the documentation you mentioned for the process of exporting/copying out the keys

jim_dalton
Level 6

Search for Netbackup Security and Encryption Guide. The 7.5 ver covers it on pages 316,7. Its trivial.

Jim

Mark_Solutions
Level 6
Partner Accredited Certified

itcsge
Level 3

Jim & Mark - brilliant, many thanks!

Mark_Solutions
Level 6
Partner Accredited Certified

Don't forget once you have the answer you need to close the thread off using the Mark as solutions or Request split solution option against the reply(ies) that helped you