cancel
Showing results for 
Search instead for 
Did you mean: 

MSEO bit encryption size change

evargas
Level 4
Certified

Hi all,

We have a Netbackup 7.5.0.3 system running on Solaris 10 with MSEO

Version 6.1.3.140

RSA
1024 bit
ENCRYPTED

We want to change the ecryption bit size to 2048.

How will this affect the backup images written with the 1024 bit?

What is the process to get this acomplished without compromising the backup images already written with the previous key?

is this even possible? or supported?

 

any information will be appreciated.

 

Thanks

 

Efrain Vargas
1 ACCEPTED SOLUTION

Accepted Solutions

mph999
Level 6
Employee Accredited

From memory it is fine, you just create the new key group and configure MSEO polices to use it.

I can't think of a reason it would be an issue, but to be 100% sure I would do this:

Create a new mseo policy called test - use the exsisting key group.

Test backup/ restore using a test NBU policy

Change MSEO policy to use new keygroup, test old backup still restores.

If so, all good ...

Do NOT delete the old keys, you kinda need those to restore the old backups.  Remember to export and backup the new keys (and old if you haven't done so). 

As per the MSEO guide * you're meant to decrese the block size a bit to allow for the MSEO keys  - I guess 2048 bit might use a bit more space so I would decrease the block size by say 12k so ...

Value in SIZE_DATA_BUFFERS = 

<block size> - (12 x 1024)

Where blocksize = 262144 (256k) or whatever.

Also make sure you have the touchfile

/usr/openv/netbackup/db/config/DISABLE_IMMEDIATE_WEOF

MSEO does not support async EOF markers.

Make sure you test backups and restores.

Martin

* In reality as long as your nowhere near the max block size the drive or HBA can handle (unlikely) you're probably ok but I thought I'd better mention it.

 

 

View solution in original post

3 REPLIES 3

mph999
Level 6
Employee Accredited

From memory it is fine, you just create the new key group and configure MSEO polices to use it.

I can't think of a reason it would be an issue, but to be 100% sure I would do this:

Create a new mseo policy called test - use the exsisting key group.

Test backup/ restore using a test NBU policy

Change MSEO policy to use new keygroup, test old backup still restores.

If so, all good ...

Do NOT delete the old keys, you kinda need those to restore the old backups.  Remember to export and backup the new keys (and old if you haven't done so). 

As per the MSEO guide * you're meant to decrese the block size a bit to allow for the MSEO keys  - I guess 2048 bit might use a bit more space so I would decrease the block size by say 12k so ...

Value in SIZE_DATA_BUFFERS = 

<block size> - (12 x 1024)

Where blocksize = 262144 (256k) or whatever.

Also make sure you have the touchfile

/usr/openv/netbackup/db/config/DISABLE_IMMEDIATE_WEOF

MSEO does not support async EOF markers.

Make sure you test backups and restores.

Martin

* In reality as long as your nowhere near the max block size the drive or HBA can handle (unlikely) you're probably ok but I thought I'd better mention it.

 

 

evargas
Level 4
Certified

Thanks mph999

I will test this in our lab and see if it works.

 

 

Efrain Vargas

mph999
Level 6
Employee Accredited

You are most welcome.

I'm working tomorrow, if I have time I'll test this myself as I'm interested  - I'm 99% sure it will be fine to just change the exsisting MSEO policy but I want to be very sure the old backups still recover.

M