05-29-2014 09:48 AM
Hi all,
We have a Netbackup 7.5.0.3 system running on Solaris 10 with MSEO
Version 6.1.3.140
RSA
1024 bit
ENCRYPTED
We want to change the encryption bit size to 2048.
How will this affect the backup images written with the 1024 bit?
What is the process to get this accomplished without compromising the backup images already written with the previous key?
Is this even possible? Or supported?
Any information will be appreciated.
Thanks
05-29-2014 01:32 PM
From memory it is fine, you just create the new key group and configure MSEO policies to use it.
I can't think of a reason it would be an issue, but to be 100% sure I would do this:
Create a new MSEO policy called test - use the existing key group.
Test backup/restore using a test NBU policy
Change MSEO policy to use new keygroup, test old backup still restores.
If so, all good ...
Do NOT delete the old keys, you kinda need those to restore the old backups. Remember to export and back up the new keys (and old if you haven't done so).
As per the MSEO guide * you're meant to decrease the block size a bit to allow for the MSEO keys - I guess 2048 bit might use a bit more space so I would decrease the block size by say 12k so ...
Value in SIZE_DATA_BUFFERS = <block size> - (12 x 1024)
Where blocksize = 262144 (256k) or whatever.
Also make sure you have the touchfile
/usr/openv/netbackup/db/config/DISABLE_IMMEDIATE_WEOF
MSEO does not support async EOF markers.
Make sure you test backups and restores.
Martin
* In reality as long as you're nowhere near the max block size the drive or HBA can handle (unlikely) you're probably ok but I thought I'd better mention it.
05-30-2014 07:12 AM
Thanks mph999
I will test this in our lab and see if it works.
05-30-2014 02:09 PM
You are most welcome.
I'm working tomorrow, if I have time I'll test this myself as I'm interested - I'm 99% sure it will be fine to just change the existing MSEO policy but I want to be very sure the old backups still recover.
M