cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Media Server Encryption Option in 6.5

marekkedzierski
Level 6
Partner

‎01-09-2008 11:20 AM

    Hi.. Did you try to configure Media Server Encyption Option in NB 6.5 ? Encryption is now for free but I can't find any information about server side encryption.. Is it for free ?
I've found administrators guide for MSEO but where are install CDs ? :)

marekk
0 Kudos
16 REPLIES 16

Chuck_Stevens
Level 6

‎01-09-2008 02:52 PM

Client-based encryption is now "free" (i.e., it comes with the Standard or Advanced Client).  The Media Server Encryption Option is NOT free (rather expensive, actually).  You buy a pair of MSEO licenses (one for encryption, and one for key management), then when registered you get a download link for the software.
 
I recently implemented the MSEO 6.0 for our NetBackup 6.5 environment, and it was a breeze.  Very nice product (albeit expensive).
0 Kudos

Daniel_Hoffer
Not applicable

‎01-09-2008 11:10 PM

Hi Chuck, I work in Product Management on MSEO. I'd love to talk with you about your experience with the product.












[edit: removed personal information]


Message Edited by LakeRat on 01-10-2008 09:46 AM
0 Kudos

marekkedzierski
Level 6
Partner

‎01-10-2008 01:43 AM

Chuck.. could you tell me more about configuration of MSEO ? Is it difficult ? Did you have any problems during installation and configuration ? What's with speed of backups ?
thx for any info

marekk
0 Kudos

Chuck_Stevens
Level 6

‎01-10-2008 12:39 PM

In a nutshell: There are two components to MSEO - the Policy Enforcement Manager (PEM) and Security Server.  These can be on the same box, or on different boxes.  The PEM intercepts calls to the tape drives, and sends a request to the Security Server; if the encryption policy will allow the read or write, then PEM allows the action; otherwise it is denied (and you get a read or write failure).  The encryption policy (defined on the Security Server) is a list of rules for determining whether or not a particular NetBackup job will be encrypted or not, and what type of encryption and compression is used.
 
Communication between PEM and Security Server is done via dedicated port, and can be configured to use SSL if you wish.
 
It's a bit more complex than that under the hood, but that's the gist of it.
 
We have a distributed Netbackup infrastructure, with one Master server and several Media servers (in different domains).  Only two of the Media servers are writing encrypted backups with MSEO.  These media servers have the PEM software; the Master server has the Security Server software installed.  All the encryption keys and policies are stored on the Security Server.
 
Backup speed is pretty good; there's probably a small hit, but I haven't noticed it.  Tape consumption went up a bit, but that was to be expected.
 
Installation was much easier than I thought it'd be.  The only problems I had were:
 
1. When encryption is turned on, it appears that hardware-level compression at the tape drive is turned off (my LTO3 tapes were getting full at just under 400GB).  To correct this, turn on compression in MSEO.
2. I was unable to get SSL to work between all three servers described above, as well as a secondary, fail-over Security Server.  I gave up, as it was an optional requirement for us.  (I couldn't sort out how to use one set of certificates for all four servers.)
 


Message Edited by Chuck Stevens #2 on 01-10-2008 12:46 PM
0 Kudos

marekkedzierski
Level 6
Partner

‎01-10-2008 12:49 PM

Thanks for help :)
I've got another question.. Is there a possibility to create MSEO backup job with Inline Copy .. ? first copy will be encrypted for offsite and second will be not encrypted ?

marekk
0 Kudos

Chuck_Stevens
Level 6

‎01-10-2008 12:53 PM

Sure.  I do this with disk staging.  You can do an encryption policy that checks the Copy number of the backup; if it's copy 1 (kept on-site), then do not encrypt.  If it's copy 2 (sent off-site), then encrypt.  This works with vault duplication, too.
0 Kudos

HockeyMom
Level 2

‎01-10-2008 02:51 PM

To Marek,
I know this is off-topic but our last name is also Kedzierski.  Beside our immediate family, the only relative's we aware of are in Canada or New York.  We live in Michigan.  The name caught my eye. 
L. Kedzierski
0 Kudos

Stumpr2
Level 6

‎01-10-2008 02:57 PM


HockeyMom wrote:
  We live in Michigan. 

Hockeytown?
 
 
0 Kudos

HockeyMom
Level 2

‎01-10-2008 03:01 PM

LOL Major Red Wing's fan, did my name give it away?!?   Smiley Wink
0 Kudos

Stumpr2
Level 6

‎01-10-2008 03:06 PM

I used to go to K-Wings game when I lived in Kazoo.
 
now for the obligatory on topic discussion:
We use IBM drives that have encryption.
0 Kudos

marekkedzierski
Level 6
Partner

‎01-11-2008 01:42 AM

HockeyMom. I'm from Poland and I don't know about my family in US or in Canada :) We have family in Sweden.

marekk
0 Kudos

HockeyMom
Level 2

‎01-11-2008 03:35 AM

Marek,
My father-in-law immigrated from Poland in the 1940's.  He had only one brother and were potato farmers.  Their parents were Zajonz and Wojtek.  If you have any suggestions on how I could research this, please contact me at BKWingNut@aol.com.   I'll let you get back to the original thread.
Thank you!
0 Kudos

marekkedzierski
Level 6
Partner

‎01-23-2008 01:19 PM

Hi.. Is there a possibility go get trial of MSEO ? I can't find any information one the support site or partnernet..

marekk
0 Kudos

marekkedzierski
Level 6
Partner

‎02-01-2008 04:55 AM

After some test I can say that MSEO doesn't work properly with Inline Copy.. I would like to create two copies at the same time, to two different pools and specify backup encryption for pool number  1 and backup without encryption for pool number 2.  MSEO can't properly recognize pool and copy number when policy is initiated with inline copy and creates all copies with encyption or backup without encryption ..
0 Kudos

ahlip
Level 5

‎02-02-2008 07:17 PM

If I don't recall wrongly, there are explicit steps to configure inline tape copy with MSEO such that only certain defined copies are encrypted. It needs to be done within the xml encryption profiles. That part is not so straight-forward so you may need some work/tweaking to get it done.

Do contact Tech Support for assistance if you really cannot get it done.
0 Kudos

jojo
Not applicable

‎03-11-2008 09:59 PM

Hi,

Someone please help me,

I need some clariffication on the licensing of the Media Server encryption option for the Netbackup 6.0.

Our setup is:
we have 2 units NAS (IBM Nseries)  with the Tape libary directly attached to one of the Filer and our Netbackup Master server is connected via LAN.

We are backing up the Filers using NDMP, and we want to implement encryption for added security.


How many Media Server Encryption license do we need?
How many Media Server encryption license key mgmt server do we need?

Do we need also to purchase the Vault Option Base for netbackup to implement the MSEO option?
Is the Vault option base a prerequsite fro the MSEO?

Does the compression on the NDMP policy will be enbaled once we have the MSEO?


Thank you very much for your help.



Regards,













0 Kudos