In a nutshell: There are two components to MSEO - the Policy Enforcement Manager (PEM) and the Security Server. These can be on the same box, or on different boxes. The PEM intercepts calls to the tape drives and sends a request to the Security Server; if the encryption policy allows the read or write, then PEM allows the action; otherwise it is denied (and you get a read or write failure). The encryption policy (defined on the Security Server) is a list of rules for determining whether or not a particular NetBackup job will be encrypted, and what type of encryption and compression is used.
Communication between PEM and the Security Server is done via a dedicated port, and can be configured to use SSL if you wish.
It's a bit more complex than that under the hood, but that's the gist of it.
We have a distributed NetBackup infrastructure, with one Master server and several Media servers (in different domains). Only two of the Media servers are writing encrypted backups with MSEO. These Media servers have the PEM software; the Master server has the Security Server software installed. All the encryption keys and policies are stored on the Security Server.
Backup speed is pretty good; there's probably a small hit, but I haven't noticed it. Tape consumption went up a bit, but that was to be expected.
Installation was much easier than I thought it'd be. The only problems I had were:
1. When encryption is turned on, it appears that hardware-level compression at the tape drive is turned off (my LTO3 tapes were getting full at just under 400GB). To correct this, turn on compression in MSEO.
2. I was unable to get SSL to work between all three servers described above, as well as a secondary, fail-over Security Server. I gave up, as it was an optional requirement for us. (I couldn't sort out how to use one set of certificates for all four servers.)
Message edited by Chuck Stevens #2 on 01-10-2008 12:46 PM