01-06-2012 03:23 AM
Environment
Veritas Netbackup Server = 7.1
OS of Veritas Netbackup Server = win2008
SIngle Netbackup Master/Media Server
Problem
I checked the Encryption box in the Netbackup Policy but the backup is getting failed with error 9. See the below Activity Monitor details.
Activity Monitor
1/6/2012 3:54:50 PM - Info nbjm(pid=3276) starting backup job (jobid=132127) for client ABC-SERVER, policy ABC_Full_Manual, schedule Manual
1/6/2012 3:54:50 PM - Info nbjm(pid=3276) requesting MEDIA_SERVER_WITH_ATTRIBUTES resources from RB for backup job (jobid=132127, request id:{0B5A8596-0180-4C10-A450-C18CC6E4FE91})
1/6/2012 3:54:50 PM - requesting resource NBU-Server-hcart-robot-tld-0
1/6/2012 3:54:50 PM - requesting resource NBU-Server.NBU_CLIENT.MAXJOBS.ABC-SERVER
1/6/2012 3:54:50 PM - requesting resource NBU-Server.NBU_POLICY.MAXJOBS.ABC_Full_Manual
1/6/2012 3:54:50 PM - granted resource NBU-Server.NBU_CLIENT.MAXJOBS.ABC-SERVER
1/6/2012 3:54:50 PM - granted resource NBU-Server.NBU_POLICY.MAXJOBS.ABC_Full_Manual
1/6/2012 3:54:50 PM - granted resource NBU-Server-hcart-robot-tld-0
1/6/2012 3:54:51 PM - estimated 0 Kbytes needed
1/6/2012 3:54:51 PM - Info nbjm(pid=3276) started backup job for client ABC-SERVER, policy ABC_Full_Manual, schedule Manual on storage unit NBU-Server-hcart-robot-tld-0
1/6/2012 3:54:51 PM - started process bpbrm (6876)
1/6/2012 3:54:52 PM - Info bpbrm(pid=6876) ABC-SERVER is the host to backup data from
1/6/2012 3:54:54 PM - Error bpbrm(pid=6876) Client ABC-SERVER not configured for encryption.
1/6/2012 3:54:56 PM - end writing
1/6/2012 3:55:01 PM - Info bpbkar32(pid=0) done. status: 9: a necessary extension package is not installed or not configured properly
a necessary extension package is not installed or not configured properly(9)
Encryption Setting on Netbackup Server
I also see the client encryption settings from the NetBackup server
1 Open the NetBackup Administration Console on the server.
2 Expand the Host Properties node and select Clients.
3 In the Clients list, double click the name of the client you want to change. The Client Properties dialog displays.
4 In the Properties pane, click Encryption to display the encryption settings for that client. Here the ALLOWED is selected
What I feel that I need a seperate license for the Encryption
01-06-2012 03:58 AM
No separate license required (as from 6.5).
There is a bit more to encryption than just a 'tick' in the policy.
Have you run 'bpinst' from master yet?
Extract from NBU Security and Encryption Guide http://www.symantec.com/docs/DOC3655
A key file must exist as specified with the CRYPT_KEYFILE configuration
option. You create the key file when you specify a NetBackup pass phrase with
the server bpinst command or the client bpkeyfile command.
Also check that BMR and Encryption are not both selected in the same policy.
01-06-2012 03:59 AM
01-06-2012 04:02 AM
Have you actually set the encryption up apart from ticking the boxes?
It needs your passphrase etc. and the keyfiles creating.
Check through the guide to see what else you need to do:
http://www.symantec.com/docs/DOC3655
#edit# looks like Marianne pipped me to the post!
01-06-2012 04:15 AM
01-06-2012 05:01 AM
I am using Enterprise Edition. Second see the below Extract from the Netbackup 7.1 Admin Guide, Page # 108:
The separately-priced NetBackup Encryption option must be installed on the
client for these settings (other than Allowed) to take effect.
The above Extract means that a separate price addon/option required.
01-06-2012 05:15 AM
I do not believe that is the case any longer - client side encryption is free
You do however need a valid client license registered on your system (sure you have already done that) and you do need to actually configure the encryption key files etc. for it to work
01-06-2012 05:27 AM
Emmmm is that possible that mention the straight forward points to configure encryption please ?
I did only saw that the ALLOWED is selected in the host properties as I mentioned in earlier post. Any other configuration/Parameters which I have to do on Client/NBU Server please ?
01-06-2012 05:41 AM
You need to work through the guide in the link i sent earlier
Start at page 264 to get an idea of client side encryption
01-06-2012 06:36 AM
Found a good article.
http://www.symantec.com/business/support/index?page=content&id=TECH72130
=======================================
Question # 1
As the above TN:
Caution: It is important that you remember the pass phrases, including the old pass phrases. If a client's key file is damaged or lost, you need all of the previous pass phrases in order to recreate the key file. Without the key file, you will be unable to restore files that were encrypted with the pass phrases.
Why do I need old pass phrases. Does not only last Pass Phrases enough ?
What I understand is that if I used a Pass Phrase for a backup then that pass phrase is required to restore that specific backup and after some time if I changed the pass phrase and took another backup then I need that specific pass phrase required for that backup to be restore ? am I right ?
=======================================================
Question # 2
Second thing I have the below settings on which I am using encryption: comments please that the setting are correct ?
01-06-2012 06:40 AM
The backups using previous passphrases will need those passphrases to unencryt the backups
Bear in mind that when using client side encryption you will loose all compression when writing to tape
As a result all tapes will run at native speed and native capacity.
If you want full performance you need to use Key Management Encryption that interfaces directly with the firmware of your tape drive (for LTO4 / LTO5)
Glad you are getting there with this
01-06-2012 06:53 AM
Thanks for your kind words. and what comments about Question # 2 ?
01-06-2012 07:08 AM
As with all things in NetBackup - it has lots of options.
The choice is yours but as shown on the screen your selections are "Reccomended" so it is just for you to decide on the cyper strength - all will work fine - just a matter of preference or, if it applies, any SLAs you may have in relation to its strength.
Hope this helps
01-06-2012 10:14 AM