Veritas NetBackup™ Cloud

Administrator's Guide

UNIX, Windows, Linux

Release 8.3
Veritas NetBackup™ Cloud Administrator's Guide
Last updated: 2020-07-29

Legal Notice
Copyright © 2020 Veritas Technologies LLC. All rights reserved.

Veritas, the Veritas Logo, and NetBackup are trademarks or registered trademarks of Veritas
Technologies LLC or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.

This product may contain third-party software for which Veritas is required to provide attribution
to the third party (“Third-party Programs”). Some of the Third-party Programs are available
under open source or free software licenses. The License Agreement accompanying the
Software does not alter any rights or obligations you may have under those open source or
free software licenses. Refer to the Third-party Legal Notices document accompanying this
Veritas product or available at:

[Link]

The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Veritas Technologies
LLC and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Veritas Technologies LLC SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq.
"Commercial Computer Software and Commercial Computer Software Documentation," as
applicable, and any successor regulations, whether delivered by Veritas as on premises or
hosted services. Any use, modification, reproduction release, performance, display or disclosure
of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.

Veritas Technologies LLC
2625 Augustine Drive
Santa Clara, CA 95054

[Link]
Technical Support
Technical Support maintains support centers globally. All support services will be delivered
in accordance with your support agreement and the then-current enterprise technical support
policies. For information about our support offerings and how to contact Technical Support,
visit our website:

[Link]

You can manage your Veritas account information at the following URL:

[Link]

If you have questions regarding an existing support agreement, please email the support
agreement administration team for your region as follows:

Worldwide (except Japan) CustomerCare@[Link]

Japan CustomerCare_Japan@[Link]

Documentation
Make sure that you have the current version of the documentation. Each document displays
the date of the last update on page 2. The latest documentation is available on the Veritas
website:

[Link]

Documentation feedback
Your feedback is important to us. Suggest improvements or report errors or omissions to the
documentation. Include the document title, document version, chapter title, and section title
of the text on which you are reporting. Send feedback to:
[Link]@[Link]

You can also see documentation information or ask a question on the Veritas community site:

[Link]

Veritas Services and Operations Readiness Tools (SORT)


Veritas Services and Operations Readiness Tools (SORT) is a website that provides information
and tools to automate and simplify certain time-consuming administrative tasks. Depending
on the product, SORT helps you prepare for installations and upgrades, identify risks in your
datacenters, and improve operational efficiency. To see what services and tools SORT provides
for your product, see the data sheet:

[Link]
Contents

Chapter 1 About NetBackup cloud storage

About cloud storage features and functionality
About the catalog backup of cloud configuration files
About support limitations for NetBackup cloud storage

Chapter 2 About the cloud storage

About the cloud storage vendors for NetBackup
About the Amazon S3 cloud storage API type
Amazon S3 cloud storage vendors certified for NetBackup
Amazon S3 storage type requirements
Permissions required for Amazon S3 cloud provider user
Amazon S3 cloud storage provider options
Amazon S3 cloud storage options
Amazon S3 advanced server configuration options
Amazon S3 credentials broker details
About private clouds from Amazon S3-compatible cloud providers
About Amazon S3 storage classes
Amazon virtual private cloud support with NetBackup
About protecting data in Amazon for long-term retention
Protecting data using Amazon's cloud tiering
About using Amazon IAM roles with NetBackup
About NetBackup character restrictions for Amazon S3 cloud connector
Protecting data with Amazon Snowball and Amazon Snowball Edge
About Microsoft Azure cloud storage API type
Microsoft Azure cloud storage vendors certified for NetBackup
Microsoft Azure storage type requirements
Microsoft Azure cloud storage provider options
Microsoft Azure advanced server configuration options
Protecting data in Microsoft Azure Archive for long-term retention
About OpenStack Swift cloud storage API type
OpenStack Swift cloud storage vendors certified for NetBackup
OpenStack Swift storage type requirements
OpenStack Swift cloud storage provider options
OpenStack Swift storage region options
OpenStack Swift add cloud storage configuration options
OpenStack Swift proxy settings

Chapter 3 Configuring cloud storage in NetBackup

Before you begin to configure cloud storage in NetBackup
Configuring cloud storage in NetBackup
Cloud installation requirements
Scalable Storage properties
Configuring advanced bandwidth throttling settings
Advanced bandwidth throttling settings
Cloud Storage properties
Adding a cloud storage instance
Changing cloud storage host properties
Deleting a cloud storage host instance
About the NetBackup CloudStore Service Container
NetBackup CloudStore Service Container security certificates
NetBackup CloudStore Service Container security modes
NetBackup [Link] configuration file
Deploying host name-based certificates
Deploying host ID-based certificates
About data compression for cloud backups
About data encryption for cloud storage
About NetBackup KMS for encryption of NetBackup cloud storage
About external KMS for encryption of NetBackup cloud storage
About cloud storage servers
About object size for cloud storage
About the NetBackup media servers for cloud storage
Using media server as NetBackup Cloud master host
Configuring a storage server for cloud storage
KMS database encryption settings
Assigning a storage class to Amazon cloud storage
Changing cloud storage server properties
NetBackup cloud storage server properties
NetBackup cloud storage server bandwidth throttling properties
NetBackup cloud storage server connection properties
NetBackup CloudCatalyst storage server properties
NetBackup cloud storage server encryption properties
About cloud storage disk pools
Configuring a disk pool for cloud storage
Saving a record of the KMS key names for NetBackup cloud storage encryption
Adding backup media servers to your cloud environment
Configuring a storage unit for cloud storage
Cloud storage unit properties
Configure a favorable client-to-server ratio
Control backup traffic to the media servers
About NetBackup Accelerator and NetBackup Optimized Synthetic backups
Enabling NetBackup Accelerator with cloud storage
Enabling optimized synthetic backups with cloud storage
Creating a backup policy
Changing cloud storage disk pool properties
Cloud storage disk pool properties
Certificate validation against Certificate Revocation List (CRL)
Managing Certification Authorities (CA) for NetBackup Cloud

Chapter 4 Monitoring and Reporting

About monitoring and reporting for cloud backups
Viewing cloud storage job details
Viewing the compression ratio
Viewing NetBackup cloud storage disk reports
Displaying KMS key information for cloud storage encryption

Chapter 5 Operational notes

NetBackup bpstsinfo command operational notes
Unable to configure additional media servers
Cloud configuration may fail if NetBackup Access Control is enabled
Deleting cloud storage server artifacts
Using csconfig reinitialize to load updated cloud configuration settings
Enabling or disabling communication between master server and legacy cloud storage media servers

Chapter 6 Troubleshooting

About unified logging
About using the vxlogview command to view unified logs
Examples of using vxlogview to view unified logs
About legacy logging
Creating NetBackup log file directories for cloud storage
NetBackup cloud storage log files
Enable libcurl logging
NetBackup Administration Console fails to open
Troubleshooting cloud storage configuration issues
NetBackup Scalable Storage host properties unavailable
Connection to the NetBackup CloudStore Service Container fails
Cannot create a cloud storage disk pool
Cannot create a cloud storage
Data transfer to cloud storage server fails in the SSL mode
Amazon GovCloud cloud storage configuration fails in non-SSL mode
Data restore from the Google Nearline storage class may fail
Backups may fail for cloud storage configurations with Frankfurt region
Backups may fail for cloud storage configurations with the cloud compression option
Fetching storage regions fails with authentication version V2
Troubleshooting cloud storage operational issues
Cloud storage backups fail
Stopping and starting the NetBackup CloudStore Service Container
A restart of the nbcssc (on legacy media servers), nbwmc, and nbsl processes reverts all [Link] settings
NetBackup CloudStore Service Container startup and shutdown troubleshooting
bptm process takes time to terminate after cancelling GLACIER restore job
Handling image cleanup failures for Amazon Glacier vault
Cleaning up orphaned archives manually
Restoring from Amazon Glacier vault spans more than 24 hours for single fragment
Restoring from GLACIER_VAULT takes more than 24 hours for Oracle databases
Troubleshooting failures due to missing Amazon IAM permissions
Restore job fails if the restore job start time overlaps with the backup job end time
Post processing fails for restore from Azure archive
Troubleshooting Amazon Snowball and Amazon Snowball Edge issues

Index

Chapter 1
About NetBackup cloud storage
This chapter includes the following topics:

■ About cloud storage features and functionality

■ About the catalog backup of cloud configuration files

■ About support limitations for NetBackup cloud storage

About cloud storage features and functionality


NetBackup Cloud Storage enables you to back up and restore data from cloud
Storage as a Service (STaaS) vendors. NetBackup Cloud Storage is integrated
with NetBackup OpenStorage.
Table 1-1 outlines the features and functionality NetBackup Cloud Storage delivers.

Table 1-1 Features and functionality

Feature: Configuration Wizard
Details: A Cloud Storage Server Configuration wizard is incorporated to
facilitate the cloud storage setup and storage provisioning. Cloud
storage provisioning now happens entirely through the NetBackup
interface.

Feature: Compression
Details: NetBackup Cloud Storage Compression compresses the data inline
before it is sent to the cloud. The compression feature uses a
third-party library called LZO Pro (with compression level 3).

Feature: Encryption
Details: NetBackup Cloud Storage Encryption encrypts the data inline before
it is sent to the cloud. Encryption interfaces with the NetBackup
Key Management Service (KMS) to leverage its ability to manage
encryption keys.

The encryption feature uses AES 256 encryption in cipher feedback (CFB) mode.

Feature: Throttling
Details: NetBackup Cloud Storage throttling controls the data transfer rates
between your network and the cloud. The throttling values are set
on a per NetBackup media server basis.

In certain implementations, you want to limit WAN usage for
backups and restores to the cloud so that they do not constrain
other network activity. Throttling gives NetBackup administrators
a mechanism to limit NetBackup Cloud Storage traffic. With a limit
in place, cloud WAN traffic cannot consume more than the allocated
bandwidth.

NetBackup Cloud Storage Throttling lets you configure and control
the following:

■ Different bandwidth values for read and write operations.
■ The maximum number of connections that are supported for
each cloud provider at any given time.
■ Network bandwidth as a percent of total bandwidth.
■ Network bandwidth per block of time.

Feature: Metering
Details: The NetBackup Cloud Storage metering reports enable you to
monitor data transfers within NetBackup Cloud Storage.

Cloud-based storage is unlike traditional tape or disk media, which
use persistent backup images. Your cloud storage vendor calculates
cloud-based storage costs per byte stored and per byte transferred.

The NetBackup Cloud Storage software uses several techniques
to minimize stored and transferred data. With these techniques,
traditional catalog-based information about the amount of protected
data no longer equates to the amount of data that is stored or
transferred. Metering allows installations to monitor the amount of
data that is transferred on a per media server basis across one or
more cloud-based storage providers.

Metering reports are generated through NetBackup OpsCenter.


Feature: Cloud Storage service
Details: This is applicable to media server versions 7.7.x to 8.1.2 only.

The NetBackup CloudStore Service Container (nbcssc) process
performs the following functions:

■ Generates the metering information for the metering plug-in
■ Controls the network bandwidth usage with the help of the
throttling plug-in

Note: For NetBackup media server versions beyond 8.1.2, these
Cloud Storage functions are performed by the NetBackup Service
Layer (nbsl) service.

On Windows, it is a standard service installed by NetBackup. On
UNIX, it runs as a standard daemon.

The NetBackup CloudStore Service Container (nbcssc) uses
certificate-based authentication. The authentication method used
in previous releases (legacy authentication) is disabled by default.
It is recommended that you upgrade media servers configured as
a cloud storage server to NetBackup 8.1 or later.

If you cannot upgrade these servers, use the Enable insecure
communication with 8.0 and earlier hosts option on the
NetBackup master server. The option is available in the NetBackup
Administration Console on the Security Management > Global
Security Settings > Secure Communication tab.

Feature: NetBackup Web Management Console
Details: The NetBackup Web Management Console (nbwmc) process
manages requests for certificate and host management.

This process now also controls the configuration parameters that
are related to NetBackup Cloud Storage.

The process is installed as a NetBackup service on Windows and
runs as a standard daemon on UNIX.

Feature: NetBackup Service Layer
Details: The NetBackup Service Layer (nbsl) service facilitates the
communication between the NetBackup graphical user interface (UI)
and the NetBackup logic. This service is required to run NetBackup
OpsCenter, which manages and monitors multiple NetBackup
environments.

This service is also required for Cloud Storage and now performs
the following functions:

■ Generates the metering information for the metering plug-in
■ Controls the network bandwidth usage with the help of the
throttling plug-in

Note: For media server versions 7.7.x to 8.1.2, these Cloud
Storage functions are performed by the NetBackup Cloud Storage
Service Container (nbcssc).

Feature: Storage providers
Details: Veritas currently supports several cloud storage providers. More
information is available about each of these vendors.

See “About the cloud storage vendors for NetBackup” on page 17.

Feature: OpsCenter Reporting
Details: Monitoring and reporting of the data that is sent to cloud storage
is available through new cloud reports in OpsCenter. The cloud
reports include:

■ Job Success Rate: Success rate by backup job level across
domains, clients, policies, and business level views filtered on
cloud-based storage.
■ Data Expiring In Future: Data that expires each day for the
next 7 days filtered on cloud-based storage.
■ Cloud Metering: Historical view of the data that is written to
cloud per cloud provider.
■ Average Data Transfer Rate: Historical view of average data
transfer rate to cloud per cloud provider.
■ Cloud Metering Chargeback: Ranking, forecast, and
distribution view of the cost that is incurred on cloud-based
storage per cloud provider.

Note: Among all Amazon S3-compatible cloud providers that
NetBackup supports, OpsCenter supports monitoring and reporting
of Amazon S3 and Amazon GovCloud (S3) only.

Note: Where Amazon is the cloud service provider, OpsCenter
cannot report on the data that MSDP cloud storage servers upload
to the cloud.

About the catalog backup of cloud configuration files

The following cloud configuration files are backed up during the NetBackup catalog
backup process:
■ All .txt files in the meter directory, which contain intermediate metering data
■ [Link]

■ [Link]

■ [Link]

■ [Link]

■ [Link]

■ [Link]

■ libstspicloud_provider_name.conf (all .conf files that are specific to the
cloud providers that NetBackup supports)

The cloud configuration files that are backed up during the catalog backup process
reside at the following location:

Windows install_path\Veritas\NetBackup\var\global\wmc\cloud

UNIX /usr/openv/var/global/wmc/cloud

Note: The [Link] file is not backed up during the NetBackup catalog backup
process.
This [Link] file is a cloud provider-specific file. This file is installed as part of
the NetBackup installation. This file includes the certificates of NetBackup supported
Certificate Authorities (CA).

About support limitations for NetBackup cloud storage

The following items are some of the limitations of NetBackup cloud storage:
■ The cloud vendors do not support optimized duplication.
■ The cloud vendors do not support direct to tape (by NDMP).
■ The cloud vendors do not support disk volume spanning of backup images.
■ If the NetBackup master server is installed on a platform that NetBackup cloud
does not support, you may observe issues in cloud storage server configuration.
For the operating systems that NetBackup supports for cloud storage, see the
NetBackup operating system compatibility list available through the following
URL:
[Link]
■ For Hitachi cloud storage, synthetic backups are not successful if you enabled
the encryption option. To run the synthetic backups successfully, you need to
enable the versioning option for buckets (or namespaces) through the Hitachi
cloud portal. For more details on how to enable the versioning option, contact
your Hitachi cloud provider.
■ Cloud storage servers cannot use the same volume (bucket or container) to
store data. You should create a separate volume (bucket or container) for each
cloud storage server.
■ NetBackup 7.7.1 and later versions support configuring cloud storage using the
Frankfurt region.
■ In the NetBackup Cloud Storage Configuration wizard, the following items are
displayed only in the English language:
    ■ All the cloud provider names.
    ■ Description of the cloud providers.
    ■ In the case of AmazonGov, the following fields: Certificate File Name, Private
    Key File Name, Private Key Passphrase, Agency, Mission Name, and
    Role.
    ■ In the case of OpenStack Swift, the following fields: Tenant Type, Tenant Value,
    User Type, User Domain Type, User Domain Value, Project Domain
    Type, and Project Domain Value.

■ NetBackup now supports IPv6. The support is available only with the cloud
vendors and proxy server types that support IPv6.
Chapter 2
About the cloud storage
This chapter includes the following topics:

■ About the cloud storage vendors for NetBackup

■ About the Amazon S3 cloud storage API type

■ About Microsoft Azure cloud storage API type

■ About OpenStack Swift cloud storage API type

About the cloud storage vendors for NetBackup


NetBackup supports cloud storage based on the storage API type. All of the cloud
vendors that NetBackup supports for cloud storage use one of the supported types.
For more information about the storage API types and cloud vendors, see the
following:

Cloud storage API types: See Table 2-1 on page 18.
The table provides links to the topics that describe the requirements for each
storage API type and for the cloud providers who use that storage API type.

Supported cloud vendors: Click the following link to identify the list of cloud
vendors certified for NetBackup cloud storage and their storage API type:
NetBackup™ Enterprise Server and Server 8.0 - 8.x.x OS Software Compatibility List
For configuration help, see the information about their storage API type.

Vendors achieve certification by participating in the Veritas technology partners
program. NetBackup can send backups to the storage that these vendors provide.
Veritas may certify vendors between NetBackup releases. For the vendors that are
certified between releases, you must download and install the following configuration
and mappings packages:

You can find links to the packages for your release on the NetBackup master
compatibility list landing page:
[Link]
Table 2-1 identifies the cloud storage APIs that are certified for
NetBackup cloud storage.

Table 2-1 Supported cloud storage API types for NetBackup

API type: Amazon S3
More information: See “About the Amazon S3 cloud storage API type” on page 18.

API type: Microsoft Azure
More information: See “About Microsoft Azure cloud storage API type” on page 70.

API type: OpenStack Swift
More information: See “About OpenStack Swift cloud storage API type” on page 80.

About the Amazon S3 cloud storage API type


NetBackup supports cloud storage from the vendors that use the Amazon S3 storage
API for their storage. Information about the requirements and configuration options
for the Amazon S3 storage API vendors is provided as follows:

Table 2-2 Amazon S3 storage API type information and topics

Information: Certified vendors
Topic: See “Amazon S3 cloud storage vendors certified for NetBackup” on page 19.

Information: Requirements
Topic: See “Amazon S3 storage type requirements” on page 19.

Information: Storage server configuration options
Topic: See “Amazon S3 cloud storage provider options” on page 21.

Information: Service host and endpoint configuration options
Topic: See “Amazon S3 cloud storage options” on page 26.

Information: SSL, proxy, and HTTP header options
Topic: See “Amazon S3 advanced server configuration options” on page 28.

Information: Credential broker options
Topic: See “Amazon S3 credentials broker details” on page 31.

Information: Storage classes
Topic: See “About Amazon S3 storage classes” on page 34.

Some vendors may support private clouds that use the Amazon S3 storage type
API.
See “About private clouds from Amazon S3-compatible cloud providers” on page 33.

Amazon S3 cloud storage vendors certified for NetBackup


Click the following link to identify the vendors who are certified for NetBackup cloud
storage using the Amazon S3 storage API as of the NetBackup 8.3 release:
NetBackup 8.0 - 8.x.x Hardware and Cloud Storage Compatibility List.
Vendors achieve certification by participating in the Veritas Technology Partner
Program (VTPP).

Amazon S3 storage type requirements


The following table describes the details and requirements of Amazon S3 type
cloud storage in NetBackup:

Table 2-3 Amazon cloud storage requirements

Requirement: License requirement
Details: You must have a NetBackup license that allows for cloud storage.

Requirement: Vendor account requirements
Details: You must obtain an account that allows you to create, write to, and read
from the storage that your vendor provides.

Requirement: Buckets
Details: The following are the requirements for the Amazon storage buckets:

■ You can create a maximum of 100 buckets per Amazon account.
■ You can delete empty buckets using the Amazon AWS Management
Console. However, you may not be able to reuse the names of the
deleted buckets while creating buckets in NetBackup.
■ You can create buckets in any Amazon storage region that
NetBackup supports.
■ If the bucket is being used by another user, it is not displayed in the
list.

Bucket names It is recommended that you use NetBackup to create the buckets that
you use with NetBackup. The Amazon S3 interface may allow the
characters that NetBackup does not allow. Consequently, by using
NetBackup to create the buckets you can limit the potential problems.
The following are the NetBackup requirements for bucket names in the
US Standard region.

■ The bucket name must be between 3 and 255 characters.
■ Any of the 26 lowercase (small) letters of the International Standards
Organization (ISO) Latin-script alphabet. These are the same
lowercase (small) letters as the English alphabet.
■ Any integer from 0 to 9, inclusive.
■ The following characters (you cannot use these as the first character
in the bucket name):
Period (.), underscore (_), and dash (-).
Exception: You cannot use a period (.) if you use SSL for
communication. By default, NetBackup uses SSL for communication.
See “NetBackup cloud storage server connection properties”
on page 136.

The buckets are not available for use in NetBackup in the following
scenarios:

■ If you have created the buckets in a region that NetBackup does
not support.
■ The bucket name does not comply with the bucket naming
convention.
■ Given permissions are not sufficient for the bucket. See “Permissions
required for Amazon S3 cloud provider user” on page 20.

Number of disk pools You can create a maximum of 90 disk pools. Attempts to create more
than 90 disk pools generate a “failed to create disk volume, invalid
request” error message.

Note: You must have SSL enabled to communicate with Amazon AWS. The
NetBackup backup job fails with a status code of 87.
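
The bucket-name rules in Table 2-3 can be checked before a bucket that was created directly through the S3 interface is handed to NetBackup. The following is an added example, not code from Veritas or from this guide; the function names and the sample bucket names are constructed for illustration.

```python
import string

# Rules transcribed from the "Bucket names" row of Table 2-3.
MIN_LEN, MAX_LEN = 3, 255
ALLOWED = set(string.ascii_lowercase + string.digits + "._-")
NOT_FIRST = set("._-")          # allowed, but never as the first character


def check_bucket_name(name, use_ssl=True):
    """Return the list of rules that `name` breaks (empty list = acceptable).

    use_ssl defaults to True because the guide states that NetBackup uses
    SSL by default, and a period is not allowed in that case.
    """
    problems = []
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append(f"length {len(name)} is outside {MIN_LEN}-{MAX_LEN}")
    illegal = sorted(set(name) - ALLOWED)
    if illegal:
        problems.append("characters not allowed: " + " ".join(map(repr, illegal)))
    if name and name[0] in NOT_FIRST:
        problems.append(f"{name[0]!r} cannot be the first character")
    if use_ssl and "." in name:
        problems.append("period (.) cannot be used when SSL is enabled")
    return problems


def audit_bucket_names(names, use_ssl=True):
    """Map each non-compliant name to its problems; compliant names are omitted."""
    report = {}
    for name in names:
        problems = check_bucket_name(name, use_ssl)
        if problems:
            report[name] = problems
    return report


# Constructed sample: names as they might have been created directly through
# the S3 interface rather than through NetBackup.
SAMPLE_BUCKETS = [
    "nbu-backups-01",      # compliant
    "nbu.backups.eu",      # period: rejected while SSL is on
    "_staging",            # underscore as first character
    "NBU-Archive",         # uppercase letters
    "ab",                  # too short
]

if __name__ == "__main__":
    for bucket, problems in audit_bucket_names(SAMPLE_BUCKETS).items():
        print(f"{bucket}: " + "; ".join(problems))
```
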

Permissions required for Amazon S3 cloud provider user


With the Amazon (S3) cloud providers, the following permissions are required to
work with NetBackup:

■ s3:CreateBucket
■ s3:ListAllMyBuckets
■ s3:ListBucket
■ s3:GetBucketLocation
■ s3:GetObject
■ s3:PutObject
■ s3:DeleteObject
■ s3:RestoreObject
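
The permission list above maps directly onto a least-privilege IAM policy. The following is an added example, not code from Veritas or from this guide: it builds a policy document that grants only these eight actions on one bucket and reviews an existing policy for missing or excess actions. The grouping of actions by resource type, the statement IDs, and the sample policies are assumptions of the example; the guide lists only the action names.

```python
import fnmatch
import json

# The eight actions listed in the guide, grouped by the resource type each
# one acts on. The grouping is an assumption of this example (AWS's usual
# S3 resource scoping); the guide only lists the action names.
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets"]
BUCKET_ACTIONS = ["s3:CreateBucket", "s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:RestoreObject"]
REQUIRED = ACCOUNT_ACTIONS + BUCKET_ACTIONS + OBJECT_ACTIONS


def build_policy(bucket, partition="aws"):
    """Build an IAM policy document granting only the required actions.

    bucket may contain a wildcard (for example "nbu-*"); partition is "aws"
    or, for GovCloud, "aws-us-gov".
    """
    arn = f"arn:{partition}:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "NbuListBuckets", "Effect": "Allow",
             "Action": ACCOUNT_ACTIONS, "Resource": "*"},
            {"Sid": "NbuBucket", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": arn},
            {"Sid": "NbuObjects", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": arn + "/*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (missing, excess) for one policy document.

    missing: required actions that no Allow statement covers.
    excess:  granted action patterns that go beyond the required list.
    Only Allow/Action is inspected; Deny, NotAction, Resource and Condition
    are not evaluated, so this is a first-pass review aid, not a simulator.
    """
    granted = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            granted.extend(_as_list(stmt["Action"]))
    required_lower = [a.lower() for a in REQUIRED]
    missing = [a for a in REQUIRED
               if not any(fnmatch.fnmatchcase(a.lower(), g.lower()) for g in granted)]
    excess = sorted({g for g in granted if g.lower() not in required_lower})
    return missing, excess


# Constructed sample policies for the audit.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
PARTIAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]}]}

if __name__ == "__main__":
    print(json.dumps(build_policy("nbu-backups-01"), indent=2))
    for label, doc in (("broad", BROAD_POLICY), ("partial", PARTIAL_POLICY)):
        missing, excess = audit_policy(doc)
        print(f"{label}: missing={missing} excess={excess}")
```

A policy that reports missing actions leaves the bucket unusable in NetBackup, as noted in Table 2-3; one that reports excess actions grants the backup account more than the guide requires.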

Amazon S3 cloud storage provider options


Figure 2-1 shows the Cloud Storage Configuration Wizard panel for Amazon S3
cloud storage.

Figure 2-1 Cloud Storage Server Configuration Wizard panel for Amazon

Table 2-4 describes the storage server configuration options for Amazon S3.

Table 2-4 Amazon S3 cloud storage provider configuration options

Field name Required content

Service host Select the name of the cloud service end point for your vendor from the
drop-down list.

If the cloud service end point for your vendor does not appear in the
drop-down list, you must add a cloud storage instance. See the Add
Cloud Storage description in this table.

Storage server name Displays the default storage server for your vendor. The drop-down list
displays only those names that are available for use. If more than one
storage server is available, you can select a storage server other than
the default one.

You can type a different storage server name in the drop-down list,
which can be a logical name for the cloud storage. You can create
multiple storage servers with different names that refer to the same
physical service host for Amazon. If there are no names available in the
list, you can create a new storage server name by typing the name in
the drop-down list.
Note: It is recommended that a storage server name that you add while
configuring an Amazon S3-compatible cloud provider should be a logical
name and should not match a physical host name. For example: While
you add an Amazon GovCloud storage server, avoid using names like
‘[Link]’ or ‘[Link]’. These servers may be physical
hosts, which can cause failures during cloud storage configuration.
Instead, use storage server names like ‘amazongov1’ or ‘amazonserver1’
and so on.

Note: The Add Cloud Storage option is disabled for public clouds.
You must use existing cloud storage.

Add Cloud Storage To configure cloud deployment details, click Add Cloud Storage. The
customized cloud deployment refers to the cloud instances that are not
already listed in the Service Host drop-down list. After you configure
cloud deployment details, the service host appears in the Service Host
drop-down list.

See “Amazon S3 cloud storage options” on page 26.

Once the cloud storage is added, you cannot modify or delete it using
the NetBackup Administration Console. However, you can modify or
delete a storage server by using the csconfig command.
Note: You can use the NetBackup csconfig -a command to create
custom cloud instances for an Amazon S3-compatible cloud provider.
You must run the csconfig command before you run the
nbdevconfig and tpconfig commands.

See the NetBackup Commands Reference Guide for a complete
description about these commands. The guide is available through the
following URL:

[Link]

Media server name Select a NetBackup media server from the drop-down list. The drop-down
list displays only NetBackup 8.3 and later media servers. In addition,
only the media servers that conform to the requirements for cloud storage
appear in the drop-down list. The requirements are described in the
following topic:

See “About the NetBackup media servers for cloud storage” on page 122.

The host that you select queries the storage vendor’s network for its
capabilities and for the available storage. The media server also
becomes a data mover for your backups and restores.
To support cloud storage, a media server must conform to the following
items:

■ The operating system must be supported for cloud storage. For the
operating systems that NetBackup supports for cloud storage, see
the NetBackup operating system compatibility list available through
the following URL:
[Link]
■ The NetBackup Service Layer (nbsl) service must be running on
all the media servers.
The NetBackup Web Management Console (nbwmc) must be running
on the master server.
■ For Amazon S3-compatible cloud providers, the media server must
run a NetBackup 8.3 or later release.
■ The NetBackup media servers that you use for cloud storage must
be the same NetBackup version as the master server.

Enter Credentials Applies to: Amazon GovCloud only.

This option is the default selection. Select this option to configure cloud
storage server credentials on this wizard panel by entering the access
key ID and secret access key.

Use Credentials Broker Applies to: Amazon GovCloud only.

Select this option to configure cloud storage server using credentials
broker. If you select this option, you then use the Credentials Broker
Details wizard panel that appears next to configure the credentials
broker information.

Deduplication Enabling this option creates a CloudCatalyst storage server that can be
used to upload deduplicated data to the cloud.
This option is grayed out if any of the following cases are true:

■ The selected media server does not have NetBackup 8.1 or later
installed.
■ CloudCatalyst does not support the media server operating system.
■ CloudCatalyst does not support the cloud vendor.

When you enable this option, the default path for Local cache
directory is /msdpc. You can change this directory by using the Browse
option.

See the NetBackup compatibility lists for support information:

[Link]

For information about CloudCatalyst, see the NetBackup Deduplication
Guide:

[Link]

Local cache directory Enter the mount path to be used as the storage path on the
CloudCatalyst storage server.

For example: /space/mnt/esfs

The deduplicated data is written to this local cache directory before it is
uploaded to the cloud. The larger the cache, the more likely that
NetBackup can service requests locally, avoiding cloud access to read
and write.
Notes:

■ This path should be to a file system which is dedicated for
CloudCatalyst cache use. Inaccurate cache eviction occurs if the
path shares any storage with other data or applications.
■ NetBackup manages the files in the local cache directory. Users
should not manually delete files in this directory.

Access key ID Does not apply for Amazon GovCloud if you select Use Credentials
Broker.

Enter the access key ID for your vendor account.

If you do not have an account, click Create an account with the service
provider link.

Secret access key Does not apply for Amazon GovCloud if you select Use Credentials
Broker.

Enter the secret access key for your vendor account. It must be 100 or
fewer characters.

Use IAM Role(EC2) NetBackup retrieves the AWS IAM Role name and credentials associated
with the EC2 instance.
Note: For IAM Role, the selected media server must be hosted on the
EC2 instance.

See “About using Amazon IAM roles with NetBackup” on page 51.

Advanced Settings To change SSL, proxy, or HTTP header (server-side encryption or
storage class) settings for your cloud storage hosts, click Advanced
Settings.

See “Amazon S3 advanced server configuration options” on page 28.

Amazon S3 cloud storage options


The Add Cloud Storage dialog box appears when you click Add Cloud Storage
on the wizard panel for Amazon S3 providers. It contains the following tabs:

General Settings tab See Table 2-5 on page 27.

Region Settings tab See Table 2-6 on page 28.


Note: If your cloud storage deployment is not configured for
multiple regions, you do not need to configure any regions.

Note: To add a cloud storage server in an Amazon virtual private cloud (VPC)
environment, ensure that you have reviewed the considerations.
See “Amazon virtual private cloud support with NetBackup ” on page 35.

Table 2-5 General Settings tab options

Option Description

Provider type The cloud storage provider. The following describes the state of
this field:
■ Active if you add cloud storage from the Cloud Storage host
properties. Select the required provider from the list.
■ Inactive if you add cloud storage from the Cloud Storage
Server Configuration Wizard or change settings from the
Cloud Storage host properties. It shows the host that you
selected in the wizard or Cloud Storage host properties.

Service host Enter the cloud service provider host name.

If you want to add a public cloud instance, you need to get the
service host details from the cloud storage provider. Type the
service host details in the text box.

If you want to add a cloud storage instance for a private cloud
deployment, enter a service host name like '[Link]',
in case you can access your cloud provider using the following
URL: '[Link]/services/objectstore'

For custom instance, to use IPv6 endpoint, you must update or
create a new instance with the IPv6 equivalent service host.
Note: Do not prefix the service host name with 'http' or 'https'.

Note: For VPC in default (US East (N. Virginia)) AWS region,
use [Link] as the service host.

Service endpoint Enter the cloud service provider endpoint. For
example, '/services/objectstorage' in case your cloud provider
service can be accessed using the
'[Link]/services/objectstore' URL.

You can leave it blank, if the cloud provider service can be
accessed directly from the '[Link]' URL.

HTTP port Enter the HTTP port with which you can access the cloud provider
service in a non-secure mode.

HTTPS port Enter the HTTPS port with which you can access the cloud provider
service in a secure mode.

Storage server name Enter a logical name for the cloud storage that you want to
configure and access using NetBackup.
Note: You can configure multiple storage servers that are
associated with the same public or private cloud storage instance.

Endpoint access style Select the endpoint access style for the cloud service provider.

Path Style is the default endpoint access style.

If your cloud service provider additionally supports virtual hosting
of URLs, select Virtual Hosted Style.

Note: If your cloud storage deployment is not configured for multiple regions, you
do not need to configure any regions.

Table 2-6 Region Settings tab

Option Description

Region name Enter a logical name to identify a specific region where the cloud
storage is deployed. For example: East zone.

Location constraint Enter the location identifier that the cloud provider service uses
for any data transfer operations in the associated region. For a
public cloud storage, you need to get the location constraint details
from the cloud provider.
Note: For VPC in default (US East (N. Virginia)) AWS region,
use us-east-1 as the location identifier.

Service host Enter the service host name for the region. The Service endpoint,
HTTP port, and HTTPS port information that you have entered in
the General Settings tab are used while accessing information
from any region.

Add Click Add to add the region.

Amazon S3 advanced server configuration options


The following tables describe the SSL, HTTP header configuration, and proxy
server options that are specific to all Amazon S3-compatible cloud providers. These
options appear on the Advanced Server Configuration dialog box.

Table 2-7 General Settings tab options

Option Description

Use SSL Select Use SSL if you want to use the SSL (Secure Sockets Layer)
protocol for user authentication or data transfer between NetBackup
and cloud storage provider.

■ Authentication only. Select this option, if you want to use SSL
only at the time of authenticating users while they access the
cloud storage.
■ Data Transfer. Select this option, if you want to use SSL to
authenticate users and transfer the data from NetBackup to the
cloud storage.

Note: NetBackup supports only Certificate Authority (CA) signed
certificates while it communicates with cloud storage in the SSL
mode. Ensure that the cloud server (public or private) has CA-signed
certificate. If it does not have the CA-signed certificate, data transfer
between NetBackup and cloud provider fails in the SSL mode.

Note: The FIPS region of Amazon GovCloud cloud provider (that
is [Link]) supports only secure
mode of communication. Therefore, if you disable the Use SSL
option while you configure Amazon GovCloud cloud storage with
the FIPS region, the configuration fails.

Note: Glacier service endpoint for the Amazon GovCloud cloud
provider (that is [Link]) supports
only secure mode of communication using the NetBackup
GLACIER_VAULT storage class. Therefore, if you disable the Use
SSL option while you configure Amazon GovCloud cloud storage
with GLACIER_VAULT storage class, the configuration fails.

HTTP Headers Specify appropriate value for the selected HTTP header. Click the
Value column to see the drop-down list and select the value.

■ x-amz-server-side-encryption. Select AE256 from the Value
drop-down list, if you want to protect data in Amazon S3 cloud
storage.
AE256 stands for 256-bit Advanced Encryption Standard.
By setting the header value to AE256, every object that Amazon
S3 cloud storage receives is encrypted before it is stored in the
cloud. Amazon S3 server-side encryption uses one of the
strongest block ciphers available, that is AE256 to encrypt your
data. Additionally, it encrypts the key itself with a master key that
it regularly rotates.
Note: If you have already enabled the encryption option while
creating Amazon S3 cloud storage server, you do not need to
enable this option, because the data is already encrypted before
NetBackup sends it over the network.
■ Storage class is configured at the time of creating the storage
server. Once configured, storage class is non-editable.

Table 2-8 Proxy Settings tab options

Option Description

Use Proxy Server Select the Use Proxy Server option to use a proxy server and provide proxy server
settings. Once you select the Use Proxy Server option, you can specify
the following details:

■ Proxy Host–Specify IP address or name of the proxy server.
■ Proxy Port–Specify port number of the proxy server.
■ Proxy Type–You can select one of the following proxy types:
  ■ HTTP
    Note: You need to provide the proxy credentials for HTTP
    proxy type.
  ■ SOCKS
  ■ SOCKS4
  ■ SOCKS5
  ■ SOCKS4A

Use Proxy Tunneling You can enable proxy tunneling for HTTP proxy type.

After you enable Use Proxy Tunneling, HTTP CONNECT requests
are sent from the cloud media server to the HTTP proxy server and
the TCP connection is directly forwarded to the cloud back-end storage.

The data passes through the proxy server, which does not read the headers
or data from the connection.

Authentication Type You can select one of the following authentication types if you are
using HTTP proxy type.

■ None–Authentication is not enabled. Username and password are
not required.
■ NTLM–Username and password needed.
■ Basic–Username and password needed.

Username is the username of the proxy server.

Password can be empty. You can use maximum 256 characters.

Amazon S3 credentials broker details


Figure 2-2 shows the Cloud Storage Configuration Wizard credentials broker
panel for Amazon GovCloud cloud storage. You add the credentials broker details
when you configure a cloud storage server in NetBackup.
See “Configuring a storage server for cloud storage” on page 125.
The credentials broker details also appear in a Cloud Storage Server
Configuration dialog box in which you can change the details.
See “Changing cloud storage host properties” on page 103.

Figure 2-2 Cloud Storage Server Configuration Wizard panel for Amazon

Table 2-9 describes the credential broker options for Amazon GovCloud.

Table 2-9 Credential broker details

Field Description

Service URL Enter the service URL.

For example:
[Link]

Agency Enter the agency name.

Mission Name Enter the mission name.

Role Enter the role.

Certificate File Name Enter the certificate file name.

Private Key File Name Enter the private key file name.

Private Key Passphrase Select the check box to specify the private key pass phrase. It
must be 100 or fewer characters.

The Private Key Passphrase is optional.

Note: The certificate file and the private key file must reside at the following location:
On UNIX - /usr/openv/var/global/wmc/cloud
On Windows - install_path\Veritas\NetBackup\var\global\wmc\cloud

Note: For more details on the credentials broker parameters, contact the Veritas
Technical Support team.

About private clouds from Amazon S3-compatible cloud providers


NetBackup supports the private clouds or cloud instances from the following Amazon
S3-compatible cloud providers:
■ Amazon GovCloud
■ Cloudian HyperStore
■ Hitachi
■ Verizon
Before you configure a private cloud in NetBackup, it must be deployed and
available.

Use the Advanced Server Configuration dialog box


On the select media server panel of the Cloud Storage Configuration Wizard,
click the Advanced Settings option. Then, in the Advanced Server Configuration
dialog box, select the relevant options from the following: Use SSL, Use Proxy
Server, HTTP Headers, and so on.

Note: NetBackup supports only Certificate Authority (CA)-signed certificates while
it communicates with cloud storage in the SSL mode. Ensure that the cloud server
(public or private) has CA-signed certificate. If it does not have the CA-signed
certificate, data transfer between NetBackup and cloud provider fails in the SSL
mode.

Note: The FIPS region of Amazon GovCloud cloud provider (that is
[Link]) supports only secured mode of
communication. Therefore, if you disable the Use SSL option while you configure
Amazon GovCloud cloud storage with the FIPS region, the configuration fails.

The Create an account with service provider link on the wizard panel opens a
cloud provider webpage in which you can create an account. If you configure a
private cloud, that webpage has no value for your configuration process.

About Amazon S3 storage classes


NetBackup supports storage classes for Amazon S3 and Amazon GovCloud. While
you configure a cloud storage, you can select a specific storage class that you want
to assign to your objects or your data backups. The objects are stored according
to their storage classes.
NetBackup supports the following Amazon S3 storage classes:
■ STANDARD
■ STANDARD_IA (IA stands for Infrequent Access.)
■ ONEZONE_IA (without lifecycle) (IA stands for Infrequent Access.)
Select the ONEZONE_IA (Infrequent Access) storage class to restore less
frequently accessed data with single zone resiliency.
■ GLACIER
Images that are written to Glacier using CloudCatalyst can be read only by a
restore operation. The import, verify, or duplicate operations cannot read the
images.
NetBackup cannot write images to the CloudCatalyst Glacier storage server
when it is configured as AIR target storage server.
See “About protecting data in Amazon Glacier” on page 38.
■ GLACIER_VAULT (Not supported by CloudCatalyst)
See “About protecting data in Amazon Glacier vault” on page 42.
■ Glacier Deep Archive
Images that are written to Glacier Deep Archive using CloudCatalyst can be
read only by a restore operation. The import, verify, or duplicate operations
cannot read the images.
See “About protecting data in Amazon Glacier” on page 38.
■ LIFECYCLE (Not supported by CloudCatalyst)
See “Protecting data using Amazon's cloud tiering ” on page 48.
For more about Amazon S3 storage classes, review Amazon S3 Storage Classes.

In the following scenarios, NetBackup assigns the default STANDARD storage class
to the backups or objects:
■ If you do not select a specific storage class while you configure the Amazon S3
cloud storage
■ If the backups were configured in an earlier NetBackup version

Note: If you initiate a restore from Glacier or Glacier Deep Archive, NetBackup
initiates a warming step. NetBackup does not proceed with the restore until all the
data is available in S3 storage to be read.
The warming step is always done if using Amazon, even if the data is in the
CloudCatalyst cache. For storage classes other than Glacier and Glacier Deep
Archive, the warming step is almost immediate with no meaningful delay. For Glacier
and Glacier Deep Archive, the warming step may be immediate if files were
previously warmed and are still in S3 Standard storage. However, it may take several
minutes, hours, or days depending on settings being used.

See “Assigning a storage class to Amazon cloud storage” on page 129.

Amazon virtual private cloud support with NetBackup


Using NetBackup you can add a new cloud storage in an Amazon virtual private
cloud (VPC) environment.
The following diagram illustrates how NetBackup integrates with VPC.
[Diagram: NetBackup integration with an Amazon VPC. Labels: Amazon Cloud, Region, VPC, Public Subnet (PC1, Media Server 1, Private IP, Elastic IP, Gateway, Internet), Private Subnet (PC2, Media Server 2, Private IP), Router, Master server, VPC Endpoint, Bucket.]

The diagram illustrates the following points:


■ You must deploy the media servers within the VPC environment.
■ You can deploy the master server locally or in the VPC environment. Ensure
that the master server is able to communicate with the media servers.
■ In the public subnet, PC1 uses both private and elastic IP and has access to
the Internet. Media server 1 also has access to the Internet. In a public
subnet, you can authenticate and access the storage bucket over the Internet or
using the VPC endpoint.
■ In the private subnet, PC2 uses only private IP and has no access to the Internet.
Media server 2 also has no access to the Internet. In a private subnet, you
can authenticate and access the storage bucket using the VPC endpoint.
■ A VPC is restricted to a specific region.

Considerations for configuring cloud storage server in an Amazon virtual private cloud (VPC) environment
■ You need to add a new cloud storage server for the specific region.
See “Amazon S3 cloud storage options” on page 26.

■ Do not configure multiple regions for one service host.


■ When you configure a region for a service host, it must be same as the VPC
region; you cannot configure a different region. For example, if you want to add
a cloud storage for Singapore region VPC environment, you must configure the
service host region to Singapore.
■ For VPC in the default (US East (N. Virginia)) AWS region, use
[Link] as the service host and us-east-1 as the
location identifier.
■ Configure the NetBackup policy to use the media server within the VPC
environment.

About protecting data in Amazon for long-term retention


The following Amazon cloud storage options are available for long-term retention
of data:
■ See “About protecting data in Amazon Glacier” on page 38.
■ See “About protecting data in Amazon Glacier vault” on page 42.

Difference between GLACIER, GLACIER DEEP ARCHIVE, and GLACIER_VAULT storage classes: When to use what?
Consider the following table when deciding between GLACIER and
GLACIER_VAULT storage classes:

GLACIER and GLACIER_DEEP_ARCHIVE storage class: GLACIER and GLACIER_DEEP_ARCHIVE storage class corresponds to uploading data through S3 endpoint and transitioning the data to Glacier.
GLACIER_VAULT storage class: GLACIER_VAULT storage class corresponds to uploading data using Amazon Glacier services to vault.

GLACIER and GLACIER_DEEP_ARCHIVE storage class: For GLACIER and GLACIER_DEEP_ARCHIVE storage class, the metadata is stored in STANDARD storage class.
GLACIER_VAULT storage class: For GLACIER_VAULT storage class, the metadata is stored in STANDARD and GLACIER_VAULT storage classes.

GLACIER and GLACIER_DEEP_ARCHIVE storage class: Cost of operation for GLACIER is approximately 2% higher than GLACIER_VAULT.
GLACIER_VAULT storage class: Cost of operation for GLACIER and GLACIER_VAULT storage class is approximately the same with GLACIER being approximately 2% higher than GLACIER_VAULT.

GLACIER and GLACIER_DEEP_ARCHIVE storage class: Use GLACIER and GLACIER_DEEP_ARCHIVE storage class if you do not plan to use immutable vault lock capability.
GLACIER_VAULT storage class: Use GLACIER_VAULT storage class if you plan to use the immutable vault lock policy for compliance or to protect your data from ransomware attack.

GLACIER and GLACIER_DEEP_ARCHIVE storage class: GLACIER and GLACIER_DEEP_ARCHIVE storage class has a configurable retrieval retention period. Thus, it is useful for restores that may take more time due to size and speed.
GLACIER_VAULT storage class: The retrieval retention period for GLACIER_VAULT storage class is fixed, that is 24 hours. See “Restoring from Amazon Glacier vault spans more than 24 hours for single fragment” on page 211.

GLACIER and GLACIER_DEEP_ARCHIVE storage class: As objects get uploaded, Amazon provides visibility for all objects and their storage class property through the Amazon S3 service console. Hence, NetBackup images that are created using GLACIER and GLACIER_DEEP_ARCHIVE storage class have better visibility through the Amazon S3 service console.
GLACIER_VAULT storage class: Amazon takes 24 hours to refresh archive inventory. Hence, archives uploaded during backup done using GLACIER_VAULT storage class are reflected in the Amazon Glacier service console only after 24 hours. However, you can get some visibility of backups using the Amazon S3 service console through the metadata generated during the backup. Amazon Glacier service console does not provide any visibility for individual archives.

GLACIER and GLACIER_DEEP_ARCHIVE storage class: There are architectural differences between GLACIER_VAULT storage class (using Amazon Glacier services) and GLACIER and GLACIER_DEEP_ARCHIVE storage class (using Amazon S3 services). This results in difference in speed that must be considered when selecting a storage class.
GLACIER_VAULT storage class: There are architectural differences between GLACIER_VAULT storage class (using Amazon Glacier services) and GLACIER and GLACIER_DEEP_ARCHIVE storage class (using Amazon S3 services). This results in difference in speed that must be considered when selecting a storage class.

GLACIER and GLACIER_DEEP_ARCHIVE storage class: Storage cleanup handling on failure is better for GLACIER and GLACIER_DEEP_ARCHIVE storage class.
GLACIER_VAULT storage class: Storage cleanup handling on failure is better for GLACIER storage class as compared to GLACIER_VAULT storage class.

About protecting data in Amazon Glacier


To protect your data for long-term retention you can back up the data to Amazon
(AWS) Glacier using NetBackup. Using NetBackup, you can create a storage server
with GLACIER or GLACIER_DEEP_ARCHIVE storage class.

To configure a cloud storage server for Amazon GLACIER or DEEP ARCHIVE storage class
1 Configure the Amazon GLACIER or GLACIER_DEEP_ARCHIVE cloud storage
server.
See “Configuring a storage server for cloud storage” on page 125.
2 Create a disk pool using the Amazon bucket for GLACIER or
GLACIER_DEEP_ARCHIVE storage.
See “Configuring a disk pool for cloud storage” on page 146.
3 Create a backup policy.
See “Creating a backup policy” on page 165.
See the NetBackup Administrator’s Guide, Volume I.
Also ensure that you have the required permissions. See “Permissions required
for Amazon S3 cloud provider user” on page 20.

To duplicate tape data to Amazon Glacier


Use the bpduplicate command to duplicate tape data to Amazon Glacier storage.

Best practices
When you configure a storage server to transition data to Amazon Glacier, consider
the following:
■ Ensure that GLACIER or GLACIER_DEEP_ARCHIVE is supported for the region
to which the bucket belongs.
■ For restores, set the retrieval retention period to minimum 3 days.
■ Select True Image Recovery option wherever possible to reduce time and cost
for image imports.
To retrieve the data that is sent to Glacier, there is an inherent time delay of
around 4 hours per fragment of the backup image. For phase 2 of image imports,
this time delay is prevalent for images in the Glacier storage. However, if you
enable True Image Recovery in the policy, the time delay for phase 2 imports
reduces drastically from 4 hours to a few minutes per fragment. Phase 1 imports
are faster, irrespective of whether True Image Recovery is enabled or not for
the policy.
See the NetBackup Administrator’s Guide, Volume I to know more about
supported workloads and file systems for True Image Recovery.
See the NetBackup Administrator’s Guide, Volume I to know more about the
phases during image imports.
■ You can reduce restore time by running parallel restores. To do so, use
multistreaming for the backup, which creates multiple images at logical boundaries.
■ Workload Granular Recovery (GRT) or VMware Single File Restore (SFR)
increases the time-out on the master, media, and client to more than 5 hours.

Limitations
Consider the following limitations:
■ NetBackup Accelerator feature is not supported for policies of the storage units
that are created for GLACIER or GLACIER_DEEP_ARCHIVE. Do not select
the Accelerator check box.

About restoring data from Amazon Glacier


The NetBackup image is stored as a set of objects with the specified storage class, in
this case, the GLACIER or GLACIER_DEEP_ARCHIVE storage class. Restore from
Amazon Glacier happens in two phases:
■ The objects are first retrieved at an internal staging location that is maintained
by Amazon.
■ From there, the data is restored at the destination location.
NetBackup supports the following Amazon retrieval types:
■ Bulk retrieval, which completes within 5-12 hours.
■ Standard retrieval, which completes within 3-5 hours.
■ Expedited retrieval, which completes within 1-5 minutes.
For more about Amazon S3 storage classes, review Amazon S3 Storage Classes.

Note: If you specify Expedited retrieval, Amazon can sometimes fail the request
because of a lack of resources. In this case, the restore job fails (NetBackup
status 5: restore failed completely), and you must use Standard retrieval or Bulk
retrieval.
The activity monitor displays this message from bpbrm: Image warming failed 503.
The following error is in the esfs_storage log on the CloudCatalyst server:
GlacierExpeditedRetrievalNotAvailable: Glacier expedited retrievals are currently not available, please try again later status code: 503

When you perform a restore, the entire image fragment is restored while only the
selected objects are downloaded.

Figure 2-3 Restoring from Amazon Glacier

Note: If you use Glacier with CloudCatalyst, you can create a GLACIER_RETRIEVAL
touch file on the master server in the /usr/openv/netbackup/bin directory with one of
three strings in it: bulk, standard, or expedited. You can create this touch file if
you do not want to use the Bulk retrieval option.
If you use Glacier, you can use bulk, standard, or expedited. If you use
DEEP_ARCHIVE, you can use bulk or standard. If no string is defined or the touch
file does not exist, NetBackup defaults to bulk.
If you use Glacier with non-CloudCatalyst cloud storage servers, only Amazon
Standard retrieval is supported.
For more about restoring using Amazon S3, review Restoring Archived Objects.

Considerations with Restore of Image Fragments

Note: This section does not apply to CloudCatalyst, only non-CloudCatalyst storage
servers.

If the files and folders you want to restore belong to multiple image fragments,
consider the following:
■ One image fragment is retrieved at a time. The next image fragment is retrieved
only after the selected files and folders that are part of the first image fragment
are downloaded.
■ The restore time must be considered depending on the number of image
fragments. For example, if the files you want to restore are part of two fragments,
an additional 6 - 10 hours will be added to the complete restore time.

Figure 2-4 Restoring image fragments for Amazon Glacier

Note: If you cancel a job after the restore retrieval is initiated, a cost is incurred for
all the objects that are retrieved to the staging location until the point of cancellation.

About protecting data in Amazon Glacier vault


To protect your data for long-term retention with Amazon vault lock policy, you can
back up the data to a vault in Amazon Glacier using NetBackup.
When you create a GLACIER_VAULT storage class using NetBackup, you specify
a vault name and a region in which you want to create the vault.
You can use the Amazon vault lock policy to enforce compliance control on the
vault or to make the vault a Write-Once-Read-Many (WORM) device. See the
Amazon documentation for more information.

Figure 2-5 Protecting data in Amazon Glacier vault

To configure a cloud storage server for GLACIER_VAULT storage class


1 Configure the Amazon GLACIER vault cloud storage server.
See “Configuring a storage server for cloud storage” on page 125.

Note: Each storage server is associated with only one region.

2 Create a disk pool using the Amazon bucket for GLACIER storage.
See “Configuring a disk pool for cloud storage” on page 146.

Note: If you cannot see the desired vault, it means either the vault does not
have an S3 bucket in the same region as the vault region or the vault does not
exist in the region corresponding to the storage server for which you are creating
the disk pool.

3 Use the Amazon console to create a vault lock policy. See the Amazon
documentation for more information.
4 Create a backup policy.
See “Creating a backup policy” on page 165.

Best practices
When you configure a storage server to back up data to a vault in Amazon Glacier,
consider the following:
■ If you have configured an immutable vault lock policy to deny the deletion of
archives, Amazon Glacier vault does not allow deletion of archives until the archives
are unlocked for deletion. Hence, the retention period configured for a backup
policy must be greater than the vault lock period by at least two weeks or the
maximum time taken to back up or duplicate data to GLACIER_VAULT with
retries in your environment. Otherwise, the image cleanup job on image expiry
fails. See “Handling image cleanup failures for Amazon Glacier vault” on page 210.
■ It is recommended that you use a vault as a secondary target for backing up data.
■ If you plan to use the vault lock policy, ensure you create a vault for each
retention level you want to use for the vault.
■ Use compression and incremental backups to reduce the size of the data stored
per backup.
■ Select the True Image Recovery option wherever possible to reduce time and cost
for image imports.
To retrieve data sent to Glacier, there is an inherent time delay of around four
hours per fragment of the backup image. For phase 2 of image imports, this
time delay is prevalent for image(s) in the Glacier storage. However, if you
enable True Image Recovery in the policy, time spent for phase 2 imports
reduces drastically from four hours to a few minutes per fragment. Phase 1
imports are faster, irrespective of whether True Image Recovery is enabled or
not for the policy.
See the NetBackup Administrator's Guide, Volume I to know more about
supported workloads and file systems for True Image Recovery.
See the NetBackup Administrator's Guide, Volume I to know more about the
phases during image imports.

Limitations
Consider the following limitations:
■ NetBackup Accelerator feature is not supported for policies of the storage units
that are created for GLACIER_VAULT. Do not select the Accelerator check
box.
■ CloudCatalyst with GLACIER_VAULT is not supported.
■ Glacier endpoint for the Amazon GovCloud cloud provider (that is
[Link]) supports only secure mode of
communication using the NetBackup GLACIER_VAULT storage class. Therefore,
if you disable the Use SSL option while you configure the Amazon GovCloud
cloud storage with GLACIER_VAULT storage class, the configuration fails.

Permissions
You must have the following permissions:
■ glacier:ListVaults
■ glacier:CreateVault
■ glacier:DescribeVault
■ glacier:UploadArchive
■ glacier:DeleteArchive
■ glacier:ListJobs
■ glacier:DescribeJob
■ glacier:InitiateJob
■ glacier:GetJobOutput
■ Also, ensure that you have the required S3 related IAM USER permissions. See
“Permissions required for Amazon S3 cloud provider user” on page 20.
For issues related to permissions, see “Troubleshooting failures due to missing
Amazon IAM permissions” on page 213.

About backing up data to Amazon Glacier vault


When a NetBackup backup job is run to back up data using the GLACIER_VAULT
storage class, the data is stored in the vault as a set of archives. The metadata is
stored in an S3 bucket as STANDARD storage class objects as well as in the
Amazon Glacier vault as a set of archives.

Figure 2-6 Backing up to Amazon Glacier vault

Considerations:
■ If a backup fails due to network issues, the partially backed up data may reside
in the vault and hence occupy storage space.
■ It is recommended to use the LIFECYCLE storage class for moving data from
other cloud storage classes to Glacier. See “Protecting data using Amazon's
cloud tiering” on page 48. However, to move data from other cloud storage
classes to GLACIER_VAULT, you must host a cloud media server and duplicate
data through it. This step is done to avoid data-out cost. This workaround also
applies to moving data from GLACIER_VAULT storage class to other cloud
storage classes.

About restoring data from Amazon Glacier vault


The NetBackup image is stored as a set of data archives in the GLACIER_VAULT
storage class. Restore from Amazon Glacier vault happens in two phases.
■ The archives are first retrieved at an internal staging location that is maintained
by Amazon.
■ From there, the data is restored to the destination location.
The staging restore operation takes a minimum of 3 hours to 5 hours. The archives
are available at the Amazon staging location for a maximum of 24 hours.

Note: NetBackup supports Amazon Standard retrievals that complete within a
minimum of 3 hours to 5 hours. When you perform a restore, the entire image
fragment is brought to the staging location while only the selected archives are
downloaded.

Figure 2-7 Restoring from Amazon Glacier vault

Considerations with Restore of Image Fragments


If the files and folders you want to restore belong to multiple image fragments,
consider the following:
■ One image fragment is retrieved at a time. The next image fragment is retrieved
only after the selected files and folders that are part of the first image fragment
are downloaded.
■ The restore time must be considered depending on the number of image
fragments. For example, if the files you want to restore are part of two fragments,
an additional 6 - 10 hours are added to the complete restore time.

Figure 2-8 Restoring image fragments for Amazon GLACIER_VAULT

Note: If you cancel a job after the restore retrieval is initiated, a cost is incurred for
all the objects that are retrieved to the staging location until the point of cancellation.

Protecting data using Amazon's cloud tiering


Use the LIFECYCLE storage class to protect your data using cloud tiering. Cloud
tiering allows you to back up your data to STANDARD or STANDARD_IA storage
class and then transition the data to STANDARD_IA or GLACIER storage class.
You can configure the storage server properties to determine the number of days
the data resides in each storage class. Thus, you can configure your storage server
for short-term or long-term data protection.
To configure a cloud storage server for Amazon LIFECYCLE storage class
1 Configure the Amazon LIFECYCLE cloud storage server.
See “Configuring a storage server for cloud storage” on page 125.
2 Configure the storage server properties for the following:
■ AMZ:UPLOAD_CLASS
■ AMZ:TRANSITION_TO_STANDARD_IA_AFTER
■ AMZ:TRANSITION_TO_GLACIER_AFTER
See “NetBackup cloud storage server connection properties” on page 136.
3 Create a disk pool for the LIFECYCLE storage class.
See “Configuring a disk pool for cloud storage” on page 146.
4 Create a backup policy.
See “Creating a backup policy” on page 165.

Best practices
■ Ensure that the selected bucket does not have any existing lifecycle policy.
■ If the data is set to transition to GLACIER, consider the following:
■ Ensure that Amazon Glacier is supported for the region to which the bucket
belongs.
■ You can use multi-streaming to get multiple images at logical boundaries.

Limitations
Consider the following limitations:
■ NetBackup Accelerator feature is not supported for policies of the storage units
that are created for LIFECYCLE. Do not select the Accelerator check box.
■ CloudCatalyst with LIFECYCLE is not supported.

Permissions
You must have the following permissions:
■ Life cycle policy related permissions:
  ■ s3:PutLifecycleConfiguration
  ■ s3:GetLifecycleConfiguration
■ Object tagging permissions:
  ■ s3:PutObjectTagging

Note: The bucket owner has these permissions, by default. The bucket
owner can grant these permissions to others by writing an access policy.

■ Also ensure that you have the required IAM USER permissions. See
“Permissions required for Amazon S3 cloud provider user” on page 20.
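
The following Python sketch is an added example, not NetBackup or Veritas code. It checks an IAM policy document against the glacier: and s3: actions listed in the Permissions sections for GLACIER_VAULT and LIFECYCLE above, so that a missing or denied action is found before a backup job fails. The function names and the sample policy are constructed for illustration, and the check reads only Effect and Action (it ignores Resource, Condition, and NotAction).

```python
import fnmatch
import json

# Actions transcribed from the two "Permissions" lists in this section.
# The S3 permissions from "Permissions required for Amazon S3 cloud
# provider user" are not on this page and are not covered here.
REQUIRED = {
    "GLACIER_VAULT": [
        "glacier:ListVaults", "glacier:CreateVault", "glacier:DescribeVault",
        "glacier:UploadArchive", "glacier:DeleteArchive", "glacier:ListJobs",
        "glacier:DescribeJob", "glacier:InitiateJob", "glacier:GetJobOutput",
    ],
    "LIFECYCLE": [
        "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration",
        "s3:PutObjectTagging",
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _collect(policy):
    """Return (allowed_patterns, denied_patterns) from all statements."""
    allowed, denied = [], []
    for statement in _as_list(policy.get("Statement")):
        patterns = _as_list(statement.get("Action"))
        if statement.get("Effect") == "Allow":
            allowed.extend(patterns)
        elif statement.get("Effect") == "Deny":
            denied.extend(patterns)
    return allowed, denied


def _matches(action, patterns):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    name = action.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def missing_actions(policy, storage_class):
    """Required actions that are not allowed, or that any Deny names.

    A Deny is treated as blocking even if it is scoped by Resource or
    Condition, so the result errs on the side of reporting a problem.
    """
    allowed, denied = _collect(policy)
    return [action for action in REQUIRED[storage_class]
            if not _matches(action, allowed) or _matches(action, denied)]


def broad_grants(policy):
    """Allow patterns with wildcards, worth reviewing for least privilege."""
    allowed, _ = _collect(policy)
    return sorted({p for p in allowed if "*" in p or "?" in p})


# Constructed sample policy: glacier:InitiateJob is absent, DeleteArchive is
# denied, and only one of the three LIFECYCLE actions is granted.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["glacier:List*", "glacier:Describe*", "glacier:CreateVault",
                "glacier:UploadArchive", "glacier:DeleteArchive",
                "glacier:GetJobOutput"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutLifecycleConfiguration",
     "Resource": "*"},
    {"Effect": "Deny", "Action": "glacier:DeleteArchive", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for storage_class in REQUIRED:
        print(storage_class, "missing:",
              missing_actions(SAMPLE_POLICY, storage_class))
    print("wildcard grants to review:", broad_grants(SAMPLE_POLICY))
```
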

About backing up data using LIFECYCLE storage class


Initially, the backed up data resides in the storage class determined by the setting
AMZ:UPLOAD_CLASS in the storage server properties dialog box (default is
STANDARD). However, you can configure the duration after which the data
transitions to other storage classes by changing the following storage server
properties:
■ TRANSITION_TO_STANDARD_IA_AFTER
■ TRANSITION_TO_GLACIER_AFTER

Figure 2-9 Back up process for LIFECYCLE storage class with possible
configurations
Note: If you want to move data from GLACIER or STANDARD_IA to STANDARD
storage class, or GLACIER to STANDARD_IA storage class, you will need to host
a cloud media server and duplicate data through it.

After you change the storage server properties, the new properties are applied
when a new backup job is run for a disk pool of the storage server. They apply to
the bucket associated with that disk pool and to the older non-transitioned images
in this bucket.
See “NetBackup cloud storage server connection properties” on page 136.
See “About protecting data in Amazon Glacier” on page 38.

About restoring data from LIFECYCLE storage class


At the time of restoring, if your data exists in STANDARD or STANDARD_IA storage
class, the data is restored to the destination location. However, if the data resides
in GLACIER storage class, the data is first retrieved at an internal staging location
maintained by Amazon. The data is then restored to the destination location. Hence,
the time taken to restore data from STANDARD or STANDARD_IA storage class
is much less than the time taken to restore data from GLACIER storage class.
See “About restoring data from Amazon Glacier” on page 40.

About using Amazon IAM roles with NetBackup


An AWS IAM role is an Amazon Web Services (AWS) identity with a permission
policy that determines what tasks the identity is authorized to perform. You can use
roles to delegate access to users, applications, or the services that normally don’t
have access to AWS resources. A role is intended to be assumable by anyone who
needs it. If a user assumes a role, temporary security credentials are created
dynamically and provided to the user.
For example, an application running on AWS Elastic Compute Cloud (EC2)
instances requires credentials to access other AWS services such as the S3 service.
With the traditional approach, you provide fixed credentials: an access key and a
secret access key. With IAM roles, temporary credentials are used to connect to
the other AWS services.

Considerations
NetBackup supports the AWS IAM Roles for stream-based backup operations,
wherein:
1. NetBackup uses AWS IAM Role that is attached to the AWS EC2 instances
on which media server is configured for all S3 storage communications.
2. NetBackup fetches the role name and temporary credentials by connecting to
the AWS EC2 metadata.
3. NetBackup master server can be deployed on an AWS EC2 instance or
on-premises. You must configure the required network settings for communication
between the master and media server(s).
4. The NetBackup media server or the CloudCatalyst media server that uses the
IAM role to back up data to cloud must be deployed on the AWS EC2 instance.
5. AWS IAM Role with required permissions must be attached to the NetBackup
media server running on the AWS EC2 instance. See “Permissions required
for Amazon S3 cloud provider user” on page 20.
6. Backup data is stored in S3 storage of the same AWS account where the AWS
IAM role is created.
7. NetBackup supports the AWS IAM Role-based authentication for both Amazon
and Amazon Gov cloud providers.
8. You can modify an existing cloud storage server (alias) to use an AWS IAM role
for authentication only by using the csconfig command.
9. Use the AWS Management Console to perform IAM Role allocation,
modification, and revocation operations. NetBackup does not store any
role-specific information.
10. Ensure that the AWS EC2 instance metadata service is accessible to the NetBackup
media server. You can verify this using AWS commands. For example:
To get the role name, run:
curl [Link]
To get the credentials, run:
curl [Link]

11. For IPv6 only deployments, AWS IAM Role cannot be used because AWS
EC2 instance metadata service is supported only for IPv4.
12. AWS IAM Role is also supported with CloudCatalyst storage server.

AWS IAM Role deployment


The following diagram illustrates the deployment:
[Diagram: AWS Environment containing NetBackup Clients, an EC2 instance with NetBackup CC media server and IAM Role, an S3 Bucket, and AWS User and group]

As illustrated in the diagram, to use AWS IAM role with NetBackup:


■ NetBackup master server can be deployed on-premises or in the cloud.
■ Backup data is stored in S3 storage of the same AWS account where the AWS
IAM role is created.
■ AWS IAM role is attached to AWS EC2 instance on which CloudCatalyst media
server is installed.

Note: When a role is attached to an AWS EC2 instance that has access to S3 storage,
the NetBackup user doesn’t need to provide any credentials.

Tip: You get better performance if the NetBackup clients are deployed in the cloud.

Configuring AWS IAM Role with NetBackup


Using the AWS Management Console and the NetBackup Administration Console,
you can configure AWS IAM Roles with NetBackup.
To configure AWS IAM Role with NetBackup
1 Perform the following configurations in the AWS Management Console to use
AWS IAM Roles with NetBackup:
■ Create AWS IAM role.
■ Attach role to AWS EC2 instance which will be used as a NetBackup media
server.
For guidelines refer to the technote.
2 Configure the new cloud storage server to use the AWS IAM role. No
credential-specific information is required for using the AWS IAM roles.
See “Amazon S3 cloud storage provider options” on page 21.
See “Configuring a storage server for cloud storage” on page 125.
A new option, CREDS_ROLE, for the credential broker (-creds_broker) option is added
to the csconfig command.
See the NetBackup Commands Reference Guide.

Note: For modifying the existing cloud storage server (alias) to use AWS IAM role
for authentication, use only the csconfig command.

About NetBackup character restrictions for Amazon S3 cloud connector
NetBackup S3 cloud connector on the S3 compliant cloud storage does not support
VMware and Hyper-V backups if the virtual machine display name contains
unsupported characters. The unsupported characters are listed in the Object Key
Naming guidelines from Amazon S3.

Characters to avoid as per Amazon S3 Object Key Naming guidelines:
The virtual machine display name maps to the key name in Amazon S3 context.
Therefore, avoid the following set of characters in a virtual machine display name:
■ Backslash \
■ Left curly brace {
■ Right curly brace }
■ Non-printable ASCII characters (128–255 decimal characters)
■ Caret ^
■ Percent character %
■ Grave accent or back tick `
■ Right square bracket ]
■ Left square bracket [
■ Quotation marks "
■ Tilde ~
■ Less Than symbol <
■ Greater Than symbol >
■ Pound character #
■ Vertical bar or pipe |

Characters to avoid as per NetBackup S3 connector guidelines:
Avoid the following set of characters in a virtual machine display name:
■ Ampersand &
■ Dollar $
■ ASCII character ranges 00–1F hex (0–31 decimal) and 7F (127 decimal)
■ At symbol @
■ Equals =
■ Semicolon ;
■ Colon :
■ Plus +
■ Space (Significant sequences of spaces may be lost in some uses, especially
multiple spaces)
■ Comma ,
■ Question mark ?
■ Right round parenthesis )
■ Left round parenthesis (

Note: For an updated list of characters to avoid, refer to Amazon S3 documentation.
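
The following Python sketch is an added example, not NetBackup or Veritas code. It audits virtual machine display names against the two character lists above before VMware or Hyper-V backups are pointed at an S3 storage server. The function names and sample display names are constructed for illustration; code points above 255 appear in neither list on this page and are not flagged.

```python
# Characters to avoid, transcribed from the two lists in this section.
S3_AVOID = set('\\{}^%`]["~<>#|')   # Amazon S3 Object Key Naming list
NBU_AVOID = set("&$@=;:+ ,?)(")      # NetBackup S3 connector list

S3_REASON = "S3 object key naming guideline"
NBU_REASON = "NetBackup S3 connector guideline"


def check_display_name(name):
    """Return (index, code point, reason) for every character to avoid."""
    findings = []
    for index, ch in enumerate(name):
        cp = ord(ch)
        if ch in S3_AVOID or 128 <= cp <= 255:
            # Listed characters plus the 128-255 decimal range.
            reason = S3_REASON
        elif ch in NBU_AVOID or cp <= 0x1F or cp == 0x7F:
            # Listed characters plus control characters 00-1F hex and 7F.
            reason = NBU_REASON
        else:
            continue
        findings.append((index, f"U+{cp:04X}", reason))
    return findings


def audit(names):
    """Map each display name that has at least one finding to its findings."""
    report = {}
    for name in names:
        findings = check_display_name(name)
        if findings:
            report[name] = findings
    return report


# Constructed sample inventory of VM display names.
SAMPLE_NAMES = [
    "web-server-01",
    "db server (prod)",
    "build#42",
    "caf\u00e9-vm",
    "app_v2.1",
    "tab\tname",
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_NAMES).items():
        print(repr(name))
        for index, code_point, reason in findings:
            print(f"  position {index}: {code_point} ({reason})")
```
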

Protecting data with Amazon Snowball and Amazon Snowball Edge


Amazon Snowball and Amazon Snowball Edge devices can be configured with
NetBackup to back up data to the cloud.
The data that is backed up using the Snowball and Snowball Edge devices can be
categorized as:

Old data    The backup images that are present in tapes and disks or any other
            storage media and accumulated over the years.

Live data   The backup data that is generated using daily backups while
            the Amazon Snowball or the Amazon Snowball Edge device is
            on-premises.
            Define storage lifecycle policies for such backups wherein the actual
            backup goes to the local storage, and the secondary copy is duplicated
            to the Snowball or Snowball Edge device.

Note: Only STANDARD storage class is supported.

Best practices
Follow these practices when backing up the data to Amazon cloud:
■ Plan to keep at least one copy of the data on-premises while data from Snowball
or Snowball Edge device is imported to cloud. If the backup copy on the Snowball
or Snowball Edge device is the only copy you have, use the bpduplicate command
to make a copy.
See the NetBackup Commands Reference Guide.
■ Verify the imported data in the cloud before discarding (if required) the
on-premises backup copy.
■ Use the Amazon Snowball and Amazon Snowball Edge device for initial seeding.
■ Do not use the buckets for any other purpose before the data is imported to
them.
■ (For live data) Suspend the duplication operations while the data is in transit
and is imported to cloud.
■ (For live data) After the data is available in cloud, resume duplication to duplicate
the delta data, which was generated on premises or use another device to
transfer it.

Methods
Following are the different methods available for data transfer.
Table 2-10

Device: Amazon Snowball with NetBackup
Methods: Refer to the following topics:
■ See “Configuring NetBackup for Amazon Snowball with Amazon Snowball client” on page 58.
■ See “Configuring NetBackup for Amazon Snowball with Amazon S3 API interface” on page 60.
■ See “Configuring SSL for Amazon Snowball and Amazon Snowball Edge” on page 68.
■ After backups are imported into the cloud bucket, you need to perform the post backup procedures. See “Post backup procedures if you have used S3 API interface” on page 69.
■ To improve write performance to the Amazon Snowball device, multiple Amazon S3 adapters can be configured. Also, multiple custom instances can point to the same device. See “Using multiple Amazon S3 adapters” on page 62.

Device: Amazon Snowball Edge with NetBackup
Methods: Refer to the following topics:
■ See “Configuring NetBackup with Amazon Snowball Edge with file interface” on page 63.
■ See “Configuring NetBackup for Amazon Snowball Edge with S3 API interface” on page 64.
■ See “Configuring SSL for Amazon Snowball and Amazon Snowball Edge” on page 68.
■ After backups are imported into the cloud bucket, you need to perform the post backup procedures. See “Post backup procedures if you have used S3 API interface” on page 69.

Device: For NetBackup CloudCatalyst Appliance
Methods: File interface methods are not supported with the CloudCatalyst Appliance.
See “Configuring NetBackup for Amazon Snowball and Amazon Snowball Edge for NetBackup CloudCatalyst Appliance” on page 66.

Device: For NetBackup CloudCatalyst media server
Methods: File interface methods are not supported with the CloudCatalyst media server.
Refer to the following topics:
■ See “Configuring NetBackup for Amazon Snowball with Amazon S3 API interface” on page 60.
■ See “Configuring NetBackup for Amazon Snowball Edge with S3 API interface” on page 64.
■ See “Configuring SSL for Amazon Snowball and Amazon Snowball Edge” on page 68.
■ After backups are imported into the cloud bucket, before restore you need to perform the post backup procedures. See “Post backup procedures if you have used S3 API interface” on page 69.

Configuring NetBackup for Amazon Snowball with Amazon Snowball client
In this method, data is first staged on the NetBackup media server and then, using
the Amazon Snowball client, data is moved to the Amazon Snowball device.
Ensure that you have enough space on the file system you plan to use for staging.
To configure NetBackup to transfer data to Amazon Snowball using the Amazon Snowball client
1 Create the cloud storage server with default instance.

Note: An Amazon Snowball device can be used to transfer data only from the
region from where the device is obtained. Thus, ensure that all the buckets in
storage server belong to same region.

Create different bucket(s) for Amazon Snowball when you configure the disk
pool. These buckets are used to create an import job in the AWS console.

Note: It is recommended to create the buckets from the NetBackup
Administration Console. However, if you create buckets from the AWS console,
ensure that only characters that are supported by NetBackup are used.

See “Configuring cloud storage in NetBackup” on page 93.


2 Create an import job in the AWS console. Select the buckets that were created
during the disk pool creation. Refer to the AWS documentation for detailed
steps.
3 Ensure that the media server has enough space to stage the backup data.
4 Update the following storage server properties:
■ AMZ:OFFLINE_TRANSFER_MODE: FILESYSTEM
■ AMZ:TRANSFER_DRIVE_PATH: <absolute path where the data must be backed up>

Note: Set these properties back to NONE after you have transferred the data to
the Amazon Snowball device.

See “NetBackup cloud storage server connection properties” on page 136.


5 For live data, create the storage lifecycle policy, backup policy and run the
backup for initial seeding.
For old data, use the bpduplicate command and duplicate the images on the
storage unit.
See the NetBackup Commands Reference Guide.

6 Install the Amazon Snowball client on the media server. Refer to the AWS
documentation for detailed steps.
Using the Amazon Snowball client, transfer the backup data from the media
server to the Amazon Snowball device.
7 After the data transfer is complete:
■ Deactivate the backup policy or postpone the secondary operation
processing in the SLP till the device is in transit.
■ Set the storage server properties you have configured in step 4 to NONE.

8 Ship the device to the cloud vendor. Refer to the AWS documentation for
detailed steps.

Example of Amazon client command to move data to Amazon Snowball device
After the backup job is complete, the backup data is staged on the media server.
Then run the Amazon Snowball client copy command to transfer the data to the
Amazon Snowball device. Following is an example:
snowball cp --recursive <TransferDrivePath/MyBucket/Image> s3://MyBucket/Logs

Refer to the AWS documentation for detailed steps.

Configuring NetBackup for Amazon Snowball with Amazon S3 API interface
When you back up data to the Amazon Snowball device using the Amazon S3
interface, data is moved directly from the source to the Amazon Snowball device
using the Amazon S3 APIs.
To configure NetBackup to transfer data to Amazon Snowball using the S3
API interface
1 Create a temporary storage server (non-CloudCatalyst) and disk pool to create
or list the buckets that you plan to use for the device import job.

Note: It is recommended to create the buckets from the NetBackup
Administration Console. However, if you create buckets from the AWS console,
ensure that only characters that are supported by NetBackup are used.

2 Delete the temporary storage server (non-CloudCatalyst) and disk pool.


3 Create an import job in the AWS console. Refer to the AWS documentation
for detailed steps.

4 Install the Amazon Snowball S3 adapter on a different host. Refer to the AWS
documentation for detailed steps.
5 (Optional) To use SSL protocol for communication with the Amazon Snowball
adapter, append the certificate provided to the Amazon Snowball adapter on
the command line as it is to /usr/openv/var/global/wmc/cloud/[Link]
file on the media server. Ensure that the format and length of the newly copied
certificate matches with the existing certificates in [Link].
See “Configuring SSL for Amazon Snowball and Amazon Snowball Edge”
on page 68.
6 Add a custom instance for the device.
Set the custom instance’s cloud storage properties with details of the host on
which you have installed the Amazon Snowball S3 adapter.
Set the following in the General Settings tab:
■ Provider type: Amazon or Amazon GovCloud depending upon the end point
for which you have ordered the device.
■ Service host: IP or host name of the adapter
■ Service endpoint: Leave blank
■ HTTP Port: Default is 8080. Or enter the port you have configured.
■ HTTPS port: Default is 8443. Or enter the port you have configured.
■ Endpoint access style: Path Style
Set the following in the Region Setting tab:
■ Location constraint: Region from where you have ordered the device.
■ Service host: IP or host name of the adapter

Note: An Amazon Snowball Edge device can be used to transfer data only
from the region from where the device is obtained. Thus, use the location
constraint and service host of the region from where the device is obtained.

See “Adding a cloud storage instance” on page 102.


7 Create a storage server for the device using the custom instance.
See “Configuring cloud storage in NetBackup” on page 93.
8 Update the following storage server property:
AMZ:OFFLINE_TRANSFER_MODE: PROVIDER_API

See “NetBackup cloud storage server connection properties” on page 136.



9 For live data, create the NetBackup storage lifecycle policy, backup policy and
run the backup for initial seeding.
For old data, use the bpduplicate command and duplicate the images on the
storage unit.
See the NetBackup Commands Reference Guide.
10 After the data transfer is complete:
■ Deactivate the backup policy or postpone the secondary operation
processing in the SLP till the device is in transit.
■ Set the storage server properties you have configured to NONE.
■ Save the properties. You need this information during the post-backup
process.
Take an image capture of storage server properties from Administration
console or use nbdevconfig -getconfig command. See the NetBackup
Commands Reference Guide.
Also, note down the object size (for non-CloudCatalyst) that was configured.

11 Ship the device to the cloud vendor. Refer to the AWS documentation for
detailed steps.

Note: After backups are imported into the cloud bucket, before restore you need
to perform the post backup procedures. See “Post backup procedures if you have
used S3 API interface” on page 69.

Using multiple Amazon S3 adapters


To improve write performance to the Amazon Snowball device, multiple Amazon
S3 adapters can be configured. Also, multiple custom instances can point to the
same device.
To use multiple Amazon S3 adapters
1 For each Amazon Snowball adapter create one custom cloud storage instance.
2 Transfer data to the Amazon Snowball device.
3 Delete the custom instance with Amazon S3 adapter IP as service host. Run
the following command:
csconfig cldinstance -r -in <instance-name>

See the NetBackup Commands Reference Guide.



4 Add all the storage servers that are created for the Amazon Snowball device
into the default cloud instance ([Link]). Run the following command:
csconfig cldinstance -as -in [Link] -sts <storage-server-name>

5 Update the following storage server property:


AMZ:OFFLINE_TRANSFER_MODE: NONE

See “NetBackup cloud storage server connection properties” on page 136.


6 Change SSL settings (if performed) for the storage servers.

Configuring NetBackup with Amazon Snowball Edge with file interface

When you back up data to the Amazon Snowball Edge device using the file interface,
data is moved directly from the source to the Amazon Snowball Edge device.
Recommendation: As a precaution, always keep a copy of the backup until the
Amazon Snowball Edge device is imported to the cloud.
To configure NetBackup to transfer data to Amazon Snowball Edge using the
file interface
1 Create the cloud storage server with default instance.

Note: An Amazon Snowball Edge device can be used to transfer data only
from the region from where the device is obtained. Thus, ensure that all the
buckets in storage server belong to same region.

Create different bucket(s) for Amazon Snowball Edge when you configure the
disk pool. These buckets are used to create an import job in the AWS console.

Note: It is recommended to create the buckets from the NetBackup
Administration Console. However, if you create buckets from the AWS console,
ensure that only characters that are supported by NetBackup are used.

See “Configuring cloud storage in NetBackup” on page 93.


2 Create an import job in the AWS console. Select the buckets that were created
during the disk pool creation. Refer to the AWS documentation for detailed
steps.
3 Install the Amazon Snowball client on the NetBackup media server.
4 Configure the Amazon Snowball Edge device using the Amazon Snowball
client.

5 Update the following storage server properties:
■ AMZ:OFFLINE_TRANSFER_MODE: FILESYSTEM
■ AMZ:TRANSFER_DRIVE_PATH: <absolute path of the directory where
the file share of the Amazon Snowball Edge device is mounted>
Mount the root of the file share instead of individual bucket(s) and provide
that path to TRANSFER_DRIVE_PATH.

Note: Set the property back to NONE after you have transferred the data to
the Amazon Snowball Edge device.

See “NetBackup cloud storage server connection properties” on page 136.


6 Create the NetBackup storage lifecycle policy and backup policy.
7 After the data transfer is complete:
■ Deactivate the backup policy or postpone the secondary operation
processing in the SLP till the device is in transit.
■ Set the storage server properties you have configured in step 5 to NONE.
■ Roll back the changes you made in step 6.

8 Ship the device to the cloud vendor. Refer to the AWS documentation for
detailed steps.

Configuring NetBackup for Amazon Snowball Edge with S3 API interface

When you back up data to the Amazon Snowball Edge device using the S3 interface,
data is moved directly from the source to the Amazon Snowball Edge device using
the Amazon S3 adapter.
To configure NetBackup to transfer data to Amazon Snowball Edge using S3
API interface
1 Configure the Amazon Snowball Edge device using the Amazon Snowball
client.
2 Create a temporary storage server (non-CloudCatalyst) and disk pool to create
or list the buckets that you plan to use for the device import job.

Note: It is recommended to create the buckets from the NetBackup
Administration Console. However, if you create buckets from the AWS console,
ensure that only characters that are supported by NetBackup are used.

3 Delete the temporary storage server (non-CloudCatalyst) and disk pool.


4 Create an import job in the AWS console. Refer to the AWS documentation
for detailed steps.
5 Configure the Amazon Snowball Edge device using the Amazon Snowball
client.
6 (Optional) To use SSL protocol for communication with the Amazon Snowball
Edge, get the certificate using the Amazon snowball client and append the
certificate as it is to /usr/openv/var/global/wmc/cloud/[Link] file on
the media server. Ensure that the format and length of the newly copied
certificate matches with the existing certificates in [Link].
See “Configuring SSL for Amazon Snowball and Amazon Snowball Edge”
on page 68.
7 Add a custom instance for the device.
See “Adding a cloud storage instance” on page 102.
Set the custom instance’s cloud storage properties with details of the host on
which you have installed the Amazon Snowball S3 adapter.
Set the following in the General Settings tab:
■ Provider type: Amazon or Amazon GovCloud depending upon the end point
for which you have ordered the device.
■ Service host: IP or host name
■ Service endpoint: Leave blank
■ HTTP Port: Default is 8080. Or enter the port you have configured.
■ HTTPS port: Default is 8443. Or enter the port you have configured.
■ Endpoint access style: Path Style
Set the following in the Region Setting tab:
■ Location constraint: Region from where you have ordered the device.
■ Service host: IP or host name

Note: An Amazon Snowball Edge device can be used to transfer data only
from the region from where the device is obtained. Thus, use the location
constraint and service host of the region from where the device is obtained.

8 Create a storage server for the device using the custom instance.
See “Configuring cloud storage in NetBackup” on page 93.

9 Update the following storage server property:


AMZ:OFFLINE_TRANSFER_MODE: PROVIDER_API

See “NetBackup cloud storage server connection properties” on page 136.


10 For live data, create the storage lifecycle policy, backup policy and run the
backup for initial seeding.
For old data, use the bpduplicate command and duplicate the images on the
storage unit.
See the NetBackup Commands Reference Guide.
11 After the data transfer is complete:
■ Deactivate the backup policy or postpone the secondary operation
processing in the SLP till the device is in transit.
■ Set the storage server property you have configured to NONE.
■ Save the properties. You need this information during the post-backup
process.
Take an image capture of storage server properties from Administration
console or use nbdevconfig -getconfig command. See the NetBackup
Commands Reference Guide.
Also, note down the object size (for non-CloudCatalyst) that was configured.

12 Ship the device to the cloud vendor. Refer to the AWS documentation for
detailed steps.

Note: After backups are imported into the cloud bucket, before restore you need
to perform the post backup procedures. See “Post backup procedures if you have
used S3 API interface” on page 69.

Configuring NetBackup for Amazon Snowball and Amazon Snowball Edge for NetBackup CloudCatalyst Appliance
To configure NetBackup for Amazon Snowball and Amazon Snowball Edge
for NetBackup CloudCatalyst Appliance
1 Configure the appliance with a CloudCatalyst storage server.
2 Create an import job in the AWS console. Select the bucket that was created
while configuring the appliance. Refer to the AWS documentation for detailed
steps.

3 After the device arrives and is configured in your environment, create an
Amazon custom cloud storage instance. Configure the instance with the
Snowball Adapter IP address/host name, ports, Access style, and Location
constraint.
See “Cloud Storage properties” on page 100.
4 Move the storage server that is created under default-shipped cloud storage
instance, to the newly created custom cloud storage instance.
■ Find the instance to which the storage server belongs. Run the following
command:
csconfig cldinstance -i

■ Remove the storage server from the discovered instance. Run the following
command:
csconfig cldinstance -rs -in <cloud storage instance name> -sts <storage server name>
See the NetBackup Commands Reference Guide.
■ Add a new storage server with the same name, under the new cloud storage
instance. Run the following command:
csconfig cldinstance -as -in <cloud storage instance name> -sts <storage server name>
See the NetBackup Commands Reference Guide.
Also ensure that you have configured the SSL settings as per your
requirements.

5 (Required for Snowball Edge) Update the storage server credentials from the
media server that is attached to the storage server. Run the following command:
tpconfig -update -storage_server <storage server name> -stype <storage server type> -sts_user_id [user ID] -password <password>

See the NetBackup Commands Reference Guide.


Ensure that SSL settings are done correctly.
6 Update the following storage server property:
AMZ:OFFLINE_TRANSFER_MODE: PROVIDER_API

Update the other storage properties according to the information that is noted
in step 3.
See “NetBackup cloud storage server connection properties” on page 136.

7 For live data, create the storage lifecycle policy, backup policy and run the
backup for initial seeding.
For old data, use the bpduplicate command and duplicate the images on the
storage unit.
See the NetBackup Commands Reference Guide.
8 After the data transfer is complete:
■ Deactivate the backup policy or postpone the secondary operation
processing in the SLP till the device is in transit.
■ Set the storage server property you have configured to NONE.
■ Save the properties. You need this information during the post-backup
process.
Take an image capture of storage server properties from Administration
console or use nbdevconfig -getconfig command. See the NetBackup
Commands Reference Guide.

9 Ship the device to the cloud vendor. Refer to the AWS documentation for
detailed steps.

Note: After backups are imported into the cloud bucket, before restore you need
to perform the post backup procedures. See “Post backup procedures if you have
used S3 API interface” on page 69.

Configuring SSL for Amazon Snowball and Amazon Snowball Edge

To configure SSL for Amazon Snowball
1 Ensure that the entries in the /.aws/snowball/config/[Link] file are correct.
Especially, ensure that the host name is set.
2 Start the adapter. Following is a sample command:
./snowball-adapter -i <Snowball IP address> -m <path to manifest file> -u <29 character unlock code> --ssl-enabled --aws-secret-key <key>

3 A self-signed SSL certificate and key are generated in the
/.aws/snowball/config/ directory.
4 Append the certificate provided to the Amazon Snowball adapter on the
command line as it is to /usr/openv/var/global/wmc/cloud/[Link]
file on the media server. Ensure that the format and length of the newly copied
certificate matches with the existing certificates in [Link].
To configure SSL for Amazon Snowball Edge
1 List the certificates available for use. Run the following Amazon Snowball
client command:
./snowballEdge list-certificates

2 Obtain the certificate. Run the following Amazon Snowball client command:
./snowballEdge get-certificate --certificate-arn <arn_value>

3 Append the certificate provided on the command line as it is to
/usr/openv/var/global/wmc/cloud/[Link] file on the media server.
Ensure that the format and length of the newly copied certificate matches with
the existing certificates in [Link].
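
The append step in both procedures above, written as a pre-check that runs before the trust file is touched. This is an added example, not Veritas or AWS code: the function names are hypothetical, the trust file path is passed in by the caller, and the sample certificates are constructed filler rather than real certificates.

```shell
#!/bin/sh
# Added example: check a PEM certificate against the existing trust file
# before appending it. Function names are hypothetical; the trust file path
# is supplied by the caller.

# pem_cert_ok FILE: succeed only if FILE is exactly one certificate block with
# a base64 body, no carriage returns and no text outside the block.
pem_cert_ok() {
    awk '
        /\r/ { bad = 1 }
        /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; blocks++; next }
        /^-----END CERTIFICATE-----$/   { if (!inside || !body) bad = 1; inside = 0; next }
        inside { if ($0 !~ "^[A-Za-z0-9+/=]+$") bad = 1; body++; next }
        /[^ \t]/ { bad = 1 }
        END { exit ((bad || inside || blocks != 1) ? 1 : 0) }
    ' "$1"
}

# pem_line_width FILE: print the longest certificate body line length in FILE.
pem_line_width() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; next }
        /^-----END CERTIFICATE-----$/   { inside = 0; next }
        inside && length($0) > w { w = length($0) }
        END { print w + 0 }
    ' "$1"
}

# pem_bodies FILE: print each certificate body in FILE joined onto one line.
pem_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; b = ""; next }
        /^-----END CERTIFICATE-----$/   { inside = 0; print b; next }
        inside { b = b $0 }
    ' "$1"
}

# end_with_newline FILE: add a final newline if the last byte is not one.
end_with_newline() {
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then printf '\n' >> "$1"; fi
}

# append_cert CERT BUNDLE: 0 appended, 2 missing file, 3 malformed certificate,
# 4 line width differs from the bundle, 5 certificate already in the bundle.
append_cert() {
    ac_cert=$1
    ac_bundle=$2
    [ -f "$ac_cert" ] && [ -f "$ac_bundle" ] || return 2
    pem_cert_ok "$ac_cert" || return 3
    ac_want=$(pem_line_width "$ac_bundle")
    if [ "$ac_want" -gt 0 ] && [ "$(pem_line_width "$ac_cert")" -ne "$ac_want" ]; then
        return 4
    fi
    if pem_bodies "$ac_bundle" | grep -Fxq -e "$(pem_bodies "$ac_cert")"; then
        return 5
    fi
    cp -p "$ac_bundle" "$ac_bundle.bak" || return 2   # keep the previous trust file
    end_with_newline "$ac_bundle"
    cat "$ac_cert" >> "$ac_bundle"
    end_with_newline "$ac_bundle"
}

# sample_cert WIDTH CHAR: print a constructed PEM-shaped block made of filler
# (not a real certificate) whose body lines are WIDTH characters wide.
sample_cert() {
    awk -v w="$1" -v c="$2" 'BEGIN {
        for (j = 0; j < w; j++) line = line c
        print "-----BEGIN CERTIFICATE-----"
        print line; print line; print c c c "="
        print "-----END CERTIFICATE-----"
    }'
}

# demo: run four cases on constructed files and print the return codes.
demo() {
    d=$(mktemp -d) || return 1
    sample_cert 64 A > "$d/bundle.pem"      # stands in for the existing trust file
    sample_cert 64 B > "$d/new.pem"         # well formed, same layout
    sample_cert 76 C > "$d/wide.pem"        # different line length
    { echo "Bag Attributes"; sample_cert 64 D; } > "$d/noisy.pem"   # extra text
    out=""
    for f in new new wide noisy; do
        append_cert "$d/$f.pem" "$d/bundle.pem" && rc=0 || rc=$?
        out="$out$rc "
    done
    rm -rf "$d"
    echo "${out% }"
}

demo
```

The checks are structural only; on a host with OpenSSL, `openssl x509 -noout -in <file>` additionally confirms that the block decodes as a certificate.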

Post backup procedures if you have used S3 API interface


After backups are imported into the cloud bucket, perform the following steps before
restore:
1. Update the custom instance service host to real endpoint. Also change the
HTTP port and region values.

Note: In case of CloudCatalyst, restart the vxesfd service.

2. (Exception) You cannot update a custom instance for AWS default regions
because they are already used by the default-shipped cloud storage instances
of NetBackup. Such regions include AWS China Beijing Region, AWS China
Ningxia Region, AWS US-East region, AWS GovCloud-US-West and US-East
region. For such regions and the NetBackup CloudCatalyst appliance, follow these
steps. You can also follow these steps if you encounter an error for unique
hostname.
■ Keep the saved storage properties handy.
■ Remove the storage server. Run the following command:
csconfig cldinstance -rs -in <cloud storage instance name> -sts <storage server name>

See the NetBackup Commands Reference Guide.


■ Add a new storage server with the same name, under the default storage
instance ([Link], [Link], [Link], etc.) or the storage
instance corresponding to the bucket region. Run the following command
to find the instance:
csconfig cldinstance -i
Run the following command to add the storage server:
csconfig cldinstance -as -in <cloud storage instance name> -sts <storage server name> -obj_size <size in bytes>
See the NetBackup Commands Reference Guide.
Ensure that the object size (for non-CloudCatalyst) is accurate and same
as the storage server that is created.
Also ensure that you have configured the SSL settings as per your
requirements.

3. Make sure that the SSL setting for the storage server is as expected. You can
verify and update the properties from the Change Storage Server Connection
Properties dialog box.
See “To change associated cloud storage server host properties” on page 103.
4. [For Amazon Snowball Edge device only] Update credentials for each storage
server with the Amazon account credentials. Run the following command:
tpconfig -update -storage_server <storage server name> -stype <storage server type> -sts_user_id [user ID] -password <password>

See the NetBackup Commands Reference Guide.


5. Verify and update the OFFLINE_TRANSFER_MODE storage server property
to NONE.

Note: In case of CloudCatalyst, restart the vxesfd service.

6. Perform the restore and verify the data.


7. Activate policies or activate the secondary operation processing in the SLP.

About Microsoft Azure cloud storage API type


NetBackup supports cloud storage from the vendors that use the Microsoft Azure
storage API for their storage. Information about the requirements and configuration
options for the Microsoft Azure storage API vendors is provided as follows:

Table 2-11 Microsoft Azure storage API type information and topics

Information    Topic

Certified vendors    See “Microsoft Azure cloud storage vendors certified for NetBackup” on page 71.

Requirements    See “Microsoft Azure storage type requirements” on page 71.

Storage server configuration options    See “Microsoft Azure cloud storage provider options” on page 72.

SSL and proxy options    See “Microsoft Azure advanced server configuration options” on page 76.

Microsoft Azure cloud storage vendors certified for NetBackup


Click the following link to identify the vendors who are certified for NetBackup cloud
storage using the Microsoft Azure storage API as of the NetBackup 8.3 release:
NetBackup 8.0 - 8.x.x Hardware and Cloud Storage Compatibility List.
Vendors achieve certification by participating in the Veritas Technology Partner
Program (VTPP).

Microsoft Azure storage type requirements


Table 2-12 describes the details and requirements of Microsoft Azure cloud storage
in NetBackup.

Table 2-12 Microsoft Azure cloud storage requirements

Requirement    Details

License requirement    You must have a NetBackup license that allows for cloud storage.

Microsoft Azure account requirements    You must obtain a Microsoft Azure storage account and at least one storage access key (primary access key or secondary access key).

Container names    It is recommended that you use NetBackup to create the container that you use with NetBackup.
The following are the NetBackup requirements for container names:
■ Container names must be from 3 through 63 characters long.
■ Container names must start with a letter or number, and can contain
only letters, numbers, and the dash (-) character.
■ Every dash (-) character must be immediately preceded and followed
by a letter or number; consecutive dashes are not permitted in
container names.
■ All letters in a container name must be lowercase.

You can refer to the following link:

[Link]

Microsoft Azure cloud storage provider options


Figure 2-10 shows the Cloud Storage Configuration Wizard panel for Microsoft
Azure cloud storage.

Figure 2-10 Cloud Storage Server Configuration Wizard panel for Microsoft Azure

Table 2-13 describes the storage server configuration options for Microsoft Azure.

Table 2-13 Microsoft Azure storage server configuration options

Field name    Required content

Service host    Service host is the host name of the cloud service end point of Microsoft Azure.
The Service host drop-down list displays part of the service host URL that also comprises Storage Account.
Example of a service host URL:
storage_account.[Link]
Note: Based on the region where you have created your storage account - default or China - you should select the service host from the drop-down list.

Storage server name    Displays the default Azure storage server, which is my-azure. You can select a storage server other than the default one.
The drop-down list displays only those names that are available for use.
You can type a different storage server name in the drop-down list, which can be a logical name for the cloud storage. You can create multiple storage servers with different names that refer to the same physical service host for Azure. If there are no names available in the list, you can create a new storage server name by typing the name in the drop-down list.
Note: It is recommended that a storage server name that you add while configuring an Azure cloud storage should be a logical name and should not match a physical host name. For example: While you add an Azure storage server, avoid using names like ‘[Link]’ or ‘[Link]’. These servers may be physical hosts, which can cause failures during cloud storage configuration. Instead, use storage server names like ‘azure1’ or ‘azureserver1’ and so on.

Deduplication    Enabling this option creates a CloudCatalyst storage server that can be used to upload deduplicated data to the cloud.
This option is grayed out if any of the following cases are true:
■ The selected media server does not have NetBackup 8.1 or later installed.
■ CloudCatalyst does not support the media server operating system.
■ CloudCatalyst does not support the cloud vendor.
See the NetBackup compatibility lists for support information:
[Link]
For information about CloudCatalyst, see the NetBackup Deduplication Guide.

Local cache directory    Enter the mount path to be used as the storage path on the CloudCatalyst storage server.
For example: /space/mnt/esfs
The deduplicated data is written to this local cache directory before it is uploaded to the cloud. The larger the cache, the more likely that NetBackup can service requests locally, avoiding cloud access to read and write.
Notes:
■ This path should be to a file system which is dedicated for CloudCatalyst cache use. Inaccurate cache eviction occurs if the path shares any storage with other data or applications.
■ NetBackup manages the files in the local cache directory. Users should not manually delete files in this directory.

Media server name    Select a NetBackup media server from the drop-down list.
Only the media servers that conform to the requirements for cloud storage appear in the drop-down list. The requirements are described in the following topic:
See “About the NetBackup media servers for cloud storage” on page 122.
The host that you select queries the storage vendor’s network for its capabilities and for the available storage. The media server also becomes a data mover for your backups and restores.

Storage Account    Enter the storage account that you want to use for your cloud backups.
For more information about Microsoft Azure storage service, refer to the Microsoft Azure documentation.
[Link]
Create the storage account using the following URL:
[Link]

Access key    Enter your Azure access key. You can enter the primary access key or the secondary access key. It must be 100 or fewer characters.
Refer to the following URL for the access key:
[Link]

Advanced Settings    To change SSL or proxy settings for Azure, click Advanced Settings.
See “Microsoft Azure advanced server configuration options” on page 76.

Configure access tier ACCOUNT_ACCESS_TIER    Select ACCOUNT_ACCESS_TIER option to use the Microsoft Azure account's access tier (Hot or Cool) settings.

Configure access tier ARCHIVE    Select ARCHIVE option for long term retention.
See “Protecting data in Microsoft Azure Archive for long-term retention” on page 78.

Microsoft Azure advanced server configuration options


The following table describes the SSL and proxy options that are specific to all
Microsoft Azure compatible cloud providers. These options appear on the Advanced
Server Configuration dialog box.

Table 2-14 General settings options

Option    Description

Use SSL    Select this option if you want to use the SSL (Secure Sockets Layer) protocol for user authentication or data transfer between NetBackup and cloud storage provider.
■ Authentication only - Select this option, if you want to use SSL only at the time of authenticating users while they access the cloud storage.
■ Data Transfer - Select this option, if you want to use SSL to authenticate users and transfer the data from NetBackup to the cloud storage.
Note: NetBackup supports only Certificate Authority (CA)-signed certificates while it communicates with cloud storage in the SSL mode. Ensure that the cloud server (public or private) has CA-signed certificate. If it does not have the CA-signed certificate, data transfer between NetBackup and cloud provider fails in the SSL mode.

Table 2-15 Proxy Settings tab options

Option    Description

Use Proxy Server    Select the Use Proxy Server option to use a proxy server and provide proxy server settings. Once you select the Use Proxy Server option, you can specify the following details:
■ Proxy Host–Specify IP address or name of the proxy server.
■ Proxy Port–Specify port number of the proxy server.
■ Proxy Type–You can select one of the following proxy types:
  ■ HTTP
    Note: You need to provide the proxy credentials for HTTP proxy type.
  ■ SOCKS
  ■ SOCKS4
  ■ SOCKS5
  ■ SOCKS4A

Use Proxy Tunneling    You can enable proxy tunneling for HTTP proxy type.
After you enable Use Proxy Tunneling, HTTP CONNECT requests are sent from the cloud media server to the HTTP proxy server and the TCP connection is directly forwarded to the cloud back-end storage.
The proxy server passes the data through without reading the headers or data from the connection.

Authentication Type    You can select one of the following authentication types if you are using HTTP proxy type.
■ None–Authentication is not enabled. Username and password are not required.
■ NTLM–Username and password needed.
■ Basic–Username and password needed.
Username is the username of the proxy server.
Password can be empty. You can use maximum 256 characters.

Protecting data in Microsoft Azure Archive for long-term retention


To protect your data for long-term retention you can back up the data to Microsoft
Azure Archive Blob storage using NetBackup. Using NetBackup, you can create a
storage server with Archive storage tier.

Note: The Archive storage tier is only available at the blob level and not at the
storage account level.

Requirements
Ensure that the following requirements are fulfilled:
■ You must have a general-purpose storage V2 to use Azure Archive.
■ Account level tier must be configured to HOT, else backup fails.

Limitations
Consider the following limitations:
■ Accelerator and deduplication are not supported with Azure Archive.
■ If restore or cleanup fails, you need to manually set the tier to archive for
corresponding blobs.

High-level steps for configurations


1. Configure the Azure Archive cloud storage server.
See “Configuring a storage server for cloud storage” on page 125.
2. Create a disk pool with Microsoft Azure Container.
See “Configuring a disk pool for cloud storage” on page 146.

3. Storage unit is created using the disk pool.
4. Verify if the AZR:STORAGE_TIER property is configured for the storage server.

Note: Once storage server is configured, its STORAGE_TIER cannot be changed.

See “NetBackup cloud storage server properties” on page 132.


5. Use the STU in the backup policy or the service lifecycle policy.
See “Creating a backup policy” on page 165.

Backing up data to Azure Archive


During backup, NetBackup first uploads data to HOT Tier and after the data is
successfully uploaded, it is moved to the Archive Tier.
The following diagram illustrates the backup flow.

[Diagram labels: NetBackup job completed; Hot Storage Tier; Archive Tier; Data is moved to Archive Tier; Data; Metadata]

Restoring data from Azure Archive


During restore, image fragments are first moved from the Archive Tier to the HOT tier.
Movement of image fragments takes around 3 hrs to 15 hrs. After the image
fragments are available in the HOT Tier, they are downloaded to local storage. After
the restore is complete, the image fragments on the HOT tier are moved back to
the Archive Tier.

Note: Image import from Azure Archive storage with TIR is faster.

The following diagram illustrates the restore flow.



[Diagram labels: NetBackup Restore Job; Long term retention cloud storage (Azure Archive Storage); Retrieve (takes 3-15 hours) and download; Objects (image fragment) are retrieved to the HOT tier; Files and folders are available]

About OpenStack Swift cloud storage API type


NetBackup supports cloud storage from the vendors that use the OpenStack Swift
storage API for their storage. Information about the requirements and configuration
options for the OpenStack Swift storage API vendors is provided as follows:

Table 2-16 OpenStack Swift storage API type information and topics

Information    Topic

Certified vendors    See “OpenStack Swift cloud storage vendors certified for NetBackup” on page 81.

Requirements    See “OpenStack Swift storage type requirements” on page 81.

Storage server configuration options    See “OpenStack Swift cloud storage provider options” on page 82.

Region and host configuration options    See “OpenStack Swift storage region options” on page 85.

Cloud instance configuration options    See “OpenStack Swift add cloud storage configuration options” on page 88.

Proxy connection options    See “OpenStack Swift proxy settings” on page 88.

OpenStack Swift cloud storage vendors certified for NetBackup


Click the following link to identify the vendors who are certified for NetBackup cloud
storage using the OpenStack Swift storage API as of the NetBackup 8.3 release:
NetBackup 8.0 - 8.x.x Hardware and Cloud Storage Compatibility List.
Vendors achieve certification by participating in the Veritas Technology Partner
Program (VTPP).

OpenStack Swift storage type requirements


The following table provides links to the details and requirements of OpenStack
Swift compatible cloud.

Table 2-17 OpenStack Swift compatible cloud storage requirements

Requirement    Details

License requirement    You must have a NetBackup license that allows for cloud storage.

Storage account requirements    You must obtain the credentials required to access the cloud storage account.
If you use authentication V1, only the user name and password are required to validate the user to access the cloud storage.
If you use authentication version Identity V2, the user name, password, and either tenant ID or tenant name is required to validate the user to access the cloud storage.

Containers    The containers for OpenStack Swift compliant cloud providers cannot be created in NetBackup. You must use the native cloud tools to create a container.
The container names must conform to the following requirements:
■ The container name must be between 3 and 255 characters.
■ Any of the 26 lowercase (small) letters of the International
Standards Organization (ISO) Latin-script alphabet. These are
the same lowercase (small) letters as the English alphabet.
■ Any integer from 0 to 9, inclusive.
■ Any of the following characters (you cannot use these as the
first character in the container name):
Period (.), underscore (_), and dash (-).
Exception: If you use SSL for communication, you cannot use
a period. By default, NetBackup uses SSL for communication.
See “NetBackup cloud storage server connection properties”
on page 136.

Note: Only those containers are listed in NetBackup that follow these naming conventions.
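
Only containers that follow these conventions are listed in NetBackup, so it helps to check names created with native tools before configuring a disk pool. The following added example (not NetBackup code; function names and sample names are hypothetical) encodes the Microsoft Azure container name requirements from Table 2-12 and the OpenStack Swift requirements above, and reports the first rule a name breaks.

```shell
#!/bin/sh
# Added example: report which naming rule from this guide a container name
# breaks. Function names and sample names are hypothetical.

LOWER=abcdefghijklmnopqrstuvwxyz   # spelled out so a locale cannot widen a-z
DIGITS=0123456789

# azure_name_check NAME: print "ok" or the first Azure rule the name breaks.
azure_name_check() {
    n=$1
    if [ "${#n}" -lt 3 ] || [ "${#n}" -gt 63 ]; then
        echo "length must be 3 through 63"; return 1
    fi
    case $n in
        *[ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) echo "letters must be lowercase"; return 1 ;;
        *[!${LOWER}${DIGITS}-]*) echo "only letters, numbers and dash allowed"; return 1 ;;
        -*|*-|*--*) echo "dash needs a letter or number on both sides"; return 1 ;;
    esac
    echo ok
}

# swift_name_check NAME [SSL]: SSL is "yes" (the NetBackup default) or "no".
swift_name_check() {
    n=$1
    ssl=${2:-yes}
    if [ "${#n}" -lt 3 ] || [ "${#n}" -gt 255 ]; then
        echo "length must be 3 to 255"; return 1
    fi
    case $n in
        [._-]*) echo "first character cannot be period, underscore or dash"; return 1 ;;
        *[!${LOWER}${DIGITS}._-]*) echo "only lowercase letters, digits, period, underscore, dash"; return 1 ;;
    esac
    if [ "$ssl" = yes ]; then
        case $n in *.*) echo "period not allowed when SSL is used"; return 1 ;; esac
    fi
    echo ok
}

# check_names PROVIDER [SSL]: read names from stdin, print "name: verdict" per
# line, and return non-zero if any name was rejected.
check_names() {
    rejected=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$1" = azure ]; then
            verdict=$(azure_name_check "$name") || rejected=1
        else
            verdict=$(swift_name_check "$name" "${2:-yes}") || rejected=1
        fi
        printf '%s: %s\n' "$name" "$verdict"
    done
    return "$rejected"
}

# Constructed sample names; "|| true" because rejections are the expected result.
check_names azure <<'EOF' || true
nbu-backup-01
NBU-Backup
nbu--backup
EOF
check_names swift yes <<'EOF' || true
nbu_backup-01
nbu.backup
_nbu
EOF
```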

OpenStack Swift cloud storage provider options


Figure 2-11 shows the cloud storage provider wizard panel for OpenStack
Swift-compliant cloud storage. The panel includes cloud provider and access
information.

Figure 2-11 Cloud Storage Server Configuration Wizard panel

Table 2-18 describes configuration options for OpenStack Swift cloud storage.

Table 2-18 OpenStack Swift provider and access details

Field name    Required content

Cloud storage provider    Displays the name of the selected cloud provider.

Cloud storage name    Select the cloud storage name from the list. If the list is empty, you must add a cloud storage instance. See the Add Cloud Storage option description.

Add Cloud Storage    Click the add cloud storage option, then add, select, or enter the required information.
See “OpenStack Swift add cloud storage configuration options” on page 88.
84 About the cloud storage
About OpenStack Swift cloud storage API type

Table 2-18 OpenStack Swift provider and access details (continued)

Field name Required content

Tenant ID / Based on the selection, enter either the tenant ID or tenant name that
Tenant Name is associated with your cloud storage credentials.
Note: This field is visible only if you selected the Identity v2
Authentication version in the Add Cloud Storage dialog box.

See “OpenStack Swift add cloud storage configuration options”


on page 88.

User name Enter the user name that is required to access the cloud storage.

Password Enter the password that is required to access the cloud storage. It must
be 100 or fewer characters.

Proxy Settings To change the default storage server for your cloud vendor or specify
the maximum number of network connections, click Advanced Settings.

User ID Based on the selection, enter either the User ID or the User Name that
is associated with your cloud storage credentials. When you provide
User ID, User Name and Domain information is not required.
Note: This field is visible only if you selected the Identity v3
Authentication version in the Authentication version dialog box.

See “OpenStack Swift add cloud storage configuration options”


on page 88.

Domain ID / Based on the selection, enter either the user's Domain ID or Domain
Domain name (for Name that is associated with your cloud storage credentials.
user details)
Note: This field is visible only if you selected the Identity v3
Authentication version in the Authentication version dialog box.

See “OpenStack Swift add cloud storage configuration options”


on page 88.

Project ID / Based on the selection, enter either the Project ID or Project Name that
Project Name is associated with your cloud storage credentials. When you provide
Project ID, Project Name and Domain information is not required.
Note: This field is visible only if you selected the Identity v3
Authentication version in the Authentication version dialog box.

See “OpenStack Swift add cloud storage configuration options”


on page 88.
About the cloud storage 85
About OpenStack Swift cloud storage API type

Table 2-18 OpenStack Swift provider and access details (continued)

Field name Required content

Domain ID / Based on the selection, enter either the project's Domain ID or Domain
Domain name(for Name that is associated with your cloud storage credentials.
project details)
Note: This field is visible only if you selected the Identity v3
Authentication version in the Authentication version dialog box.

See “OpenStack Swift add cloud storage configuration options”


on page 88.

Deduplication Enabling this option creates a CloudCatalyst storage server that can be
used to upload deduplicated data to the cloud.
This option is grayed out if any of the following cases are true:

■ The selected media server does not have NetBackup 8.1 or later
installed.
■ CloudCatalyst does not support the media server operating system.
■ CloudCatalyst does not support the cloud vendor.

See the NetBackup compatibility lists for support information:

[Link]

For information about CloudCatalyst, see the NetBackup Deduplication


Guide

Local cache Enter the mount path to be used as the storage path on the
directory CloudCatalyst storage server.

For example: /space/mnt/esfs

The deduplicated data is written to this local cache directory before it is


uploaded to the cloud. The larger the cache, the more likely that
NetBackup can service requests locally, avoiding cloud access to read
and write.
Notes:

■ This path should be to a file system which is dedicated for


CloudCatalyst cache use. Inaccurate cache eviction occurs if the
path shares any storage with other data or applications.
■ NetBackup manages the files in the local cache directory. Users
should not manually delete files in this directory.
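
The Identity v2 and Identity v3 fields in Table 2-18 correspond to the password-authentication request bodies of the OpenStack Identity API (POST to the v2.0 "tokens" resource or the v3 "auth/tokens" resource). The following sketch is an added example, not NetBackup code: it shows why an ID can stand alone while a name needs its domain, and how to mask the password before a request body is logged. All function names and sample values are constructed.

```python
import json

MAX_PASSWORD_LEN = 100  # limit stated for the Password field in Table 2-18


def _check_password(password):
    if not password or len(password) > MAX_PASSWORD_LEN:
        raise ValueError("password must be 1 to 100 characters")


def _ref(kind, ident, name, domain_id=None, domain_name=None):
    """Build an Identity v3 reference to a user or a project.

    An ID is unique across the deployment, so it stands alone. A name is
    only unique inside a domain, so it must carry the domain, by ID or name.
    """
    if ident:
        return {"id": ident}
    if not name:
        raise ValueError("%s: give an ID or a name" % kind)
    if domain_id:
        return {"name": name, "domain": {"id": domain_id}}
    if domain_name:
        return {"name": name, "domain": {"name": domain_name}}
    raise ValueError("%s: a name needs a domain ID or a domain name" % kind)


def identity_v2_body(user_name, password, tenant_id=None, tenant_name=None):
    """Request body for Identity v2.0 password authentication."""
    _check_password(password)
    if not user_name:
        raise ValueError("user name is required")
    if bool(tenant_id) == bool(tenant_name):
        raise ValueError("give exactly one of tenant ID or tenant name")
    auth = {"passwordCredentials": {"username": user_name, "password": password}}
    if tenant_id:
        auth["tenantId"] = tenant_id
    else:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def identity_v3_body(password, user_id=None, user_name=None,
                     user_domain_id=None, user_domain_name=None,
                     project_id=None, project_name=None,
                     project_domain_id=None, project_domain_name=None):
    """Request body for Identity v3 password authentication, project scoped."""
    _check_password(password)
    user = _ref("user", user_id, user_name, user_domain_id, user_domain_name)
    user["password"] = password
    project = _ref("project", project_id, project_name,
                   project_domain_id, project_domain_name)
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": user}},
        "scope": {"project": project},
    }}


def redacted(obj):
    """Return a copy that is safe to log: every password string is masked."""
    if isinstance(obj, dict):
        return {k: "***" if k == "password" and isinstance(v, str) else redacted(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redacted(v) for v in obj]
    return obj


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    by_id = identity_v3_body("s3cret-sample", user_id="u-1234", project_id="p-5678")
    by_name = identity_v3_body("s3cret-sample", user_name="nbu_svc",
                               user_domain_name="Default",
                               project_name="backups", project_domain_id="default")
    v2 = identity_v2_body("nbu_svc", "s3cret-sample", tenant_name="backups")
    for body in (by_id, by_name, v2):
        print(json.dumps(redacted(body), indent=2))
```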

OpenStack Swift storage region options


Figure 2-12 shows the storage region wizard panel for OpenStack Swift-compliant
cloud storage. The panel includes storage region and storage host information.

Figure 2-12 Cloud Storage Server Configuration Wizard panel

Provider and access details are used to map the cloud storage settings to NetBackup
storage settings. The cloud storage region is mapped to the NetBackup storage
server. All the backups that are targeted to the NetBackup storage server use the
cloud storage region to which it is mapped.

Note: One cloud storage region is mapped to one NetBackup storage server.

Table 2-19 describes configuration options for OpenStack Swift cloud storage.

Table 2-19 OpenStack Swift region and host details

Field name Description

Storage region
Select the cloud storage region.
You may use the cloud storage region that is geographically closest
to the NetBackup media server that sends the backups to the
cloud. Contact your storage administrator for more details.
Note: This field is visible only if you selected the Identity v2
Authentication version in the Add Cloud Storage dialog box.
See “OpenStack Swift add cloud storage configuration options”
on page 88.

Storage URL
The cloud storage URL is auto-populated based on the storage
region selection. This field is non-editable and is only for your
reference.
Note: This field is visible only if you selected the Identity v2
Authentication version in the Add Cloud Storage dialog box.
See “OpenStack Swift add cloud storage configuration options”
on page 88.

Storage server name
Enter a unique name for the storage server.
Note: It is recommended that a storage server name that you
add while configuring an OpenStack Swift compatible cloud
provider should be a logical name and should not match a physical
host name. For example: When you add an Oracle storage server,
avoid using names like ‘[Link]’ or ‘[Link]’. These
servers may be physical hosts, which can cause failures during
cloud storage configuration. Instead, use storage server names
like ‘oracle1’ or ‘oracleserver1’ and so on.

Media server name
Select a NetBackup media server from the drop-down list. The
drop-down list displays only NetBackup 8.3 and later media
servers. In addition, only the media servers that conform to the
requirements for cloud storage appear in the drop-down list. The
requirements are described in the following topic:
See “About the NetBackup media servers for cloud storage”
on page 122.
The host that you select queries the storage vendor’s network for
its capabilities and for the available storage. The media server
also becomes a data mover for your backups and restores.

OpenStack Swift add cloud storage configuration options


The following table describes the configuration options for the Add Cloud Storage
dialog box. It appears when you click Add Cloud Storage on the wizard panel for
OpenStack providers.

Table 2-20 Add Cloud Storage

Field Description

Cloud storage provider
The cloud storage provider from the previous wizard panel is
displayed.

Cloud storage name
Enter a unique name to identify the authentication service endpoint.
You can reuse the same authentication service endpoint for
another storage server.

Authentication location
This field is not visible for cloud providers with custom
authentication URLs.
Select the authentication location of the cloud storage; otherwise,
select Other.
Note: If you select Other, you must enter the authentication URL.

Authentication version
Select the authentication version that you want to use.
Select Do not use identity service if you do not want to
authenticate using OpenStack's Identity APIs.

Authentication URL
Enter the authentication URL that your cloud vendor provided.
The authentication URL comprises either HTTP or HTTPS and a port
number. For example,
[Link]
For a custom instance, to use an IPv6 endpoint, you must update or
create a new instance with the IPv6 equivalent authentication URL.

OpenStack Swift proxy settings


For security purposes, you can use a proxy server to establish communication with
the cloud storage.
The following table describes the options of the Proxy Settings dialog box.

Table 2-21 Proxy settings for OpenStack Swift

Option Description

Use Proxy Server
Select the Use Proxy Server option to use a proxy server and to provide the
proxy server settings. Once you select the Use Proxy Server option, you can
specify the following details:

■ Proxy Host – Specify the IP address or name of the proxy server.
■ Proxy Port – Specify the port number of the proxy server. Possible
values: 1-65535
■ Proxy Type – You can select one of the following proxy types:
  ■ HTTP
    Note: You need to provide the proxy credentials for HTTP
    proxy type.
  ■ SOCKS
  ■ SOCKS4
  ■ SOCKS5
  ■ SOCKS4A

Use Proxy Tunneling
You can enable proxy tunneling for HTTP proxy type.
After you enable Use Proxy Tunneling, HTTP CONNECT requests
are sent from the cloud media server to the HTTP proxy server and
the TCP connection is directly forwarded to the cloud back-end storage.
The data passes through the proxy server without reading the headers
or data from the connection.

Authentication Type
You can select one of the following authentication types if you are
using HTTP proxy type.

■ None – Authentication is not enabled. Username and password are
not required.
■ NTLM – Username and password needed.
■ Basic – Username and password needed.

Username is the username of the proxy server.
Password can be empty. You can use a maximum of 256 characters.
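
The Use Proxy Tunneling and Authentication Type rows describe a standard HTTP CONNECT exchange. The following sketch is an added example, not NetBackup code: it builds the CONNECT request a client sends with Basic proxy authentication and reads the proxy's reply, which shows that the proxy learns the destination host and port, and that Basic credentials are only base64-encoded. The host names, the captured responses, and the reading that the 256-character limit applies to the password are assumptions.

```python
import base64

MAX_PASSWORD_LEN = 256  # assumption: the 256-character limit applies to the password


def build_connect_request(target_host, target_port, username=None, password=""):
    """Return the bytes a client sends to open a tunnel through an HTTP proxy.

    With username=None no credentials are sent (authentication type None).
    Otherwise a Basic Proxy-Authorization header is added; the password may
    be empty, as the table above allows.
    """
    if not 1 <= target_port <= 65535:
        raise ValueError("port must be in the range 1-65535")
    # Refuse spaces, control characters and non-ASCII so that a host value
    # can never smuggle an extra header line into the request.
    if not target_host or any(ord(c) <= 0x20 or ord(c) >= 0x7F for c in target_host):
        raise ValueError("host contains characters that are not allowed")
    authority = "%s:%d" % (target_host, target_port)
    lines = ["CONNECT %s HTTP/1.1" % authority, "Host: %s" % authority]
    if username is not None:
        if ":" in username:
            raise ValueError("Basic authentication cannot carry ':' in a user name")
        if len(password) > MAX_PASSWORD_LEN:
            raise ValueError("password is longer than 256 characters")
        token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
        # base64 is an encoding, not encryption: anyone who can read the
        # traffic between the media server and the proxy can recover it.
        lines.append("Proxy-Authorization: Basic " + token.decode("ascii"))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Summarize the proxy's reply to CONNECT.

    A 2xx status means the tunnel is open and every later byte is relayed
    without inspection. A 407 status lists the schemes the proxy accepts.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    status = int(parts[1])
    schemes = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return {"status": status, "tunnel_open": 200 <= status < 300,
            "auth_schemes": schemes}


# Constructed proxy replies, embedded so that the example runs offline.
SAMPLE_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: NTLM\r\n"
              b'Proxy-Authenticate: Basic realm="proxy"\r\n'
              b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_connect_request("swift.example.test", 443, "nbuproxy", "").decode())
    print(parse_connect_response(SAMPLE_OK))
    print(parse_connect_response(SAMPLE_407))
```

NTLM uses a multi-message challenge and response exchange and is not shown here.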


Chapter 3
Configuring cloud storage in NetBackup

This chapter includes the following topics:

■ Before you begin to configure cloud storage in NetBackup

■ Configuring cloud storage in NetBackup

■ Cloud installation requirements

■ Scalable Storage properties

■ Cloud Storage properties

■ About the NetBackup CloudStore Service Container

■ Deploying host name-based certificates

■ Deploying host ID-based certificates

■ About data compression for cloud backups

■ About data encryption for cloud storage

■ About NetBackup KMS for encryption of NetBackup cloud storage

■ About external KMS for encryption of NetBackup cloud storage

■ About cloud storage servers

■ About object size for cloud storage

■ About the NetBackup media servers for cloud storage

■ Configuring a storage server for cloud storage



■ Changing cloud storage server properties

■ NetBackup cloud storage server properties

■ About cloud storage disk pools

■ Configuring a disk pool for cloud storage

■ Saving a record of the KMS key names for NetBackup cloud storage encryption

■ Adding backup media servers to your cloud environment

■ Configuring a storage unit for cloud storage

■ About NetBackup Accelerator and NetBackup Optimized Synthetic backups

■ Enabling NetBackup Accelerator with cloud storage

■ Enabling optimized synthetic backups with cloud storage

■ Creating a backup policy

■ Changing cloud storage disk pool properties

■ Certificate validation against Certificate Revocation List (CRL)

■ Managing Certification Authorities (CA) for NetBackup Cloud

Before you begin to configure cloud storage in NetBackup

It is recommended that you do the following before you begin to configure cloud
storage in NetBackup:
■ Review the NetBackup configuration options for your cloud storage vendor.
NetBackup supports cloud storage based on the storage API type, and Veritas
organizes the information that is required to configure cloud storage by API type.
The API types, the vendors who use those API types, and links to the required
configuration information are in the following topic:
See “About the cloud storage vendors for NetBackup” on page 17.

Note: Veritas may certify vendors between NetBackup releases. If your cloud
storage vendor is not listed in the NetBackup product documentation, see the
following webpage for the most up-to-date list of supported cloud vendors:
[Link]
■ Collect the information that is required to configure cloud storage in NetBackup.
If you have the required information organized by the NetBackup configuration
options, the configuration process may be easier than if you do not.

Configuring cloud storage in NetBackup


This topic describes how to configure cloud storage in NetBackup. Table 3-1 provides
an overview of the tasks to configure cloud storage. Follow the steps in the table
in sequential order.
The NetBackup Administrator's Guide, Volume I describes how to configure a base
NetBackup environment. The NetBackup Administrator's Guide, Volume I is available
through the following URL:
[Link]

Table 3-1 Overview of the NetBackup cloud configuration process

Step Task More information

Step 1: Create NetBackup log file directories on the master server and the media servers
See “NetBackup cloud storage log files” on page 193.
See “Creating NetBackup log file directories for cloud storage” on page 192.

Step 2: Review the cloud installation requirements
See “Cloud installation requirements” on page 95.

Step 3: Determine the requirements for provisioning and configuring your cloud storage provider in NetBackup
See “About the cloud storage vendors for NetBackup” on page 17.

Step 4: Configure the global cloud storage host properties as necessary
See “Scalable Storage properties” on page 95.

Step 5: Configure the Cloud Storage properties
Optionally, add a cloud storage service host using the NetBackup host properties.
See “Cloud Storage properties” on page 100.

Step 6: Understand the role of the CloudStore Service Container. Applicable for media server versions 7.7.x to 8.1.2 only.
See “About the NetBackup CloudStore Service Container” on page 104.

Step 7: Provision a security certificate for authentication on the media servers
See “NetBackup CloudStore Service Container security certificates” on page 106.
See “Deploying host name-based certificates” on page 112.

Step 8: Understand key management for encryption
Encryption is optional.
See “About data encryption for cloud storage” on page 116.
See “About NetBackup KMS for encryption of NetBackup cloud storage” on page 117.
See “About external KMS for encryption of NetBackup cloud storage” on page 119.

Step 9: Configure the storage server
See “About cloud storage servers” on page 119.
See “Adding a cloud storage instance” on page 102.
See “Configuring a storage server for cloud storage” on page 125.
See “About object size for cloud storage” on page 120.

Step 10: Configure the disk pool
See “About cloud storage disk pools” on page 145.
See “Configuring a disk pool for cloud storage” on page 146.

Step 11: Configure additional storage server properties
See “NetBackup cloud storage server properties” on page 132.
See “Changing cloud storage server properties” on page 130.

Step 12: Add additional media servers
Adding additional media servers is optional.
See “About the NetBackup media servers for cloud storage” on page 122.
See “Adding backup media servers to your cloud environment” on page 157.

Step 13: Configure a storage unit
See “Configuring a storage unit for cloud storage” on page 157.

Step 14: Configure NetBackup Accelerator and optimized synthetic backups
Accelerator and optimized synthetic backups are optional.
See “About NetBackup Accelerator and NetBackup Optimized Synthetic backups” on page 161.
See “Enabling NetBackup Accelerator with cloud storage” on page 161.
See “Changing cloud storage server properties” on page 130.

Step 15: Configure a backup policy
See “Creating a backup policy” on page 165.
See the NetBackup Administrator's Guide, Volume I



Cloud installation requirements


When you develop a plan to implement a NetBackup Cloud solution, use Table 3-2
to assist with your plan.

Table 3-2 Cloud installation requirements

Requirement Details

NetBackup media server platform support
For the operating systems that NetBackup supports for cloud
storage, see the NetBackup operating system compatibility list
available through the following URL:
[Link]
When you install the NetBackup media server software on your
host, ensure that you specify the fully-qualified domain name for
the NetBackup server name.

Cloud storage provider account
You must have an account created with your preferred cloud storage
provider before you configure NetBackup Cloud Storage. Please
refer to the list of available NetBackup cloud storage providers.
You can create this account in the Cloud Storage Configuration
Wizard.
See “About the cloud storage vendors for NetBackup” on page 17.

NetBackup cloud storage licensing
NetBackup cloud storage is licensed separately from base
NetBackup.
The license also enables the Use Accelerator feature on the
NetBackup policy Attributes tab. Accelerator increases the speed
of full backups for file systems.

Scalable Storage properties


The Scalable Storage Cloud Settings properties contain information about
encryption, metering, bandwidth throttling, and network connections between the
NetBackup hosts and your cloud storage provider.
The Scalable Storage properties appear only if the host is supported for cloud
storage. See the NetBackup hardware compatibility list for your release available
through the following URL:
[Link]
The Scalable Storage properties apply to currently selected media servers.

Figure 3-1 Scalable Storage Cloud Settings host properties

Table 3-3 describes the properties.

Table 3-3 Scalable Storage Cloud Settings host properties

Property Description

Key Management Server (KMS) Name
If you configured a key management service (KMS) server, the name of the master
server that sends the request to the KMS server is displayed here.

Metering Interval
Determines how often NetBackup gathers connection information for reporting purposes.
NetBackup OpsCenter uses the information that is collected to create reports. The
value is set in seconds. The default setting is 300 seconds (5 minutes). If this value is
set to zero, metering is disabled.

Total Available Bandwidth
Use this value to specify the speed of your connection to the cloud. The value is
specified in kilobytes per second. The default value is 102400 KB/sec.

Sampling interval
The time, in seconds, between measurements of bandwidth usage. The larger this
value, the less often NetBackup checks to determine the bandwidth in use.
If this value is zero, throttling is disabled.

Advanced Settings
Click Advanced Settings to specify additional settings for throttling.
See “Configuring advanced bandwidth throttling settings” on page 97.
See “Advanced bandwidth throttling settings” on page 98.

Maximum concurrent jobs
The default maximum number of concurrent jobs that the media server can run for the
cloud storage server.

This value applies to the media server, not to the cloud storage server. If you have
more than one media server that can connect to the cloud storage server, each media
server can have a different value. Therefore, to determine the total number of
connections to the cloud storage server, add the values from each media server.

If you configure NetBackup to allow more jobs than the number of connections,
NetBackup fails any jobs that start after the number of maximum connections is reached.
Jobs include both backup and restore jobs.

You can configure job limits per backup policy and per storage unit.
Note: NetBackup must account for many factors when it starts jobs: the number of
concurrent jobs, the number of connections per media server, the number of media
servers, and the job load-balancing logic. Therefore, NetBackup may not fail jobs
exactly at the maximum number of connections. NetBackup may fail a job when the
connection number is slightly less than the maximum, exactly the maximum, or slightly
more than the maximum.

If the media server is not a Cloud Catalyst storage server, a value over 100 is generally
not needed.

If the media server is a Cloud Catalyst storage server, change the value to 160 or more.

Configuring advanced bandwidth throttling settings


Advanced bandwidth throttling settings let you control various aspects of the
connection between the NetBackup hosts and your cloud storage provider.
The total bandwidth and the bandwidth sampling interval are configured on the
Cloud Settings tab of the Scalable Storage host properties screen.
See “Scalable Storage properties” on page 95.
To configure advanced bandwidth throttling settings
1 In the NetBackup Administration Console, expand NetBackup Management
> Host Properties > Media Servers in the left pane.
2 In the right pane, select the host on which to specify properties.
3 Click Actions > Properties.
4 In the properties dialog box left pane, select Scalable Storage.
5 In the right pane, click Advanced Settings. The Advanced Throttling
Configuration dialog box appears.
The following is an example of the dialog box:
6 Configure the settings and then click OK.
See “Advanced bandwidth throttling settings” on page 98.

Advanced bandwidth throttling settings


The following table describes the advanced bandwidth throttling settings.

Table 3-4 Advanced Throttling Configuration settings

Property Description

Read Bandwidth
Use this field to specify the percentage of total bandwidth that read
operations can use. Specify a value between 0 and 100. If you
enter an incorrect value, an error is generated.
If there is insufficient bandwidth to transmit the specified amount
of data within a few minutes, restore or replication failures may
occur due to timeouts.
Consider the total load of simultaneous jobs on multiple media
servers when you calculate the required bandwidth.
Default value: 100
Possible values: 0 to 100

Write Bandwidth
Use this field to specify the percentage of total bandwidth that write
operations can use. Specify a value between 0 and 100. If you
enter an incorrect value, an error is generated.
If there is insufficient bandwidth to transmit the specified amount
of data within a few minutes, backup failures may occur due to
timeouts.
Consider the total load of simultaneous jobs on multiple media
servers when you calculate the required bandwidth.
Default value: 100
Possible values: 0 to 100

Work time
Use this field to specify the time interval that is considered work
time for the cloud connection.
Specify a start time and end time in 24-hour format. For example,
2:00 P.M. is 14:00.
Indicate how much bandwidth the cloud connection can use in the
Allocated bandwidth field. This value determines how much of
the available bandwidth is used for cloud operations in this time
window. The value is expressed as a percentage or in kilobytes
per second.

Off time
Use this field to specify the time interval that is considered off time
for the cloud connection.
Specify a start time and end time in 24-hour format. For example,
2:00 P.M. is 14:00.
Indicate how much bandwidth the cloud connection can use in the
Allocated bandwidth field. This value determines how much of
the available bandwidth is used for cloud operations in this time
window. The value is expressed as a percentage or in kilobytes
per second.

Weekend
Specify the start and stop time for the weekend.
Indicate how much bandwidth the cloud connection can use in the
Allocated bandwidth field. This value determines how much of
the available bandwidth is used for cloud operations in this time
window. The value is expressed as a percentage or in kilobytes
per second.

Read Bandwidth (KB/s)
This field displays how much of the available bandwidth the cloud
storage server transmits to a NetBackup media server during each
restore job. The value is expressed in kilobytes per second.

Write Bandwidth (KB/s)
This field displays how much of the available bandwidth the
NetBackup media server transmits to the cloud storage server
during backup jobs. The value is expressed in kilobytes per second.

Cloud Storage properties


The NetBackup Cloud Storage properties in the NetBackup Administration
Console apply to the currently selected master server.
The hosts that appear in this Cloud Storage list are available to select when you
configure a storage server. The Service Provider type of your cloud vendor
determines whether a service host is available or required.
NetBackup includes service hosts for some cloud storage providers. You can add
a new host to the Cloud Storage list if the Service Provider type allows it. If you
add a host, you also can change its properties or delete it from the Cloud Storage
list. (You cannot change or delete the information that is included with NetBackup.)
If you do not add a service host to this Cloud Storage list, you can add one when
you configure the storage server. The Service Provider type of your cloud vendor
determines whether a Service Hostname is available or required.

Figure 3-2 Cloud Storage host properties

Cloud Storage host properties contain the following properties:

Table 3-5 Cloud Storage

Property Description

Cloud Storage
The cloud storage that corresponds to the various cloud service
providers that NetBackup supports is listed here.
See “Adding a cloud storage instance” on page 102.
See “Changing cloud storage host properties” on page 103.
See “Deleting a cloud storage host instance” on page 104.

Associated Storage Servers for
The cloud storage servers that correspond to the selected cloud
storage are displayed.
See “Changing cloud storage host properties” on page 103.



Note: Changes that you make in the Cloud Storage dialog box are applied before
you click OK in the Host Properties dialog box.

Adding a cloud storage instance


You may have to add a custom cloud storage instance before you configure a
NetBackup cloud storage server. A custom cloud storage allows customization,
such as a different service host or other properties. A custom cloud storage instance
appears in the Cloud Storage Server Configuration Wizard when you configure
a storage server.
The cloud storage provider type determines if you have to add a custom cloud
storage instance.
See “About the cloud storage vendors for NetBackup” on page 17.
You can add a custom cloud storage instance as follows:

By using NetBackup Master Server Properties
With this method, you add the cloud storage instance before you
configure the storage server in NetBackup. Then, the wizard that
configures the storage is populated with the instance details. You
select the instance when you configure the storage server.
See “To add a cloud storage instance in Cloud Storage host
properties” on page 102.

By using the Cloud Storage Server Configuration Wizard
With this method, you add the instance at the same time as when
you configure the storage server in NetBackup. The wizard that
configures the storage is not populated with the instance details
until you add them in the wizard itself.
See “Configuring a storage server for cloud storage” on page 125.

To add a cloud storage instance in Cloud Storage host properties


1 In the NetBackup Administration Console, expand NetBackup Management
> Host Properties > Master Servers in the left pane.
2 In the right pane, select the master server on which to add the cloud storage
instance.
3 On the Actions menu, click Properties.
4 In the properties dialog box left pane, select Cloud Storage.
5 In the right pane, click Add.
6 In the Add Cloud Storage dialog box, configure the settings.
See “Amazon S3 cloud storage options” on page 26.
7 After you configure the settings, click OK.

Changing cloud storage host properties


From the Cloud Storage Master Server Properties, you can change the following
properties:

Cloud Storage properties
You can change the properties of a host that you add. (You
cannot change or delete the properties of the cloud storage
providers that are included with NetBackup.)
See “To change cloud storage host properties” on page 103.

Associated cloud storage server properties
See “To change associated cloud storage server host
properties” on page 103.

How to change cloud storage server properties is described in a different topic.
See “Changing cloud storage server properties” on page 130.
To change cloud storage host properties
1 In the NetBackup Administration Console, expand NetBackup Management
> Host Properties > Master Servers in the left pane.
2 In the right pane, select the master server on which to specify properties.
3 On the Actions menu, click Properties.
4 In the left pane of the Master Server Properties dialog box, select Cloud
Storage.
5 In the Cloud Storage list in the right pane, select the wanted cloud storage.
6 Click Change adjacent to the Cloud Storage list.
7 In the Change Cloud Storage dialog box, change the properties.
See “Amazon S3 cloud storage options” on page 26.
8 Click OK in the Change Cloud Storage dialog box.
9 Click OK to close the Master Server Properties dialog box.
To change associated cloud storage server host properties
1 In the NetBackup Administration Console, expand NetBackup Management
> Host Properties > Master Servers in the left pane.
2 In the right pane, select the master server on which to specify properties.
3 On the Actions menu, click Properties.
4 In the left pane of the Master Server Properties dialog box, select Cloud
Storage.
5 In the Associated Cloud Storage Servers for list in the right pane, select the
wanted storage server.
6 Click Change adjacent to the Associated Cloud Storage Servers for list.
7 In the Cloud Storage Server Configuration dialog box, change the properties.
See “Amazon S3 advanced server configuration options” on page 28.
See “Amazon S3 credentials broker details” on page 31.
8 Click OK in the Change Cloud Storage dialog box.
9 Click OK to close the Master Server Properties dialog box.

Deleting a cloud storage host instance


You can delete your custom cloud storage (cloud instance) by using the Cloud
Storage Master Server Properties. You cannot delete the cloud storage instances
that were delivered with NetBackup.
See “Cloud Storage properties” on page 100.
To delete a cloud storage host instance
1 In the NetBackup Administration Console, expand NetBackup Management
> Host Properties > Master Servers in the left pane.
2 In the right pane, select the master server on which to specify properties.
3 On the Actions menu, click Properties.
4 In the left pane of the Master Server Properties dialog box, select Cloud
Storage.
5 In the Cloud Storage list in the right pane, select the wanted cloud storage.
6 Click Remove.
7 In the Remove the Cloud Storage dialog box, click Yes.
8 Click OK to close the Master Server Properties dialog box.

About the NetBackup CloudStore Service Container

This is applicable to media server versions 7.7.x to 8.1.2 only.
The NetBackup CloudStore Service Container (nbcssc) is a web-based service
container that runs on older media servers that are configured for cloud storage.
This container hosts the throttling service and the metering data collector service.
NetBackup OpsCenter uses the metering data for monitoring and reporting.
You can configure the NetBackup CloudStore Service Container behavior by using
the Scalable Storage host properties in the NetBackup Administration Console.
See “Scalable Storage properties” on page 95.
The port number for the NetBackup CloudStore Service Container service is 5637.
Older media servers that are configured for cloud storage must use this port.
Communication with the master server fails if the older media servers use a different
port. Refer to the NetBackup Network Ports Reference Guide for more information
on ports used by NetBackup.
NetBackup uses several methods of security for the NetBackup CloudStore Service
Container, as follows:

Security certificates
    The NetBackup hosts on which the NetBackup CloudStore Service
    Container runs must be provisioned with a security certificate or
    certificates.

    See “NetBackup CloudStore Service Container security certificates”
    on page 106.

    Note: You do not need to generate a security certificate, if you have
    already generated it before configuring the cloud storage.

Security modes
    The NetBackup CloudStore Service Container can run in different
    security modes.

    See “NetBackup CloudStore Service Container security modes”
    on page 107.

See “About the NetBackup media servers for cloud storage” on page 122.

Note: For NetBackup releases beyond 8.1.2, the nbcssc service is no longer
deployed. The NetBackup Web Management Console (nbwmc) service handles the
cloud storage configuration operations and the NetBackup Service Layer (nbsl)
service handles the throttling service and the metering data collector service
functions. For media server versions beyond 8.1.2, authentication is done using
host ID-based certificate.
Refer to the Veritas NetBackup Administrator's Guide, Volume I for more information
about these services.

NetBackup CloudStore Service Container security certificates


The NetBackup CloudStore Service Container requires a digital security certificate
so that it starts and runs. How the security certificate is provisioned depends on
the release level of NetBackup, as follows:

NetBackup 8.2 and later
    The NetBackup hosts that run the CloudStore Service Container
    require a host ID-based certificate. You may have to install the
    certificate on those hosts.

    See “Deploying host ID-based certificates” on page 114.

    If the NetBackup master server is clustered, you must ensure that
    the active node and the passive nodes have the host ID-based
    certificate. See the NetBackup Security and Encryption Guide for
    more information.

NetBackup 8.0 to 8.1.2
    The NetBackup hosts that run the CloudStore Service Container
    require both a host ID-based certificate and a host name-based
    certificate. You may have to install the certificates on those hosts.

    See “Deploying host name-based certificates” on page 112.

    See “Deploying host ID-based certificates” on page 114.

    If the NetBackup master server is clustered, you must ensure that
    the active node and the passive nodes have both host name-based
    and host ID-based certificates. See the NetBackup Security and
    Encryption Guide for more information.

NetBackup 7.7 and 7.7.x
    The NetBackup hosts that run the CloudStore Service Container
    require a host name-based certificate. You must use a command to
    install it on a media server.

    See “Deploying host name-based certificates” on page 112.

    Note: You do not need to generate a security certificate, if you have
    already generated it before configuring the cloud storage.

    The host name-based security certificates expire after one year.
    NetBackup automatically replaces existing certificates with new ones
    as needed.

    Note: The security certificates that are provisioned for other
    NetBackup features or purposes satisfy the certificate requirement
    for the NetBackup CloudStore Service Container. The NetBackup
    Access Control feature uses security certificates, and the NetBackup
    Administration Console requires security certificates for interhost
    communication.

    If the NetBackup master server is clustered, you must ensure that
    the active node and the passive node have host name-based
    certificates.

    See the NetBackup Security and Encryption Guide for more
    information.

Where the media server security certificates reside depends on the release level of
NetBackup, as follows:

NetBackup 7.7 to 8.1.2
    The certificate name is the host name that you used when you
    configured the NetBackup media server software on the host. The
    path for the certificate is as follows, depending on operating system:

    ■ UNIX/Linux: /usr/openv/var/vxss/credentials
    ■ Windows: install_dir\Veritas\NetBackup\var\VxSS\credentials

See “About the NetBackup CloudStore Service Container” on page 104.

NetBackup CloudStore Service Container security modes


This is applicable only up to NetBackup version 8.1.2.
The NetBackup CloudStore Service Container can run in one of two different modes.
The security mode determines how the clients communicate with the service, as
follows:

Secure mode
    In the default secure mode, the client components must authenticate
    with the CloudStore Service Container. After authentication,
    communication occurs over a secure HTTPS channel.

Non-secure mode
    The CloudStore Service Container uses non-secure communication.
    Clients communicate with the server over HTTP with no authentication
    required.

You can use the CSSC_IS_SECURE attribute of the [Link] file to set the
security mode. The default value is 64, secure communication.
See “NetBackup [Link] configuration file” on page 108.
See “About the NetBackup CloudStore Service Container” on page 104.

NetBackup [Link] configuration file


Table 3-6 describes the [Link] configuration file parameters.
The [Link] file is available on the master server and all the media
servers that are installed on the platforms that NetBackup cloud supports.

Note: Before you modify any of the parameters in the [Link] file, you
must stop the nbcssc service (on media server versions 7.7.x to 8.1.2 only) and
the nbwmc service (on master server). Once you modify the parameters, restart
these services for the changes to take effect.

The [Link] file resides in the following directories:


■ UNIX: /usr/openv/var/global/wmc/cloud
On media server versions 7.7.x to 8.1.2, the path is
/usr/openv/netbackup/db/cloud.

■ Windows: install_path\Veritas\NetBackup\var\global\wmc\cloud
On media server versions 7.7.x to 8.1.2, the path is
install_path\Veritas\NetBackup\db\cloud.

Table 3-6 [Link] configuration file parameters and descriptions

Parameter Description

CSSC_VERSION
    It is not recommended to modify this value.

    Specifies the version of [Link] file. The default value is 2.

CSSC_PLUGIN_PATH
    It is not recommended to modify this value.

    Specifies the path where NetBackup cloud storage plug-ins are
    installed. The default path is as follows:

    On Windows: install_path\Veritas\NetBackup\bin\ost-plugins

    On UNIX: /usr/openv/lib/ost-plugins

CSSC_PORT
    This is applicable to media server versions 7.7.x to 8.1.2 only.

    Specifies the port number for the CloudStore Service Container
    (nbcssc). Specify the value as 5637.

    This port is used to provide back-level media server support for the
    older media servers that are configured for cloud storage. Ensure that
    the older media servers use this port. Communication with the master
    server fails if the older media servers use a different port.

CSSC_LOG_DIR
    Specifies the directory path where csconfig, nbcldutil, and cloud
    plugins generate log files.

    The default path is as follows:

    On Windows: install_path\Veritas\NetBackup\logs\nbcssc

    On UNIX: /usr/openv/netbackup/logs/nbcssc

    Note: For media server versions 7.7.x to 8.1.2, the nbcssc service
    uses this path for log files.

CSSC_LOG_FILE
    This is applicable only up to NetBackup release 8.1.2.

    Specifies the file name that the nbcssc service uses to write its
    logs. The default value is empty, which means that the NetBackup
    logging mechanism determines the log file name.

CSCONFIG_LOG_FILE
    Specifies the file name that the csconfig utility uses to write its
    logs. The default value is empty, which means that the NetBackup
    logging mechanism determines the log file name.

CSSC_IS_SECURE
    Specifies if the nbcssc service runs in secure (value 64) or
    non-secure mode (value 0). The default value is 64.

CSSC_CIPHER_LIST
    Specifies the cipher list that NetBackup uses for the following
    purpose:

    ■ The cloud master host's cipher is used for communication with the
      cloud service provider.
    ■ The media server cipher is used for communicating with the cloud
      master host's nbwmc service and with the cloud service provider.

    It is recommended that you do not modify this value. However, if you
    want to customize the cipher list, depending on the purpose, you must
    modify the cipher list in the [Link] on the master server and the
    media servers.

    Note: If the cipher list is invalid, the customized cipher list is
    replaced by the default cipher list.

    The default value is AES:!aNULL:@STRENGTH.

CSSC_LOG_LEVEL
    Specifies the log level for csconfig and nbcldutil CLI utility
    logging. Value 0 indicates that the logging is disabled and non-zero
    value indicates that the logging is enabled.

    The default value is 0.

CSSC_MASTER_PORT
    This is applicable for media server versions 7.7.x to 8.1.2 only. It
    is not applicable for NetBackup master and media server versions 8.2
    and later.

    This parameter value must be set to 5637.

    This port is used to provide back-level media server support for
    older media servers that are configured for cloud storage. Ensure that
    the older media servers use this port. Communication with the master
    server fails if the older media servers use a different port.

CSSC_MASTER_NAME
    Specifies the NetBackup master server name. This entry indicates that
    the nbwmc service runs on this host. It processes all cloud
    provider-specific requests based on the [Link] and [Link] files that
    reside at the following location:

    ■ On Windows: install_path\NetBackup\var\global\wmc\cloud
      On media server versions 7.7.x to 8.1.2, the path is
      install_path\NetBackup\db\cloud.
    ■ On UNIX: /usr/openv/var/global/wmc/cloud
      On media server versions 7.7.x to 8.1.2, the path is
      /usr/openv/netbackup/db/cloud.

CSSC_LEGACY_AUTH_ENABLED
    Specifies if the nbcssc service has the legacy authentication enabled
    (value 1) or disabled (0). The default value is 0.

    Note: Starting from NetBackup 8.1, the CSSC_LEGACY_AUTH_ENABLED
    option is deprecated. To communicate with legacy media servers, use
    the Enable insecure communication with 8.0 and earlier hosts option
    on the NetBackup master server. The option is available in the
    NetBackup Administration Console on the Security Management > Global
    Security Settings > Secure Communication tab.

CSSC_ALLOW_LEGACY_AUTH
    Specifies if the master server can communicate with legacy media
    servers that are configured for cloud storage. Only media server
    versions 7.7.x to 8.1.2 are supported.

    The value 1 (default value) indicates that the communication is
    enabled while the value 0 means that the communication is disabled.

    Use this parameter in conjunction with the Enable insecure
    communication with 8.0 and earlier hosts option available in the
    NetBackup Administration Console GUI (Security Management > Global
    Security Settings > Security Communication tab).

    The GUI option allows you to enable or disable master server
    communication with all back-level legacy media servers. It works as
    an all or none kind of a setting and is not specific to cloud storage
    media servers. This parameter provides that additional level of
    control for the cloud. You can use this setting to enable or disable
    master server communication with back-level cloud storage media
    servers explicitly.

    For example, if the GUI option is enabled (default value) and this
    parameter value is set to 0, the NetBackup master server continues to
    work with supported back-level media servers as other storage
    servers. However, legacy cloud storage media servers that use the
    older method of communication using hardcoded credentials are blocked
    altogether, thus increasing the security of your NetBackup
    environment.

    Note: This parameter value has no effect if the GUI option is
    disabled. If you modify this parameter value, you must restart the
    NetBackup Web Management Console (nbwmc) service for the changes to
    take effect.
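
The security-relevant parameters in Table 3-6 can be checked mechanically before the services are restarted. The following Python audit is an added example, not Veritas code: it assumes the file holds NAME=VALUE lines with optional '#' comments and bracketed section headers (the on-disk syntax is not shown here), it runs on a constructed sample, and the severity labels are this example's own.

```python
"""Audit the security-relevant parameters that Table 3-6 describes (added example)."""

# Default values as listed in Table 3-6.
DEFAULTS = {
    "CSSC_IS_SECURE": "64",
    "CSSC_CIPHER_LIST": "AES:!aNULL:@STRENGTH",
    "CSSC_LEGACY_AUTH_ENABLED": "0",
    "CSSC_ALLOW_LEGACY_AUTH": "1",
}
BACK_LEVEL_PORT = "5637"  # value Table 3-6 requires for CSSC_PORT and CSSC_MASTER_PORT
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # labels chosen for this example

# Constructed sample, not taken from a real server. The NAME=VALUE layout
# is an assumption; adapt parse_config() if the real file differs.
SAMPLE_CONFIG = """\
# constructed sample
CSSC_VERSION=2
CSSC_PORT=5637
CSSC_MASTER_PORT=5638
CSSC_IS_SECURE=0
CSSC_CIPHER_LIST=AES:@STRENGTH
CSSC_LEGACY_AUTH_ENABLED=0
"""


def parse_config(text):
    """Return {NAME: value}; skips blanks, comments and section headers."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().upper()] = value.strip()  # a later duplicate wins
    return params


def audit(params):
    """Return (severity, parameter, message) findings, most severe first."""
    effective = {**DEFAULTS, **params}  # absent parameters fall back to defaults
    findings = []

    mode = effective["CSSC_IS_SECURE"]
    if mode == "0":
        findings.append(("HIGH", "CSSC_IS_SECURE",
                         "non-secure mode: HTTP with no authentication required"))
    elif mode != "64":
        findings.append(("MEDIUM", "CSSC_IS_SECURE",
                         f"value {mode!r} is neither 64 (secure) nor 0 (non-secure)"))

    if effective["CSSC_LEGACY_AUTH_ENABLED"] == "1":
        findings.append(("HIGH", "CSSC_LEGACY_AUTH_ENABLED",
                         "legacy authentication enabled (deprecated from 8.1)"))

    if effective["CSSC_ALLOW_LEGACY_AUTH"] != "0":
        findings.append(("MEDIUM", "CSSC_ALLOW_LEGACY_AUTH",
                         "legacy cloud media servers (7.7.x to 8.1.2) are allowed; "
                         "set 0 if none remain"))

    ciphers = effective["CSSC_CIPHER_LIST"]
    if ciphers != DEFAULTS["CSSC_CIPHER_LIST"]:
        if "!aNULL" not in ciphers.split(":"):
            findings.append(("HIGH", "CSSC_CIPHER_LIST",
                             "custom list drops the !aNULL exclusion of the default"))
        else:
            findings.append(("LOW", "CSSC_CIPHER_LIST",
                             "custom list: keep it identical on master and media servers"))

    for name in ("CSSC_PORT", "CSSC_MASTER_PORT"):
        if name in params and params[name] != BACK_LEVEL_PORT:
            findings.append(("MEDIUM", name,
                             f"must be {BACK_LEVEL_PORT}; back-level media servers "
                             "cannot reach the master server otherwise"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for severity, name, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{severity:6} {name}: {message}")
```

An empty file still yields the CSSC_ALLOW_LEGACY_AUTH finding, because the default value 1 applies when the parameter is absent.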

Deploying host name-based certificates


This is applicable for media server versions 7.7.x to 8.1.2 only.

You can deploy the required host name-based security certificate for the NetBackup
media servers that you use for cloud storage. Each media server that you use for
cloud storage runs the NetBackup CloudStore Service Container.
See “About the NetBackup CloudStore Service Container” on page 104.
You can deploy a certificate for an individual media server or for all media servers.
Media servers that you use for cloud storage must have a host name-based security
certificate.

Note: Deploying a host name-based certificate is a one-time activity for a host. If
a host name-based certificate was deployed for an earlier release or for a hotfix, it
does not need to be done again.

Ensure the following before you deploy a host name-based certificate:

■ All nodes of the cluster have a host ID-based certificate.
■ All Fully Qualified Domain Names (FQDN) and short names for the cluster nodes
are mapped to their respective host IDs.

Deploying a host name-based certificate on media servers


This procedure works well when you deploy host name-based security certificates
to many hosts at one time. As with NetBackup deployment in general, this method
assumes that the network is secure.
To deploy a host name-based security certificate for media servers
1 Run the following command on the master server, depending on your
environment. Specify the name of an individual media server or specify
-AllMediaServers.

On Windows: install_path\NetBackup\bin\admincmd\bpnbaz -ProvisionCert host_name|-AllMediaServers

On UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -ProvisionCert host_name|-AllMediaServers

NetBackup appliance (as a NetBackupCLI user): bpnbaz -ProvisionCert Media_server_name

2 Restart the NetBackup Service Layer (nbsl) service on the media server.

Note: If you use dynamic IPs on the hosts (DHCP), ensure that the host name and
the IP address are correctly listed on the master server. To do so, run the following
NetBackup bpclient command on the master server:
On Windows: Install_path\NetBackup\bin\admincmd\bpclient -L -All
On UNIX: /usr/openv/netbackup/bin/admincmd/bpclient -L -All

Deploying host ID-based certificates


Depending on the certificate deployment security level, a non-master host may
require an authorization token before it can obtain a host ID-based certificate from
the Certificate Authority (master server). When certificates are not deployed
automatically, they must be deployed manually by the administrator on a NetBackup
host using the nbcertcmd command.
The following topic describes the deployment levels and whether the level requires
an authorization token.

Deploying when no token is needed


Use the following procedure when the security level is such that a host administrator
can deploy a certificate on a non-master host without requiring an authorization
token.
To generate and deploy a host ID-based certificate when no token is needed
1 The host administrator runs the following command on the non-master host to
establish that the master server can be trusted:
nbcertcmd -getCACertificate

2 Run the following command on the non-master host:
nbcertcmd -getCertificate

Note: To communicate with multiple NetBackup domains, the administrator of
the host must request a certificate from each master server using the -server
option.

Run the following command to get a certificate from a specific master server:
nbcertcmd -getCertificate -server master_server_name

3 To verify that the certificate is deployed on the host, run the following command:
nbcertcmd -listCertDetails

Deploying when a token is needed


Use the following procedure when the security level is such that a host requires an
authorization token before it can deploy a host ID-based certificate from the CA.
To generate and deploy a host ID-based certificate when a token is required
1 The host administrator must have obtained the authorization token value from
the CA before proceeding. The token may be conveyed to the administrator
by email, by file, or verbally, depending on the various security guidelines of
the environment.
2 Run the following command on the non-master host to establish that the master
server can be trusted:
nbcertcmd -getCACertificate

3 Run the following command on the non-master host and enter the token when
prompted:
nbcertcmd -getCertificate -token

Note: To communicate with multiple NetBackup domains, the administrator of
the host must request a certificate from each master server using the -server
option.

If the administrator obtained the token in a file, enter the following:
nbcertcmd -getCertificate -file authorization_token_file

4 To verify that the certificate is deployed on the host, run the following command:
nbcertcmd -listCertDetails

Use the -cluster option to display cluster certificates.

About data compression for cloud backups


In NetBackup, you can compress your data before you send it to the cloud storage
server.
You can enable data compression on the NetBackup media server while you
configure your cloud storage server using the Cloud Storage Server Configuration
Wizard.
See “Configuring a storage server for cloud storage” on page 125.

Note: After you have enabled the data compression during the cloud storage
configuration, you cannot disable it.

Important notes about data compression in NetBackup


■ NetBackup media servers that are older than the 7.7.3 version do not support
data compression. Therefore, if you have selected an older media server while
you configure the cloud storage server, the compression option does not appear
on the Cloud Storage Server Configuration Wizard.
■ NetBackup uses a third-party library, LZO Pro, with compression level 3. The
bptm logs provide information of the compression ratio of your data after the
backup is taken in the cloud storage.
See “Viewing the compression ratio” on page 175.
■ NetBackup compresses the data in chunks of 256 KB.
■ NetBackup Accelerator and True Image Restore (TIR) with move detection are
supported with compression.
■ The backup data is compressed before it is transmitted to the cloud storage
server. If both the compression and the encryption options are selected, the
data is compressed before it is encrypted.
■ Data compression reduces the backup time and the data size, depending on how
compressible the data is. You may also notice reduced bandwidth
utilization when you compare it with sending the data without compression.
■ Performance of the data compression is reduced if the data is incompressible.
Therefore, it is not recommended to enable compression for backing up
incompressible data such as policy data and so on.
■ It is not recommended to use the same bucket with storage servers of different
types.
■ You must not use client-side compression along with storage server-side
compression.
■ You cannot change the compression configuration settings (enable/disable)
after the storage server is created.

About data encryption for cloud storage


You can encrypt your data before you send it to the cloud. The NetBackup Cloud
Storage Server Configuration Wizard and the Disk Pool Configuration Wizard
include the steps that configure key management and encryption.
NetBackup uses NetBackup Key Management Service (NetBackup KMS) and
external key management service (external KMS) for managing data encryption in
case of cloud disk storage.
See “About NetBackup KMS for encryption of NetBackup cloud storage” on page 117.
See “About external KMS for encryption of NetBackup cloud storage” on page 119.
More information about NetBackup KMS and external KMS is available in the
NetBackup Security and Encryption Guide.

About NetBackup KMS for encryption of NetBackup cloud storage

NetBackup uses NetBackup Key Management Service (NetBackup KMS) to manage
the keys for the data encryption for disk storage. NetBackup KMS is a NetBackup
master server-based symmetric key management service. The service runs on the
NetBackup master server. An additional license is not required to use the NetBackup
KMS functionality. NetBackup uses NetBackup KMS to manage the encryption
keys for cloud storage.
See “About data encryption for cloud storage” on page 116.
You need to provide KMS and key-specific information when you enable the
Encryption through Cloud Storage Server Configuration Wizard and configure
disk pool using the Disk Pool Configuration Wizard. Key-specific information is
based on the KMS server configuration. If a KMS server is not configured, NetBackup
KMS is by default configured as a KMS server as part of the encryption setting for
the cloud storage server.
The following table describes the keys that are required for the NetBackup KMS
database. You can enter the pass phrases for these keys when you use the Cloud
Storage Server Configuration Wizard.

Table 3-7 Encryption keys required for the KMS database

Key Description

Host Master Key
    The Host Master Key protects the key database. The Host Master
    Key requires a pass phrase and an ID. NetBackup KMS uses the
    pass phrase to generate the key.

Key Protection Key
    A Key Protection Key protects individual records in the key
    database. The Key Protection Key requires a pass phrase and an
    ID. NetBackup KMS uses the pass phrase to generate the key.

The following table describes the encryption keys that are required for each storage
server and volume combination. If you specified encryption when you configured the
cloud storage server, you must configure a pass phrase for the key group for the
storage volumes. You enter the pass phrase for these keys when you use the Disk
Pool Configuration Wizard.

Table 3-8 Encryption keys and key records for each storage server and
volume combination

Item Description

Key group key
    A key group key protects the key group. Each storage server and volume
    combination requires a key group, and each key group key requires a
    pass phrase. The key group name must use the format for the storage
    type that is described as follows:

    For cloud storage, the following is the format:

    storage_server_name:volume_name

    The following items describe the requirements for the key group name
    components for cloud storage:

    ■ storage_server_name : You must use the same name that you
      use for the storage server. The name can be a fully-qualified domain
      name or a short name, but it must be the same as the storage server.
    ■ The colon (:) is required after the storage_server_name.
    ■ volume_name : You must specify the LSU name that the storage
      vendor exposes to NetBackup.

    The Disk Pool Configuration Wizard conforms to this format when it
    creates a key group.

Key record
    Each key group that you create requires a key record. A key record
    stores the actual key that protects the data for the storage server and
    volume.

    A name for the key record is optional. If you use a key name, you can
    use any name. It is recommended that you use the same name as the
    volume name. The Disk Pool Configuration Wizard does not prompt
    for a key record key; it uses the volume name as the key name.

More information about NetBackup KMS and external KMS is available in the
NetBackup Security and Encryption Guide.

About external KMS for encryption of NetBackup cloud storage

NetBackup supports keys from an external key management service (external KMS)
server in case of cloud storage.
If external KMS is configured on the master server, note the following:
■ No extra steps are required to configure external KMS in the Cloud Storage
Server Configuration Wizard.
■ No extra steps are required to provide inputs for key passphrase in the Disk
Pool Configuration Wizard.
A symmetric encryption key is required for each storage server and volume
combination. A symmetric encryption key is not created on the external KMS server
for each storage server and volume combination. You need to ensure that a
symmetric encryption key already exists on the external KMS server with a custom
attribute whose value is the key group in the 'storage_server_name:volume_name' format.
More information about external KMS is available in the NetBackup Security and
Encryption Guide.

About cloud storage servers


A storage server is an entity that writes data to and reads data from the storage.
In case of a cloud storage server, it is a host or an endpoint that the cloud vendor exposes
to perform backup operations using NetBackup media server(s). You can use any
logical name to identify the cloud storage when you configure a cloud storage server
in NetBackup.
When you configure a cloud storage server, it inherits the NetBackup Scalable
Storage properties.
See “Scalable Storage properties” on page 95.
After you configure the storage server, you can change the properties of the storage
server.
See “Changing cloud storage server properties” on page 130.
NetBackup media servers back up the clients and send the data to the storage
server.
See “About the NetBackup media servers for cloud storage” on page 122.

About object size for cloud storage


During backup, NetBackup divides the backup image data into chunks called objects.
A PUT request is made for each object to move it to the cloud storage.
By setting a custom Object Size, you can control the number of PUT and GET
requests that are sent to and from the cloud storage. The reduced number of PUT
and GET requests helps in reducing the total charges that are incurred for the
requests.
During the creation of a cloud storage server, you can specify a custom value for
the Object Size. Consider the cloud storage provider, hardware, infrastructure,
expected performance, and other factors for deciding the value. Once you set the
Object Size for a cloud storage server, you cannot change the value. If you want
to set a different Object Size, you must recreate the cloud storage server.
See “Configuring a storage server for cloud storage” on page 125.

Guidelines for selecting the Object Size


The performance of NetBackup in cloud is driven by the combination of object size,
number of parallel connections, and the read or write buffer size.
To enhance the performance of backup and restore operations, NetBackup uses
multiple parallel connections into cloud storage. The performance of NetBackup
depends on the number of parallel connections. The number of parallel connections
is derived from the read or write buffer size and the object size:

Number of parallel connections (derived) = Read or write buffer size (user set) ÷ Object Size (user set)

The following diagram illustrates how these factors are related:

Figure 3-3 Object size
[Figure: the cloud connector divides the backup data stream into objects (configurable size, shown as 16 MB each) and sends them over parallel connections (derived) to cloud object storage. The read or write buffer has a configurable size.]


■ Consider the following factors when deciding the number of parallel connections:
■ Maximum number of parallel connections that are permitted by the cloud
storage provider.
■ Network bandwidth availability between NetBackup and the cloud storage
environment.
■ System memory availability on the NetBackup host.

■ If you increase the object size, the number of parallel connections reduces. The
number of parallel connections affects the upload and download rate.
■ If you increase the read or write buffer size, the number of parallel connections
increases. Similarly, if you want fewer parallel connections, you can
reduce the read or write buffer size. However, you must consider the network
bandwidth and the system memory availability.
■ Cloud providers charge for the number of PUT and GET requests that are
initiated during a backup or restore process. The smaller the object size, the higher
the number of PUT or GET requests, and therefore, the higher the charges that are incurred.
■ In case of temporary failures with data transfer, NetBackup performs multiple
retries for transferring the failed objects. In such case, if the failures persist, the
complete object is transferred again. Also, with higher latency and higher packet
loss, the performance might reduce. To handle the latency and packet loss
issues, increasing the number of parallel connections can be helpful.
■ NetBackup has some time-outs on the client side. If the upload operation takes
more time (due to big object size) than the minimum derived NetBackup data
transfer rate, there can be failures with NetBackup.
■ For legacy environments without deduplication support, if the number of
connections is lower, there are fewer parallel downloads compared to the older number
of connections.
For example, while restoring from back-level images (8.0 and earlier), where
the object size is 1 MB, the buffer of 16 MB (for one connection) is not completely
used while also consuming memory. With the increased object size, there is a
restriction on the number of connections due to the available read or write buffer
size memory.

Current default settings


The default settings are as follows:

Table 3-9 Current default settings

Cloud storage provider | CloudCatalyst storage: Object size | CloudCatalyst storage: Default read or write buffer size | Non-CloudCatalyst storage: Object size | Non-CloudCatalyst storage: Default read or write buffer size
Amazon S3/Amazon GovCloud | 64 MB (fixed) | 64 MB (fixed) | 16 MB (fixed) | 400 MB (configurable between 16 MB to 1 GB)
Azure | 64 MB (fixed) | 64 MB (fixed) | 4 MB (fixed) | 400 MB (configurable between 4 MB to 1 GB)
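The trade-offs listed above, worked through with the non-CloudCatalyst defaults from Table 3-9. This is an added example, not NetBackup code: the function and field names are hypothetical, and it assumes that the number of parallel connections is the read or write buffer size divided by the object size and that the 900-second CURL_TIMEOUT default covers the transfer of one object.

```python
from dataclasses import dataclass

MB = 1024 * 1024
GB = 1024 * MB

# Non-CloudCatalyst values from Table 3-9: fixed object size, default read or
# write buffer size, and the configurable buffer range.
TABLE_3_9 = {
    "amazon": {"object": 16 * MB, "buffer": 400 * MB, "min": 16 * MB, "max": 1 * GB},
    "azure": {"object": 4 * MB, "buffer": 400 * MB, "min": 4 * MB, "max": 1 * GB},
}

CURL_TIMEOUT_DEFAULT = 900  # seconds, the CURL_TIMEOUT default stated in this guide


@dataclass(frozen=True)
class TransferPlan:
    object_size: int
    buffer_size: int
    parallel_connections: int
    requests: int                   # PUT (backup) or GET (restore) requests the provider bills
    min_rate_per_connection: float  # bytes/s needed for one object to finish inside the timeout
    min_aggregate_rate: float       # bytes/s needed when every connection is busy


def plan_transfer(provider, backup_bytes, buffer_size=None,
                  timeout_s=CURL_TIMEOUT_DEFAULT):
    """Derive connection count, request count and throughput floor for one job."""
    if provider not in TABLE_3_9:
        raise ValueError(f"no Table 3-9 row for provider {provider!r}")
    if backup_bytes <= 0:
        raise ValueError("backup_bytes must be positive")
    if timeout_s < 0:
        raise ValueError("timeout_s must be zero (disabled) or positive")

    row = TABLE_3_9[provider]
    obj = row["object"]
    buf = row["buffer"] if buffer_size is None else buffer_size

    # The lower bound of the configurable range equals the object size, so this
    # check also enforces "object size must be less than or equal to the read
    # or write buffer size".
    if not row["min"] <= buf <= row["max"]:
        raise ValueError(
            f"buffer of {buf} bytes is outside the configurable range "
            f"{row['min']}..{row['max']} for {provider}"
        )

    # ASSUMPTION: connections = buffer size / object size. A buffer that is not
    # a whole multiple of the object size leaves the remainder unused.
    connections = buf // obj

    # One request per object; the last object may be only partly filled.
    requests = -(-backup_bytes // obj)

    # ASSUMPTION: the timeout applies to one object transfer; 0 disables it.
    per_conn = obj / timeout_s if timeout_s else 0.0
    return TransferPlan(obj, buf, connections, requests,
                        per_conn, per_conn * connections)


if __name__ == "__main__":
    backup = 100 * GB  # constructed sample job size
    for name in ("amazon", "azure"):
        p = plan_transfer(name, backup)
        print(f"{name}: {p.parallel_connections} connections, "
              f"{p.requests} requests, "
              f"{p.min_rate_per_connection / 1024:.1f} KiB/s per connection minimum")
    # Shrinking the buffer lowers the connection count but not the request count.
    small = plan_transfer("amazon", backup, buffer_size=64 * MB)
    print(f"amazon, 64 MB buffer: {small.parallel_connections} connections, "
          f"{small.requests} requests")
```

The request count depends only on the object size, so the buffer size trades memory and parallelism against each other without changing what the provider bills for PUT or GET calls.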

About the NetBackup media servers for cloud storage
The NetBackup media servers that you use for cloud storage back up the NetBackup
clients and then send that backup data to the cloud storage server. The storage
server then writes the data to storage.
See “About cloud storage servers” on page 119.
The NetBackup media servers also can move data back to primary storage (the
client) during restores and from secondary storage to tertiary storage during
duplication. These media servers are also known as data movers. They host a
software plug-in that they use to communicate with the storage implementation.
When you configure a cloud storage server, the media server that you specify in
the wizard or on the command line becomes a cloud storage data mover.
See “Configuring a storage server for cloud storage” on page 125.

You can add additional media servers to back up clients. They can help balance
the load of the backups that you send to the cloud storage.
See “Adding backup media servers to your cloud environment” on page 157.
You can control which data movers are used for backups and duplications when
you configure NetBackup storage units.
See “Configuring a storage unit for cloud storage” on page 157.
You can configure a cloud media server as a cloud master host.
See “Using media server as NetBackup Cloud master host” on page 123.
To support cloud storage, a media server must conform to the following items:
■ The operating system must be supported for cloud storage. For the operating
systems that NetBackup supports for cloud storage, see the NetBackup operating
system compatibility list available through the following URL:
[Link]
■ On media server versions 7.7.x to 8.1.2, the NetBackup Cloud Storage Service
Container (nbcssc) must be running.
See “About the NetBackup CloudStore Service Container” on page 104.
■ The NetBackup media servers that you use for cloud storage must be the same
NetBackup version as the master server.

Using media server as NetBackup Cloud master host


These steps are applicable to media server versions up to 8.1.2 only.
You must perform this procedure for all the operating systems that are not
supported by NetBackup cloud.
See the NetBackup hardware compatibility list for your release available through
the following URL:
[Link]
For disaster recovery, you must take a manual backup of the following files from
the media server that you have configured as NetBackup cloud master host:
■ [Link]

■ [Link]

To use media server as NetBackup cloud master host


1 Identify one of the NetBackup cloud media servers as a cloud master host.
Choose a media server that has the same NetBackup version as the master server. Do
not use a media server with a different version.

Note: The media server does not hold the master copy of the
[Link] file which all the media servers require while configuring
the cloud storage and for running operations such as backup, restore, and so
on.

2 Run the following commands on all the NetBackup cloud media servers
including the one that is selected as the cloud master host:
nbcssc -t -a Netbackup

nbcssc -s -a Netbackup -m cloud_master_host -f

For information on the command, see NetBackup Commands Reference Guide.


3 Ensure that the values of CSSC_PORT and CSSC_IS_SECURE in the
[Link] file on the cloud master host are copied as
CSSC_MASTER_PORT and CSSC_MASTER_IS_SECURE in the
[Link] file on all other NetBackup cloud media servers.

After you select a cloud master host, do not change the name again to point to
another media server. If you need to do so, contact Veritas Technical Support.

Additional task post disaster recovery


For a cloud storage server that uses a proxy server, you must update the proxy
credentials.
■ To perform the task using the NetBackup Administration Console, see
“Changing cloud storage host properties” on page 103.
■ To perform the task using the commands, run the following:
csconfig cldinstance -us -in instance_name -sts storage_server_name
-pxtype proxy_type -pxhost proxy_host -pxport proxy_port
-pxauth_type proxy_auth_type -pxtunnel proxytunnel_usage

For information on the command, see NetBackup Commands Reference Guide.

Additional task post master server upgrade


This is applicable for a NetBackup environment where a master server is running
on an unsupported operating system such as Solaris x86 or Windows Server 2008,
and the media server is promoted as a Cloud Master host.

After upgrading the master server, if you plan to perform a rolling upgrade on the
media server, then there are some additional post-upgrade steps that must be
performed to ensure that the cloud storage server works seamlessly after the media
server upgrade is completed.
Refer to the following technote for more details:
[Link]

Configuring a storage server for cloud storage


Configure in this context means to configure a host as a storage server that can
write to and read from the cloud storage. The NetBackup Cloud Storage Server
Configuration Wizard communicates with your cloud storage vendor's service
endpoint and selects the appropriate host for the storage server.
See “About cloud storage servers” on page 119.
The wizard also lets you enable encryption and configure corresponding parameters
for the NetBackup Key Management Service (NetBackup KMS) server if no KMS
server is configured.
See “About data encryption for cloud storage” on page 116.
If data encryption and NetBackup KMS are configured, it is recommended that you
save a record of key names.
See “Saving a record of the KMS key names for NetBackup cloud storage
encryption” on page 155.
If you configure a storage server by using the CLI, you must run the csconfig command
before you run the nbdevconfig and tpconfig commands.
See the NetBackup Commands Reference Guide.
The NetBackup media server that you select during the configuration process must
conform to the requirements for cloud storage.
See “About the NetBackup media servers for cloud storage” on page 122.
To configure a cloud storage server by using the wizard
1 In the NetBackup Administration Console connected to the NetBackup
master server, select either NetBackup Management or Media and Device
Management.
2 In the right pane, click Configure Cloud Storage Servers.

3 Click Next on the welcome panel.
The Select cloud provider panel appears.
[Figure: example of the Select cloud provider panel]

4 On the Select cloud provider panel, perform one of the following:


■ Select the cloud provider from the Cloud storage providers list of cloud
providers.
■ Sort the list of cloud providers by selecting the cloud storage API type from
the Storage API type drop-down list and then selecting the cloud provider.
■ In the Cloud storage providers search box, type the cloud provider name
that you want to select. A cloud provider may support multiple cloud storage
API types. Select an appropriate provider.

5 Click Next. A wizard panel for the selected cloud provider appears.

6 Select the preferred storage class and click Next.

Note: This option is available only for Amazon and Amazon GovCloud cloud
providers. See “About Amazon S3 storage classes” on page 34.

7 Specify the following settings on the Specify object size, compression, and
encryption settings panel.

Note: NetBackup media servers that are older than the 7.7.3 version do not
support data compression. Therefore, if you have selected an older media
server, the compression option does not appear on the panel.

Note: NetBackup 8.2 or earlier media servers do not support data encryption
for keys that an external KMS manages. If you configure encryption on such
media servers, the Encryption option shows NetBackup KMS configuration
settings.

Caution: If you use NetBackup commands to add a NetBackup 7.7.3 or earlier
media server to a cloud storage environment that uses compression, cloud
backups may fail. Ensure that all media servers that you add to a cloud storage
configuration with compression are NetBackup 7.7.3 or later.

■ To specify a custom object size, enter a value in the Object Size field. If
you do not update the value, the default object size is used.

Note: The object size must be less than or equal to the read or write buffer
size.

See “About object size for cloud storage” on page 120.


■ To compress your backup data, select Compress data before writing to
cloud storage.
See “About data compression for cloud backups” on page 115.
■ To encrypt the data that is written to cloud storage, select Encrypt data
using AES-256 before writing to cloud storage.
See “About NetBackup KMS for encryption of NetBackup cloud storage”
on page 117.
See “About external KMS for encryption of NetBackup cloud storage”
on page 119.
See “KMS database encryption settings” on page 128.


Click Next. If you entered the compression and the encryption information, a
dialog box appears that explains that you cannot change the settings after
configuration. Click Yes to proceed or click No to cancel. If you click Yes, the
Cloud Storage Server Configuration Summary panel appears.
8 On the Cloud Storage Server Configuration Summary panel, verify the
selections.
If you need to make corrections, click Back until you reach the panel on which
you need to make corrections.
If the selections are OK, click Next. The wizard creates the storage server,
and the Storage Server Creation Confirmation panel appears.
9 On the Storage Server Creation Confirmation panel, do one of the following:
■ To continue to the Disk Pool Configuration Wizard, click Next.
See “Configuring a disk pool for cloud storage” on page 146.
■ To exit from the wizard, click Finish.
If you exit, you can still create a disk pool.
See “Configuring a disk pool for cloud storage” on page 146.

KMS database encryption settings


This section describes the settings to configure the NetBackup Key Management
Service database and the encryption keys for your cloud storage. This information
protects the database that contains the keys that NetBackup uses to encrypt the
data. Key groups and key records also are required for encryption. The Cloud
Storage Server Configuration Wizard and the Disk Pool Configuration Wizard
configure the encryption for you.

Table 3-10 Required information for the encryption database

Field Name Required information

KMS Server Name This field displays the name of your NetBackup master server. You can only configure
KMS on your master server. This field cannot be changed.
If KMS is not configured, this field displays <kms_server_name>.

Host Master Key (HMK) Passphrase Enter the key that protects the database. In KMS terminology, the key is called a
passphrase.

Re-enter HMK Passphrase Re-enter the host master key.



Host Master Key ID The ID is a label that you assign to the master key. The ID lets you identify the
particular host master key. You are limited to 255 characters in this field.

To decipher the contents of a keystore file, you must identify the correct Key
Protection Key and Host Master Key. These IDs are stored unencrypted in the
keystore file header. You can select the correct ones even if you only have access
to the keystore file. To perform a disaster recovery you must remember the correct
IDs and the pass phrases that are associated with the files.

Key Protection Key (KPK) Passphrase Enter the password that protects the individual records within the KMS database.
In KMS terminology, the key is called a passphrase.

Re-enter KPK Passphrase Re-enter the key protection password.

Key Protection Key ID The ID is a label that you assign to the key. The ID lets you identify the particular
key protection key. You are limited to 255 characters in this field.

To decipher the contents of a keystore file, you must identify the correct Key
Protection Key and Host Master Key. These IDs are stored unencrypted in the
keystore file header. You can select the correct ones even if you only have access
to the keystore file. To perform a disaster recovery you must remember the correct
IDs and the pass phrases that are associated with the files.

After you configure the storage server and disk pool, it is recommended that you
save a record of the key names.
See “Saving a record of the KMS key names for NetBackup cloud storage
encryption” on page 155.

Assigning a storage class to Amazon cloud storage


In NetBackup, you can assign a storage class to cloud storage while you configure
a new storage server.
See “About Amazon S3 storage classes” on page 34.
See “Configuring a storage server for cloud storage” on page 125.
To assign a storage class
1 In the NetBackup Administration Console > Cloud Storage Configuration
wizard, select Amazon.
2 On the Add Storage Server screen, specify the Amazon S3 configuration
details such as, service host, storage server name, and access details.

3 Select the preferred storage class and click Next. It is recommended that you
do not modify the storage class of a cloud storage server after you have
assigned it.
See “About Amazon S3 storage classes” on page 34.

Note: Prior to NetBackup 8.1.1, in the Advanced Server Configuration screen,
the x-amz-storage-class header displayed the Amazon S3 storage classes
that NetBackup supports.

Note: AMZ:STORAGE_CLASS lists the storage class in the storage server
properties dialog box.

4 Configure a new disk pool.
See “Configuring a disk pool for cloud storage” on page 146.

Note: It is recommended that you use different buckets for different storage
classes.

5 Configure a new storage unit by accessing NetBackup Administration
Console > NetBackup Management > Storage > Storage Units.
6 Modify the existing policy or SLP (or create new policy or SLP) to use the new
storage unit by accessing the respective user interfaces:
■ To access policy, do the following: In the NetBackup Administration
Console, expand NetBackup Management, and click Policies.
■ To access SLP, do the following: In the NetBackup Administration
Console, expand NetBackup Management, expand Storage, and click
Storage Life Cycle Policies.

Changing cloud storage server properties


The Change Storage Server dialog box lists all storage server properties. You can
change these properties, if required.
See “Configuring cloud storage in NetBackup” on page 93.
How to change cloud storage host properties is described in a different topic.
See “Changing cloud storage host properties” on page 103.

To change cloud storage server properties


1 In the NetBackup Administration Console, expand Media and Device
Management > Credentials > Storage Server.
2 Select the storage server.
3 On the Edit menu, select Change.
4 In the Change Storage Server dialog box, select the Properties tab.
[Figure: example of the Properties for Amazon S3 storage server of type amazon_raw]

5 To change a property, select its value in the Value column and then change
it.
See “NetBackup cloud storage server properties” on page 132.
See “NetBackup cloud storage server connection properties” on page 136.
See “NetBackup cloud storage server encryption properties” on page 145.

6 Repeat step 5 until you have finished changing the properties.


7 Click OK.
8 Restart the NetBackup Remote Manager and Monitor Service (nbrmms) by
using the NetBackup Administration Console Activity Monitor.

NetBackup cloud storage server properties


The Properties tab of the Change Storage Server dialog box lets you change
some of the properties that affect the NetBackup interaction with the cloud storage.
The following table describes the prefixes that NetBackup uses to categorize the
properties.
Not all properties apply to all storage vendors.

Table 3-11 Prefix definitions

Prefix | Definition | For more information
AMZ | Amazon | See “NetBackup cloud storage server connection properties” on page 136.
AMZGOV | Amazon GovCloud | See “NetBackup cloud storage server connection properties” on page 136.
AZR | Microsoft Azure | See “NetBackup cloud storage server connection properties” on page 136.
CLD | Cloudian Hyperstore | See “NetBackup cloud storage server connection properties” on page 136.
CRYPT | Encryption | See “NetBackup cloud storage server encryption properties” on page 145.
GOOG | Google Nearline | See “NetBackup cloud storage server connection properties” on page 136.
HT | Hitachi | See “NetBackup cloud storage server connection properties” on page 136.
HTTP | HTTP headers | See “NetBackup cloud storage server connection properties” on page 136. Note: This field applies to Amazon S3-compatible cloud providers.
METER | Metering | See “NetBackup cloud storage server connection properties” on page 136.
MSDPCLD | CloudCatalyst deduplication to the cloud | See “NetBackup CloudCatalyst storage server properties” on page 144.
ORAC | Oracle Cloud | See “NetBackup cloud storage server connection properties” on page 136.
SWSTK-SWIFT | SwiftStack (Swift) | See “NetBackup cloud storage server connection properties” on page 136.
THR | Throttling | See “NetBackup cloud storage server bandwidth throttling properties” on page 133.
VER | Verizon | See “NetBackup cloud storage server connection properties” on page 136.

See “Changing cloud storage server properties” on page 130.

NetBackup cloud storage server bandwidth throttling properties


The following storage server properties apply to bandwidth throttling. The THR prefix
specifies a throttling property. Use the correct cloud provider URL for the desired
cloud vendor.
To change these properties, use the Scalable Storage host properties Cloud
Settings tab.
See “Scalable Storage properties” on page 95.

Table 3-12 Cloud storage server bandwidth throttling properties

Property Description

THR:storage_server Shows the maximum number of concurrent jobs that can be run for a
specific cloud storage server.
If configuring throttling for a media server that is a CloudCatalyst cloud
storage server:

■ Change this value to 160 or more.


■ This value should be the same as the Maximum concurrent jobs
media server property in the Scalable Storage host properties.
See “Scalable Storage properties” on page 95.

Default value: Not applicable

Possible values: See the Description column



THR:AVAIL_BANDWIDTH This read-only field displays the total available bandwidth value for the
cloud feature. The value is displayed in bytes per second. You must
specify a number greater than zero. If you enter zero, an error is
generated.

Default value: 104857600

Possible values: Any positive integer

THR:DEFAULT_MAX_CONNECTIONS The default maximum number of concurrent jobs that the media server
can run for the cloud storage server.

If THR:storage_server is set, NetBackup uses THR:storage_server
instead of THR:DEFAULT_MAX_CONNECTIONS.

This is a read-only field.

This value applies to the media server, not to the cloud storage server.
If you have more than one media server that can connect to the cloud
storage server, each media server can have a different value. Therefore,
to determine the total number of jobs that can run on the cloud storage
server, add the values from each media server.

If NetBackup is configured to allow more jobs than
THR:DEFAULT_MAX_CONNECTIONS, NetBackup fails any jobs that
start after the number of maximum jobs is reached. Jobs include both
backup and restore jobs.

You can configure job limits per backup policy and per storage unit.
See the NetBackup Administrator's Guide, Volume I.
Note: NetBackup must account for many factors when it starts jobs:
the number of concurrent jobs, the number of
THR:DEFAULT_MAX_CONNECTIONS per media server, the number
of media servers, and the job load-balancing logic. Therefore,
NetBackup may not fail jobs exactly at the maximum number of
connections. NetBackup may fail a job when the connection number is
slightly less than the maximum, exactly the maximum, or slightly more
than the maximum.

In practice, you should not need to set this value higher than 100.

Default value: 10

Possible values: 1 to 2147483647



THR:OFF_TIME_BANDWIDTH_PERCENT This read-only field displays the bandwidth percent that is used during
off time.

Default value: 100

Possible values: 0 to 100

THR:OFF_TIME_END This read-only field displays the end of off time. Specify the time in
24-hour format. For example, 8:00 A.M. is 8 and 6:30 P.M. is 1830.

Default value: 8

Possible values: 0 to 2359

THR:OFF_TIME_START This read-only field displays the start of off time. Specify the time in
24-hour format. For example, 8:00 A.M. is 8 and 6:30 P.M. is 1830.

Default value: 18

Possible values: 0 to 2359

THR:READ_BANDWIDTH_PERCENT This read-only field displays the read bandwidth percentage the cloud
feature uses. Specify a value between 0 and 100. If you enter an
incorrect value, an error is generated.

Default value: 100

Possible values: 0 to 100

THR:SAMPLE_INTERVAL This read-only field displays the rate at which backup streams sample
their utilization and adjust their bandwidth use. The value is specified
in seconds. When this value is set to zero, throttling is disabled.

Default value: 0

Possible values: 1 to 2147483647

THR:WEEKEND_BANDWIDTH_PERCENT This read-only field displays the bandwidth percent that is used during
the weekend.

Default value: 100

Possible values: 0 to 100

THR:WEEKEND_END This read-only field displays the end of the weekend. The day value is
specified with numbers, 1 for Monday, 2 for Tuesday, and so on.

Default value: 7

Possible values: 1 to 7

THR:WEEKEND_START This read-only field displays the start of the weekend. The day value is
specified with numbers, 1 for Monday, 2 for Tuesday, and so on.

Default value: 6

Possible values: 1 to 7

THR:WORK_TIME_BANDWIDTH_PERCENT This read-only field displays the bandwidth percent that is used during
the work time.

Default value: 100

Possible values: 0 to 100

THR:WORK_TIME_END This read-only field displays the end of work time. Specify the time in
24-hour format. For example, 8:00 A.M. is 8 and 6:30 P.M. is 1830.

Default value: 18

Possible values: 0 to 2359

THR:WORK_TIME_START This read-only field displays the start of work time. Specify the time in
24-hour format. For example, 8:00 A.M. is 8 and 6:30 P.M. is 1830.

Default value: 8

Possible values: 0 to 2359

THR:WRITE_BANDWIDTH_PERCENT This read-only field displays the write bandwidth percentage the cloud
feature uses. Specify a value between 0 and 100. If you enter an
incorrect value, an error is generated.

Default value: 100

Possible values: 0 to 100

See “Changing cloud storage server properties” on page 130.


See “NetBackup cloud storage server properties” on page 132.

NetBackup cloud storage server connection properties


All or most of the cloud storage servers use the storage server properties in
Table 3-13. The following are the prefixes for the currently supported cloud vendors:
■ Amazon: AMZ
■ Amazon GovCloud: AMZGOV
■ Cloudian: CLD
■ Google Nearline: GOOG
■ Hitachi: HT
■ Microsoft Azure: AZR
■ Verizon: VER

Table 3-13 Storage server cloud connection properties

Property Description

METER:DIRECTORY This read-only field displays the directory in which
to store data stream metering information.

Default value:

UNIX: /usr/openv/var/global/wmc/cloud or
/usr/openv/netbackup/db/cloud (on media server versions 7.7.x to 8.1.2 only)

Windows: install_path\Veritas\NetBackup\var\global\wmc\cloud or
install_path\Veritas\NetBackup\db\cloud\ (on media server versions 7.7.x to 8.1.2 only)

METER:INTERVAL The interval at which NetBackup gathers
connection information for reporting purposes.

NetBackup OpsCenter uses the information that is collected to create reports.
The value is set in seconds. The default setting is 300 seconds (5 minutes).
If you set this value to zero, metering is disabled.

To change this property, use the Cloud Settings tab of the Scalable Storage
host properties.

See “Scalable Storage properties” on page 95.

Default value: 300

Possible values: 1 to 10000



PREFIX:CURL_CONNECT_TIMEOUT The amount of time that is allocated for the media
server to connect to the cloud storage server. This value is specified in seconds.
The default is 300 seconds or five minutes.

This only limits the connection time, not the session time. If the media server
cannot connect to the cloud storage server in the specified time, the job fails.

This value cannot be disabled. If an invalid number is entered, the
CURL_CONNECT_TIMEOUT returns to the default value of 300.

Default value: 300

Possible values: 1 to 10000

PREFIX:CURL_TIMEOUT The maximum time in seconds to allow for the
completion of a data operation. This value is specified in seconds. If the
operation does not complete in the specified time, the operation fails.
The default is 900 seconds (15 minutes). To disable this timeout, set the
value to 0 (zero).

Default value: 900

Possible values: 1 to 10000

PREFIX:ESFS_HOST Identifies the host that contains the ESFS cache.
The ESFS cache is used by a CloudCatalyst storage server for deduplication
to the cloud.

This property is set internally and cannot be changed by the user.

PREFIX:LOG_CURL Determines if cURL activity is logged. The default
is NO which means log activity is disabled.

Default value: NO

Possible values: NO (disabled) and YES (enabled)



PREFIX:READ_BUFFER_SIZE The size of the buffer to use for read operations.
READ_BUFFER_SIZE is specified in bytes.

To enable the use of the buffer, set this value to a non-zero number.

The READ_BUFFER_SIZE determines the size of the data packets that the
storage server transmits during each restore job. An increase in the value
may increase performance when a large amount of contiguous data is accessed.
If insufficient bandwidth exists to transmit the specified amount of data
within a few minutes, restore failures may occur due to timeouts. When you
calculate the required bandwidth, consider the total load of simultaneous
backup jobs and restore jobs on multiple media servers.

See “About object size for cloud storage” on page 120.

PREFIX:USE_SSL Determines if Secure Sockets Layer encryption is
used for the control APIs. The default value is YES, meaning SSL is enabled.

Default value: YES

Possible values: YES or NO

PREFIX:USE_SSL_RW Determines if Secure Sockets Layer encryption is
used for read and write operations. The default value is YES, meaning SSL
is enabled.

Default value: YES

Possible values: YES or NO

Provider Suffix: USE_CRL If SSL is enabled and the CRL option is enabled,
each non-self-signed SSL certificate is verified
against the CRL.

PREFIX: OBJECT_SIZE The size of the data object that NetBackup sends
to the cloud storage server with HTTP PUT and GET requests.

Object Size is specified in bytes. You cannot edit the Object Size once you
set the value.

See “About object size for cloud storage” on page 120.

PREFIX: WRITE_BUFFER_NUM This parameter is not applicable for Amazon
S3-compatible cloud providers.

This read-only field displays the total number of write buffers that are used
by the plug-in. The WRITE_BUFFER_SIZE value defines the size of the buffer.
The value is set to 1 and cannot be changed.

Default value: 1

Possible values: 1

PREFIX:WRITE_BUFFER_SIZE The size of the buffer to use for write operations.
WRITE_BUFFER_SIZE is specified in bytes.

To disable the use of the buffer, set this value to 0 (zero).

The WRITE_BUFFER_SIZE value determines the size of the data packets
transmitted from the data mover to the storage server during a backup. An
increase in the value may increase performance when a large amount of
contiguous data is accessed. If insufficient bandwidth exists to transmit
the specified amount of data within a few minutes, backup failures may occur
due to timeouts. When you calculate the required bandwidth, consider the
total load of simultaneous backup jobs and restore jobs on multiple media
servers.

See “About object size for cloud storage” on page 120.

HTTP:User-Agent This is applicable only for Amazon S3-compatible
cloud providers.

This property is set internally and cannot be changed by the user.

HTTP:x-amz-server-side-encryption This is applicable only for the following cloud
providers: Amazon S3 and Amazon GovCloud

Use this property to enable the server-side encryption of the data that you
need to transfer to the cloud storage.

AES-256 is a server-side encryption standard.

Set this property to NONE to disable the server-side encryption for the
cloud provider.
Note: You should not enable this property, if you
have already enabled the media server-side
encryption option while configuring cloud storage
server using the NetBackup Administration
Console.

AMZ:REGION_NAME This is applicable only for Amazon
GLACIER_VAULT storage class.

Displays the region set during configuration of the storage server.

This property is set during configuration of the storage server and cannot
be changed by the user.

AMZ:UPLOAD_CLASS This is applicable only for the LIFECYCLE storage
class.

Use this property to specify the storage class to back up the data.

Default value: STANDARD

Possible values: STANDARD or STANDARD_IA

AMZ:RETRIEVAL RETENTION PERIOD This is applicable only for Amazon Glacier.

Use this property to specify the retrieval retention period in days.
AMZ:TRANSITION_TO_STANDARD_IA_AFTER This is applicable only for the
LIFECYCLE storage class.

If you have set the UPLOAD_CLASS as STANDARD, the
TRANSITION_TO_STANDARD_IA_AFTER must be set to either NONE or in the range
30 to 2147483617.

If you have set the UPLOAD_CLASS as STANDARD_IA, the
TRANSITION_TO_STANDARD_IA_AFTER must be set to NONE.

AMZ:TRANSITION_TO_GLACIER_AFTER This is applicable only for the LIFECYCLE
storage class.

If you have set UPLOAD_CLASS as STANDARD, and if
TRANSITION_TO_STANDARD_IA_AFTER is set in the range 30 to 2147483617, you
must set TRANSITION_TO_GLACIER_AFTER as NONE or in the range 60 to
2147483647. This value includes a minimum stay of 30 days for the data in
the STANDARD_IA storage class.

If you have set UPLOAD_CLASS as STANDARD, and if
TRANSITION_TO_STANDARD_IA_AFTER is set to NONE, you must set
TRANSITION_TO_GLACIER_AFTER in the range 1 to 2147483647.

If you have set UPLOAD_CLASS as STANDARD_IA and if
TRANSITION_TO_STANDARD_IA_AFTER is set to NONE, you must set
TRANSITION_TO_GLACIER_AFTER in the range 30 to 2147483647.

AMZ:STORAGE_CLASS This is applicable only for the Amazon S3 cloud providers.

Displays the storage class used by the cloud storage server.

This property is set internally and cannot be changed by the user.
AZR:STORAGE_TIER This is applicable only for Microsoft Azure Archive.

Displays the storage tier used by the cloud storage server.

AMZ:OFFLINE_TRANSFER_MODE This is applicable only for the Amazon S3 cloud
providers.

Use this property to set the storage destination for Amazon Snowball.

Default value: NONE

Note: Set the property to NONE after you are done using the Snowball mode.
In this mode, the end point must point to the Amazon public end point.

Possible values:

FILESYSTEM: Set this property if you want the data to be transferred to
Amazon Snowball using the file interface.

The storage server end point must point to the Amazon public end point.

PROVIDER_API: Set this property if you want to transfer the data to Amazon
Snowball using the S3 interface provided by Amazon.

The storage server end point must point to the Snowball end point.

AMZ:TRANSFER_DRIVE_PATH This is applicable only for the Amazon S3 cloud
providers and if the AMZ:OFFLINE_TRANSFER_MODE property is set to
FILESYSTEM.

Use this property to set the absolute mount point where the data must be
backed up for Amazon Snowball.

Default value: NONE

See “Changing cloud storage server properties” on page 130.

See “NetBackup cloud storage server properties” on page 132.
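The allowed combinations of AMZ:UPLOAD_CLASS, AMZ:TRANSITION_TO_STANDARD_IA_AFTER and AMZ:TRANSITION_TO_GLACIER_AFTER described above can be checked before the values are entered. The following Python sketch is an added example, not NetBackup code; the function names are hypothetical, and the 30-day gap check is an assumption based on the "minimum stay of 30 days" sentence.

```python
NONE = "NONE"
IA_KEY = "AMZ:TRANSITION_TO_STANDARD_IA_AFTER"
GLACIER_KEY = "AMZ:TRANSITION_TO_GLACIER_AFTER"
IA_MAX = 2147483617        # upper bound the guide gives for the STANDARD_IA transition
GLACIER_MAX = 2147483647   # upper bound the guide gives for the Glacier transition


def parse_days(name, value):
    """Return None for NONE, or the value as a whole number of days."""
    text = str(value).strip().upper()
    if text == NONE:
        return None
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{name}: expected NONE or a whole number of days, got {value!r}")
    return int(text)


def validate_lifecycle(upload_class, ia_after, glacier_after):
    """Return a list of rule violations; an empty list means the combination is allowed."""
    upload = str(upload_class).strip().upper()
    if upload not in ("STANDARD", "STANDARD_IA"):
        return [f"AMZ:UPLOAD_CLASS: expected STANDARD or STANDARD_IA, got {upload_class!r}"]
    try:
        ia = parse_days(IA_KEY, ia_after)
        glacier = parse_days(GLACIER_KEY, glacier_after)
    except ValueError as exc:
        return [str(exc)]

    errors = []
    if upload == "STANDARD_IA":
        # Data is uploaded straight to STANDARD_IA, so no IA transition may be set.
        if ia is not None:
            errors.append(f"{IA_KEY}: must be NONE when UPLOAD_CLASS is STANDARD_IA")
        glacier_min, none_allowed = 30, False
    elif ia is None:
        # STANDARD upload with no IA transition: a Glacier transition is required.
        glacier_min, none_allowed = 1, False
    else:
        if not 30 <= ia <= IA_MAX:
            errors.append(f"{IA_KEY}: must be NONE or in the range 30 to {IA_MAX}")
        glacier_min, none_allowed = 60, True

    if glacier is None:
        if not none_allowed:
            errors.append(f"{GLACIER_KEY}: NONE is not allowed here, "
                          f"use {glacier_min} to {GLACIER_MAX}")
    elif not glacier_min <= glacier <= GLACIER_MAX:
        errors.append(f"{GLACIER_KEY}: must be in the range {glacier_min} to {GLACIER_MAX}")
    elif upload == "STANDARD" and ia is not None and glacier - ia < 30:
        # Assumption: the guide's "minimum stay of 30 days" in STANDARD_IA is read
        # as a required gap between the two transition values.
        errors.append(f"{GLACIER_KEY}: leaves fewer than 30 days in STANDARD_IA "
                      f"after the transition at day {ia}")
    return errors


if __name__ == "__main__":
    for combo in [("STANDARD", "30", "60"), ("STANDARD", "NONE", "NONE"),
                  ("STANDARD_IA", "NONE", "29"), ("STANDARD", "45", "60")]:
        print(combo, validate_lifecycle(*combo) or "OK")
```
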

NetBackup CloudCatalyst storage server properties


The MSDPCLD prefix specifies a deduplication storage property in the Properties
tab of the Change Storage Server dialog box. The following table describes the
properties.

Table 3-14 CloudCatalyst storage server properties

Property Description

MSDPCLD:storagepath Storage Path

MSDPCLD:spalogpath Storage Pool Log Path

MSDPCLD:dbpath Database Path

MSDPCLD:required_interface Required Interface

MSDPCLD:spalogretention Storage Pool Log Retention

MSDPCLD:verboselevel Storage Pool Verbose Level (Range 0 - 5)

MSDPCLD:replication_target(s) Replication Target(s)

MSDPCLD:dedupetocloud Dedupe To Cloud

MSDPCLD:Storage Pool Raw Size Storage Pool Raw Size

MSDPCLD:Storage Pool Reserved Space Storage Pool Reserved Space

MSDPCLD:Storage Pool Size Storage Pool Size

MSDPCLD:Storage Pool Used Space Storage Pool Used Space

MSDPCLD:Storage Pool Available Space Storage Pool Available Space

MSDPCLD:Catalog Logical Size Catalog Logical Size

MSDPCLD:Catalog files Count Catalog files Count

MSDPCLD:Deduplication Ratio Deduplication Ratio

See “NetBackup cloud storage server properties” on page 132.


See “Changing cloud storage server properties” on page 130.

NetBackup cloud storage server encryption properties


The following encryption-specific storage server properties are used by all or most
of the storage vendors. The CRYPT prefix specifies an encryption property. These
values are for display purposes only and cannot be changed.

Table 3-15 Encryption cloud storage server properties

Property Description

CRYPT:KMS_SERVER This read-only field displays the NetBackup server that hosts the
KMS service. When you set the storage server properties, enter
the name of the KMS server host. By default, this field contains
the NetBackup master server name. You cannot change this
value.

Default value: The NetBackup master server name

Possible values: N/A

CRYPT:KMS_VERSION This read-only field displays the NetBackup Key Management
Service version. You cannot change this value.

Default value: 16

Possible values: N/A

CRYPT:LOG_VERBOSE This read-only field displays whether logs are enabled for encryption
activities. The value is either YES for logging or NO for no logging.

Default value: NO

Possible values: YES and NO

CRYPT:VERSION This read-only field displays the encryption version. You cannot
change this value.

Default value: 13107

Possible values: N/A

See “NetBackup cloud storage server properties” on page 132.


See “Changing cloud storage server properties” on page 130.

About cloud storage disk pools


A disk pool represents disk volumes on the underlying disk storage. A disk pool is
the storage destination of a NetBackup storage unit. For cloud storage, you must
specify only one volume for a disk pool.

Disk pool and disk volume names must be unique within your cloud storage
provider's environment.
See “Configuring a disk pool for cloud storage” on page 146.
If a cloud storage disk pool is a storage destination in a storage lifecycle policy,
NetBackup capacity management applies.
See the NetBackup Administrator's Guide, Volume I.

Configuring a disk pool for cloud storage


Use the NetBackup Disk Pool Configuration Wizard to create a disk pool for cloud
storage. If you create encrypted storage and NetBackup KMS is configured, you
must enter a pass phrase for each selected volume that uses encryption. The pass
phrase creates the encryption key for that volume. If you create encrypted storage
and external KMS is configured, you do not need to enter a pass phrase for each
selected volume.
To configure a cloud storage disk pool by using the wizard
1 If the Disk Pool Configuration Wizard was launched from the Storage Server
Configuration Wizard, go to step 5.
Otherwise, in the NetBackup Administration Console, select either
NetBackup Management or Media and Device Management.
2 From the list of wizards in the right pane, click Configure Disk Pool.

3 On the Welcome panel, the types of disk pools that you can configure depend
on the types of storage servers that exist in your environment.
The following is an example of the wizard panel:

Read the information on the welcome panel of the wizard. Then, select the
appropriate storage server type and click Next.
The Storage Server Selection panel appears.

4 On the Storage Server Selection panel, the storage servers that you
configured for the selected storage server type appear.
The following is an example of the wizard panel:

Select the storage server for this disk pool.


After you select the cloud storage server, click Next. The Volume Selection
wizard panel appears.

5 The Volume Selection panel displays the volumes that have been created
already under your account within the vendor's cloud storage.

Note: The following properties do not apply to cloud storage disk pools: Total
available space, Total raw size, Low water mark, and High water mark.
All these values are derived from the storage capacity, which cannot be fetched
from the cloud provider.

The following is an example of the wizard panel:

To add a volume, click Add New Volume. A dialog box appears that contains
the information that is required for a volume for your cloud vendor. In that dialog
box, enter the required information. Use the following link to find the information
about the requirements for the volume names.

See “About the cloud storage vendors for NetBackup” on page 17.
To select a volume, click the check box for the volume. You can select one
volume only.
After you select the volume for the disk pool, click Next. The behavior of the
wizard depends on whether you configured encryption for the storage server,
as follows:

No encryption If you selected a volume on a storage destination that does not
require encryption, the Additional Disk Pool Information panel
appears.

Go to the next step, step 6.

Encryption If you selected a volume on a storage destination that requires
encryption and NetBackup KMS is already configured, a Settings
dialog box appears in which you must enter an encryption pass
phrase. The pass phrase is for the key group key for this storage
volume and storage server combination.

If you have selected a volume on a storage destination that
requires encryption and external KMS is configured for the storage
server, you do not need to provide an encryption pass phrase.
With an external KMS, the Disk Pool Configuration Wizard does not
create encryption keys when it configures the disk pool. You need
to ensure that a key with a custom attribute whose value is the key
group name already exists on the external KMS server.

See “About NetBackup KMS for encryption of NetBackup cloud
storage” on page 117.

See “About external KMS for encryption of NetBackup cloud
storage” on page 119.

After you enter a pass phrase and then click OK in the Settings
dialog box, the dialog box closes. Click Next in the Volume
Selection wizard panel to continue to the Additional Disk Pool
Information wizard panel.

Continue to the next step, step 6.



6 On the Additional Disk Pool Information panel, enter or select the properties
for this disk pool.
The following is an example of the wizard panel:

See “Cloud storage disk pool properties” on page 166.


After you enter the additional disk pool information, click Next. The Summary
panel appears.

7 On the Summary panel, verify the selections.


If the summary shows your selections accurately, click Next.
It is recommended that you save the KMS key group name and the KMS key
name. They are required to recover the keys.
See “Saving a record of the KMS key names for NetBackup cloud storage
encryption” on page 155.

8 After NetBackup creates the disk pool, a wizard panel describes the successful
action.
The following is an example of the wizard panel:

After NetBackup creates the disk pool, you can do the following:

Configure a storage unit Ensure that Create a storage unit using the disk pool that
you have just created is selected and then click Next. The
Storage Unit Creation wizard panel appears. Continue to
the next step.

Exit Click Close.

You can configure one or more storage units later.

See “Configuring a storage unit for cloud storage” on page 157.



9 On the Storage Unit Creation wizard panel, enter the appropriate information for
the storage unit.
The following is an example of the wizard panel:

See “Cloud storage unit properties” on page 158.


After you enter or select the information for the storage unit, click Next to create
the storage unit.
You can use storage unit properties to control your backup traffic.
See “Configure a favorable client-to-server ratio” on page 160.
See “Control backup traffic to the media servers” on page 161.
10 After NetBackup configures the storage unit, the Finished panel appears. Click
Finish to exit from the wizard.

Saving a record of the KMS key names for NetBackup cloud storage encryption
It is recommended that you save a record of the encryption key names and tags.
The key tag is necessary if you need to recover or recreate the keys.

Saving a record of the NetBackup KMS server key names


Use the following procedure to save a record of the key names if NetBackup KMS
server is configured when you enable the encryption setting during storage server
configuration for cloud storage.
See “About data encryption for cloud storage” on page 116.
To save a record of the key names
1 To determine the key group names, use the following command on the master
server:
UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkgs
Windows: install_path\Program Files\Veritas\NetBackup\bin\admincmd\[Link] -listkgs

The following is example output:

Key Group Name : [Link]:symc_backups_gold
Supported Cypher : AES_256
Number of Keys : 1
Has Active Key : Yes
Creation Time : Tues Oct 01 [Link] 2013
Last Modification Time: Tues Oct 01 [Link] 2013
Description : [Link]:symc_backups_gold

2 For each key group, write all of the keys that belong to the group to a file. Run
the command on the master server. The following is the command syntax:
UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname key_group_name > [Link]

Windows: install_path\Program Files\Veritas\NetBackup\bin\admincmd\[Link] -listkeys -kgname key_group_name > [Link]

The following is example output:


[Link] -listkeys -kgname [Link]:symc_backups_gold
> encrypt_keys_CloudVendor.com_symc_backups_gold.txt

Key Group Name : [Link]:symc_backups_gold
Supported Cypher : AES_256
Number of Keys : 1
Has Active Key : Yes
Creation Time : Tues Jan 01 [Link] 2013
Last Modification Time: Tues Jan 01 [Link] 2013
Description : Key group to protect cloud volume
FIPS Approved Key : Yes

Key Tag : 532cf41cc8b3513a13c1c26b5128731e
5ca0b9b01e0689cc38ac2b7596bbae3c
Key Name : Encrypt_Key_April
Current State : Active
Creation Time : Tues Jan 01 [Link] 2013
Last Modification Time: Tues Jan 01 [Link] 2013
Description : -

Number of Keys: 1

3 Include in the file the pass phrase that you used to create the key record.
4 Store the file in a secure location.
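Before the key record is filed away, it is worth confirming that it is complete, because a truncated key tag cannot be used to recreate a key. The following Python sketch is an added example, not part of NetBackup; it parses text in the layout of the -listkeys example output above, checks it, and writes a summary readable by its owner only. The sample values are constructed, the function names are hypothetical, and the 64-character tag length is an assumption taken from the example output.

```python
import os
import re

# Constructed sample in the layout of the -listkeys example output; names and
# tags are made up. The first tag wraps onto a second line.
SAMPLE_LISTKEYS = """\
Key Group Name        : example.invalid:volume_gold
Supported Cypher      : AES_256
Number of Keys        : 2
Has Active Key        : Yes
Description           : Key group to protect cloud volume

     Key Tag               : 00112233445566778899aabbccddeeff
                             ffeeddccbbaa99887766554433221100
     Key Name              : Encrypt_Key_A
     Current State         : Active
     Creation Time         : Tues Jan 01 01:00:00 2013
     Description           : -

     Key Tag               : 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
     Key Name              : Encrypt_Key_B
     Current State         : Inactive
     Creation Time         : Tues Jan 01 01:00:00 2013
     Description           : -

Number of Keys: 2
"""

HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
TAG_HEX_LEN = 64  # assumption: length of the joined tag in the guide's example


def parse_listkeys(text):
    """Return (group_fields, [key_fields, ...]) parsed from -listkeys style text."""
    group, keys = {}, []
    current, last_field = group, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if last_field == "Key Tag" and HEX_ONLY.match(line):
            current["Key Tag"] += line          # continuation of a wrapped tag
            continue
        field, sep, value = line.partition(":")  # values may contain ':' themselves
        if not sep:
            last_field = None
            continue
        field, value = field.strip(), value.strip()
        if field == "Key Tag":                   # a tag line starts a new key entry
            current = {}
            keys.append(current)
        elif field == "Number of Keys" and keys:
            last_field = None                    # trailing summary line, not a key field
            continue
        current[field] = value
        last_field = field
    return group, keys


def check_record(group, keys):
    """Return a list of reasons the record is not safe to rely on for recovery."""
    problems = []
    if group.get("Number of Keys") != str(len(keys)):
        problems.append(f"group reports {group.get('Number of Keys')} keys, parsed {len(keys)}")
    for key in keys:
        name = key.get("Key Name") or "<unnamed>"
        tag = key.get("Key Tag", "")
        if len(tag) != TAG_HEX_LEN or not HEX_ONLY.match(tag):
            problems.append(f"{name}: key tag is not {TAG_HEX_LEN} hex characters")
    if keys and not any(k.get("Current State") == "Active" for k in keys):
        problems.append("no key is in the Active state")
    return problems


def format_record(group, keys):
    """Render the fields needed to recover or recreate the keys."""
    lines = [f"key group: {group.get('Key Group Name', '?')}"]
    for key in keys:
        lines.append(f"key name: {key.get('Key Name', '?')}  "
                     f"state: {key.get('Current State', '?')}  tag: {key.get('Key Tag', '?')}")
    return "\n".join(lines) + "\n"


def write_record(path, text):
    """Create the file with owner-only permissions (POSIX); refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(text)


if __name__ == "__main__":
    grp, key_list = parse_listkeys(SAMPLE_LISTKEYS)
    print(check_record(grp, key_list) or format_record(grp, key_list))
```
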

Saving a record of the external KMS server key names


Refer to your KMS server documentation for key recovery steps.

Adding backup media servers to your cloud environment
You can add additional media servers to your cloud environment. Additional media
servers can help improve backup performance. Such servers are known as data
movers. The media servers that you add are assigned the credentials for the storage
server. The credentials allow the data movers to communicate with the storage
server.
A NetBackup media server must conform to the requirements for cloud storage.
See “About the NetBackup media servers for cloud storage” on page 122.
To add backup media servers to your cloud environment
1 In the NetBackup Administration Console, expand Media and Device
Management > Credentials > Storage Servers.
2 Select the cloud storage server.
3 From the Edit menu, select Change.
4 In the Change Storage Server dialog box, select the Media Servers tab.
5 Select the media server or servers that you want to enable for cloud backup.
The media servers that you select are configured as cloud servers.
6 Click OK.
7 Modify disk pools, storage units, and policies as desired.

Configuring a storage unit for cloud storage


Create one or more storage units that reference the disk pool.
The Disk Pool Configuration Wizard lets you create a storage unit; therefore, you
may have created a storage unit when you created a disk pool. To determine if
storage units exist for the disk pool, see the NetBackup Management > Storage
> Storage Units window of the Administration Console.
A storage unit inherits the properties of the disk pool. If the storage unit inherits
replication properties, the properties signal to a NetBackup storage lifecycle policy
the intended purpose of the storage unit and the disk pool. Auto Image Replication
requires storage lifecycle policies.
You can use storage unit properties to control your backup traffic.
See “Configure a favorable client-to-server ratio” on page 160.
See “Control backup traffic to the media servers” on page 161.

To configure a storage unit from the Actions menu


1 In the NetBackup Administration Console, expand NetBackup Management
> Storage > Storage Units.
2 On the Actions menu, select New > Storage Unit.

3 Complete the fields in the New Storage Unit dialog box.


See “Cloud storage unit properties” on page 158.

Cloud storage unit properties


The following are the configuration options for a cloud disk pool storage unit.

Table 3-16 Cloud storage unit properties

Property Description

Storage unit name A unique name for the new storage unit. The name can describe the
type of storage. The storage unit name is the name used to specify a
storage unit for policies and schedules. The storage unit name cannot
be changed after creation.
Storage unit type Select Disk as the storage unit type.

Disk type Select Cloud Storage (type) for the disk type. type represents the disk
pool type, based on storage vendor, encryption, and so on.

Disk pool Select the disk pool that contains the storage for this storage unit.

All disk pools of the specified Disk type appear in the Disk pool list.
If no disk pools are configured, no disk pools appear in the list.

Media server The Media server setting specifies the NetBackup media servers that
can back up clients and move the data to the cloud storage server. The
media servers can also move the data for restore or duplication
operations.
Specify the media server or servers as follows:

■ To allow any server in the media server list to deduplicate data,
select Use any available media server.
■ To use specific media servers to deduplicate the data, select Only
use the following media servers. Then, select the media servers
to allow.

NetBackup selects the media server to use when the policy runs.

Maximum concurrent jobs The Maximum concurrent jobs setting specifies the maximum number
of jobs that NetBackup can send to a disk storage unit at one time.
(Default: one job. The job count can range from 0 to 256.) This setting
corresponds to the Maximum concurrent write drives setting for a Media
Manager storage unit.

NetBackup queues jobs until the storage unit is available. If three backup
jobs are scheduled and Maximum concurrent jobs is set to two,
NetBackup starts the first two jobs and queues the third job. If a job
contains multiple copies, each copy applies toward the Maximum
concurrent jobs count.

Maximum concurrent jobs controls the traffic for backup and
duplication jobs but not restore jobs. The count applies to all servers
in the storage unit, not per server. If you select multiple media servers
in the storage unit and 1 for Maximum concurrent jobs, only one job
runs at a time.

The number to enter depends on the available disk space and the
server's ability to run multiple backup processes.

Warning: A Maximum concurrent jobs setting of 0 disables the
storage unit.
Maximum fragment size For normal backups, NetBackup breaks each backup image into
fragments so it does not exceed the maximum file size that the file
system allows. You can enter a value from 20 MBs to 51200 MBs.

For a FlashBackup policy, it is recommended that you use the default,
maximum fragment size to ensure optimal duplication performance.

Configure a favorable client-to-server ratio


You can use storage unit settings to configure a favorable client-to-server ratio.
You can use one disk pool and configure multiple storage units to separate your
backup traffic. Because all storage units use the same disk pool, you do not have
to partition the storage.
For example, assume that you have 100 important clients, 500 regular clients, and
four media servers. You can use two media servers to back up your most important
clients and two media servers to back up your regular clients.
The following example describes how to configure a favorable client-to-server ratio:
■ Configure the media servers for NetBackup deduplication and configure the
storage.
■ Configure a disk pool.
■ Configure a storage unit for your most important clients (such as STU-GOLD).
Select the disk pool. Select Only use the following media servers. Select two
media servers to use for your important backups.
■ Create a backup policy for the 100 important clients and select the STU-GOLD
storage unit. The media servers that are specified in the storage unit move the
client data to the deduplication storage server.
■ Configure another storage unit (such as STU-SILVER). Select the same disk
pool. Select Only use the following media servers. Select the other two media
servers.
■ Configure a backup policy for the 500 regular clients and select the STU-SILVER
storage unit. The media servers that are specified in the storage unit move the
client data to the deduplication storage server.
The storage unit settings route backup traffic to the intended data movers.

Note: NetBackup uses storage units for media server selection for write activity
(backups and duplications) only. For restores, NetBackup chooses among all media
servers that can access the disk pool.

Control backup traffic to the media servers


On disk pool storage units, you can use the Maximum concurrent jobs settings
to control the backup traffic to the media servers. Effectively, this setting directs
higher loads to specific media servers when you use multiple storage units for the
same disk pool. A higher number of concurrent jobs means that the disk can be
busier than if the number is lower.
For example, two storage units use the same set of media servers. One of the
storage units (STU-GOLD) has a higher Maximum concurrent jobs setting than
the other (STU-SILVER). More client backups occur for the storage unit with the
higher Maximum concurrent jobs setting.

About NetBackup Accelerator and NetBackup Optimized Synthetic backups
NetBackup Cloud Storage supports NetBackup Accelerator and NetBackup
Optimized Synthetics. Encryption, metering, and throttling are functional and
supported when you enable NetBackup Accelerator or NetBackup Optimized
Synthetic backups. You enable both NetBackup Accelerator and NetBackup
Optimized Synthetic backups in the same way as non-Cloud backups. More
information about NetBackup Accelerator and NetBackup Optimized Synthetic
backups is available.
■ See the NetBackup Deduplication Guide.
■ See the NetBackup Administrator's Guide, Volume I

Enabling NetBackup Accelerator with cloud storage
Use the following procedure to enable NetBackup Accelerator for use with
NetBackup cloud storage.

Enabling Accelerator for use with NetBackup cloud storage


1 In the NetBackup Administration Console, select NetBackup Management >
Policies > policy_name. Select Edit > Change, and select the Attributes
tab.
2 Select Use accelerator.
3 Confirm the Policy storage option is a valid Cloud storage unit.
The storage unit that is specified under Policy storage must be one of the
supported Cloud vendors. You can’t set Policy storage to Any Available.

Figure 3-4 Enable Accelerator

Determining if NetBackup Accelerator was used during a backup operation


1 In the NetBackup Administration Console, select Activity Monitor. Double
click the backup that you want to check.
2 Click the Detailed Status tab.
3 Review the status for accelerator enabled. This text indicates the backup
used NetBackup Accelerator.

Figure 3-5 Confirm Accelerator used during backup

Enabling optimized synthetic backups with cloud storage
Optimized Synthetic backups require three backup schedules. You must have a
Full backup, an Incremental backup, and a Full Backup with Synthetic backup
enabled. You can use either a Differential incremental or a Cumulative incremental
for the incremental backup. You must then perform a full backup, then at least one
incremental backup, and finally a full backup with synthetic enabled. The final backup
is the optimized synthetic backup.

Note: In the case of Hitachi cloud configuration, the True Image Restore (TIR) or
synthetic backups do not work if you have enabled the encryption option. To
successfully run the TIR or synthetic backups, you need to enable the versioning
option for buckets (or namespaces) through the Hitachi cloud portal. For more
details on how to enable the versioning option, contact the Hitachi cloud provider.

Enabling Optimized Synthetic backups for use with NetBackup Cloud Storage
1 In the NetBackup Administration Console, select NetBackup Management >
Policies > policy_name. Select Edit > Change, and select the Attributes
tab.
2 Select Collect true image restore information and with move detection.
3 Confirm the Policy storage option is a valid Cloud storage unit.
The storage unit that is specified under Policy storage must be one of the
supported Cloud vendors. You can’t set Policy storage to Any Available.

Figure 3-6 Enable Optimized Synthetic backups

Determining if a backup was an Optimized Synthetic backup


1 In the NetBackup Administration Console, select Activity Monitor. Double
click the backup that you want to check.
2 Click the Detailed Status tab.
3 Review the status for Performing Optimized Synthetic Operation. This text
indicates the backup was an Optimized Synthetic backup.

Figure 3-7 Confirm backup was Optimized Synthetic

Creating a backup policy


Use the following procedure to create a backup policy.
To create a policy
1 In the NetBackup Administration Console, expand NetBackup Management
> Policies.
2 Select Actions > New > Policy.
3 Type a unique name for the policy.

4 Clear the Use Policy Configuration Wizard and click OK.


5 Configure the attributes, the schedules, the clients, and the backup selections
for the new policy.

Changing cloud storage disk pool properties


You can change some of the properties of a disk pool.

To change disk pool properties


1 In the NetBackup Administration Console, expand Media and Device
Management > Devices > Disk Pools.
2 Select the disk pool that you want to change in the details pane.
3 On the Edit menu, select Change.

4 Change the properties as necessary.


See “Cloud storage disk pool properties” on page 166.
5 Click OK.

Cloud storage disk pool properties


The properties of a disk pool may vary depending on the purpose of the disk pool.

Note: The following properties do not apply to cloud storage disk pools: Total
available space, Total raw size, Usable Size, Low water mark, and High water
mark.
All these values are derived from the storage capacity, which cannot be fetched
from the cloud provider.

The following table describes the possible properties:

Table 3-17 Cloud storage disk pool properties

Property Description

Name The disk pool name.

Storage servers The storage server name.

Disk volumes The disk volume that comprises the disk pool.

Total raw size The total raw, unformatted size of the storage in the disk pool.

The storage host may or may not expose the raw size of the
storage.
Note: Total raw size does not apply to cloud storage disk
pools.

Total available space The total amount of space available in the disk pool.
Note: Total available space does not apply to cloud
storage disk pools.

Comments A comment that is associated with the disk pool.

High water mark The High water mark is a threshold at which the volume or
the disk pool is considered full.
Note: High water mark does not apply to cloud storage
disk pools.

Low water mark The Low water mark is a threshold at which NetBackup
stops image cleanup.

Low water mark does not apply to cloud storage disk pools.
Limit I/O streams Select to limit the number of read and write streams (that is,
jobs) for each volume in the disk pool. A job may read backup
images or write backup images. By default, there is no limit.

When the limit is reached, NetBackup chooses another
volume for write operations, if available. If not available,
NetBackup queues jobs until a volume is available.

Too many streams may degrade performance because of
disk thrashing. Disk thrashing is excessive swapping of data
between RAM and a hard disk drive. Fewer streams can
improve throughput, which may increase the number of jobs
that complete in a specific time period.

A starting point is to divide the Maximum concurrent jobs
of all of the storage units by the number of volumes in the
disk pool.

per volume Select or enter the number of read and write streams to allow
per volume.

Many factors affect the optimal number of streams. Factors
include but are not limited to disk speed, CPU speed, and
the amount of memory.

For the disk pools that are configured for Snapshot and that
have a Replication source property:

■ Always use increments of 2 when you change this setting.
A single replication job uses two I/O streams.
■ If more replication jobs exist than streams are available,
NetBackup queues the jobs until streams are available.
■ Batching can cause many replications to occur within a
single NetBackup job. Another setting affects snapshot
replication job batching.

Certificate validation against Certificate Revocation List (CRL)
For all the cloud providers, NetBackup provides a capability to verify the SSL
certificates against the CRL (Certificate Revocation List). If SSL is enabled and the
CRL option is enabled, each non-self-signed SSL certificate is verified against the
CRL. If the certificate is revoked, NetBackup does not connect to the cloud provider.
You can enable validation against CRL using one of the following ways:

■ csconfig CLI: The crl parameter is added with the SSL parameters. The option is
available when you add or update the storage server. The CRL value can be changed
only through the csconfig CLI before creating an alias.
■ Storage server properties dialog: Update the USE_CRL property from the storage
server properties dialog. From the GUI, you can only disable the CRL option
after configuration.
See “NetBackup cloud storage server connection properties” on page 136.
■ You can also use the nbdevconfig CLI with the getconfig and setconfig options
to enable or disable verification against CRL.

Note: Post upgrade, for the cloud and cloud catalyst storage servers with SSL
enabled, the CRL validation is enabled by default.

Requirements for enabling certificate validation against Certificate Revocation List (CRL)
■ CRL distribution endpoints use HTTP. Therefore, turn off any firewall rule that
blocks HTTP (port 80) connections to the external network. For example,
[Link]
■ The CRL download URL is dynamically fetched from the certificate. Therefore,
disable any firewall rule that blocks unknown URLs.
■ Typically, CRL URLs (distribution endpoints) support IPv4. For IPv6
environments, disable the CRL option.
■ Private clouds typically have a self-signed certificate. Thus, for private clouds,
the CRL check is not required. The check is skipped even if the CRL option is enabled.
■ A CRL distribution point must be present in the X.509 certificate. The type of
distribution point must be http.

Managing Certification Authorities (CA) for NetBackup Cloud
NetBackup cloud supports only X.509 certificates in .PEM (Privacy-enhanced
Electronic Mail) format.
You can find the details of the Certification Authorities (CAs) in the [Link]
bundle at the following location:
■ Windows:
install_path\Veritas\NetBackup\var\global\wmc\cloud\[Link]

On media server versions 7.7.x to 8.1.2, the path is
install_path\Veritas\NetBackup\db\cloud\[Link].

■ UNIX: /usr/openv/var/global/wmc/cloud/[Link]
On media server versions 7.7.x to 8.1.2, the path is
/usr/openv/netbackup/db/cloud/[Link].

Note: In a cluster deployment, NetBackup database path points to the shared disk,
which is accessible from the active node.

You can add or remove a CA from the [Link] bundle.


After you complete the changes, when you upgrade to a new version of NetBackup,
the [Link] bundle is overwritten by the new bundle. All the entries that you
may have added or removed are lost. As a best practice, keep a local copy of the
edited [Link] file. You can use the local copy to override the upgraded file
and restore your changes.
To add a CA
You must get a CA certificate from the required cloud provider and update it in the
[Link] file. The certificate must be in .PEM format.
1 Open the [Link] file.
2 Append the self-signed CA certificate on a new line and at the beginning or
the end of the [Link] file.
Add the following information block:
Certificate Authority Name
==========================
-----BEGIN CERTIFICATE-----
<Certificate content>
-----END CERTIFICATE-----

3 Save the file.


To remove a CA
Before you remove a CA from the [Link] file, ensure that none of the cloud
jobs are using the related certificate.

1 Open the [Link] file.


2 Remove the required CA. Remove the following information block:
Certificate Authority Name
==========================
-----BEGIN CERTIFICATE-----
<Certificate content>
-----END CERTIFICATE-----

3 Save the file.
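
The add and remove procedures above, and the advice to keep a local copy because an upgrade overwrites the bundle, can be scripted as follows. This is an added example, not Veritas code: the function names and the sample bundle (placeholder bytes rather than real certificates) are assumptions. It goes one step beyond the text by listing which of your CAs an upgraded bundle no longer contains.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_bundle(text):
    """Return [(name, der_bytes), ...] for every certificate in the bundle.

    name is the label line above the '=====' underline (None if absent).
    """
    entries, label = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue                       # blank line or underline
        if line != BEGIN:
            label = line                   # last text line before a block
            continue
        body = []
        for raw in lines:                  # consume up to the END marker
            if raw.strip() == END:
                break
            body.append(raw.strip())
        else:
            raise ValueError("no END line for entry %r" % label)
        # validate=True rejects anything that is not base64
        der = base64.b64decode("".join(body), validate=True)
        if not der:
            raise ValueError("empty certificate body for entry %r" % label)
        entries.append((label, der))
        label = None
    return entries


def pem_block(der):
    """Encode bytes as a PEM certificate block with 64-character rows."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + rows + [END]) + "\n"


def add_ca(bundle_text, name, pem_text):
    """Append one CA at the end of the bundle in the guide's block layout."""
    found = parse_bundle(pem_text)
    if len(found) != 1:
        raise ValueError("expected one PEM certificate, found %d" % len(found))
    der = found[0][1]
    for old_name, old_der in parse_bundle(bundle_text):
        if old_name == name or old_der == der:
            raise ValueError("already in bundle as %r" % old_name)
    block = "%s\n%s\n%s" % (name, "=" * len(name), pem_block(der))
    return bundle_text.rstrip("\n") + "\n\n" + block


def remove_ca(bundle_text, name):
    """Remove the label, underline and PEM block of the named CA."""
    lines = bundle_text.splitlines()
    for i, raw in enumerate(lines):
        if raw.strip() != name:
            continue
        rest = [l.strip() for l in lines[i + 1:]]
        significant = [l for l in rest if l and set(l) != {"="}]
        # Only treat the line as a label if a certificate block follows it.
        if significant and significant[0] == BEGIN and END in rest:
            end = i + 1 + rest.index(END)
            kept = lines[:i] + lines[end + 1:]
            return "\n".join(kept).strip("\n") + "\n"
    raise KeyError(name)


def lost_after_upgrade(local_copy, upgraded):
    """Names of CAs in the kept local copy that the upgraded bundle lacks."""
    shipped = {der for _, der in parse_bundle(upgraded)}
    return [n for n, der in parse_bundle(local_copy) if der not in shipped]


# Constructed sample data: placeholder bytes, not real X.509 certificates.
SAMPLE_BUNDLE = (
    "Example Root CA 1\n=================\n" + pem_block(b"constructed-root-1" * 8)
    + "\nExample Root CA 2\n=================\n" + pem_block(b"constructed-root-2" * 8)
)
NEW_CA_PEM = pem_block(b"constructed-private-cloud-ca" * 8)

if __name__ == "__main__":
    edited = add_ca(SAMPLE_BUNDLE, "Private Cloud CA", NEW_CA_PEM)
    print(edited)
    print("Missing from the upgraded bundle:",
          lost_after_upgrade(edited, SAMPLE_BUNDLE))
```

The parser checks only the PEM framing and the base64 body, so a block pasted with typographic dashes instead of five ASCII hyphens is rejected rather than written into the bundle.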

List of CAs approved by NetBackup


■ AddTrust External Root
■ Baltimore CyberTrust Root
■ Cybertrust Global Root
■ DigiCert Assured ID Root CA
■ DigiCert Assured ID Root G2
■ DigiCert Assured ID Root G3
■ DigiCert Global CA G2
■ DigiCert Global Root CA
■ DigiCert Global Root G2
■ DigiCert Global Root G3
■ DigiCert High Assurance EV Root CA
■ DigiCert Trusted Root G4
■ D-Trust Root Class 3 CA 2 2009
■ GeoTrust Global CA
■ GeoTrust Primary Certification Authority
■ GeoTrust Primary Certification Authority - G2
■ GeoTrust Primary Certification Authority - G3
■ GeoTrust Universal CA
■ GeoTrust Universal CA 2
■ RSA Security 2048 v3

■ Starfield Services Root Certificate Authority - G2


■ Thawte Primary Root CA
■ Thawte Primary Root CA - G2
■ Thawte Primary Root CA - G3
■ VeriSign Class 1 Public Primary Certification Authority - G3
■ VeriSign Class 2 Public Primary Certification Authority - G3
■ Verisign Class 3 Public Primary Certification Authority - G3
■ VeriSign Class 3 Public Primary Certification Authority - G4
■ VeriSign Class 3 Public Primary Certification Authority - G5
■ VeriSign Universal Root Certification Authority
Chapter 4
Monitoring and Reporting
This chapter includes the following topics:

■ About monitoring and reporting for cloud backups

■ Viewing cloud storage job details

■ Viewing the compression ratio

■ Viewing NetBackup cloud storage disk reports

■ Displaying KMS key information for cloud storage encryption

About monitoring and reporting for cloud backups


Veritas provides several methods to monitor and report NetBackup cloud storage
and cloud storage activity, as follows:

NetBackup OpsCenter
The NetBackup OpsCenter provides the most detailed reports of
NetBackup cloud storage activity. See the NetBackup OpsCenter
Administrator’s Guide.

If OpsCenter cannot connect to the media server, it cannot obtain
the necessary data for reporting. Therefore, ensure that the
following services are up and running on all the media servers
that are configured for cloud storage:

■ NetBackup CloudStore Service Container (nbcssc) (on media
server versions 7.7.x to 8.1.2 only)
■ NetBackup Service Layer (nbsl) service

Note: Where Amazon is the cloud service provider, OpsCenter
cannot report on the data that MSDP cloud storage servers upload
to the cloud.

See “Connection to the NetBackup CloudStore Service Container
fails” on page 198.

The NetBackup Administration Console Disk Pools window
The Disk Pools window displays the values that were stored
when NetBackup polled the disk pools. NetBackup polls the disk
pools every five minutes.

To display the window, in the NetBackup Administration
Console, in the left pane, select Media and Device Management
> Devices > Disk Pools.

Note: The information that is displayed for Used Capacity and
Available Space is inaccurate in the NetBackup Administration
Console. Even if there is data in the disk pool, the value that is
displayed for Used Capacity is zero. The value for Available
Space displays the maximum amount. You must review the
information on the provider website for accurate use information.

Note: The information that is displayed for Used Capacity and
Available Space for Amazon is inaccurate in the NetBackup
Administration Console. The values are found under Media and
Device Management > Devices > Disk Pool. Even if there is
information in the disk pool, the value that is displayed for Used
Capacity is zero. The value for Available Space displays the
maximum amount. You must review the information on the
provider website for accurate use information.

NetBackup disk reports
See “Viewing NetBackup cloud storage disk reports” on page 176.

Viewing cloud storage job details


Use the NetBackup Activity Monitor to view job details.

To view cloud storage job details


1 In the NetBackup Administration Console, click Activity Monitor.
2 Click the Jobs tab.
3 To view the details for a specific job, double-click on the job that is displayed
in the Jobs tab pane.
4 In the Job Details dialog box, click the Detailed Status tab.

Viewing the compression ratio


The bptm logs provide information about the compression ratio of your data after the
backup is taken in the cloud storage. The compression ratio is calculated by dividing
the original size by the compressed size. For example, if the original data is
15302918144 bytes and is compressed to 7651459072 bytes, then the compression ratio
is 2.00.

To view the compression ratio


1 Note down the bptm PID of the backup job.
See “Viewing cloud storage job details” on page 174.
2 Open the [Link] file. The log file resides in the following directories:

UNIX /usr/openv/netbackup/logs/

Windows install_path\NetBackup\logs\

3 Search for the bptm PID instance.


The following lines provide the compression ratio information according to the
image format:

date:time <PID> <4> 35:bptm:<PID>:
media_server_IP: compress: image image_name_C1_F1
compressed from data in bytes to data in bytes bytes,
compression ratio ratio_value

date:time <PID> <4> 35:bptm:<PID>:
media_server_IP: compress: image image_name_C1_HDR
compressed from data in bytes to data in bytes bytes,
compression ratio ratio_value
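
The search in step 3 can be automated for a given bptm PID. The following is an added example, not part of the guide: the sample log lines are constructed (timestamps, host, image names), and the regular expression assumes that each message is written on one physical line in the shape of the template above.

```python
import re

# Assumed line shape, following the template in the guide:
#   ... bptm:<PID>: <media server>: compress: image <name>
#   compressed from <bytes> to <bytes> bytes, compression ratio <ratio>
COMPRESS_RE = re.compile(
    r"bptm:(?P<pid>\d+):.*?compress: image (?P<image>\S+)\s+"
    r"compressed from (?P<orig>\d+) to (?P<comp>\d+) bytes,\s+"
    r"compression ratio (?P<ratio>\d+(?:\.\d+)?)"
)

# Constructed sample log text; only the byte counts of the first image
# come from the example in the guide.
SAMPLE_LOG = """\
10:15:01.101 [4321] <2> constructed unrelated message
10:42:17.250 [4321] <4> 35:bptm:4321: media1.example.test: compress: image client1_1600000000_C1_F1 compressed from 15302918144 to 7651459072 bytes, compression ratio 2.00
10:42:17.300 [4321] <4> 35:bptm:4321: media1.example.test: compress: image client1_1600000000_C1_HDR compressed from 3072 to 1024 bytes, compression ratio 3.00
10:50:02.007 [9876] <4> 35:bptm:9876: media1.example.test: compress: image client2_1600000500_C1_F1 compressed from 4096 to 4096 bytes, compression ratio 1.00
"""


def compression_records(log_text, pid):
    """Return one record per 'compress: image' line written by bptm PID pid."""
    records = []
    for line in log_text.splitlines():
        m = COMPRESS_RE.search(line)
        if m is None or int(m.group("pid")) != pid:
            continue
        orig, comp = int(m.group("orig")), int(m.group("comp"))
        if comp == 0:
            raise ValueError("compressed size is zero for " + m.group("image"))
        computed = orig / comp            # original size / compressed size
        logged = float(m.group("ratio"))
        records.append({
            "image": m.group("image"),
            "original_bytes": orig,
            "compressed_bytes": comp,
            "logged_ratio": logged,
            "computed_ratio": round(computed, 2),
            # The guide's example shows two decimals, so allow for rounding.
            "consistent": abs(computed - logged) <= 0.01,
        })
    return records


def overall_ratio(records):
    """Ratio across all images of the job: total original / total compressed."""
    total_orig = sum(r["original_bytes"] for r in records)
    total_comp = sum(r["compressed_bytes"] for r in records)
    if total_comp == 0:
        raise ValueError("no compression records found")
    return round(total_orig / total_comp, 2)


if __name__ == "__main__":
    recs = compression_records(SAMPLE_LOG, 4321)
    for r in recs:
        print(r["image"], r["computed_ratio"], "ok" if r["consistent"] else "MISMATCH")
    print("overall:", overall_ratio(recs))
```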

Viewing NetBackup cloud storage disk reports


The NetBackup disk reports include information about the disk pools, disk storage
units, disk logs, and images that are stored on disk media.
Table 4-1 describes the disk reports available.

Table 4-1 Disk reports

Report Description

Images on Disk
The Images on Disk report generates the image list present on the disk
storage units that are connected to the media server. The report is a
subset of the Images on Media report; it shows only disk-specific
columns.

The report provides a summary of the storage unit contents. If a disk
becomes bad or if a media server crashes, this report can let you know
what data is lost.

Disk Logs
The Disk Logs report displays the media errors or the informational
messages that are recorded in the NetBackup error catalog. The report
is a subset of the Media Logs report; it shows only disk-specific columns.

Disk Storage Unit Status
The Disk Storage Unit Status report displays the state of disk storage
units in the current NetBackup configuration.

Multiple storage units can point to the same disk pool. When the report
query is by storage unit, the report counts the capacity of disk pool
storage multiple times.

Disk Pool Status
The Disk Pool Status report displays the state of disk pool storage units.
This report displays only when a license is installed that enables a
NetBackup disk feature.

See “About monitoring and reporting for cloud backups” on page 173.
To view disk reports
1 In the NetBackup Administration Console, in the left pane, expand
NetBackup Management > Reports > Disk Reports.
2 Select the name of a disk report.
3 In the right pane, select the report settings.
4 Click Run Report.

Displaying KMS key information for cloud storage encryption
You can use the nbkmsutil command to list the following information about the
key groups and the key records:

Key groups See To display KMS key group information.

Keys See To display KMS key information.

Note: It is recommended that you keep a record of the key information. The key tag that
is listed in the output is necessary if you need to recover keys.

To display KMS key group information


◆ To list all of the key groups, use the nbkmsutil command with the -listkgs option. The
following is the command format:
UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkgs
Windows: install_path\Veritas\NetBackup\bin\admincmd\nbkmsutil -listkgs

The following is example output on UNIX hosted storage. On Windows, the
volume name is not used.

nbkmsutil -listkgs

Key Group Name : [Link]:symc_volume_for_backups
Supported Cypher : AES_256
Number of Keys : 1
Has Active Key : Yes
Creation Time : Tues Jan 01 [Link] 2013
Last Modification Time: Tues Jan 01 [Link] 2013
Description : -

To display KMS key information


◆ To list all of the keys that belong to a key group name, use the nbkmsutil command with
the -listkeys and -kgname options. The following is the command format:
UNIX: /usr/openv/netbackup/bin/admincmd/nbkmsutil -listkeys -kgname
[Link]:AdvDisk_Volume

Windows: install_path\Veritas\NetBackup\bin\admincmd\nbkmsutil
-listkeys -kgname [Link]:

The following is example output on UNIX hosted storage. On Windows, the
volume name is not used.

nbkmsutil -listkeys -kgname [Link]:symc_volume_for_backup

Key Group Name : [Link]:symc_volume_for_backups
Supported Cypher : AES_256
Number of Keys : 1
Has Active Key : Yes
Creation Time : Tues Jan 01 [Link] 2013
Last Modification Time: Tues Jan 01 [Link] 2013
Description : -

Key Tag : 532cf41cc8b3513a13c1c26b5128731e5ca0b9b01e0689cc38ac2b7596bbae3c
Key Name : Encrypt_Key_April
Current State : Active
Creation Time : Tues Jan 01 [Link] 2013
Last Modification Time: Tues Jan 01 [Link] 2013
Description : -
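
To keep the recommended record of key tags, the -listkeys output can be parsed into a structured record and checked for consistency before it is filed. This is an added example, not Veritas code: the function names are hypothetical, the sample output is constructed in the layout shown above (made-up host name and timestamps, key tag taken from the guide's example), and the 64-hex-character tag check is an assumption based on that example.

```python
import json
import re

GROUP_FIELDS = {"Key Group Name", "Supported Cypher", "Number of Keys",
                "Has Active Key", "Creation Time", "Last Modification Time",
                "Description"}
KEY_FIELDS = {"Key Tag", "Key Name", "Current State", "Creation Time",
              "Last Modification Time", "Description"}
KEY_TAG_RE = re.compile(r"[0-9a-f]{64}")   # assumption: tag is 64 hex chars

# Constructed sample output for one key group.
SAMPLE_OUTPUT = """\
Key Group Name        : media1.example.test:symc_volume_for_backups
Supported Cypher      : AES_256
Number of Keys        : 1
Has Active Key        : Yes
Creation Time         : Tues Jan 01 01:00:00 2013
Last Modification Time: Tues Jan 01 01:00:00 2013
Description           : -

  Key Tag               : 532cf41cc8b3513a13c1c26b5128731e5ca0b9b01e0689cc38ac2b7596bbae3c
  Key Name              : Encrypt_Key_April
  Current State         : Active
  Creation Time         : Tues Jan 01 01:00:00 2013
  Last Modification Time: Tues Jan 01 01:00:00 2013
  Description           : -
"""


def parse_listkeys(output):
    """Split the listing into the key group fields and a list of key dicts."""
    group, keys, current = {}, [], None
    for raw in output.splitlines():
        # Split on the first colon only: values such as times and
        # 'server:volume' names contain colons themselves.
        field, sep, value = raw.partition(":")
        if not sep:
            continue
        field, value = field.strip(), value.strip()
        if field == "Key Tag":             # a Key Tag line starts a key record
            current = {}
            keys.append(current)
        if current is None and field in GROUP_FIELDS:
            group[field] = value
        elif current is not None and field in KEY_FIELDS:
            current[field] = value
    return group, keys


def key_records(output):
    """Build the records to keep; raise if the listing is inconsistent."""
    group, keys = parse_listkeys(output)
    if "Key Group Name" not in group:
        raise ValueError("no key group found in output")
    if int(group.get("Number of Keys", len(keys))) != len(keys):
        raise ValueError("Number of Keys does not match the keys listed")
    records = []
    for key in keys:
        tag = key.get("Key Tag", "")
        if not KEY_TAG_RE.fullmatch(tag):
            raise ValueError("unexpected key tag format: %r" % tag)
        records.append({"key_group": group["Key Group Name"],
                        "key_name": key.get("Key Name"),
                        "key_tag": tag,
                        "state": key.get("Current State")})
    has_active = any(r["state"] == "Active" for r in records)
    if (group.get("Has Active Key") == "Yes") != has_active:
        raise ValueError("Has Active Key disagrees with the key states")
    return records


if __name__ == "__main__":
    print(json.dumps(key_records(SAMPLE_OUTPUT), indent=2))
```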

You can also use the nbkmscmd command to list the keys from NetBackup KMS
and an external KMS server. Ensure that a symmetric encryption key
already exists in the external KMS server with a custom attribute whose value is the key
group in the 'storage_server_name:volume_name' format.
To display the key information for NetBackup KMS and external KMS
1 Run the following command to retrieve the KMS server configuration names.
nbkmscmd -listkmsconfig

2 Run the following command to retrieve key information for a key group from
the KMS server.
nbkmscmd -listkeys -name KMS_server_name -keyGroupName
key_group_name -jsonRaw
Chapter 5
Operational notes
This chapter includes the following topics:

■ NetBackup bpstsinfo command operational notes

■ Unable to configure additional media servers

■ Cloud configuration may fail if NetBackup Access Control is enabled

■ Deleting cloud storage server artifacts

■ Using csconfig reinitialize to load updated cloud configuration settings

■ Enabling or disabling communication between master server and legacy cloud
storage media servers

NetBackup bpstsinfo command operational notes


The following table describes operational notes for the bpstsinfo command with
NetBackup cloud storage.

Table 5-1 bpstsinfo command operational notes

Note Description

Use either the -stype option or the -storageserverprefix
Use either the -stype option or the -storageserverprefix option to constrain
the bpstsinfo command to list storage server information. If you do not, the
command searches all providers, which may be time consuming and may result
in a timeout.

Specify the correct -stype
The plug-in that requests the information affects the information that is returned.
Therefore, use the correct -stype with the bpstsinfo command. To determine
the -stype, use the following command:

nbdevquery -liststs -storage_server fq_host_name

If the storage is encrypted, the -stype includes an _crypt suffix.

Encrypted and non-encrypted storage units are displayed in bpstsinfo command output
When you use the bpstsinfo command to display the encrypted logical storage
unit (LSU) information, the output shows both encrypted and non-encrypted LSUs
if both types exist. That output is the expected result. The bpstsinfo command
operates on the level of the storage plug-in, which is not aware of any higher-level
detail, such as encryption.

The following is an example of a command that specifies encrypted storage:

bpstsinfo -lsuinfo -storage_server [Link] -stype amazon_crypt

Unable to configure additional media servers


If you attempt to run the Cloud Storage Server Configuration Wizard on a second
media server that uses the same master server as the first media server, the
operation fails. An illegal duplication error similar to the following appears:

Your only options in the wizard are to click Cancel or Back. If you click Back, there
are no configuration changes that allow the wizard to continue.
You must use the correct procedure if you want multiple media servers in your cloud
environment. More information is available in a different topic.
See “To add backup media servers to your cloud environment” on page 157.

Cloud configuration may fail if NetBackup Access Control is enabled
If you attempt to configure a cloud storage server in an environment that uses
NetBackup Access Control, you may receive an error message similar to the
following:
Error creating Key Group and Keys cannot connect on socket

NetBackup generates this error message because the user does not have sufficient
rights within NetBackup Access Control. The user account that configures the cloud
storage server must be a member of the NBU_KMS Admin Group.
See the NetBackup Security and Encryption Guide for more information about
NetBackup Access Control and account setup:

Deleting cloud storage server artifacts


If you incorrectly remove a storage server, configuration files are left orphaned on
the computer. Attempts to create a new storage server fail with an error message
that indicates a logon failure. Use the following procedure to correctly delete a
storage server:
Deleting a storage server
1 Expire all images on the storage server.
2 Delete the storage unit.
3 Delete the disk pool.
4 Delete the storage server.
5 Delete the .pref files from the db/cloud directory.

Using csconfig reinitialize to load updated cloud configuration settings
You might update your NetBackup cloud storage configuration settings, typically
when you have upgraded the NetBackup master server or have downloaded a
newer version of the NetBackup Cloud configuration package ([Link]
configuration file). When you install the updated package or make updates to your
existing cloud storage configuration settings, then depending on the NetBackup
release version, you are required to restart the NetBackup CloudStore Service
Container (nbcssc) or the NetBackup Web Management Console (nbwmc) service
for the configuration changes to take effect.
Sometimes, the nbcssc or nbwmc service might hang and a service restart might
fail. This happens either due to an invalid [Link] file or due to a
version mismatch between the xml file and the configured CloudStore version. A
service restart failure can eventually lead to a failure in the NetBackup backup jobs.
Starting with NetBackup 8.2 release, you can use the csconfig utility to reload the
updated cloud configuration settings without the need to restart any service.
After making the configuration updates, run the following command on the
NetBackup master or media server:
On UNIX, run the following command from the
/usr/openv/netbackup/bin/admincmd/ directory:

# sudo ./csconfig reinitialize

On Windows, run the following command from the
<install_path>\NetBackup\bin\admincmd\ directory:

csconfig reinitialize

When you run the csconfig reinitialize command option, the nbwmc service reloads
the configuration settings from the [Link], [Link], and
[Link] files. There is no need to restart the nbwmc service.

Enabling or disabling communication between master server and legacy cloud storage media servers
This is applicable for media server version 7.7.x to 8.1.2 only.
The NetBackup CloudStore Service Container (nbcssc) service that runs on older
cloud storage media servers uses port 5637 to communicate with the master server.
Starting with release 8.2, nbcssc service is no longer deployed. The NetBackup
Web Management Console (nbwmc) and the NetBackup Service Layer (nbsl)
services now handle that functionality.
Even when you upgrade your master server to 8.2 or later, the legacy cloud storage
media servers continue to use the legacy cloud service for communicating with the
master server. The NetBackup 8.2 master server, however, does support legacy
cloud storage media servers. To allow communication between an 8.2 master server
and the older media servers, you have to open port 5637 on the master server.

To enable nbwmc service communication on port 5637


1 Run the following command on the master server:
UNIX:
# /usr/openv/wmc/bin/install/configurePorts -addLegacyCloudService

Windows:
<install_path>\NetBackup\wmc\bin\install\configurePorts -addLegacyCloudService

2 Restart the nbwmc service for the changes to take effect.

3 Run the following command to provision a hostname-based certificate for the
media server:
UNIX:
# /usr/openv/netbackup/bin/admincmd/bpnbaz -ProvisionCert <media_server>

Windows:
<install_path>\NetBackup\bin\admincmd\bpnbaz -ProvisionCert <media_server>

In case of an appliance, run the following commands instead:
UNIX:
# /usr/openv/netbackup/bin/bpnbat -AddMachine <appliance_hostname>

Windows:
<install_path>\NetBackup\bin\bpnbat -AddMachine <appliance_hostname>

4 Restart the cloud storage services on the media server.


Even though older versions of media servers are supported, it is recommended
that you upgrade such media servers to version 8.2 or later. After upgrading all the
legacy media servers, you can disable nbwmc service usage on port 5637.

To disable nbwmc service communication on port 5637


1 Run the following command on the master server:
UNIX:
# /usr/openv/wmc/bin/install/configurePorts -removeLegacyCloudService

Windows:
<install_path>\NetBackup\wmc\bin\install\configurePorts -removeLegacyCloudService

2 Restart the nbwmc service for the changes to take effect.


Chapter 6
Troubleshooting
This chapter includes the following topics:

■ About unified logging

■ About legacy logging

■ NetBackup cloud storage log files

■ Enable libcurl logging

■ NetBackup Administration Console fails to open

■ Troubleshooting cloud storage configuration issues

■ Troubleshooting cloud storage operational issues

■ Troubleshooting Amazon Snowball and Amazon Snowball Edge issues

About unified logging


Unified logging creates log file names and messages in a format that is standardized
across Veritas products. Only the vxlogview command can assemble and display
the log information correctly. Server processes and client processes use unified
logging.
Log files for originator IDs are written to a subdirectory with the name specified in
the log configuration file. All unified logs are written to subdirectories in the following
directory:

Windows install_path\NetBackup\logs

UNIX /usr/openv/logs

You can access logging controls in Logging host properties. You can also manage
unified logging with the following commands:

vxlogcfg Modifies the unified logging configuration settings.

for more information about the vxlogcfg command.

vxlogmgr Manages the log files that the products that support unified logging
generate.

for more information about the vxlogmgr command.

vxlogview Displays the logs that unified logging generates.

See “Examples of using vxlogview to view unified logs” on page 190.

for more information about the vxlogview command.

About using the vxlogview command to view unified logs


Only the vxlogview command can assemble and display the unified logging
information correctly. The unified logging files are in binary format and some of the
information is contained in an associated resource file. These logs are stored in
the following directory. You can display vxlogview results faster by restricting the
search to the files of a specific process.

UNIX /usr/openv/logs

Windows install_path\NetBackup\logs

Table 6-1 Fields in vxlogview query strings

PRODID
Type: Integer or string
Description: Provide the product ID or the abbreviated name of product.
Examples: PRODID = 51216
PRODID = 'NBU'

ORGID
Type: Integer or string
Description: Provide the originator ID or the abbreviated name of the component.
Examples: ORGID = 116
ORGID = 'nbpem'

PID
Type: Long Integer
Description: Provide the process ID
Example: PID = 1234567

TID
Type: Long Integer
Description: Provide the thread ID
Example: TID = 2874950

STDATE
Type: Long Integer or string
Description: Provide the start date in seconds or in the locale-specific short date and
time format. For example, a locale can have the format 'mm/dd/yy hh:mm:ss AM/PM'
Examples: STDATE = 98736352
STDATE = '4/26/11 [Link] AM'

ENDATE
Type: Long Integer or string
Description: Provide the end date in seconds or in the locale-specific short date and
time format. For example, a locale can have the format 'mm/dd/yy hh:mm:ss AM/PM'
Examples: ENDATE = 99736352
ENDATE = '04/27/11 [Link] AM'

PREVTIME
Type: String
Description: Provide the hours in 'hh:mm:ss' format. This field should be used
only with operators =, <, >, >=, and <=
Example: PREVTIME = '[Link]'

SEV
Type: Integer
Description: Provide one of the following possible severity types:
0 = INFO
1 = WARNING
2 = ERR
3 = CRIT
4 = EMERG
Examples: SEV = 0
SEV = INFO

MSGTYPE
Type: Integer
Description: Provide one of the following possible message types:
0 = DEBUG (debug messages)
1 = DIAG (diagnostic messages)
2 = APP (application messages)
3 = CTX (context messages)
4 = AUDIT (audit messages)
Examples: MSGTYPE = 1
MSGTYPE = DIAG

CTX
Type: Integer or string
Description: Provide the context token as string identifier or 'ALL' to get all the
context instances to be displayed. This field should be used only with
the operators = and !=.
Examples: CTX = 78
CTX = 'ALL'

Table 6-2 Examples of query strings with dates

Example Description

(PRODID == 51216) && ((PID == 178964) || ((STDATE == '2/5/15 [Link] AM') && (ENDATE == '2/5/15 [Link] PM')))
Retrieves the log file message for the NetBackup product ID 51216 between
9AM and 12PM on 2015-05-02.

((prodid = 'NBU') && ((stdate >= '11/18/14 [Link] AM') && (endate <= '12/13/14 [Link] PM'))) ||
((prodid = 'BENT') && ((stdate >= '12/12/14 [Link] AM') && (endate <= '12/25/14 [Link] PM')))
Retrieves the log messages for the NetBackup product NBU between
2014-18-11 and 2014-13-12 and the log messages for the NetBackup product
BENT between 2014-12-12 and 2014-25-12.

(STDATE <= '04/05/15 [Link] AM')
Retrieves the log messages that were logged on or before 2015-05-04 for all
of the installed Veritas products.

Examples of using vxlogview to view unified logs


The following examples demonstrate how to use the vxlogview command to view
unified logs.

Table 6-3 Example uses of the vxlogview command

Item Example

Display all the attributes of the log messages
vxlogview -p 51216 -d all

Display specific attributes of the log messages
Display the log messages for NetBackup (51216) that show only the date, time, message
type, and message text:

vxlogview --prodid 51216 --display D,T,m,x

Display the latest log messages
Display the log messages for originator 116 (nbpem) that were issued during the last 20
minutes. Note that you can specify -o nbpem instead of -o 116:

# vxlogview -o 116 -t [Link]

Display the log messages from a specific time period
Display the log messages for nbpem that were issued during the specified time period:

# vxlogview -o nbpem -b "05/03/15 [Link] AM" -e "05/03/15 [Link] AM"

Display results faster You can use the -i option to specify an originator for a process:

# vxlogview -i nbpem

The vxlogview -i option searches only the log files that the specified process (nbpem)
creates. By limiting the log files that it has to search, vxlogview returns a result faster. By
comparison, the vxlogview -o option searches all unified log files for the messages that
the specified process has logged.
Note: If you use the -i option with a process that is not a service, vxlogview returns the
message "No log files found." A process that is not a service has no originator ID in the file
name. In this case, use the -o option instead of the -i option.

The -i option displays entries for all OIDs that are part of that process including libraries (137,
156, 309, etc.).

Search for a job ID You can search the logs for a particular job ID:

# vxlogview -i nbpem | grep "jobid=job_ID"

The jobid= search key should contain no spaces and must be lowercase.

When searching for a job ID, you can use any vxlogview command option. This example
uses the -i option with the name of the process (nbpem). The command returns only the
log entries that contain the job ID. It misses related entries for the job that do not explicitly
contain the jobid=job_ID.

About legacy logging


In NetBackup legacy debug logging, a process creates log files of debug activity in
its own logging directory. By default, NetBackup creates only a subset of logging
directories, in the following locations:

Windows install_path\NetBackup\logs
install_path\Volmgr\debug

UNIX /usr/openv/netbackup/logs
/usr/openv/volmgr/debug

It is recommended that you do not use symbolic links or hard links inside legacy
log folders.
If any process runs for a non-root or non-admin user and there is no logging
happening under legacy log folders, you can create a folder using the mklogdir
command for the required user.
To run a command line for a non-root or non-admin user (troubleshooting when the
NetBackup services are not running), it is recommended that you create user folders
for the specific command line. You can create the folders either using the mklogdir
command or manually with the non-root or non-admin user privileges.
To use legacy logging, a log file directory must exist for a process. If the directory
is not created by default, you can use the Logging Assistant or the mklogdir batch
files to create the directories. Or, you can manually create the directories. When
logging is enabled for a process, a log file is created when the process begins.
Each log file grows to a certain size before the NetBackup process closes it and
creates a new log file.
You can use the following batch files to create all of the log directories:
■ Windows: install_path\NetBackup\Logs\[Link]
■ UNIX: /usr/openv/netbackup/logs/mklogdir

More information
See the NetBackup Commands Reference Guide for a complete description about
the mklogdir command.

Creating NetBackup log file directories for cloud storage


Before you configure your NetBackup feature, create the directories into which the
NetBackup commands write log files. Create the directories on the master server
and on each media server that you use for your feature. The log files reside in the
following directories:
■ UNIX: /usr/openv/netbackup/logs/
■ Windows: install_path\NetBackup\logs\
More information about NetBackup logging is available in the NetBackup Logging
Reference Guide.
To create log directories for NetBackup commands
◆ Depending on the operating system, run one of the following scripts:
UNIX: /usr/openv/netbackup/logs/mklogdir
Windows: install_path\NetBackup\logs\[Link]

To create the tpconfig command log directory


◆ Depending on the operating system, create the debug directory and the
tpcommand directory (by default, the debug directory and the tpcommand directory
do not exist). The pathnames of the directories are as follows:
UNIX: /usr/openv/volmgr/debug/tpcommand
Windows: install_path\Veritas\Volmgr\debug\tpcommand

NetBackup cloud storage log files


NetBackup cloud storage exists within the Veritas OpenStorage framework.
Therefore, the log files for cloud activity are the same as for OpenStorage with
several additions.
Some NetBackup commands or processes write messages to their own log files.
For those commands and processes, the log directories must exist so that the utility
can write log messages.
Other processes use Veritas Unified Logging (VxUL). Each process has a
corresponding VxUL originator ID. VxUL uses a standardized name and file format
for log files. To view VxUL log files, you must use the NetBackup vxlogview
command.
More information about how to view and manage log files is available. See the
NetBackup Logging Reference Guide.
The following are the component identifiers for log messages:
■ An sts_ prefix relates to the interaction with the plug-in that writes to and reads
from the storage.
■ A cloud storage server prefix relates to interaction with that cloud vendor's
storage network.
■ An encrypt prefix relates to interaction with the encryption plug-in.
■ A KMSCLIB prefix relates to interaction with the NetBackup Key Management
Service.
Most interaction occurs on the NetBackup media servers. Therefore, the log files
on the media servers that you use for disk operations are of most interest.

Warning: The higher the log level, the greater the effect on NetBackup performance.
Use a log level of 5 (the highest) only when directed to do so by a Veritas
representative. A log level of 5 is for troubleshooting only.
Specify the NetBackup log levels in the Logging host properties on the NetBackup
master server. The log levels for some processes specific to certain options are set
in configuration files as described in Table 6-4.

Table 6-4 describes the logs.

Table 6-4 NetBackup logs for cloud storage

Activity: Backups and restores
OID: N/A
Processes: Messages appear in the log files for the following processes:
■ The bpbrm backup and restore manager.
■ The bpdbm database manager.
■ The bpdm disk manager.
■ The bptm tape manager for I/O operations.
The log files reside in the following directories:
■ UNIX: /usr/openv/netbackup/logs/
■ Windows: install_path\NetBackup\logs\

Activity: Backups and restores
OID: 117
Processes: The nbjm Job Manager.

Activity: Image cleanup, verification, import, and duplication
OID: N/A
Processes: The bpdbm database manager log files.
The log files reside in the following directories:
■ UNIX: /usr/openv/netbackup/logs/bpdbm
■ Windows: install_path\NetBackup\logs\bpdbm

Activity: Cloud connection operations
OID: N/A
Processes: The bpstsinfo utility writes information about connections
to the cloud storage server in its log files.

Activity: Cloud account configuration
OID: 222
Processes: The Remote Manager and Monitor Service is the process
that creates the cloud storage accounts. RMMS runs on
media servers.

Activity: Cloud Storage Service Container
OID: N/A
Processes: This is applicable to media server versions 7.7.x to 8.1.2 only.
The NetBackup Cloud Storage Service Container (nbcssc)
writes log files to the following directories:
■ For Windows: install_path\Veritas\NetBackup\logs\nbcssc
■ For UNIX: /usr/openv/netbackup/logs/nbcssc

Activity: NetBackup Web Management Console
OID: 495
Processes: The NetBackup Web Management Console (nbwmc) service
writes logs to the following directories:
■ For Windows: install_path\Veritas\netbackup\logs\nbwebservice
■ For UNIX: /usr/openv/logs/nbwebservice

Activity: NetBackup Service Layer
OID: N/A
Processes: The NetBackup Service Layer (nbsl) service writes logs to
the following directories:
■ For Windows: install_path\Veritas\netbackup\logs\nbsl
■ For UNIX: /usr/openv/logs/nbsl

Activity: csconfig utility
OID: N/A
Processes: The NetBackup csconfig command-line utility writes logs to
the following directories:
■ For Windows: install_path\Veritas\netbackup\logs\nbcssc
■ For UNIX: /usr/openv/netbackup/logs/nbcssc

Activity: Credentials configuration
OID: N/A
Processes: The tpconfig utility. The tpconfig command writes log
files to the tpcommand directory.

Activity: Device configuration
OID: 111
Processes: The nbemm process.

Activity: Device configuration
OID: 178
Processes: The Disk Service Manager process that runs in the Enterprise
Media Manager (EMM) process.

Activity: Device configuration
OID: 202
Processes: The Storage Server Interface process that runs in the Remote
Manager and Monitor Service. RMMS runs on media servers.

Activity: Device configuration
OID: 230
Processes: The Remote Disk Service Manager interface (RDSM) that
runs in the Remote Manager and Monitor Service. RMMS
runs on media servers.

See “Troubleshooting cloud storage operational issues” on page 204.

Enable libcurl logging


Set the storage server property CLOUD_PREFIX:LOG_CURL to YES to enable cURL
logging. The CLOUD_PREFIX value is the prefix value of each storage provider. The
possible values are:

AMZ            Amazon
AMZGOV         Amazon GovCloud
AZR            Microsoft Azure
CLD            Cloudian HyperStore
GOOG           Google Nearline
HT             Hitachi
ORAC           Oracle Cloud
SWSTK-SWIFT    SwiftStack (Swift)
VER            Verizon

For example, to enable LOG_CURL for Amazon, set AMZ:LOG_CURL to YES.


See “Changing cloud storage server properties” on page 130.

NetBackup Administration Console fails to open


This is applicable to media server versions 7.7.x to 8.1.2 only.
If you change the port number used by the NetBackup CloudStore Service Container
(nbcssc), the NetBackup Administration Console may not open.
You must change the port number value to 5637 in the following places:

The CloudStore Service Container configuration file
    The CloudStore Service Container configuration file resides in the following directories:
    ■ UNIX: /usr/openv/java/[Link]
    ■ Windows: install_path\Veritas\NetBackup\bin\[Link]

    The port number is defined in the configuration file as follows:

    [NBCSSC]
    NBCSSC_PORT=5637

    Note: Port 5637 is used to provide back-level media support
    for media servers that are configured for cloud storage.
    Ensure that you make the port number change at all places.
    Communication with the master server fails if the older media
    servers use a different port.

The operating system's services file
    The services file is in the following locations:
    ■ Windows: C:\WINDOWS\system32\drivers\etc\services
    ■ Linux: /etc/services

For a media server that is promoted as a cloud master, make sure that the port
number is the same across all places. If you change the value in the CloudStore
Service Container configuration file, ensure that you also change the value in the
services file.

See “Connection to the NetBackup CloudStore Service Container fails” on page 198.

Troubleshooting cloud storage configuration issues

The following sections may help you troubleshoot configuration issues.
See “NetBackup Scalable Storage host properties unavailable” on page 197.
See “Connection to the NetBackup CloudStore Service Container fails” on page 198.
See “Cannot create a cloud storage disk pool” on page 200.
See “Cannot create a cloud storage” on page 200.
See “NetBackup Administration Console fails to open” on page 196.
See “Data transfer to cloud storage server fails in the SSL mode” on page 201.
See “Amazon GovCloud cloud storage configuration fails in non-SSL mode”
on page 201.
See “Data restore from the Google Nearline storage class may fail” on page 202.
See “Fetching storage regions fails with authentication version V2” on page 203.

NetBackup Scalable Storage host properties unavailable


If the NetBackup CloudStore Service Container is not active, the Scalable Storage
host properties are unavailable. Either of the following two symptoms may occur:
■ The Scalable Storage properties for a media server are unavailable
■ A pop-up box may appear that displays an “Unable to fetch Scalable Storage
settings” message.
You should determine why the NetBackup CloudStore Service Container is inactive,
resolve the problem, and then start the Service Container.
See “NetBackup CloudStore Service Container startup and shutdown
troubleshooting” on page 209.
See “Stopping and starting the NetBackup CloudStore Service Container”
on page 208.

Connection to the NetBackup CloudStore Service Container fails


This is applicable for media server versions 7.7.x to 8.1.2 only.
The NetBackup cloud storage csconfig configuration command makes three
attempts to connect to the NetBackup CloudStore Service Container with a
60-second time-out for each connection attempt. The NetBackup OpsCenter also
connects to the NetBackup CloudStore Service Container to obtain data for reporting.
If they cannot establish a connection, verify the following information:
■ The NetBackup CloudStore Service Container is active.
See “NetBackup CloudStore Service Container startup and shutdown
troubleshooting” on page 209.
See “Stopping and starting the NetBackup CloudStore Service Container”
on page 208.
■ Your firewall settings are appropriate.
■ The Enable insecure communication with 8.0 and earlier hosts option on
the NetBackup master server is selected if the media server is of the version
8.0 or earlier. The option is available in the NetBackup Administration Console
on the Security Management > Global Security Settings > Secure
Communication tab.
■ The [Link] file is present on both the NetBackup master and media server in
the following locations:
■ UNIX/Linux - /usr/openv/var/webtruststore
■ Windows - <install_path>/var/webtruststore
If the [Link] file is not present on the master server or a media server, run
the nbcertcmd -getCACertificate command on that host. After running this
command, restart the NetBackup CloudStore Service Container on that host.
See the NetBackup Commands Reference Guide for a complete description of
the command.

Note: This [Link] file contains the CA certificates that the NetBackup
authorization service generates.

■ The [Link] file is the same on the NetBackup master and media server.
■ The security certificate is present in the following locations:
■ UNIX/Linux - /usr/openv/var/vxss/credentials
■ Windows - <install_path>/var/vxss/credentials
If the security certificate is not present, run the bpnbaz -ProvisionCert command on the
master server. After running this command, restart the NetBackup CloudStore
Service Container on the master server and the media servers.
See “Deploying host name-based certificates” on page 112.
■ If the master server runs on an operating system that does not support
NetBackup cloud configurations: You can choose to use the NetBackup
CloudStore Service Container on a media server as the master service container.
To do so, update the CSSC_MASTER_NAME parameter of the [Link]
file on all the cloud-supported media servers with the media server name you
chose earlier. However, communication from other media servers to the media
server that now functions as the master configuration for the nbcssc service
and vice versa fails. The failure happens because both these media servers
verify if a trusted host has made the communication request.

Note: The media server that now functions as the master configuration for the
nbcssc service must run the same NetBackup version as the NetBackup master
server.

For the operating systems that NetBackup supports for cloud storage, see the
NetBackup operating system compatibility list available through the following
URL:
[Link]
See “About the NetBackup CloudStore Service Container” on page 104.
To fix this issue, add the authorized host entries on the media and the master
servers that support cloud configurations.
See the 'Adding a server to a servers list' topic in the NetBackup™
Administrator's Guide, Volume I for detailed steps.
■ On the media server, if the certificate deployment security level is set to Very
High, automatic certificate deployment is disabled. An authorization token must
accompany every new certificate request. Therefore, you must create an
authorization token before deploying the certificates.
See the 'Creating authorization tokens' topic in the NetBackup™ Security and
Encryption Guide for detailed steps.

Cannot create a cloud storage disk pool


The following table describes potential solutions if you cannot create a disk pool in
NetBackup.

Table 6-5 Cannot create disk pool solutions

Error: The wizard is not able to obtain Storage Server information. Cannot connect
on socket. (25)
Description: The error message appears in the Disk Configuration Wizard.
The Disk Configuration Wizard query to the cloud vendor host timed out.
The network may be slow or a large number of objects (for example, buckets
on Amazon S3) may exist.
To resolve the issue, use the NetBackup nbdevconfig command to
configure the disk pool. Unlike the wizard, the nbdevconfig command
does not monitor the command response times.
See the NetBackup Commands Reference Guide for a complete description
of the commands.

Cannot create a cloud storage


If you cannot create a cloud storage in NetBackup, verify the following:
■ The [Link] file is present on both the NetBackup master and media server in
the following locations:
■ UNIX/Linux - /usr/openv/var/webtruststore
■ Windows - <install_path>/var/webtruststore
On media server versions 7.7.x to 8.1.2, if the [Link] file is not present,
run the nbcertcmd -getCACertificate command on the master server. After running
this command, restart the NetBackup CloudStore Service Container.
See the NetBackup Commands Reference Guide for a complete description of
the command.

Note: This [Link] file is a NetBackup-specific file. This file includes the CA
certificates generated by the NetBackup authorization service.

■ The [Link] file is the same on the NetBackup master and media server.
■ For media server versions 7.7.x to 8.1.2, the machine certificate is present in
the following locations:
■ UNIX/Linux - /usr/openv/var/vxss/credentials
■ Windows - <install_path>/var/vxss/credentials
If the security certificate is not present, run the bpnbaz -ProvisionCert command on the
master server. After running this command, restart the NetBackup CloudStore
Service Container on the master and media server.
See “Deploying host name-based certificates” on page 112.
■ For media server versions 7.7.x to 8.1.2, the NetBackup CloudStore Service
Container is active.
See “Stopping and starting the NetBackup CloudStore Service Container”
on page 208.
■ The Enable insecure communication with 8.0 and earlier hosts option on
the NetBackup master server is selected if the media server is of the version
8.0 or earlier. The option is available in the NetBackup Administration Console
on the Security Management > Global Security Settings > Secure
Communication tab.
■ On the media server, if the certificate deployment security level is set to Very
High, automatic certificate deployment is disabled. An authorization token must
accompany every new certificate request. Therefore, you must create an
authorization token before deploying the certificates.
See the 'Creating authorization tokens' topic in the NetBackup™ Security and
Encryption Guide for detailed steps.

Data transfer to cloud storage server fails in the SSL mode


NetBackup supports only Certificate Authority (CA)-signed certificates while it
communicates with cloud storage in the SSL mode. Ensure that the cloud server
(public or private) has a CA-signed certificate. If it does not have a CA-signed
certificate, data transfer between NetBackup and the cloud provider fails in the SSL
mode.

Amazon GovCloud cloud storage configuration fails in non-SSL mode


The FIPS region of the Amazon GovCloud cloud provider (that is
[Link]) supports only the secured mode of
communication. Therefore, if you disable the Use SSL option while you configure
Amazon GovCloud cloud storage with the FIPS region, the configuration fails.
To enable the SSL mode again, run the csconfig command with the -us parameter
to set the value of SSL to '2'.
See the NetBackup Commands Reference Guide for a complete description of
the commands.

Data restore from the Google Nearline storage class may fail
Data restore from the Google Nearline storage class may fail, if your
READ_BUFFER_SIZE in NetBackup is set to a value that is greater than the allotted
read throughput. Google allots the read throughput based on the total size of the
data that you have stored in the Google Nearline storage class.

Note: The default READ_BUFFER_SIZE is 100 MB.

The NetBackup bptm logs show the following error after the data restore from
Google Nearline fails:
HTTP status: 429, Retry type: RETRY_EXHAUSTED

Google provides 4 MB/s of read throughput per TB of data that you store in the
Google Nearline storage class per location. You should change the
READ_BUFFER_SIZE value in NetBackup to match it to the read throughput that
Google allots.
For example, if the data that you have stored in the Google Nearline storage class
is 5 TB, you should change the READ_BUFFER_SIZE value to match it to the allotted
read throughput, which equals 20 MB.
For more information, refer to the Google guidelines:
[Link]
See “Changing cloud storage server properties” on page 130.
See “NetBackup cloud storage server connection properties” on page 136.

Backups may fail for cloud storage configurations with Frankfurt region
NetBackup 7.7.1 and later versions support configuring cloud storage using the
Frankfurt region. NetBackup media servers that are older than the 7.7.1 version do
not support configuring cloud storage using the Frankfurt region.
Cloud backups may fail in the following scenario:
You have configured cloud storage server with a media server that is older than
NetBackup 7.7.1. You have created a disk pool in the Frankfurt region using an
existing bucket.
To avoid such cloud backup failures, ensure that when you configure cloud storage
using the Frankfurt region, the cloud media server is NetBackup 7.7.1 or later
version.

Backups may fail for cloud storage configurations with the cloud
compression option
The NetBackup cloud data compression option requires all cloud media servers
that are associated with the cloud storage configuration to be NetBackup 7.7.3 or
later version.
Cloud backups may fail in the following cloud compression scenario:
You have configured cloud storage server using the NetBackup Administration
Console or the command-line interface with the compression option enabled, with
a media server that is compatible. You then add a media server of a version that
is older than NetBackup 7.7.3 using the command-line interface, to the same cloud
configuration.
To avoid such cloud backup failures, ensure that all media servers that you add to
the cloud storage configuration with the compression option are NetBackup 7.7.3
or a later version.

Fetching storage regions fails with authentication version V2


When you use authentication version V2, if the step that fetches storage regions fails
with the pop-up error Unable to process request (228), perform the following
troubleshooting steps:
Ensure that the nbsl and nbwmc services are up and running.
Enable nbwmc logs and, in the [Link] file, increase verbosity to the highest
level. Try fetching regions once again.
See “NetBackup [Link] configuration file” on page 108.
If the issue persists, look for a cURL error in the csconfig logs. The cURL error code
helps you to find the root cause of the issue.
Some of the erroneous configuration scenarios can be:
■ If the cURL error indicates that the issue is caused by an invalid authentication
URL, ensure that the identity API version 2 endpoint (v2.0/tokens) is used for
authentication.
For example, [Link] must be used to
authenticate instead of [Link]
■ If the cURL error indicates that the issue is caused by a non-CA signed
certificate, add a self-signed certificate to [Link] for the authentication as well
as the storage endpoint (in case they are hosted separately).

Troubleshooting cloud storage operational issues


The following sections may help you troubleshoot operational issues.
See “NetBackup Scalable Storage host properties unavailable” on page 197.
See “Cloud storage backups fail” on page 204.
See “A restart of the nbcssc (on legacy media servers), nbwmc, and nbsl processes
reverts all [Link] settings” on page 209.
See “NetBackup CloudStore Service Container startup and shutdown
troubleshooting” on page 209.
See “NetBackup Administration Console fails to open” on page 196.

Cloud storage backups fail


See the following topics:
■ Accelerator backups fail
■ Backups fail after the WRITE_BUFFER_SIZE is increased
■ The storage volume was created by the cloud vendor interface
■ The NetBackup CloudStore Service Container is not active
■ Backups may fail if the Use any available media server option is selected
■ Cloud backup and restore operations fail with error code 83 or error code 2106
■ Cloud storage backup fails for certificate issues
■ Backup jobs to Amazon S3 compliant cloud storage fail with status 41

Accelerator backups fail


A message similar to the following is in the job details:

Critical bptm(pid=28291) accelerator verification failed: backupid=
host_name_1373526632, offset=3584, length=141976576, error=
2060022, error message: software error
Critical bptm(pid=28291) image write failed: error 2060022: software
error
Error bptm(pid=28291) cannot write image to disk, Invalid argument end
writing; write time: [Link]
Info bptm(pid=28291) EXITING with status 84
Info bpbkar(pid=6044) done. status: 84: media write error media write
error(84)

This error may occur in the environments that have more than one cloud storage
server. It indicates that NetBackup Accelerator backups of a client to one cloud
storage server were later directed to a different cloud storage server.
For Accelerator backups to cloud storage, ensure the following:
■ Always back up each client to the same storage server. Do so even if the other
storage server represents storage from the same cloud storage vendor.
■ Always use the same backup policy to back up a client, and do not change the
storage destination of that policy.

Backups fail after the WRITE_BUFFER_SIZE is increased


If the cloud storage server WRITE_BUFFER_SIZE property exceeds the total swap
space of the computer, backups can fail with a status 84.
Adjust the WRITE_BUFFER_SIZE size to a value lower than the computer’s total swap
space to resolve this issue.

The storage volume was created by the cloud vendor interface
A message similar to the following is in the job details:

Info bptm(pid=xxx) start backup
Critical bptm(pid=xxxx) image open failed: error 2060029: authorization
failure
Error bpbrm(pid=xxxx) from client gabby: ERR - Cannot write to STDOUT.
Errno = 32: Broken pipe
Info bptm(pid=xxxx) EXITING with status 84

A message similar to the following appears in the bptm log file:


Container container_name is not Veritas container or tag data error,
fail to create image. Please make sure that the LSU is created by
means of NBU.

This error indicates that the volume was created by using the cloud storage vendor’s
interface.
You must use the NetBackup Disk Pool Configuration Wizard to create the volume
on the cloud storage. The wizard applies a required partner ID to the volume. If you
use the vendor interface to create the container, the partner ID is not applied.
To resolve the problem, use the cloud storage vendor’s interface to delete the
container. In NetBackup, delete the disk pool and then recreate it by using the Disk
Pool Configuration Wizard.
See “Viewing cloud storage job details” on page 174.

See “NetBackup cloud storage log files” on page 193.

The NetBackup CloudStore Service Container is not active


This is applicable to media server versions 7.7.x to 8.1.2 only.
If the NetBackup CloudStore Service Container is not active, backups cannot be
sent to the cloud storage.
NetBackup does not validate that the CloudStore Service Container is active when
you use NetBackup commands to configure NetBackup cloud storage. Therefore,
any backups that initiate in such a scenario fail.
See “NetBackup CloudStore Service Container startup and shutdown
troubleshooting” on page 209.

Backups may fail if the Use any available media server option is selected
While you configure a cloud storage server, you must ensure that the media server
and the master server are of the same version.

Note: This limitation does not apply to the existing cloud storage servers.

Cloud backups may fail in the following scenario:
You selected Use any available media server while you configured the storage
unit, and NetBackup uses a media server whose version differs from the master
server version during cloud storage configuration.
To resolve this issue, do the following:
Select Only use the following media servers while you configure the storage unit
and select the media server with the same version as the master server from the Media
Servers pane.

Cloud backup and restore operations fail with error code 83 or error code 2106
Cloud backup and restore operations may fail with error code 83 or error code
2106 for any one of the following reasons:
■ The media server's date and time settings are skewed (not in sync with the
GMT/UTC time).
■ The storage server credentials that are provided are incorrect.
Perform the following:
Change the media server's date and time settings so that they are in sync with the
GMT/UTC time.

Update the storage server credentials. Use the tpconfig command to update the
credentials. For more information, see the NetBackup Commands Reference Guide.

Cloud storage backup fails for certificate issues


If the cloud storage backups fail because of certificate issues, verify the following:
■ The [Link] file is present on both the NetBackup master and media server in
the following locations:
■ UNIX/Linux - /usr/openv/var/webtruststore
■ Windows - <install_path>/var/webtruststore
For media server versions 7.7.x to 8.1.2, if the [Link] file is not present,
run the nbcertcmd -getCACertificate command on the master server. After running
this command, restart the NetBackup CloudStore Service Container.
See the NetBackup Commands Reference Guide for a complete description of
the command.

Note: This [Link] file is a NetBackup-specific file. This file includes the CA
certificates generated by the NetBackup authorization service.

■ The [Link] file is the same on the NetBackup master and media server.
■ For media server versions 7.7.x to 8.1.2, the machine certificate is present in
the following locations:
■ UNIX/Linux - /usr/openv/var/vxss/credentials
■ Windows - <install_path>/var/vxss/credentials
If the security certificate is not present, run the bpnbaz -ProvisionCert command on the
master server. After running this command, restart the NetBackup CloudStore
Service Container on the master and media server.
See “Deploying host name-based certificates” on page 112.
■ For media server versions 7.7.x to 8.1.2, the NetBackup CloudStore Service
Container is active.
See “Stopping and starting the NetBackup CloudStore Service Container”
on page 208.
■ The Enable insecure communication with 8.0 and earlier hosts option on
the NetBackup master server is selected if the media server is of the version
8.0 or earlier. The option is available in the NetBackup Administration Console
on the Security Management > Global Security Settings > Secure
Communication tab.
■ On the media server, if the certificate deployment security level is set to Very
High, automatic certificate deployment is disabled. An authorization token must
accompany every new certificate request. Therefore, you must create an
authorization token before deploying the certificates.
See the 'Creating authorization tokens' topic in the NetBackup™ Security and
Encryption Guide for detailed steps.
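
The checklist above asks that the trust store file be the same on the master and media server. The following is an added example, not Veritas code: it compares two copies of the file by the SHA-256 fingerprint of each certificate, so that differences in certificate order or line endings are not reported as a mismatch. It assumes that the trust store is a PEM bundle; the function names and the sample data are constructed for illustration, and the file paths are supplied by the operator.

```python
import base64
import hashlib
import re
import sys

# Assumption: the trust store is a PEM bundle of CA certificates.
PEM_RX = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_RX.findall(pem_text):
        # Strip line breaks (LF or CRLF) before decoding the base64 body.
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def compare_trust_stores(master_pem, media_pem):
    """Compare the certificate sets of the master and media server copies."""
    master = cert_fingerprints(master_pem)
    media = cert_fingerprints(media_pem)
    return {
        # An empty or missing trust store never counts as a match.
        "identical": master == media and len(master) > 0,
        "missing_on_media": sorted(master - media),
        "extra_on_media": sorted(media - master),
    }


def _constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armor: constructed data, not a real CA."""
    b64 = base64.encodebytes(payload).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + b64 +
            "-----END CERTIFICATE-----\n")


# Constructed sample entries used to exercise the comparison offline.
CA_A = _constructed_pem(b"constructed-ca-A" * 8)
CA_B = _constructed_pem(b"constructed-ca-B" * 8)

if __name__ == "__main__":
    # Usage: python compare_truststore.py <master copy> <media server copy>
    with open(sys.argv[1]) as m, open(sys.argv[2]) as s:
        result = compare_trust_stores(m.read(), s.read())
    print(result)
    sys.exit(0 if result["identical"] else 1)
```

If the media server copy is missing an entry, the guide's remedy is to fetch the CA certificate again on that host and restart the affected service.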

Backup jobs to Amazon S3 compliant cloud storage fail with status 41
NetBackup consumes the available bandwidth to its maximum potential and pushes
the requests accordingly. However, the Amazon S3 compliant cloud is not able to
process the number of requests.
The cloud vendor returns error 503 to slow down the requests and the backup job
fails with the following errors:
■ In the media server bptm logs:
bptm:4940:<media_server_name>: AmzResiliency:
AmzResiliency::getRetryType cURL error: 0, multi cURL error: 0,
HTTP status: 503, XML response: SlowDown, RetryType:
RETRY_EXHAUSTED

■ In the media server bpbrm logs:


bpbrm Exit: client backup EXIT STATUS 41: network connection timed
out

This issue arises only if higher bandwidth is available between NetBackup and the
cloud storage.
To troubleshoot you can perform one of the following:
■ Configure bandwidth throttling to reduce the number of requests.
See “NetBackup cloud storage server connection properties” on page 136.
■ Reduce the number of read/write buffers.
See “NetBackup cloud storage server bandwidth throttling properties”
on page 133.
■ Talk to your cloud vendor to increase the number of parallel requests limit. This
might incur extra cost.
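
The log signatures quoted in this topic and in the Google Nearline, Accelerator, and cloud vendor interface topics can be matched mechanically. The following is an added example, not Veritas code: it classifies job-details or bptm/bpbrm log text by those signatures and returns the remedy that this guide gives for each. The rule names, the function names, and the sample log text (including the host name media1.example.com) are constructed for illustration.

```python
import re

# Signatures quoted in this guide. Log text wraps in job details, so triage()
# collapses whitespace and the patterns use bounded gaps (.{0,N}) instead of
# relying on line boundaries.
RULES = [
    ("nearline_read_throttled",
     re.compile(r"HTTP status: 429\b.{0,80}?RETRY_EXHAUSTED"),
     "Match READ_BUFFER_SIZE to the read throughput that Google allots."),
    ("s3_slowdown",
     re.compile(r"HTTP status: 503\b.{0,80}?SlowDown.{0,40}?RETRY_EXHAUSTED"),
     "Configure bandwidth throttling, reduce read/write buffers, or ask the "
     "cloud vendor to raise the parallel request limit."),
    ("accelerator_storage_server_changed",
     re.compile(r"accelerator verification failed.{0,200}?error=\s*2060022"),
     "Back up each client to the same storage server with the same policy."),
    ("image_open_authorization_failure",
     re.compile(r"error 2060029: authorization failure"),
     "Check the bptm log for the 'is not Veritas container' message."),
    ("volume_created_by_vendor_interface",
     re.compile(r"is not Veritas container"),
     "Delete the container and the disk pool, then recreate the volume with "
     "the Disk Pool Configuration Wizard."),
]
STATUS_RX = re.compile(r"(?:EXITING with status|EXIT STATUS) (\d+)")


def nearline_read_buffer_mb(stored_tb):
    """Read throughput Google allots: 4 MB/s per TB stored per location."""
    return 4 * stored_tb


def triage(raw_log):
    """Return matched (rule, remedy) pairs and the exit statuses seen."""
    text = " ".join(raw_log.split())  # undo line wrapping
    findings = [(name, advice) for name, rx, advice in RULES
                if rx.search(text)]
    statuses = sorted({int(s) for s in STATUS_RX.findall(text)})
    return {"findings": findings, "exit_statuses": statuses}


# Constructed samples, assembled from the messages quoted in this guide.
SAMPLE_S3 = """bptm:4940:media1.example.com: AmzResiliency:
AmzResiliency::getRetryType cURL error: 0, multi cURL error: 0,
HTTP status: 503, XML response: SlowDown, RetryType:
RETRY_EXHAUSTED
bpbrm Exit: client backup EXIT STATUS 41: network connection timed
out
"""
SAMPLE_ACCEL = """Critical bptm(pid=28291) accelerator verification failed: backupid=
host_name_1373526632, offset=3584, length=141976576, error=
2060022, error message: software error
Critical bptm(pid=28291) image write failed: error 2060022: software
error
Info bptm(pid=28291) EXITING with status 84
"""
SAMPLE_VENDOR = """Critical bptm(pid=xxxx) image open failed: error 2060029: authorization
failure
Info bptm(pid=xxxx) EXITING with status 84
Container container_name is not Veritas container or tag data error,
fail to create image.
"""

if __name__ == "__main__":
    for label, sample in (("s3", SAMPLE_S3), ("accelerator", SAMPLE_ACCEL),
                          ("vendor", SAMPLE_VENDOR)):
        result = triage(sample)
        print(label, result["exit_statuses"])
        for name, advice in result["findings"]:
            print("  ", name, "->", advice)
```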

Stopping and starting the NetBackup CloudStore Service Container


This is applicable to media server versions 7.7.x to 8.1.2 only.
Use the NetBackup Administration Console to stop and start the NetBackup
CloudStore Service Container (nbcssc) service.

See “About the NetBackup CloudStore Service Container” on page 104.


See “NetBackup CloudStore Service Container startup and shutdown
troubleshooting” on page 209.
To start or stop the CloudStore Service Container
1 In the NetBackup Administration Console, expand NetBackup
Administration > Activity Monitor.
2 Click the Daemons tab (UNIX) or the Services tab (Windows).
3 In the Details pane, select nbcssc (UNIX and Linux) or NetBackup
CloudStore Service Container (Windows).
4 On the Actions menu, select Stop Selected or Start Selected (Windows) or
Stop Daemon or Start Daemon (UNIX).

A restart of the nbcssc (on legacy media servers), nbwmc, and nbsl
processes reverts all [Link] settings
Missing entries and comments are not allowed in the [Link] file. If you
remove or comment out values in the [Link] file, a restart of the nbcssc
(on older media servers), nbwmc, and nbsl processes on the media servers returns
all settings to their default values.

NetBackup CloudStore Service Container startup and shutdown troubleshooting
This is applicable for media server versions 7.7.x to 8.1.2 only.
See the following topics:
■ Security certificate not provisioned
■ Security mode changed while service is active

Security certificate not provisioned


The NetBackup media servers that you use for cloud storage must have a security
certificate provisioned. If not, the CloudStore Service Container cannot start. Verify
that the certificate exists.
See “NetBackup CloudStore Service Container security certificates” on page 106.

NetBackup 7.7 to 8.1.2
    If a certificate does not exist, create one from the NetBackup master
    server.
    See “NetBackup CloudStore Service Container security certificates”
    on page 106.

Security mode changed while service is active


Do not change the security mode of the NetBackup CloudStore Service Container
while the service is active. If the security mode is changed while the service is
active, you may encounter service startup or service shutdown problems. Be sure
to stop the service in the same mode it was started.
See “NetBackup CloudStore Service Container security modes” on page 107.
See “Stopping and starting the NetBackup CloudStore Service Container”
on page 208.

bptm process takes time to terminate after cancelling GLACIER restore job
During Amazon GLACIER restores on UNIX media servers, after canceling a restore
job for images that are in GLACIER, the bptm process takes about 4 hours to
terminate.
Workaround
You must manually kill the process.

Handling image cleanup failures for Amazon Glacier vault


This topic describes how to handle image cleanup failures for an Amazon Glacier
vault when a vault lock policy is applied to the vault. Image cleanup fails when the
retention period set in the NetBackup policy is less than the period enforced by the
vault lock policy applied on the Amazon Glacier vault storage unit.
To clean up image failures, see
[Link]

Cleaning up orphaned archives manually


There may be instances where you cannot clean up orphaned images in Amazon
Glacier vault due to the absence of a metadata object. A metadata object contains
mapping information between data objects and NetBackup images.
To manually clean up orphaned archives in Amazon Glacier vault, see
[Link]

Restoring from Amazon Glacier vault spans more than 24 hours for
single fragment

Note: This section does not apply to CloudCatalyst, only non-CloudCatalyst storage
servers.

Archives stored in Amazon Glacier vault, once retrieved, are available for download
for only 24 hours. If your NetBackup restore job (for images residing in Amazon
Glacier vault) takes more than 24 hours to download a single fragment, the restore
job may fail while reading the image. For example, if your fragment size is 512 GB
and restore speed is less than 50 Mbps, the restore will fail.
To recover from this situation, do one of the following:
■ Use a check point restore.
■ Start a restore for the remaining files.
■ Duplicate the image with a smaller fragment size.

Restoring from GLACIER_VAULT takes more than 24 hours for Oracle databases
Oracle forms a restore job so that the data files are restored first (one job per
data file) and then every set of archive logs associated with the data files is
restored (one restore job per set of logs). This causes the Oracle restore to run
five restore jobs in succession (when one restore job finishes, the next one starts
automatically). Because every new restore job with data in a vault in Amazon Glacier
cloud storage requires a minimum of four hours to retrieve the data and bring it on
premises, the Oracle data file restore jobs run for 24 hours or longer.
There are two options to perform the recovery:

Using the NetBackup for Oracle recovery wizard


Increase the Number of parallel streams for restore and recover to the number
of backup requests that are required, for example, 10. You can set this number
higher since Oracle RMAN will only use the required number of streams.
See section About NetBackup for Oracle restores in the NetBackup for Oracle
Administrator's Guide.

Using the RMAN template


This procedure takes longer than the method described earlier.

1. Determine the log sequence and thread numbers required for the recovery
step (restoring the archive logs). This can be done by looking at Oracle or by
looking at the backup jobs.
2. Create an RMAN script and allocate the required number of channels to perform
the restore of the archive logs.
For example, consider a “run” block that allocates 8 channels and restores
sequence numbers 1373 – 1380:

    RMAN> run {
      # Allocate eight SBT channels so the archive log restores run in parallel.
      allocate channel ch00 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      allocate channel ch01 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      allocate channel ch02 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      allocate channel ch03 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      allocate channel ch04 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      allocate channel ch05 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      allocate channel ch06 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      allocate channel ch07 type 'SBT_TAPE' PARMS 'SBT_LIBRARY=/bp/bin/libobk.so64';
      # Restore archive log sequences 1373 through 1380 of thread 1.
      restore archivelog from sequence 1373 until sequence 1380 thread 1;
      release channel ch00;
      release channel ch01;
      release channel ch02;
      release channel ch03;
      release channel ch04;
      release channel ch05;
      release channel ch06;
      release channel ch07;
    }


3. Using the NetBackup for Oracle client, start the NetBackup Backup, Archive, and
Restore interface or create another script to restore the data file or files. If
you’re restoring more than one data file, you may need to increase the number
of streams if each data file is in a different image.
4. Start the restore of the data files and archive logs to run in parallel.
5. Perform the recovery of the database or data files using the NetBackup Backup,
Archive, and Restore interface or by using another script.
See the NetBackup for Oracle Administrator's Guide.

Troubleshooting failures due to missing Amazon IAM permissions


If the AWS credential provided in the NetBackup cloud configuration does not have
the required S3 or Glacier permissions, you may see failures or errors at various
stages of configuration, backup, and restore.
Some error messages are clearly described and identifiable in the NetBackup
Administrator console, while others are vague.
Amazon displays the AccessDeniedException error message. To decipher this
error message, check the log files to identify the missing permission.
■ List Vault or List Bucket permission (glacier:ListVaults) missing.
The following error is displayed:

This error occurs while creating a storage server. If you are using the CLI,
tpcommand to add credential fails.
Check the tpcommand logs for AccessDeniedException, for example,
amazon: Json: {"code":"AccessDeniedException","type":"Client","message":"User: arn:aws:iam::326221795898:user/Readonly_user is not authorized to perform: glacier:ListVaults on resource: arn:aws:glacier:ap-south-1:326221795898:vaults/"}
[Link].139 [7388.4424] <2> [Link]: AmzVaultApi: json_string({"code":"AccessDeniedException","type":"Client","message":"User: arn:aws:iam::326221795898:user/Readonly_user is not authorized to perform: glacier:ListVaults on resource: arn:aws:glacier:ap-south-1:326221795898:vaults/"})
[Link].139 [7388.4424] <16> [Link]:

■ Create Vault or Create Bucket permission (glacier:CreateVault or
glacier:DescribeVault) missing.
The following error is displayed:

This error occurs while creating a disk pool using the NetBackup Administrator
console. If you are using the CLI, nbdevconfig command fails.
Check the nbrrms log for AccessDeniedException, for example,
amazon_raw:: AmzVaultApi: Error: server error code
AccessDeniedException, User:
arn:aws:iam::326221795898:user/Readonly_user is not authorized to
perform: glacier:CreateVault on resource:
arn:aws:glacier:ap-south-1:326221795898:vaults/fail-to-create,
httpcode [403] returning [2060037],11:STS Service,1Post Archive
or S3 Object permission missing - backup will fail in activity
monitor.

■ Upload archives permission (glacier:UploadArchive) missing.


The following error is displayed:

This error occurs while backing up archives. The backup jobs fail with permission
error.
Check the bptm log for details, for example,
"code":"AccessDeniedException","type":"Client","message":"User:
arn:aws:iam::3234415151:user/XYZ is not authorized to perform:
glacier:UploadArchive on resource: LSTR-gtwy-00076(debug).

■ Retrieve job after archive permission (glacier:InitiateJob) missing.


The following error is displayed:

This error occurs after you start a restore.


Check the bptm log for details, for example,
"code":"AccessDeniedException","type":"Client","message":"User:
arn:aws:iam::3234415151:user/XYZ is not authorized to perform:
glacier:InitiateJob on resource: LSTR-gtwy-00076(debug).

■ Retrieve Archive or Retrieve Object permission (glacier:GetJobOutput) missing.
The following error is displayed:

This missing permission causes the restore job to be in incomplete state if
NetBackup cannot download archives after posting jobs.
Check the bptm log for details, for example,
"code":"AccessDeniedException","type":"Client","message":"User:
arn:aws:iam::3234415151:user/XYZ is not authorized to perform:
glacier:GetJobOutput on resource: LSTR-gtwy-00076(debug).

■ Delete Archive or Delete Object permission (glacier:DeleteArchive) missing.


The following error is displayed:

This missing permission causes the image cleanup or image expiry process to
fail.
Check the bpdm log for details, for example,
"code":"AccessDeniedException","type":"Client","message":"User:
arn:aws:iam::3234415151:user/XYZ is not authorized to perform:
glacier:DeleteArchive on resource: LSTR-gtwy-00076(debug).
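
The log check described in the list above can be scripted. The following Python sketch is an added example, not part of the NetBackup product or this guide: it scans log text for AccessDeniedException messages and reports, per IAM user, each denied action and the stage this section associates with it. The sample log is constructed from the excerpts shown above; the function and variable names are assumptions.

```python
import re

# Matches the message format shown in the tpcommand, nbrrms, bptm and bpdm excerpts.
DENIED = re.compile(
    r'User: (arn:aws:iam::\d+:[^\s"]+) is not authorized to perform: '
    r'([a-z0-9-]+:[A-Za-z]+) on resource: ([^\s"\',]+)'
)

# Stage at which each missing permission surfaces, as listed in this section.
STAGE = {
    "glacier:ListVaults": "storage server creation",
    "glacier:CreateVault": "disk pool creation",
    "glacier:DescribeVault": "disk pool creation",
    "glacier:UploadArchive": "backup",
    "glacier:InitiateJob": "restore (job start)",
    "glacier:GetJobOutput": "restore (archive download)",
    "glacier:DeleteArchive": "image cleanup or expiry",
}

# Constructed sample: the guide's excerpts without timestamps, one entry wrapped.
SAMPLE_LOG = '''\
amazon: Json: {"code":"AccessDeniedException","type":"Client","message":"User: arn:aws:iam::326221795898:user/Readonly_user is not authorized to perform: glacier:ListVaults on resource: arn:aws:glacier:ap-south-1:326221795898:vaults/"}
AmzVaultApi: json_string({"code":"AccessDeniedException","type":"Client","message":"User: arn:aws:iam::326221795898:user/Readonly_user is not authorized to perform: glacier:ListVaults on resource: arn:aws:glacier:ap-south-1:326221795898:vaults/"})
amazon_raw:: AmzVaultApi: Error: server error code AccessDeniedException, User: arn:aws:iam::326221795898:user/Readonly_user is not authorized to
perform: glacier:CreateVault on resource: arn:aws:glacier:ap-south-1:326221795898:vaults/fail-to-create, httpcode [403] returning [2060037]
'''


def missing_permissions(log_text):
    """Return {iam_user_arn: [(action, stage, resource), ...]} without duplicates."""
    # Log viewers may wrap long messages, so collapse all whitespace first.
    flat = re.sub(r"\s+", " ", log_text)
    found = {}
    for user, action, resource in DENIED.findall(flat):
        entry = (action, STAGE.get(action, "unknown stage"), resource.rstrip("."))
        rows = found.setdefault(user, [])
        if entry not in rows:
            rows.append(entry)
    return found


if __name__ == "__main__":
    for user, rows in missing_permissions(SAMPLE_LOG).items():
        print(user)
        for action, stage, resource in rows:
            print(f"  missing {action} ({stage}) on {resource}")
```
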

Restore job fails if the restore job start time overlaps with the backup
job end time
If you trigger a restore job within a few seconds of the backup job completion, the
restore job fails with the following error:
Standard policy restore error

In this scenario, the restore job fails because the cloud provider requires time to
update the parameters required for performing a restore. Trigger the restore
a few minutes after the backup job completes.

Post processing fails for restore from Azure archive


When post processing for restore from Azure archive fails, blobs are not moved
from the Hot tier to Archive tier post restore.

To move the blobs from the Hot tier to the Archive tier, follow these steps:
■ Use the list blob operation to get a list of blobs with the prefix
REHYDRATE_PENDING. The blob names are returned in the format
REHYDRATE_PENDING/<image_name>.
■ Search for blobs with <image_name>/ as the prefix and keep only the blobs
whose names after the prefix are integers.
For example:
Consider image name as imagename_1544519515_C1_F1
Blob to pick for post processing - imagename_1544519515_C1_F1/21
Blob not to be picked up -
imagename_1544519515_C1_F1/imagename_1544519515/0
■ Use the set blob tier operation to change the access tier of the blobs
returned from the previous step from the hot access tier to the archive access tier.

Note: Do not move the META_BLOCK_MAP_FILE and META_IMAGE_PROPERTIES
blobs to the archive tier.

■ After you successfully move the blob to the archive access tier, delete the blob with
the prefix REHYDRATE_PENDING using the delete blob operation.
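
The selection rule in the steps above, as an added Python example that is not part of NetBackup or this guide. `plan_post_processing` works on a plain list of blob names; `apply_plan` assumes a `container_client` object with the `get_blob_client`, `set_standard_blob_tier` and `delete_blob` methods of the azure-storage-blob `ContainerClient`. The sample names are constructed, and the location of the META blobs under the image prefix is an assumption.

```python
import re

MARKER_PREFIX = "REHYDRATE_PENDING/"

# Constructed sample listing; META blob placement is an assumption.
SAMPLE_BLOBS = [
    "REHYDRATE_PENDING/imagename_1544519515_C1_F1",
    "imagename_1544519515_C1_F1/0",
    "imagename_1544519515_C1_F1/21",
    "imagename_1544519515_C1_F1/imagename_1544519515/0",
    "imagename_1544519515_C1_F1/META_BLOCK_MAP_FILE",
    "imagename_1544519515_C1_F1/META_IMAGE_PROPERTIES",
    "imagename_1544519515_C1_F10/3",  # another image whose name shares the prefix
]


def plan_post_processing(blob_names):
    """Map each REHYDRATE_PENDING marker to the data blobs to move to Archive."""
    names = list(blob_names)
    plan = {}
    for marker in names:
        if not marker.startswith(MARKER_PREFIX):
            continue
        image = marker[len(MARKER_PREFIX):]
        if not image:
            continue
        # Only <image_name>/<integer> qualifies. Nested paths and the META_*
        # blobs fail this match, so they stay in the hot tier.
        pattern = re.compile(re.escape(image) + r"/[0-9]+")
        data = [n for n in names if pattern.fullmatch(n)]
        plan[marker] = sorted(data, key=lambda n: int(n.rsplit("/", 1)[1]))
    return plan


def apply_plan(container_client, plan):
    """Tier the data blobs first; delete a marker only after all of them succeed."""
    finished = []
    for marker, data_blobs in plan.items():
        for name in data_blobs:
            # An exception here propagates, leaving the marker for a later retry.
            container_client.get_blob_client(name).set_standard_blob_tier("Archive")
        container_client.delete_blob(marker)
        finished.append(marker)
    return finished


if __name__ == "__main__":
    for marker, blobs in plan_post_processing(SAMPLE_BLOBS).items():
        print(marker, "->", blobs)
```
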

Troubleshooting Amazon Snowball and Amazon Snowball Edge issues
Disk pool creation fails
Disk pool creation fails when the cloud storage properties are changed to Amazon
Snowball end point. The following error is encountered:
No Volumes found.

To troubleshoot:
Ensure that the OFFLINE_TRANSFER_MODE storage server property is set to
PROVIDER_API.

Restore fails
Restore fails with the following error:
The specified key does not exist.

The image to be restored was not successfully imported to cloud. Re-run the
duplication-to-cloud operation for that image and perform the restore.

Run the bpduplicate command. See the NetBackup Command Reference Guide.

Import to cloud fails


In the case of a CloudCatalyst media server, back up the data to the device again
from NetBackup and perform the import.
In the case of a non-CloudCatalyst media server, run the duplication-to-cloud
operation for that image. Use the bpduplicate command. See the NetBackup Command
Reference Guide.
For any other issues, ensure that the configuration is done properly. Refer to the
NetBackup with Amazon Snowball and Snowball Edge Configuration Checks
technote.