Data Domain: How to configure secure replication between Data Domain Restorers (DDRs) when replicating over the public internet
Summary: This article describes how to configure secure replication between Data Domain Restorers (DDRs) when replicating over the public internet
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
Data Domain Operating System (DDOS) version 6.0.x (and later) introduces changes that allow secure replication of data over the public internet. This functionality is designed to protect against a man-in-the-middle (MITM) attack that would otherwise allow unauthorised access to data. It is based on authentication of the source and destination Data Domain Restorers (DDRs) using secure sockets layer (SSL) certificate information held on each system.
Authentication can be configured in one of three modes:
- Anonymous: No authentication is applied to connections
- One-way: Only the destination SSL certificate is verified
- Two-way: Both the source and the destination SSL certificates are verified
As of the initial releases of this functionality, it can only be configured via the Data Domain command line shell (DDSH) and cannot yet be configured via any graphical user interface (i.e. Data Domain System Manager/Management Center).
Pre-requisites:
- Ensure that both source and destination DDRs are running DDOS 6.0.x (or later)
- Ensure that a replication license has been added to both source and destination DDR
- Ensure that required ports have been opened on any firewalls between source and destination DDR (see KB article 323297 for further information: Port requirements for allowing access to Data Domain system through a Firewall)
- Ensure that mutual trust has been established between source and destination DDR (note that this requires port 3009 to be open between DDRs as per the above document)
Log into the CLI on both the source and the destination system and make sure you can ping in both directions and that the trust is established in both directions.
- Confirm that the host name of the remote system is resolvable and contactable:
# net ping [hostname of remote DDR]
- Establish mutual trust with the remote system:
# adminaccess trust add host [hostname of remote system] type mutual
- Restart the Data Domain File System (DDFS) on both the source and the destination system (to ensure that the mutual trust is fully established). Note that this causes a short outage to services on each DDR:
# filesys restart
Note: you can validate that the trust exists by running the following command on both the source and the target. On the source Data Domain use the target host name, and on the target system use the source host name.
# adminaccess trust show [hostname]
Steps to configure a secure replication context:
Note that secure replication is supported with all replication protocols (directory, mtree and collection); however, the following example uses mtree replication. If using another replication protocol, the commands will need to be modified accordingly.
- Create the new replication context (note that this command needs to be run on both the source and the destination system):
# replication add source mtree://[source DDR host name]/data/col1/[source mtree name] destination mtree://[destination DDR host name]/data/col1/[destination mtree name] encryption enabled authentication mode {anonymous | one-way | two-way}
- Initialize the replication context on the source system:
# replication initialize mtree://[destination DDR host name]/data/col1/[destination mtree name]
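The prerequisites and the steps above are usually worked through by hand in DDSH. The following Python script is an added example (not Dell's code and not part of this article) that automates the parts that can be checked from a workstation before touching either DDR: it confirms that the DDOS version strings reported by each system meet the 6.0.x requirement, that both host names resolve, that TCP port 3009 (needed for mutual trust) is reachable, and it renders the exact `replication add` / `replication initialize` command lines for the chosen authentication mode so that the `encryption enabled` keyword is never forgotten. The host names `ddr-src.example.com` / `ddr-dst.example.com`, the mtree names and the version strings are constructed sample values; how you obtain the version string from each DDR is left to you.

```python
"""Pre-flight checks for secure DDR replication (added example, not Dell's code).

Assumptions (not from the KB article): host names, mtree names and the
version strings below are constructed sample values.
"""
from __future__ import annotations

import socket

MIN_DDOS = (6, 0)       # secure replication requires DDOS 6.0.x or later (from the article)
TRUST_PORT = 3009       # port used for adminaccess mutual trust (from the article)
MODES = ("anonymous", "one-way", "two-way")


def parse_ddos_version(text: str) -> tuple[int, ...]:
    """Return the first dotted numeric version found in a DDOS version string.

    Accepts '6.2.1.10' as well as longer strings such as 'Data Domain OS 7.7.1.0-1017566'
    (constructed sample formats; a build suffix after '-' is ignored).
    """
    for token in text.split():
        parts = token.split("-")[0].split(".")
        if len(parts) >= 2 and all(p.isdigit() for p in parts):
            return tuple(int(p) for p in parts)
    raise ValueError(f"no version number found in: {text!r}")


def supports_secure_replication(version_text: str) -> bool:
    """True when the major.minor version is at least 6.0."""
    return parse_ddos_version(version_text)[:2] >= MIN_DDOS


def resolvable(hostname: str) -> bool:
    """Can this workstation resolve the DDR host name?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def port_open(hostname: str, port: int = TRUST_PORT, timeout: float = 3.0) -> bool:
    """TCP connect test; a closed firewall here means 'adminaccess trust add' will fail."""
    try:
        with socket.create_connection((hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


def mtree_url(host: str, mtree: str) -> str:
    """Build the mtree://<host>/data/col1/<mtree> path used by 'replication add'."""
    if not mtree or "/" in mtree:
        raise ValueError("mtree name must be a single path component")
    return f"mtree://{host}/data/col1/{mtree}"


def mode_description(mode: str) -> str:
    """What each authentication mode verifies, as described in the article."""
    return {
        "anonymous": "no authentication is applied to the connection",
        "one-way": "only the destination SSL certificate is verified",
        "two-way": "both source and destination SSL certificates are verified",
    }[mode]


def replication_add_command(src_host: str, src_mtree: str,
                            dst_host: str, dst_mtree: str, mode: str) -> str:
    """Render the 'replication add' line; run it on BOTH source and destination."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    return (f"replication add source {mtree_url(src_host, src_mtree)} "
            f"destination {mtree_url(dst_host, dst_mtree)} "
            f"encryption enabled authentication mode {mode}")


def replication_initialize_command(dst_host: str, dst_mtree: str) -> str:
    """Render the 'replication initialize' line; run it on the SOURCE only."""
    return f"replication initialize {mtree_url(dst_host, dst_mtree)}"


def preflight(src_host: str, dst_host: str, src_version: str, dst_version: str,
              check_network: bool = True) -> list[str]:
    """Return a list of problems; an empty list means the prerequisites look satisfied."""
    problems = []
    for name, ver in (("source", src_version), ("destination", dst_version)):
        if not supports_secure_replication(ver):
            problems.append(f"{name} DDR runs {ver!r}; DDOS 6.0.x or later is required")
    if check_network:
        for host in (src_host, dst_host):
            if not resolvable(host):
                problems.append(f"{host} does not resolve")
            elif not port_open(host):
                problems.append(f"TCP {TRUST_PORT} to {host} is not reachable; mutual trust will fail")
    return problems


if __name__ == "__main__":
    # Constructed sample values: replace with your own DDRs and mtrees.
    src, dst = "ddr-src.example.com", "ddr-dst.example.com"
    for issue in preflight(src, dst, "6.1.0.5", "6.2.1.10"):
        print("PROBLEM:", issue)
    for mode in MODES:
        print(f"# {mode}: {mode_description(mode)}")
    print("# on both systems:")
    print(replication_add_command(src, "backup01", dst, "backup01-dr", "two-way"))
    print("# on the source only:")
    print(replication_initialize_command(dst, "backup01-dr"))
```

The script deliberately renders the commands rather than executing them: DDSH is an interactive shell on the appliance, and the `replication add` line must be entered on both systems while `replication initialize` is entered only on the source, so the output is meant to be pasted into each session.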
Affected Products
Cloud Disaster Recovery
Article Properties
Article Number: 000019129
Article Type: How To
Last Modified: 05 Sep 2025
Version: 5