NetWorker: How to Enable In-Flight Encryption Between NetWorker and Data Domain
Summary: This article provides step-by-step instructions to enable in-flight encryption for securing data in transit between NetWorker and Data Domain systems. By default, this feature is not enabled in NetWorker. Enabling in-flight encryption secures data during transfer but may increase backup times and resource usage. Follow the outlined procedures to configure in-flight encryption using NMC or nsradmin, and to set up DD Boost in-flight encryption on Data Domain systems. ...
Instructions
Enable in-flight encryption on NetWorker using one of the following options:
(Option 1) Using NetWorker Management Console (NMC):
1. Connect to the NetWorker server using NMC.
2. In the NetWorker Administration window, select Hosts.
3. Right-click the hostname of the NetWorker server.
4. Select Configure Local Agent. The Local Agent Properties window appears.
5. Go to the Advanced tab and select Connection encrypted.
6. Click OK.
(Option 2) Using nsradmin:
1. Log in as root or Windows Administrator on the NetWorker client.
2. At the command prompt, type:
nsradmin -p nsrexec
3. Edit the NSRLA resource by typing:
print type:NSRLA
4. Change the value of the connection encrypted attribute:
update connection encrypted:enabled
5. Type Yes when prompted to confirm the change.
6. Ensure that the peer certificate for the NetWorker client matches the storage node if the auth method attribute is not set.
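To confirm the result of the nsradmin procedure across several hosts, the following added example (not part of the original article or of Dell's tooling) reads saved output of the `print type:NSRLA` step and reports the connection encrypted attribute per host. It assumes nsradmin prints each attribute as a `name: value;` line with blank lines between resources; the host names, the `Disabled` value and the sample output are constructed.

```bash
#!/usr/bin/env bash
# Added example: report the "connection encrypted" attribute per NSRLA resource.
# Assumption: attributes appear as "name: value;" lines, resources are
# separated by blank lines. Sample below is constructed, not real output.

SAMPLE_NSRLA='                        type: NSRLA;
                        name: client-a.example.test;
        connection encrypted: enabled;

                        type: NSRLA;
                        name: client-b.example.test;

                        type: NSRLA;
                        name: client-c.example.test;
        connection encrypted: Disabled;'

# stdin: saved "print type:NSRLA" output. stdout: "<host> <state>" per resource.
nsrla_connection_encrypted() {
  awk '
    function emit() {
      if (seen) {
        if (name == "") name = "unknown"
        if (enc == "") enc = "unset"    # attribute missing from the resource
        print name " " enc
      }
      name = ""; enc = ""; seen = 0
    }
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      if (line == "") { emit(); next }  # blank line ends a resource
      pos = index(line, ":")
      if (pos == 0) next                # continuation line, no attribute name
      key = tolower(substr(line, 1, pos - 1))
      val = substr(line, pos + 1)
      sub(/^[ \t]+/, "", val); sub(/;$/, "", val)
      seen = 1
      if (key == "name") name = val
      else if (key == "connection encrypted") enc = tolower(val)
    }
    END { emit() }
  '
}

# Lists hosts whose state is anything other than "enabled"; exit status 1 if any.
nsrla_not_encrypted() {
  nsrla_connection_encrypted |
    awk '$2 != "enabled" { print $1; bad = 1 } END { exit bad + 0 }'
}

printf '%s\n' "$SAMPLE_NSRLA" | nsrla_connection_encrypted
```

A non-zero exit status from `nsrla_not_encrypted` makes it usable as a gate in a scheduled compliance check.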
Enabling DD Boost In-Flight Encryption on Data Domain:
1. Ensure that the Data Domain system is running DDOS 5.5 or later.
2. Configure the Data Domain system to use medium-strength or high-strength TLS encryption. This configuration is transparent to NetWorker.
3. For NetWorker 19.7 and later, ensure that certificate-based encryption support is enabled:
- The certificate is read from the server by each client and used for connecting to Data Domain.
- The certificates are stored locally in the `/nsr/sec/ddcerts/<dd_host/ss_host>` directory for every connection to Data Domain.
- Root CA Certificate File
- Root CA Certificate
Additional Information
- Ensure that in-flight encryption is enabled on both NetWorker and Data Domain devices for optimal security.
- Do not use in-flight encryption and AES encryption together, as doing so is redundant and could significantly increase backup duration.
- In-flight encryption is not supported for client direct backup and recovery operations from a NetWorker client host over a network to a remote host's Advanced File Type Device (AFTD). Use AES encryption for these operations instead.
- See the Dell NetWorker and Data Domain Boost Integration Guide for more details: https://www.dell.com/support/home/product-support/product/networker/docs
Affected Products
Data Domain Boost – File System
Article Properties
Article Number: 000225429
Article Type: How To
Last Modified: 30 May 2024
Version: 1