Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deduplication Guide
  3. Configuring deduplication
  4. Configuring MSDP replication to a different NetBackup domain
  5. Configuring NetBackup CA and NetBackup host ID-based certificate for secure communication between the source and the target MSDP storage servers
NetBackup™ Deduplication Guide

Configuring NetBackup CA and NetBackup host ID-based certificate for secure communication between the source and the target MSDP storage servers

MSDP now supports secure communications between two media servers from two different NetBackup domains. The secure communication is set up when you run Auto Image Replication (A.I.R.). The two media servers must use the same CA to do the certificate security check. The source MSDP server uses the CA of the target NetBackup domain and the certificate that is authorized by the target NetBackup domain. You must manually deploy CA and the certificate on the source MSDP server before using Auto Image Replication.

Note:

After you upgrade to NetBackup 8.1.2 or later, manually deploy NetBackup CA and the NetBackup host ID-based certificate on the source MSDP server to use the existing Auto Image Replication.

To configure the NetBackup CA and a NetBackup host ID-based certificate, complete the following steps:

  1. On the target NetBackup primary server, run the following command to display the NetBackup CA fingerprint:

    • Windows

      install_path\NetBackup\bin\nbcertcmd -displayCACertDetail

    • UNIX

      /usr/openv/netbackup/bin/nbcertcmd -displayCACertDetail

  2. On the source MSDP storage server, run the following command to get the NetBackup CA from target NetBackup primary server:

    • Windows

      install_path\NetBackup\bin\nbcertcmd -getCACertificate -server target_primary_server

    • UNIX

      /usr/openv/netbackup/bin/nbcertcmd -getCACertificate -server target_primary_server

    When you accept the CA, ensure that the CA fingerprint is the same as displayed in the previous step.

  3. On the source MSDP storage server, run the following command to get a certificate generated by target NetBackup primary server:

    • Windows

      install_path\NetBackup\bin\nbcertcmd -getCertificate -server target_primary_server -token token_string

    • UNIX

      /usr/openv/netbackup/bin/nbcertcmd -getCertificate -server target_primary_server -token token_string

  4. Use either of these two methods to obtain the authorization tokens:

    • NetBackup web UI

      • In NetBackup web UI, select Security > Tokens.

      • Click Add and fill the required details to create a token.

    • NetBackup commands

      • Use the bpnbat command to log on the target NetBackup primary server.

      • Use the nbcertcmd command to get the authorization tokens.

      For more information on the commands, refer to the NetBackup Commands Reference Guide.

Feedback

Was this page helpful?
Previous

Enable inter-node authentication for a NetBackup clustered primary server

Next

Configuring external CA for secure communication between the source MSDP storage server and the target MSDP storage server

Feedback

Was this page helpful?