Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deduplication Guide
  3. Configuring deduplication
  4. About MSDP mutli-domain VLAN Support
NetBackup™ Deduplication Guide

About MSDP mutli-domain VLAN Support

MSDP supports multi-domain NetBackup setups. In a multi-domain set-up, it is important for primary servers from other domains to connect with the MSDP storage server and the primary server of the NetBackup domain that contains the MSDP server. The primary servers and media servers must have multiple network interfaces and host names in a multi-domain setup.

When you configure MSDP VLAN, the local NetBackup domain and the other NetBackup domain must have the NetBackup version 8.2 or later.

An example for using an MSDP VLAN

The following table describes the hierarchy that is used in the example:

NetBackup domain A

NetBackup domain B

primaryA - (10.XX.30.1/24)

primaryA2 - (10.XX.40.1/24)

mediaA - (10.XX.30.2/24)

mediaA2 - (10.XX.40.2/24)

primaryB - (10.XX.40.3/24)

mediaB - (10.XX.40.4/24)

primaryA is the primary server of domain A and has two host names and IP addresses. mediaA is the media server of domain A and has two host names and IP addresses. MSDP storage server is created on media server mediaA.

To let domain B access the MSDP storage server on mediaA of domain A, run the following steps:

  1. Create an MSDP storage server on media server mediaA of NetBackup domain A.

    Open the NetBackup web UI. Click Storage > Disk storage. Click on the Storage servers tab. Click Add and select Media Server Deduplication Pool to local or cloud storage.

  2. Run following command on mediaA to create a new MSDP user testuser1 with password testuser1pass:

    spauser -a -u "testuser1" -p "testuser1pass" --role admin

  3. Servers in the domain B can only access IP like 10.XX.40.*, so primaryA2 is used as the primary server host name of domain A.

    Run following command on mediaB to get a CA certificate and a host certificate from primaryA:

    nbcertcmd -GetCACertificate -server primaryA2

    nbcertcmd -GetCertificate -server primaryA2 -token <token_string>

    If the nbcertcmd - GetCACertificate displays the error "The server name does not match any of the host names listed in the server's certificate", refer to the following article to add more host name to primary server:

    https://support.cohesity.com/s/article/article-100034092

  4. Create an MSDP OpenStorage server on mediaB of NetBackup domain B.

    Open the NetBackup web UI. Click Storage > Disk storage. Click on the Storage server tab. Click Add and select OpenStorage Technology (OST).

    The OpenStorage server name mediaA2 is used as the host name that has the IP address 10.XX.40.*.

    OpenStorage server type is PureDisk, user name is testuser1, and password is testuser1pass. You must enter the server type as PureDisk.

Now mediaB of NetBackup domain B can use the MSDP storage server mediaA2 and the network IP address 10.XX.40.*

In a multi-domain NetBackup configuration, there are times when the media server in domain B must know the server certificate of the media server in domain A. For example, this setup is required when a VMware image recovery is performed from domain A to domain B.

To move mediaA2's server certificate to primaryB is a two-step process, and you need to be a privileged user to run the following steps:

  1. Read the file /etc/nginx/conf.d/nginx_spws.conf and examine the ssl_certificate field.

    Copy ssl_certificate field (for example, /msdp/data/dp1/pdvol/spws/var/keys/cluster_spws_cert.pem) from mediaA2 to primaryB.

    Sample file:

    engine : cat /etc/nginx/conf.d/nginx_spws.conf
    server {
    listen 443 default ssl;
    listen [::]:443 default ssl;
    server_name _;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_certificate /msdp/data/dp1/pdvol/spws/var/keys/cluster_spws_cert.pem;
    ssl_certificate_key /msdp/data/dp1/pdvol/spws/var/keys/cluster_spws_key.pem;
    ssl_verify_client off;
    ssl_protocols TLSv1.2;
    ssl_ciphers
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-G
    CM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES
    128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256;
    ssl_prefer_server_ciphers on;
    include /etc/nginx/locations/nginx_loc_spws.conf;
    }
  2. Run the following command on primaryB to import that certificate to primaryB's trusted keystore.

    Note:

    The storepass and keypass values can be found in /usr/openv/var/global/jkskey on primaryB.

    /usr/openv/java/jre/bin/keytool
    -keystore /usr/openv/var/global/wsl/credentials/truststoreMSDP.bcfks
    -storetype BCFKS
    -providername CCJ
    -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
    -providerpath /usr/openv/wmc/webserver/lib/ccj.jar
    -storepass 4d2b912d38dff8d2406b2aba2d023740aafa520a16cd3bb8b1b39b10b58a4ce5
    -keypass 4d2b912d38dff8d2406b2aba2d023740aafa520a16cd3bb8b1b39b10b58a4ce5
    -alias primaryB -importcert -file cluster_spws_cert.pem

    Note:

    Your version of the bc-fips-X.X.X.X.jar file can be different than the one in the previous example. Search that directory for bc-fips* to find the right version for your NetBackup installation.

  3. When you run the -list command on primaryB, you should see something similar to the following example:

    /usr/openv/java/jre/bin/keytool -list
    -keystore /usr/openv/var/global/wsl/credentials/truststoreMSDP.bcfks
    -storetype BCFKS
    -providername CCJ
    -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider
    -providerpath /usr/openv/wmc/webserver/lib/ccj.jar
    -storepass 4d2b912d38dff8d2406b2aba2d023740aafa520a16cd3bb8b1b39b10b58a4ce5  
    Keystore type: BCFKS 
    Keystore provider: BCFIPS 
    Your keystore contains 2 entries 
    ca1, Jan 11, 2023, trustedCertEntry,  
    Certificate fingerprint (SHA-256): 
    4A:52:C8:9E:B1:1F:A9:21:99:3B:AA:5A:0C:B5:C3:2F:51:(string continues) 
    primaryB, Jan 16, 2023, trustedCertEntry,  
    Certificate fingerprint (SHA-256): 
    AE:34:D1:63:B1:94:33:8C:07:5D:9A:D6:2B:CF:5B:52:D7:(string continues)
    

    The second certificate that is listed is that of mediaA2.

If an external CA is used in the NetBackup setup, you do not need to run the nbcertcmd - GetCACertificate and the nbcertcmd - GetCertificate commands. If NetBackup domain A and NetBackup domain B do not use the same external CA, you must synchronize the external root CA between the two NetBackup domains for MSDP communication. If the servers have multiple host names, then the Subject Alternative Name field of the external certificate must contain all the host names.

Feedback

Was this page helpful?
Previous

About MSDP application user support

Next

About NetBackup WORM storage support for immutable and indelible data

Feedback

Was this page helpful?