Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Flex Scale Administrator's Guide
  3. Site-based disaster recovery in NetBackup Flex Scale
  4. Performing disaster recovery using RESTful APIs
  5. Establishing trust and setting up authentication
NetBackup™ Flex Scale Administrator's Guide

Establishing trust and setting up authentication

In NetBackup Flex Scale Appliance, the Appliance web server creates a self-signed CA certificate and an Appliance web server certificate (signed by that CA) for every cluster. As the CA certificates are different, you have to ensure that both the clusters trust the CA of the other. This is done by adding one cluster's gateway CA certificate to the trusted certificate store of the other. Each cluster should be able to trust the secondary site and perform the required operations to configure and manage disaster recovery. Appliance web server certificates are exchanged between both the clusters to enable authentication.

You can use the following RESTful APIs to setup trust and authentication. The secondary site can be added as a disaster recovery cluster to the primary site anytime after the primary site is up and running. The secondary site has to be a freshly installed and configured NetBackup Flex Scale cluster.

The RESTful API calls must be made in the following order on the management server of the clusters. The API calls do not use SSH between the clusters.

You can get the list of available certificates on the cluster using the API:

GET /api/appliance/v1.0/certificates

This API returns the URI of certificateName as Appliance web services certificate, Appliance web services CA certificate and the root certificate. The certificateName should be passed as input to the GET specific certificate API. The certificate is in base64 encoded format.

To set up trust between both the clusters

  1. Get the appliance web services certificate on the primary site by providing the certificate name (appliance-webservice) as input in the GET specific certificate API.
    GET /api/appliance/v1.0/certificates/{certificateName}
  2. Get the appliance web services CA certificate on the primary site by providing the certificate name (appliance-webservice-ca) as input in the GET specific certificate API.
    GET /api/appliance/v1.0/certificates/{certificateName}
  3. Establish trust by passing the certificates obtained from the primary site to the secondary site. Execute the following API on the secondary site:
    POST /api/appliance/v1.0/certificates

    The API imports the certificates of one cluster and exports the certificates on the other cluster to establish trust and enable certificate authentication.

    Set type as appliance-webservice and purpose as remote-cluster-trust-auth. Use the management server FQDN of the remote cluster for gateway.

  4. Get the appliance web services certificate on the secondary site by providing the certificate name (appliance-webservice) as input in the GET specific certificate API.
    GET /api/appliance/v1.0/certificates{certificateName}
  5. Get the appliance web services CA certificate on the secondary site.
    GET /api/appliance/v1.0/certificates/appliance-webservice-ca
  6. Establish trust by passing the certificates obtained from the secondary site to the primary site. Execute the following API on the primary site:
    POST /api/appliance/v1.0/certificates

    The API imports the certificates of one cluster and exports the certificates on the other cluster to establish trust and enable certificate authentication.

    Set type as appliance-webservice and purpose as remote-cluster-trust-auth. Use the management server FQDN of the remote cluster for gateway.

For more information, see the Veritas NetBackup Flex Scale APIs on SORT.

Feedback

Was this page helpful?
Previous

Performing disaster recovery using RESTful APIs

Next

Configuring disaster recovery

Feedback

Was this page helpful?