Description
Deploying a security certificate on a NetBackup host
NetBackup hosts may require a security certificate for authentication for various purposes. If so, you must use a NetBackup command to deploy a certificate for each host that requires one.
When using the NetBackup Administration Console to log into a host that does not have a security certificate installed, the following message appears, stating that a security certificate is mandatory.
Choose one of the following procedures to deploy a security certificate on NetBackup hosts:
| Deployment scenario (actual procedures follow this table) | Purpose |
|---|---|
| Deploying a security certificate for a master server, including a master server in a cluster | Use this procedure to: Exception: Not required for a Microsoft Windows Server Failover Cluster (WSFC) after a NetBackup push installation to the WSFC. |
| Deploying a security certificate for media servers or clients | This procedure uses IP address verification to identify the target NetBackup host and then deploy the certificate. With this procedure, you can deploy a certificate for an individual host, for all media servers, or for all clients. |
| Creating a host identity and then deploying a security certificate for a media server or client | This procedure requires that you run a command on the NetBackup master server to create an identity for the target host. Then, you must run a command on the target host to obtain the certificate from the master server. With this procedure, you can deploy a certificate for an individual host. |
Notes:
- You must be a NetBackup administrator to deploy certificates.
- Deploying a security certificate is a one-time activity for a given NetBackup host.
Deploying a security certificate for a master server including a master server in a cluster
Perform this procedure for the master server. If the master server is part of a cluster, perform this procedure on the active node.
To deploy a security certificate for a NetBackup master server
- Run the following command on the master server:
  Windows: install_path\NetBackup\bin\admincmd\bpnbaz -ConfigureAuth -force
  UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -ConfigureAuth -force
- Stop and restart all NetBackup processes and services.
  To stop all NetBackup processes and services:
  - On Windows systems:
    install_path\NetBackup\bin\bpdown -f
  - On UNIX and Linux systems:
    /usr/openv/netbackup/bin/bp.kill_all
  To start all NetBackup processes and services:
  - On Windows systems:
    install_path\NetBackup\bin\bpup -f
  - On UNIX and Linux systems:
    /usr/openv/netbackup/bin/bp.start_all
- If the master server is part of a cluster, restart the NetBackup Service Layer service and the NetBackup Vault Manager service on the active node of the master server.
Deploying a security certificate for media servers or clients
This procedure works well when deploying certificates to many hosts at one time. As with NetBackup deployment in general, this method assumes that the network is secure.
To deploy a security certificate for media servers or clients
- Run the following command on the master server, depending on your environment. Specify the name of an individual host, specify -AllMediaServers, or specify -AllClients.
  Windows: install_path\NetBackup\bin\admincmd\bpnbaz -ProvisionCert host_name | -AllMediaServers | -AllClients
  UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -ProvisionCert host_name | -AllMediaServers | -AllClients
  NetBackup appliance (as a NetBackup command line user): bpnbaz -ProvisionCert Media_server_name
- Restart the NetBackup Service Layer service on the master server.
  No services need to be restarted if the target host is a NetBackup client.
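The following is an added example, not part of the original article or Veritas code: a POSIX shell wrapper that provisions certificates for an explicit, reviewed host list rather than -AllMediaServers or -AllClients, validating each name before it reaches bpnbaz. The DRY_RUN variable, the function names and the list format are assumptions of this example; the command path and the -ProvisionCert option are those shown in the procedure above.

```shell
#!/bin/sh
# Added example, not Veritas code. BPNBAZ is the UNIX path shown on this page;
# DRY_RUN, valid_host and provision_hosts are names assumed by this example.
BPNBAZ=/usr/openv/netbackup/bin/admincmd/bpnbaz
DRY_RUN=${DRY_RUN:-1}   # 1 (default) prints the commands instead of running them

# Accept only DNS-style names (letters, digits, dots, hyphens). Rejecting a
# leading '-' keeps a list entry from reaching bpnbaz as an option such as
# -AllClients, which would widen the deployment to every client.
valid_host() {
    case $1 in
        ''|-*|*-|.*|*.|*..*|*-.*|*.-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Read host names on stdin, one per line; '#' starts a comment.
# Prints or runs one -ProvisionCert command per valid, unique host and
# returns non-zero if any entry was rejected.
provision_hosts() {
    seen=' '
    rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -f; set -- $line; set +f      # split on whitespace, no globbing
        [ $# -gt 0 ] || continue
        host="$*"                          # extra words stay joined and fail validation
        if ! valid_host "$host"; then
            printf 'rejected: %s\n' "$host" >&2
            rejected=$((rejected + 1))
            continue
        fi
        case $seen in *" $host "*) continue ;; esac
        seen="$seen$host "
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s -ProvisionCert %s\n' "$BPNBAZ" "$host"
        else
            # </dev/null stops the command from consuming the rest of the list
            "$BPNBAZ" -ProvisionCert "$host" </dev/null ||
                printf 'failed: %s\n' "$host" >&2
        fi
    done
    [ "$rejected" -eq 0 ]
}

# Usage: provision_hosts < reviewed_hosts.txt
```

Run it with the default DRY_RUN=1 first and review the printed commands; set DRY_RUN=0 to execute them on the master server.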
Creating a host identity and then deploying a security certificate for a media server or client
This procedure works best when deploying certificates to a small number of hosts. The same password must be entered once on the master server, and then again on the target host, so this method is considered to be more secure.
To create a host identity and then deploy a security certificate for a media server or client
- Run the following command on the master server to create an identity for the target NetBackup host:
  Windows: install_path\NetBackup\bin\bpnbat -addmachine target_hostname
  UNIX: /usr/openv/netbackup/bin/bpnbat -addmachine target_hostname
  Enter a password of your choice when prompted and make a note of it.
- Run the following command on the target NetBackup host to obtain a certificate from the master server and deploy it:
  Windows: install_path\NetBackup\bin\bpnbat -loginmachine
  UNIX: /usr/openv/netbackup/bin/bpnbat -loginmachine
  Enter the master server name as the authentication broker name when prompted. Enter the same computer name and password that were used to create the target host identity on the master server.
Note: If a target host has multiple host names, repeat the steps for each host name.