How to manually obtain a host ID Certificate.

Article: 100039650
Last Published: 2019-07-02
Product(s): NetBackup

Problem

Beginning with NetBackup version 8.1, administrators are required to configure a trust relationship between the Certificate Authority (CA), which is the master server, and any NetBackup media servers or clients. Administrators can configure this trust relationship either while deploying NetBackup or after the deployment is complete. NetBackup does not function properly until this trust relationship is established; for example, backups and restores may fail. Please refer to the Veritas NetBackup Security and Encryption Guide for a more detailed discussion of host certificates.

There are several scenarios that require the administrator to manually set up trust between a master server and a media server or client.

  • Interactive install where the user decides to skip deploying host certificates
  • Push install/silent install where the user puts SKIP in the /tmp/NBInstallAnswer.conf file.
  • Clusters
  • LiveUpdate
  • Client is protected by multiple master servers

This document describes the manual steps required to establish trust.

Solution

The following steps detail how to set up trust between master servers, media servers, and clients. The steps to manually obtain host certificates are similar across each scenario. Any caveats are noted.

Retrieve and Store CA Certificate

On the media server or client, determine if a CA Certificate is present for this NetBackup master server.

Windows: <install_path>\netbackup\bin\nbcertcmd -displayCACertDetail -server mymaster
UNIX: <install_path>/netbackup/bin/nbcertcmd -displayCACertDetail -server mymaster


The output will be similar to the following:

CA Certificate received successfully from server mymaster.
         Subject Name : /CN=nbatd/OU=root@mymaster.mydomain.com/O=vx
           Start Date : Dec 18 13:34:26 2012 GMT
          Expiry Date : Dec 13 14:49:26 2032 GMT
     SHA1 Fingerprint : 0E:19:AF:AF:DB:A6:7F:A7:BA:AF:62:54:E8:9B:D4:6C:8A:06:E2:CF
  CA Certificate State : Not Trusted

Note the 'CA Certificate State'. Trusted indicates that the CA Certificate is already present in the certificate store on myhost. Not Trusted indicates that the CA Certificate is not present in the certificate store.

 

If the CA Certificate is 'Not Trusted', it must be retrieved from the NetBackup master server. Please contact your Backup Administrator to obtain the proper SHA1 fingerprint value for your CA. If you have access to the master server, you may run the following command to display the SHA1 fingerprint.

Windows: <install_path>\netbackup\bin\nbcertcmd -listCACertDetails
UNIX: <install_path>/netbackup/bin/nbcertcmd -listCACertDetails


The output will be similar to the following:

Subject Name : /CN=nbatd/OU=root@mymaster.com/O=vx
Start Date : Sep 16 10:37:58 2016 GMT
Expiry Date : Sep 11 11:52:58 2036 GMT
SHA1 Fingerprint : C3:5E:2E:21:78:DF:47:0D:FF:6A:45:7A:0E:7F:1B:98:B1:F2:92:CA

If the master server has multiple CA certificates, the command displays multiple certificate entries. You can use the 'Subject Name' in the output to determine the mapping between the certificates and the master servers.

To deploy a CA certificate:

Windows: <install_path>\netbackup\bin\nbcertcmd -getCACertificate -server mymaster
UNIX: <install_path>/netbackup/bin/nbcertcmd -getCACertificate -server mymaster


If the command completes successfully on the media server or client where it is run, the output will be similar to the following:

Authenticity of root certificate cannot be established.
The SHA1 fingerprint of root certificate is C3:5E:2E:21:78:DF:47:0D:FF:6A:45:7A:0E:7F:1B:98:B1:F2:92:CA.
Are you sure you want to continue using this certificate ? (y/n): y
The validation of root certificate fingerprint is successful.
CA certificate stored successfully from server mymaster.

 

To confirm the CA certificate was deployed: 

Windows: <install_path>\netbackup\bin\nbcertcmd -displayCACertDetail -server mymaster
UNIX: <install_path>/netbackup/bin/nbcertcmd -displayCACertDetail -server mymaster


If successful, the output will be similar to the following:

CA Certificate received successfully from server mymaster.
         Subject Name : /CN=nbatd/OU=root@mymaster.com/O=vx
           Start Date : Sep 16 10:37:58 2016 GMT
          Expiry Date : Sep 11 11:52:58 2036 GMT
     SHA1 Fingerprint : C3:5E:2E:21:78:DF:47:0D:FF:6A:45:7A:0E:7F:1B:98:B1:F2:92:CA
  CA Certificate State : Trusted
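The fingerprint check that the y/n prompt above asks the operator to perform, scripted so that -getCACertificate is only answered "y" after the reported SHA1 fingerprint matches the value supplied out-of-band by the backup administrator. This is an added example, not code from this article or from NetBackup; the nbcertcmd path and piping "y" into the prompt are assumptions.

```shell
#!/bin/sh
# Added example (not from the Veritas article): check the CA fingerprint that
# nbcertcmd -displayCACertDetail reports against the value obtained out-of-band
# from the backup administrator, and only then store the CA certificate.
# The NBCERTCMD path and piping "y" into the -getCACertificate prompt are assumptions.
NBCERTCMD="${NBCERTCMD:-/usr/openv/netbackup/bin/nbcertcmd}"
# Pull one "Label : value" field out of nbcertcmd output read from stdin.
field_from_output() {   # usage: field_from_output "SHA1 Fingerprint"
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}
# Case-insensitive fingerprint comparison; an empty reported value never matches.
fingerprint_matches() {
    actual=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}
# Decide from -displayCACertDetail output what to do next.
# Prints TRUSTED, FETCH, MISMATCH or UNKNOWN; returns 0 only for the first two.
decide_ca_action() {   # usage: decide_ca_action "<output>" "<expected fingerprint>"
    fp=$(printf '%s\n' "$1" | field_from_output "SHA1 Fingerprint")
    state=$(printf '%s\n' "$1" | field_from_output "CA Certificate State")
    if ! fingerprint_matches "$fp" "$2"; then
        echo MISMATCH; return 1
    fi
    case "$state" in
        Trusted)       echo TRUSTED ;;
        "Not Trusted") echo FETCH ;;
        *)             echo UNKNOWN; return 1 ;;
    esac
}
# Live driver: store the CA certificate only when the fingerprint matches.
deploy_ca_cert() {   # usage: deploy_ca_cert <master> <expected fingerprint>
    out=$("$NBCERTCMD" -displayCACertDetail -server "$1") || return 1
    case $(decide_ca_action "$out" "$2") in
        TRUSTED) echo "CA certificate from $1 is already trusted" ;;
        FETCH)   printf 'y\n' | "$NBCERTCMD" -getCACertificate -server "$1" ;;
        *)       echo "fingerprint from $1 does not match the expected value; not trusting it" >&2
                 return 1 ;;
    esac
}
# Sample -displayCACertDetail output, constructed from the article's example.
SAMPLE_OUTPUT='CA Certificate received successfully from server mymaster.
         Subject Name : /CN=nbatd/OU=root@mymaster.mydomain.com/O=vx
     SHA1 Fingerprint : 0E:19:AF:AF:DB:A6:7F:A7:BA:AF:62:54:E8:9B:D4:6C:8A:06:E2:CF
  CA Certificate State : Not Trusted'
decide_ca_action "$SAMPLE_OUTPUT" "0E:19:AF:AF:DB:A6:7F:A7:BA:AF:62:54:E8:9B:D4:6C:8A:06:E2:CF"   # prints FETCH
```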

 

Obtain a host ID certificate for the media server or client

The following factors must be considered when attempting to obtain a host ID certificate manually:

    • The NetBackup daemons or services on the master server must be active.
    • The security level configured on the NetBackup master server.
    • Has the NetBackup master server already issued a host certificate for this media server or client?
    • If the host certificate request is for a client, is there network connectivity to the NetBackup master server?

       

The nbcertcmd command attempts to inform the user of these conditions through error codes and informational messages.  Examples of those errors are detailed below.

Factor: The NetBackup daemons or services on the master server must be active

If the master server services/daemons are not active, the following error will be displayed when attempting to run nbcertcmd:

Windows: <install_path>\netbackup\bin\nbcertcmd -displayCACertDetail -server mymaster
UNIX: <install_path>/netbackup/bin/nbcertcmd -displayCACertDetail -server mymaster

The output will be similar to the following:

Failed to display CA certificate details
nbcertcmd: The -displayCACertDetail operation failed.
EXIT STATUS 26: client/server handshaking failed

 

Factor: The security level configured on the NetBackup master server

To determine the security level on master server, run the command shown on the master server:

Windows: <install_path>\netbackup\bin\nbcertcmd -getSecConfig -certDeployLevel
UNIX: <install_path>/netbackup/bin/nbcertcmd -getSecConfig -certDeployLevel

The output will be similar to the following:

  Security for certificate deployment : <Very High, High or Medium>
 

Definitions of the security levels are as follows:

 
Security Level: Very High
Description: An authorization token must accompany every new certificate request.

Security Level: High (default)
Description: Certificates are deployed on hosts during installation after confirming the master server fingerprint or through the nbcertcmd command. No authorization token is required if the host is known to the master server.

A host is considered to be known to the master server if it can be found in any of the following:

1. The host is listed against any of the following options in the NetBackup configuration file (Windows registry or the bp.conf file on UNIX):

■ APP_PROXY_SERVER
■ DISK_CLIENT
■ ENTERPRISE_VAULT_REDIRECT_ALLOWED
■ MEDIA_SERVER
■ NDMP_CLIENT
■ SERVER
■ SPS_REDIRECT_ALLOWED
■ TRUSTED_MASTER
■ VM_PROXY_SERVER

2. The host is listed as a client name in the altnames file (ALTNAMESDB_PATH).

3. The host appears in the EMM database of the master server.

4. At least one catalog image of the client exists that is less than 6 months old.

5. The client is listed in at least one backup policy.

6. The client is a legacy client, that is, it is listed in Host Properties --> Master server --> Client Attributes.

Security Level: Medium
Description: The certificates are issued without an authorization token if the master server can resolve the host name to the IP address from which the request originated.

Please refer to the Veritas NetBackup Security and Encryption Guide for details on generating authorization tokens.


Common Errors:
 
Error:
 
“Warning: There is no answer file present and no valid bp.conf.
         Therefore, security configuration is not complete.
         Manual steps are required before backups and restores can occur. For
         more information: https://www.veritas.com/support/en_US/article.000127129."

Solution:
This error message indicates that a bp.conf file was not generated during installation. To generate the bp.conf file, execute:
/usr/openv/netbackup/bin/private/nb_init_cfg


Error:
Attempting to get a host ID certificate when a token is required results in the following error:

Windows: <install_path>\netbackup\bin\nbcertcmd -getCertificate -host myhost -server mymaster
UNIX: <install_path>/netbackup/bin/nbcertcmd -getCertificate -host myhost -server mymaster

The output will be similar to the following:

EXIT STATUS 5946: Token is mandatory, please provide a token.
Solution: Use the -token argument with the nbcertcmd command to prompt for a token. A token is 16 uppercase characters. The token will not be echoed to the terminal when you type it.

Windows: <install_path>\netbackup\bin\nbcertcmd -getCertificate -host myhost -server mymaster -token
UNIX: <install_path>/netbackup/bin/nbcertcmd -getCertificate -host myhost -server mymaster -token

The output will be similar to the following:

Authorization Token: [Type or paste in the upper case, 16 character token ]
Host certificate and certificate revocation list received successfully from server mymaster.

 

Additionally, administrators can specify the -envtoken <envtoken> argument for the nbcertcmd command for a non-interactive installation. The envtoken is the name of the environment variable that contains the token.
 

Example Windows:
At the command prompt, set the temporary environment variable:
set myenvtoken=ABCDEFGHIJKLMNOP

Execute nbcertcmd with the envtoken specified:
<install_path>\netbackup\bin\nbcertcmd -getCertificate -host myhost -server mymaster -envtoken myenvtoken

Resulting output:
Host certificate and certificate revocation list received successfully from server mymaster.

Once the above is complete, run: set myenvtoken= 
Alternately, exit the command prompt which will automatically delete the variable.

Example Unix:
To set the environment variable, execute the following from the command prompt:

myenvtoken="ABCDEFGHIJKLMNOP"
export myenvtoken

 <install_path>/netbackup/bin/nbcertcmd -getCertificate -host myhost -server mymaster -envtoken myenvtoken

Resulting output:

Host certificate and certificate revocation list received successfully from server mymaster.

Once the above is complete, run: unset myenvtoken
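The non-interactive path above, as an added example that is not part of this article or of NetBackup: validate the token before use, pass it by variable name through -envtoken, clear it from the environment afterwards, and map the EXIT STATUS codes this article shows to the corrective action it describes. The NB_TOKEN variable name, the nbcertcmd path and the A-Z/0-9 token alphabet are assumptions.

```shell
#!/bin/sh
# Added example (not from the Veritas article): request a host ID certificate
# non-interactively with -envtoken, validating the token first, clearing it from
# the environment afterwards, and mapping the EXIT STATUS codes shown in this
# article to the next step. NBCERTCMD, NB_TOKEN and the A-Z/0-9 token alphabet are assumptions.
NBCERTCMD="${NBCERTCMD:-/usr/openv/netbackup/bin/nbcertcmd}"
# A token or reissue token is 16 uppercase characters; reject anything else.
validate_token() {
    case "$1" in *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]*) return 1 ;; esac
    [ "${#1}" -eq 16 ]
}
# Extract the numeric code from an "EXIT STATUS <n>:" line; empty on success.
nbcertcmd_status_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*EXIT STATUS \([0-9][0-9]*\):.*/\1/p' | head -n 1
}
# Map the codes this article shows to the corrective action it describes.
describe_status() {
    case "$1" in
        "")   echo "success" ;;
        26)   echo "handshake failed: check that the master server daemons/services are active" ;;
        5946) echo "token is mandatory: rerun with -token or -envtoken" ;;
        5955) echo "host not known to the master: make it known per the security level, or use a token" ;;
        5940) echo "host already had a certificate: a reissue token is required" ;;
        5949) echo "no host ID certificate present: run -getCertificate" ;;
        8500) echo "no connection to the master web service: try -mediaServList <media server>" ;;
        *)    echo "unrecognised nbcertcmd status: $1" ;;
    esac
}
# Live driver: the token is read from NB_TOKEN, passed by variable name, then unset.
request_host_cert() {   # usage: NB_TOKEN=<token>; request_host_cert <host> <master>
    if ! validate_token "$NB_TOKEN"; then
        unset NB_TOKEN; echo "token must be 16 uppercase characters" >&2; return 1
    fi
    export NB_TOKEN
    out=$("$NBCERTCMD" -getCertificate -host "$1" -server "$2" -envtoken NB_TOKEN 2>&1)
    unset NB_TOKEN                      # equivalent of the article's "unset myenvtoken"
    status=$(nbcertcmd_status_from_output "$out")
    echo "$1 via $2: $(describe_status "$status")"
    [ -z "$status" ]
}
```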

 

Error:
Attempting to get a host ID certificate for a media server or client that is not known to the master server results in the following error:

Windows:  <install_path>\netbackup\bin\nbcertcmd -getCertificate
Unix: <install_path>/netbackup/bin/nbcertcmd -getCertificate

The output will be similar to the following:

nbcertcmd: The -getCertificate operation failed for server myclient.
EXIT STATUS 5955: The host name is not known to the master server.


Solution:
Make the client known to the master server using one of the methods described in the security level table earlier in this article, per the currently configured security level. After making the client known to the master, the host ID certificate will be obtained successfully. Alternately, the user can specify an authorization token.

Windows: <install_path>\netbackup\bin\nbcertcmd -getCertificate -host myhost -server mymaster
Unix: <install_path>/netbackup/bin/nbcertcmd -getCertificate -host myhost -server mymaster

The output will be similar to the following:

Host certificate and certificate revocation list received successfully from server mymaster.

 

Factor: Has the NetBackup master server already issued a host ID certificate for this client/media server?
Attempts to get a host ID certificate for a host that should already have a host ID certificate, will result in an error.  The most common reasons for this error are attempts to re-install a media server or a client, or interrupting an install after the host certificate has been deployed.  The hostselfcheck option can be used to determine your current state.  

Host ID Certificate is present:

Windows: <install_path>\netbackup\bin\nbcertcmd -hostselfcheck -server mymaster
Unix:  <install_path>/netbackup/bin/nbcertcmd -hostselfcheck -server mymaster

Resulting output:

Certificate is not revoked.

Host ID Certificate is not present:

Windows: <install_path>\netbackup\bin\nbcertcmd -hostselfcheck -server mymaster
Unix:  <install_path>/netbackup/bin/nbcertcmd -hostselfcheck -server mymaster

 

Resulting output:

Unable to read CRL for server = mymaster, error = 12.
Unable to read certificate.
EXIT STATUS 5949: Certificate does not exist.


In the case where a host ID certificate is not present, use the getCertificate option to retrieve a host ID certificate.


Windows: <install_path>\netbackup\bin\nbcertcmd -getCertificate -host myhost -server mymaster  
Unix:  <install_path>/netbackup/bin/nbcertcmd -getCertificate -host myhost -server mymaster  


Resulting output:

nbcertcmd: The -getCertificate operation failed for server mymaster.
EXIT STATUS 5940: Reissue token is mandatory, please provide a reissue token.

In this case a special type of authorization token called a reissue token must be generated. Please refer to the Veritas NetBackup Security and Encryption Guide for details on how to generate reissue tokens. This operation is performed on the master server.

The reissue token is passed to nbcertcmd in the same manner as an authorization token.  A reissue token is 16 uppercase characters.  The reissue token will not be echoed to the terminal when you type it.

Windows:  <install_path>\netbackup\bin\nbcertcmd -getCertificate -host  myhost  -server mymaster -token
Unix:  <install_path>/netbackup/bin/nbcertcmd -getCertificate -host  myhost  -server mymaster -token


Resulting output:

Authorization Token: [Type or paste in the upper case, 16 character token ]
Host certificate and certificate revocation list received successfully from server mymaster.

As with an authorization token, the reissue token can be supplied non-interactively with the -envtoken <envtoken> argument; the Windows and Unix envtoken examples shown earlier in this article apply unchanged, including clearing the environment variable afterwards with "set myenvtoken=" on Windows or "unset myenvtoken" on Unix.

 

Factor: If the host ID certificate request is for a client, is there network connectivity to the NetBackup master server?

Some NetBackup clients may not have direct network connectivity to the master server.  To determine if the client has direct access, use the nbcertcmd -ping command.  There are several error codes that may indicate that no direct connectivity exists.    

Windows: <install_path>\netbackup\bin\nbcertcmd -ping
Unix: <install_path>/netbackup/bin/nbcertcmd -ping

Resulting output:

nbcertcmd: The -ping operation failed.
EXIT STATUS 8500: Connection with the web service was not established.

If direct access is not available, you may specify one or more media servers as an option to nbcertcmd. These media servers act as a proxy for the nbcertcmd calls. No configuration is required on the media server to support this ability. The only requirements are:

    • The client has direct network access to the media server
    • The media server and the master server are in the same NetBackup domain
    • The media server is running NetBackup 8.1

To configure the host ID certificate, provide the -mediaServList argument to nbcertcmd command.  

Windows: <install_path>\netbackup\bin\nbcertcmd -getCertificate -host myhost -server mymaster -mediaServList mymediaserver

Unix: <install_path>/netbackup/bin/nbcertcmd -getCertificate -host myhost -server mymaster -mediaServList mymediaserver

If successful, the following will be displayed:

Host certificate and certificate revocation list received successfully from server mymaster.

No additional arguments are required if you specify the media server(s) using the MEDIA_SERVERS key in the registry on Windows, or the bp.conf file on UNIX/Linux. 

 
