Veritas NetBackup™ Troubleshooting Guide
- Troubleshooting procedures
- Troubleshooting NetBackup problems
- Troubleshooting vnetd proxy connections
- Troubleshooting security certificate revocation
- Verifying host name and service entries in NetBackup
- Frozen media troubleshooting considerations
- Troubleshooting problems with the NetBackup web services
- Resolving PBX problems
- Troubleshooting problems with validation of the remote host
- About troubleshooting Auto Image Replication
- Using NetBackup utilities
- About the NetBackup support utility (nbsu)
- About the NetBackup consistency check utility (NBCC)
- About the robotic test utilities
- Disaster recovery
- About disk recovery procedures for UNIX and Linux
- About clustered NetBackup server recovery for UNIX and Linux
- About disk recovery procedures for Windows
- About clustered NetBackup server recovery for Windows
- About recovering the NetBackup catalog
- About NetBackup catalog recovery and OpsCenter
- About recovering the entire NetBackup catalog
- About recovering the NetBackup catalog image files
- About recovering the NetBackup relational database
Troubleshooting web service issues after external CA configuration
The web service does not start or respond after external certificate (ECA) configuration.
Check the web server logs at the following location:
Check if the logs contain any of the following strings:
SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [C:\Program Files\Veritas\NetBackup\var\global\wsl\credentials\tpcredentials\nbwebservice.jks] due to [Illegal character in opaque part at index 2: C:\Program Files\Veritas\NetBackup\var\global\wsl\credentials\tpcredentials\nbwebservice.jks]
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
The root cause can be: The keystore of the external CA used by the NetBackup web service is tampered or deleted.
Verify that NetBackup Web Management Console service is running.
Run the following command:
On UNIX: /usr/openv/netbackup/bin/bpps -x
On Windows: Use the NetBackup Activity Monitor or the services application of the Windows Control Panel.
If the status is FAIL, reconfigure the external certificate by executing the following command:
On Windows:Install path\netbackup\wmc\bin\configureWebServerCerts -addExternalCert -nbHost -certPath file_path -privateKeyPath file_path -trustStorePath file_path
On Unix:/usr/openv/netbackup/bin/configureWebServerCerts -addExternalCert -nbHost -certPath file_path -privateKeyPath file_path -trustStorePath file_path
Try to start the NetBackup web service.
For windows:Install path\netbackup\wmc\bin\nbwmc.exe -start -srvname "NetBackup Web Management Console"
For Unix:/usr/openv/netbackup/bin/nbwmc start
External certificate is not configured.
The issue can occur because of the following:
Invalid certificate, private key, or trust store.
Error message : The certificate could not be added. Please check the configureWebServerCerts logs.
Certificate does not contain server name in the subject alternative name (SAN) of the certificate.
Open web server configuration logs
Location: <install dir>/NetBackup/wmc/webserver/logs/configureWebServerCerts.log
Review the log messages:
If the logs have the following message:
unable to load private key 22308:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: ANY PRIVATE KEY Could not export certificates in PKCS#12 format, 1.
The private key does not t match the private key of the certificate that is provided.
Provide the appropriate private key.
If the logs have following message:
Error occurred while adding certificate to keystore. Exception: java.security.cert.CertificateParsingException: signed overrun, bytes = 918 Exiting.. Could not import CA certificates in JAVA keystore, -1.
The file path that is provided for the -trustStorePath option is not a valid file path or a valid trust store CA certificate is not present at the given file path.
Provide the trust store bundle path for the -trustStorePath option.
The following error message is displayed:
The server name server_name was not found in the web service certificate.
The certificate could not be added. Please check configureWebServerCerts logs.
For successful configuration, ensure the following:
Common name of the subject name and the SAN names should not be empty at the same time.
If the SAN is not empty, host name must be present in the SAN entry.
If SAN is empty, common name of the subject name must be host name.
Only PEM formatted certificates are allowed.
The host name is the name provided for the master server at the time of installation. Host name can be found in the setenv file with the NB_HOSTNAME property.
Location of the file:
On UNIX : /usr/openv/wmc/bin/setenv
On Windows: install_path\Veritas\NetBackup\wmc\bin\setenv
Communication can be successful in the following scenarios:
The certificate contains all host names that the master server is known by (host names that are listed in the SERVER entries of other hosts in the domain) in the SAN field of the certificate.
Server authentication attributes are set in the certificate.
Check the logs for the missing entry.
Add the missing host name in the SAN of the certificate.