NetBackup security certificate could not be deployed on the master server host

Article: 100032859
Last Published: 2019-06-22
Product(s): NetBackup & Alta Data Protection

Problem

The NetBackup security certificate could not be deployed on the master server during installation.

Cause

This issue is caused by one of the following:
  • The Security web application has not started, or it took so long to start that the NetBackup installer timed out while deploying certificates.
  • Some of the NetBackup core services have not started.
  • The web service certificate that is used for communication with Certificate Authority (CA) is not deployed.
  • Certificate Authority (CA) was unable to sign the NetBackup security certificate.

Solution

To resolve the issue, review the following possible causes:

Cause 1 – The Security web application has not started or it took a long time to start, causing the NetBackup installer to time out while deploying certificates.

Complete the following procedure to manually deploy the certificate on the master server:

  1. Check whether the security web service in the NetBackup Web Management Console (nbwmc) is up and running using the following command:
    <Install_Path>/bptestnetconn -wnbwmc/security -T 5 -e 2 -H <master_server_name>
Install_Path refers to the following paths:
On Windows: VERITAS\NetBackup\bin
On Unix: /usr/openv/netbackup/bin

For example:
On Windows: C:\Program Files\VERITAS\NetBackup\bin\bptestnetconn -wnbwmc/security -T 5 -e 2 -H masterserver1
On Unix: /usr/openv/netbackup/bin/bptestnetconn -wnbwmc/security -T 5 -e 2 -H masterserver1
  • If the security web app status is SUCCESS, proceed to Step 2.
  • If the status is FAIL, restart the NetBackup Web Management Console service (nbwmc).
To restart NetBackup web management console, run the following commands:

On Windows:
<Install_Path>\bin\bpdown -e "NetBackup Web Management Console" -f -v
<Install_Path>\bin\bpup -e "NetBackup Web Management Console" -f -v
 
Alternatively, you may use the Service Control Manager to restart the NetBackup Web Management Console service.
For example:
C:\Program Files\Veritas\NetBackup\bin\bpdown -e "NetBackup Web Management Console" -f -v
C:\Program Files\Veritas\NetBackup\bin\bpup  -e "NetBackup Web Management Console" -f -v

On UNIX:
<Install_Path>/netbackup/bin/nbwmc  -terminate
<Install_Path>/netbackup/bin/nbwmc 

For example:
/usr/openv/netbackup/bin/nbwmc  -terminate
/usr/openv/netbackup/bin/nbwmc
  2. Run the following commands to deploy the CA certificate and the host certificate:
  • nbcertcmd -getCACertificate
  • nbcertcmd -getCertificate

Note: For more details on security certificates in NetBackup, refer to the NetBackup Security and Encryption Guide.
 

If the problem persists, contact the Veritas Technical Support team.

Cause 2 – Some of the NetBackup core services have not started.

Carry out the following procedure to resolve the issue:

  1. Check the status of the following services by running the bpps command from the NetBackup/bin directory:
    • nbsl
    • nbatd
    • NB_dbsrv (on UNIX) or the dbsrv16 (on Windows)

      Note: For more details on NetBackup commands, refer to the NetBackup Commands Reference Guide.

  2. Start the nbsl and nbatd services, if they are not running.
  3. Start the NB_dbsrv (on Unix) service or the dbsrv16 (on Windows) service, if it is not running.
Restart the nbsl, nbatd, and NB_dbsrv services as follows:

On Windows:
<Install_Path>\bin\bpdown -e "NetBackup Service Layer" -f -v
<Install_Path>\bin\bpup -e "NetBackup Service Layer" -f -v
 
<Install_Path>\bin\bpdown -e "NetBackup Authentication" -f -v
<Install_Path>\bin\bpup -e "NetBackup Authentication" -f -v
 
<Install_Path>\bin\bpdown -e "SQLANYs_VERITAS_NB" -f -v
<Install_Path>\bin\bpup -e "SQLANYs_VERITAS_NB" -f -v

Alternatively, you may use the Service Control Manager to restart the NetBackup Service Layer (NBSL), NetBackup Authentication (AT), and SQLANYs_VERITAS_NB services.

For example:
C:\Program Files\Veritas\NetBackup\bin\bpdown -e "NetBackup Service Layer" -f -v
C:\Program Files\Veritas\NetBackup\bin\bpup  -e "NetBackup Service Layer" -f -v
C:\Program Files\Veritas\NetBackup\bin\bpdown -e "NetBackup Authentication" -f -v
C:\Program Files\Veritas\NetBackup\bin\bpup  -e "NetBackup Authentication" -f -v
C:\Program Files\Veritas\NetBackup\bin\bpdown -e "SQLANYs_VERITAS_NB" -f -v
C:\Program Files\Veritas\NetBackup\bin\bpup  -e "SQLANYs_VERITAS_NB" -f -v

On Unix:
<Install_Path>/netbackup/bin/nbsl -terminate
<Install_Path>/netbackup/bin/nbsl
To stop nbatd and NB_dbsrv, use the term signal as shown in the example:

To start nbatd and NB_dbsrv, run the following commands:
<install_path>/netbackup/bin/nbatd
<install_path>/db/bin/NB_dbsrv

For example:
/usr/openv/netbackup/bin/nbsl  -terminate
/usr/openv/netbackup/bin/nbsl
# ps -fed |grep nbatd
root 16018     1 4 08:47:35 ?     0:01 ./nbatd
root 16019 16011 0 08:47:39 pts/2 0:00 grep nbatd
# kill 16018
# ps -fed |grep NB_dbsrv
root 11959     1 4 08:47:35 ?     0:01 ./NB_dbsrv
root 16174 16011 0 08:47:39 pts/2 0:00 grep ./NB_dbsrv
# kill 11959
/usr/openv/netbackup/bin/nbatd
/usr/openv/db/bin/NB_dbsrv
  4. Run the following commands to get the CA certificate and the host certificate:

    Note: For more details on security certificates in NetBackup, refer to the NetBackup Security and Encryption Guide.

    • nbcertcmd -getCACertificate
    • nbcertcmd -getCertificate
If the problem persists, contact the Veritas Technical Support team.

Cause 3 – The web service certificate that is used for communication with Certificate Authority (CA) is not deployed.

Carry out the following procedure to resolve the issue:
  1. Check the web service user certificate at the following location:
On Windows: <Install_Path>/var/global/vxss/nbcertservice
On UNIX: /usr/openv/var/global/vxss/nbcertservice
There should be a directory using the name of the account, which was provided to the web service.

If the default web service user ‘nbwebsvc’ is used, the directory structure is as follows:
nbwebsvc/certstore
  2. If the path is not available, run the nbcertconfig command to generate the certificate:
    <Install_Path>/admincmd/nbcertconfig -u
For example:
On Windows - VERITAS\NetBackup\bin\admincmd\nbcertconfig -u
On UNIX - /usr/openv/netbackup/bin/admincmd/nbcertconfig -u
 
Note: On Windows, the web service user password must be set in the ‘WEBSVC_PASSWORD’ shell variable before executing the nbcertconfig command.
  3. Restart the NetBackup services.
  4. Run the following commands to get the CA certificate and the host certificate:
  • nbcertcmd -getCACertificate
  • nbcertcmd -getCertificate
Note: For more details on security certificates in NetBackup, refer to the NetBackup Security and Encryption Guide.

If the problem persists, contact the Veritas Technical Support team.

Cause 4 – Certificate Authority (CA) was unable to sign the NetBackup security certificate.

You can confirm the error details as follows:
  1. Run the following command:
<Install_path>/netbackup/bin/nbcertcmd -getCertificate
The following error occurs on the command-line interface:
EXIT STATUS 5904: Internal error
  2. Go to the following log file location:
<Install_path>/netbackup/logs/nbcert/<log_file_name>
  3. Check for the following error message:
VxAT failed to sign certificate, error = 6084

Once the NetBackup installation is complete, carry out the following procedure to resolve the issue:
  1. Run the following command:
<Install_path>/netbackup/bin/admincmd/nbcertconfig -u
  2. Check the security certificate deployment level using the following command:
<Install_Path>/netbackup/bin/nbcertcmd -getSecConfig -CertDeployLevel
  3. If the security certificate deployment level is Very High, run the following command to log on:
<Install_Path>/netbackup/bin/bpnbat -login -loginType WEB
  4. Create a token using the following command:
<Install_path>/netbackup/bin/nbcertcmd -createToken -name <token_name>

<token_name> must start with an alphanumeric character and can include the following characters: spaces, - (hyphen), _ (underscore).
  5. Create a file and add the token in that file.
  6. Deploy the host ID-based certificate by running the following command:

<Install_path>/netbackup/bin/nbcertcmd -getCertificate  -file <token_file_path>

The ‘-file’ parameter should be used only when the security certificate deployment level is Very High. Provide the exact path of the file here.

Example:

  1. <Install_Path>/netbackup/bin/admincmd/nbcertconfig -u
NetBackup AT service configuration for web service user completed successfully.
  2. <Install_Path>/netbackup/bin/nbcertcmd -getSecConfig -CertDeployLevel
Consider that the security for certificate deployment is set to Very High. Run the following command for authentication:
  3. <Install_Path>/netbackup/bin/bpnbat -login -loginType WEB
Provide the following information:

Authentication Broker [MasterServer1 is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap) [unixpwd is default]:
Domain [MasterServer1 is default]:  example.netbackup.com
Login Name [root is default]:
Password:
  4. Run the following command to create a token:
<Install_Path>/netbackup/bin/nbcertcmd -createToken -name "testToken"
Token HKLTMHYHBFHMOKFH created successfully.
  5. Run the following command:
echo HKLTMHYHBFHMOKFH > tokenFile.txt
  6. <Install_Path>/netbackup/bin/nbcertcmd -getCertificate -file tokenFile.txt
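
The token-file steps above, written as shell functions for a UNIX master server. This is an added example, not Veritas code: it checks a token name against the naming rule, reads the token from standard input into an owner-only file (so the value does not land in shell history or a world-readable file), and deletes the file once nbcertcmd returns. The function names, the NBCERTCMD variable and the reading of the naming rule as an allow-list are assumptions.

```shell
#!/bin/sh
# Added example (not Veritas code). NBCERTCMD defaults to the UNIX path used
# in the article; the variable and the function names are assumptions.
NBCERTCMD="${NBCERTCMD:-/usr/openv/netbackup/bin/nbcertcmd}"
LC_ALL=C; export LC_ALL   # keep A-Z / a-z / 0-9 ranges ASCII-only

# Article rule: the name starts with an alphanumeric and may contain spaces,
# hyphens and underscores. Rejecting every other character is an assumption.
valid_token_name() {
    case "$1" in
        ''|[!A-Za-z0-9]*)      return 1 ;;
        *[!A-Za-z0-9' '_-]*)   return 1 ;;
    esac
    return 0
}

# Read the token from stdin and store it in a file only the owner can read.
# usage: write_token_file PATH   (paste the token, then Ctrl-D)
write_token_file() {
    if [ -L "$1" ]; then
        echo "refusing to write through symlink: $1" >&2
        return 1
    fi
    ( umask 077 && cat > "$1" ) || return 1
    chmod 600 "$1"            # also tightens a file that already existed
}

# Request the host certificate with the token file, then delete the file:
# the token authorizes certificate issuance and should not stay on disk.
# usage: deploy_with_token PATH
deploy_with_token() {
    tf=$1
    if [ ! -f "$tf" ] || [ -L "$tf" ]; then
        echo "token file missing or not a regular file: $tf" >&2
        return 2
    fi
    "$NBCERTCMD" -getCertificate -file "$tf"
    rc=$?
    rm -f "$tf"
    return "$rc"
}
```

The exit status of deploy_with_token is the status of nbcertcmd itself, so an EXIT STATUS 5904 failure is still visible to the caller after the token file has been removed.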

Note: For more details on security certificates in NetBackup, refer to the NetBackup Security and Encryption Guide.

If the problem persists, contact the Veritas Technical Support team.
