Getting your environment up and running after a disaster when the disaster recovery package passphrase is lost

  • Article ID:100033743

Problem

Beginning with NetBackup 8.1, a disaster recovery package is created during each catalog backup. The package is encrypted with the passphrase that you set.

The disaster recovery package contains the following information:

  • Security certificates and private keys of the master server and the NetBackup CA (Certificate Authority)
  • Information about the hosts in the domain
  • Security settings

You need to provide the same encryption passphrase when you install NetBackup in the disaster recovery mode on the master server after a disaster. If you fail to provide the appropriate passphrase, the NetBackup identity cannot be recovered and you need to manually deploy host ID-based certificates on all NetBackup hosts.

Additional information about passphrases can be found in the NetBackup 8.1 Security and Encryption guide and in article 000127599.

Solution

To get your NetBackup environment up and running after a disaster when the disaster recovery passphrase is lost, carry out the following procedure:

  1. Install NetBackup in the non-disaster recovery mode as the passphrase is lost. In this case, the master server receives a new Certificate Authority (CA) certificate and host ID-based certificate.
  2. Add the media server (associated with the catalog backup that you want to restore) to the master server to make it visible in the Host Properties node in the NetBackup Administration Console.
     Do one of the following:
     • Add the media server using the NetBackup Administration Console:
        • Go to Host Properties > Master Servers > Servers and add the media server.
        • Restart the NetBackup services.
     • Add the media server using the command-line interface. Run the following command:
        admincmd/nbemmcmd -addhost -machinename <media_server> -machinetype media -masterserver <master_server> -operatingsystem <OS> -netbackupversion <netbackup_media_server_version>
  3. Manually deploy a host ID-based certificate on the media server that is associated with the catalog backup that you want to restore. Run the following commands:
     • nbcertcmd -getCAcertificate
     • nbcertcmd -getCertificate -force
     If the certificate deployment level on the master server is set to Very High, you must create an authorization token before you deploy a certificate. Run the following commands to create the token:
     • nbcertcmd -getCAcertificate
     • bpnbat -login
     • nbcertcmd -createToken -name <token_name>
     • nbcertcmd -getCertificate -token
  4. Clear the cache from the master server and the media server using the following command:
     • bpclntcmd -clear_whitelist_cache
  5. Deploy host name-based certificates on the media server if the catalog backup is on the media server. To deploy the host name-based certificate, run the following command on the master server:
     • bpnbaz -ProvisionCert <media_server_name>
  6. Restart the NetBackup services on the media server where the host name-based certificate is deployed.
  7. Perform catalog recovery. Restart NetBackup services on the master server when the recovery is completed.
  8. Refresh the certificate on the master server because the catalog recovery has brought the old database back.
     • If your environment is not clustered, run the following commands:
        • bpnbat -login
        • nbcertcmd -createtoken -name <reissue_token_name> -reissue -host <host_name>
        • nbcertcmd -getCertificate -token <token_name> -force
        • nbcertcmd -getCertificate -force -host <host_name>
     • If your environment is clustered, run the following commands:
        • bpnbat -login
        • nbcertcmd -createtoken -name <reissue_token_name> -reissue -host <cluster_virtual_name>
        • nbcertcmd -getCertificate -token <token_name> -force -cluster
        • nbcertcmd -getCertificate -force -host <host_name>
        Note: The host_name is the name of the active cluster node.
  9. To refresh the certificate on the media server, run the following commands:
     • nbcertcmd -getCAcertificate
     • nbcertcmd -getCertificate -force
     If the certificate deployment level on the master server is set to Very High, you must create an authorization token before you deploy a certificate.
     To create a token, run the following commands:
     • nbcertcmd -getCAcertificate
     • bpnbat -login
     • nbcertcmd -createToken -name <token_name>
     • nbcertcmd -getCertificate -token
  10. To clear the cache from the master server and the media server, run the following command:
     • bpclntcmd -clear_whitelist_cache
  11. Restart the NetBackup services on the media server.
  12. To deploy new host ID-based certificates on the remaining hosts (clients and media servers), run the following commands:
     • nbcertcmd -getCAcertificate
     • nbcertcmd -getCertificate -force
     • If the certificate deployment level on the master server is set to Very High, you must create an authorization token before you deploy a certificate. Run the following commands:
        • nbcertcmd -getCAcertificate
        • nbcertcmd -createToken -name <token_name>
        • nbcertcmd -getCertificate -token
  13. Deploy the host name-based certificates on all media servers and clients. To deploy the host name-based certificates, run the following command on the master server:
     bpnbaz -ProvisionCert -AllMediaServers -AllClients
  14. Set a new Disaster Recovery Passphrase. See the NetBackup Security And Encryption Guide for information on how to set the passphrase. Once completed, run a catalog backup.
  15. Verify that the normal backups that you previously created run successfully.
Note: NetBackup services need to be restarted on the media servers and clients where the host name-based certificates are deployed.
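
The host ID-based certificate sequence from the media server steps above, wrapped in a shell function that stops at the first failure and defaults to a dry run. This is an added example, not part of the original article and not Veritas code. NBU_BIN, DRY_RUN, the function names and the "veryhigh" label are assumptions made for illustration, as is the default install path.

```shell
#!/bin/sh
# Added example, not Veritas code. Hypothetical names: NBU_BIN, DRY_RUN,
# run, deploy_hostid_cert, and the level label "veryhigh".

NBU_BIN="${NBU_BIN:-/usr/openv/netbackup/bin}"  # assumed UNIX install path
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands only

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# deploy_hostid_cert <level> [token_name]
# Runs the host ID-based certificate sequence on the local host and stops at
# the first failing command, so no certificate is requested when the CA
# certificate could not be fetched.
deploy_hostid_cert() {
    level=$1
    token_name=${2:-}
    # Reject a Very High request without a token name before running anything.
    if [ "$level" = "veryhigh" ] && [ -z "$token_name" ]; then
        echo "deploy_hostid_cert: token name required at Very High" >&2
        return 2
    fi
    run "$NBU_BIN/nbcertcmd" -getCAcertificate || return 1
    if [ "$level" = "veryhigh" ]; then
        run "$NBU_BIN/bpnbat" -login || return 1
        run "$NBU_BIN/nbcertcmd" -createToken -name "$token_name" || return 1
        # -token is given without a value, exactly as in the article's steps.
        run "$NBU_BIN/nbcertcmd" -getCertificate -token || return 1
    else
        run "$NBU_BIN/nbcertcmd" -getCertificate -force || return 1
    fi
}
```

Call deploy_hostid_cert with any level other than veryhigh for the two-command path; set DRY_RUN=0 only on a host where the printed sequence has been reviewed.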
 
