** NOTE ** This technote is applicable for NetBackup version 7.7.x to 8.1.x.
Currently, NetBackup is configured to trust a number of well-known public CAs used by cloud storage providers. However, there are instances when a customer may want to add a specific cloud provider's CA certificate. For the list of public CA certificates that NetBackup trusts, see the Veritas NetBackup Cloud Administrator's Guide.
** NOTE ** You can also use the following steps to add re-issued certificates into NetBackup.
When using the Configure Cloud Storage Server wizard, the following error is recorded in the logs under the <install_path>/volmgr/debug/tpcommand folder. You may also see failures while performing cloud storage server specific operations (for example, backup or restore to or from the cloud storage server, logged in bptm or bpdm). These errors are captured when verbose logging has been enabled in the vm.conf file, or when libcurl logging is enabled for the storage provider type.
Failure seen in tpcommand log while creating the cloud storage server is as follows:
13:51:42.923 [2800.4020] <2> nbmaster1: AmzResiliency: cURL error: 60(Peer certificate cannot be authenticated with given CA certificates), multi cURL error: 0(OK), STS Error: 2060017(system call failed), HTTP status: 0, Retry type: RETRY_NOT_APPLICABLE, Wait before retry: 0 Sec, Retry Time: Sep 12 13:51:42
Alternatively, the following error message may be returned in the tpcommand logs when the complete SSL certificate chain is not available:
"SSL certificate problem: unable to get local issuer certificate"
Additional cURL logging can be captured in the tpcommand logs by enabling libcurl logging once the cloud storage server instance has been created. For details, see the topic "Changing cloud storage server properties" in the NetBackup Cloud Administrator's Guide.
The cause is usually one of the following:
- The cloud vendor's self-signed CA certificate is missing from the cacert.pem file, or
- A certificate from the public CA, or from an intermediate CA in the chain, is missing from the cacert.pem file, or
- The certificate is present in the cacert.pem file but has already expired.
In order for an SSL certificate to be trusted, that certificate must have been issued by a Certificate Authority (CA) that is included in the trusted keystore of the device that is connecting. The NetBackup CloudStore Service Container service uses the certificate bundle cacert.pem, located on the media server at the following location, when communicating with the cloud object storage device:
Windows - \Program Files\Veritas\NetBackup\db\cloud\cacert.pem
Linux - /usr/openv/netbackup/db/cloud/cacert.pem
Use the following instructions to add a missing certificate, or replace an expired one, issued by the cloud provider or its Certificate Authority (CA) to the cacert.pem file on one or more NetBackup media servers.
** NOTE ** An upgrade of the NetBackup software reverts any changes made to the cacert.pem file, so these steps must be repeated after an upgrade. Keep a copy of the added certificates outside the bundle so they can be re-applied.
1) Confirm that the self-signed or public CA certificate is in Base64 PEM (Privacy Enhanced Mode) format.
2) On the media server selected within the Configure Cloud Storage Server wizard, open the cacert.pem file at the location given above.
3) Append the self-signed or public CA certificate at the beginning or the end of cacert.pem, and save the file. The entry will look similar to the following example:
If the device certificate was issued by one or more intermediate CAs, then the entire SSL certificate chain should be appended to the cacert.pem file.
Open a text editor and paste the entire body of each certificate into one text file in the following order to create the certificate chain:
Device Certificate, then Intermediate Certificate L2, then Intermediate Certificate L1, then Root Certificate.
Make sure to include the BEGIN CERTIFICATE and END CERTIFICATE tags on each certificate. The resulting certificate chain should look like this:
(Device SSL certificate: YourDeviceName.crt)
(Intermediate certificate L2: L2CertIssuer.crt)
(Intermediate certificate L1: L1CertIssuer.crt)
(Your Root certificate: TrustedRootCA.crt)
4) Re-run the failed operation to verify it is working after appending the required cloud provider certificates.
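The steps above can be scripted on a Linux media server so that the checks the technote describes (PEM format, certificate not expired, chain order, and a verification run) happen before and after the bundle is modified. The following is an added example written for this page; it is not Veritas code or part of NetBackup. It assumes a POSIX shell with the openssl command available, uses the Linux cacert.pem path from this technote (overridable through the NB_CACERT variable), and the function names are the author's own:

```shell
#!/bin/sh
# Added example (not NetBackup code): validate a CA certificate and append it
# to the NetBackup cacert.pem bundle, then verify a device certificate against
# the updated bundle. The default path is the Linux location from the technote.
NB_CACERT="${NB_CACERT:-/usr/openv/netbackup/db/cloud/cacert.pem}"

# Return 0 if FILE holds a Base64 PEM certificate that openssl can parse.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q -- '-----END CERTIFICATE-----' "$1" \
        && openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Return 0 if the first certificate in FILE has not yet expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 if the certificate body in CERT already appears in BUNDLE.
# Whitespace is stripped on both sides so line wrapping does not matter.
cert_in_bundle() {
    cert=$1; bundle=$2
    body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert" | tr -d '\n\r ')
    [ -n "$body" ] && tr -d '\n\r ' < "$bundle" | grep -Fq -- "$body"
}

# Validate CERT, back up BUNDLE (default: NB_CACERT), then append CERT once.
# Returns 0 when appended or already present, 1 when validation fails.
append_ca_cert() {
    cert=$1; bundle=${2:-$NB_CACERT}
    if ! is_pem_cert "$cert"; then
        echo "refusing: $cert is not a Base64 PEM certificate" >&2
        echo "  (a DER file can be converted with: openssl x509 -inform der -in in.cer -out out.pem)" >&2
        return 1
    fi
    if ! cert_not_expired "$cert"; then
        echo "refusing: $cert has already expired" >&2
        return 1
    fi
    if [ -f "$bundle" ] && cert_in_bundle "$cert" "$bundle"; then
        echo "already present in $bundle: $cert" >&2
        return 0
    fi
    # Keep a timestamped copy of the bundle; an upgrade also overwrites it.
    [ -f "$bundle" ] && cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"
    { printf '\n'; cat "$cert"; printf '\n'; } >> "$bundle"
}

# Concatenate certificates into OUT in the order the technote gives:
# device, intermediate L2, intermediate L1, root. Each must be PEM.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        is_pem_cert "$f" || { echo "refusing: $f is not PEM" >&2; return 1; }
        cat "$f" >> "$out"
        printf '\n' >> "$out"
    done
}

# Return 0 if DEVICE verifies against BUNDLE, optionally using CHAIN as the
# untrusted intermediate certificates. Mirrors the "unable to get local
# issuer certificate" failure: a missing intermediate makes this fail.
verify_against_bundle() {
    device=$1; bundle=${2:-$NB_CACERT}; chain=$3
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$bundle" -untrusted "$chain" "$device" >/dev/null 2>&1
    else
        openssl verify -CAfile "$bundle" "$device" >/dev/null 2>&1
    fi
}
```

Typical use is `append_ca_cert provider-ca.pem` followed by `verify_against_bundle device.pem "$NB_CACERT" chain.pem` before re-running the failed cloud storage operation; a verification failure at this point points at a missing intermediate or an expired certificate rather than at NetBackup itself. The duplicate check prevents the bundle from growing on every repeat of the procedure, and the backup copy gives a known-good file to restore if an append breaks parsing of the bundle.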