Cloud Storage Configuration: How to Add a Cloud Provider (Self-Signed or Public) CA Certificate

Article: 100032993
Last Published: 2022-06-25
Product(s): NetBackup & Alta Data Protection

Problem

Currently, NetBackup is configured to trust a number of well-known public CAs related to cloud storage. However, there are instances when a customer may want to add a specific cloud provider's CA certificate. For the list of public CA certificates that NetBackup trusts, see the Veritas NetBackup Cloud Administrator's Guide.

** NOTE ** You can also use the following steps to add re-issued certificates into NetBackup.

Error Message

When using the Configure Cloud Storage Server wizard, the following error is observed within the <install_path>/volmgr/debug/tpcommand folder. You may also see failures while performing cloud storage server specific operations (for example, backup or restore to or from the cloud storage server, in the bptm or bpdm logs). These errors are captured when verbose logging has been enabled in the vm.conf file, or when libcurl logging is enabled for the storage provider type.

Failure seen in tpcommand log while creating the cloud storage server is as follows:

13:51:42.923 [2800.4020] <2> nbmaster1: AmzResiliency: cURL error: 60(Peer certificate cannot be authenticated with given CA certificates), multi cURL error: 0(OK), STS Error: 2060017(system call failed), HTTP status: 0, Retry type: RETRY_NOT_APPLICABLE, Wait before retry: 0 Sec, Retry Time: Sep 12 13:51:42 

Alternatively, the following error message may be returned in the tpcommand logs when the complete SSL certificate chain is not available:

"SSL certificate problem: unable to get local issuer certificate"


Additional cURL logging can be captured in the tpcommand logs by enabling libcurl logging once the cloud storage server instance has been created. More details are in the topic "Changing cloud storage server properties" in the NetBackup Cloud Administrator's Guide.


Cause

The cause is one of the following:
- The cloud vendor's self-signed CA certificate is missing from the cacert.pem file, or
- The certificate of the public CA, or of an intermediate CA in the chain, is missing from the cacert.pem file, or
- The certificate is present in the cacert.pem file but has already expired.

The cacert.pem file can be found at the following location on a NetBackup media server.

  • Windows:

    • On media server version 10.0, the path is:

      <installation-path>\NetBackup\var\global\cloud

    • On media server version 8.2 to 9.1, the path is:

      <installation-path>\NetBackup\var\global\wmc\cloud\cacert.pem

    • On media server versions 7.7.x to 8.1.2, the path is:

      install_path\Veritas\NetBackup\db\cloud\cacert.pem

  • UNIX:

    • On media server version 10.0, the path is:

      /usr/openv/var/global/cloud/

    • On media server version 8.2 to 9.1, the path is:

      /usr/openv/var/global/wmc/cloud/cacert.pem

    • On media server versions 7.7.x to 8.1.2, the path is:

      /usr/openv/netbackup/db/cloud/cacert.pem


Solution

In order for an SSL certificate to be trusted, that certificate must have been issued by a Certificate Authority (CA) that is included in the trusted keystore of the device that is connecting. The NetBackup CloudStore Service Container service uses the certificate bundle located on the media server at the locations listed above when communicating with the cloud object storage device.

Use the following instructions to add a missing certificate, or replace an expired one, issued by the cloud provider or its Certificate Authority (CA) in the cacert.pem file on one or more NetBackup media servers.


** NOTE ** An upgrade of the NetBackup software will revert any changes made to the cacert.pem file, making it necessary to repeat these steps in the event the customer performs an upgrade. 


1) Confirm that the self-signed or public CA certificate is in Base64 PEM (Privacy-Enhanced Mail) format.

2) On the media server selected within the Configure Cloud Storage Server wizard, open the cacert.pem file.

3) Append the self-signed or public CA certificate at the beginning or the end of cacert.pem, and save the file. The entry will look similar to the following example:

Custom Certificate Header
============================

-----BEGIN CERTIFICATE-----
dGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
HbG9iYWxSb290IENsYXNzIDMwggEiMA0GCSqGSIb3DgMq92oV
3Ox+M6pCSzyU9XDFES4hqX2iys52qMzVNn6chr3IhUciJFrf2blw2
.........
LzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuImle9eiPZaGzPImNC1q
kp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4pTp==
-----END CERTIFICATE-----


If the device certificate was issued by one or more intermediate CAs, then the entire SSL certificate chain should be appended to the cacert.pem file.

Open a text editor and paste the entire body of each certificate into one text file in the following order to create the certificate chain:

... Device Certificate ... Intermediate Certificate L2 ... Intermediate Certificate L1 ... Root Certificate

Make sure to include the beginning and end tags on each certificate. The resulting certificate chain should look like this:

-----BEGIN CERTIFICATE-----
(Device SSL certificate: YourDeviceName.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate L2: L2CertIssuer.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate L1: L1CertIssuer.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRootCA.crt)
-----END CERTIFICATE-----

4) Re-run the failed operation to verify it is working after appending the required cloud provider certificates.
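The following POSIX shell helper is an added example, not from the Veritas article or from NetBackup itself. It carries out steps 1 to 3 and the chain assembly above with the checks an administrator would want first (PEM format, duplicate entry, backup before editing, and, where openssl is installed, expiry and chain verification). The default bundle path is the 8.2 to 9.1 UNIX location from the article; the header text and backup naming are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Veritas article or NetBackup: append a Base64 PEM
# CA certificate (or chain) to cacert.pem with basic safety checks. The default
# BUNDLE is the 8.2-9.1 UNIX path from the article; pass your version's path.
BUNDLE="${BUNDLE:-/usr/openv/var/global/wmc/cloud/cacert.pem}"

# 0 if $1 is Base64 PEM, i.e. carries BEGIN/END CERTIFICATE markers (a DER
# .cer file has none and would be silently ignored inside the bundle).
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
  grep -q -- '-----END CERTIFICATE-----' "$1"
}

cert_count() { grep -c -- '-----END CERTIFICATE-----' "$1"; }  # blocks in a PEM file

# 0 if the first body line of $1 already appears verbatim in bundle $2
# (text heuristic; use the openssl check below for a real comparison).
already_in_bundle() {
  line=$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}' "$1")
  [ -n "$line" ] && grep -Fxq -- "$line" "$2"
}

# Concatenate a chain in the article's order (device, L2, L1, root) into $1,
# refusing any input that is not PEM. Usage: build_chain out.pem dev.crt ...
build_chain() {
  out="$1"; shift
  for f in "$@"; do is_pem_cert "$f" || { echo "not PEM: $f" >&2; return 1; }; done
  cat "$@" > "$out"
}

# Append cert file $1 to bundle $2 under a header like the article's example.
# A timestamped backup is taken first: an upgrade reverts cacert.pem anyway,
# and the backup lets you re-apply the entry afterwards.
add_ca_cert() {
  cert="$1"; bundle="${2:-$BUNDLE}"; label="${3:-Custom Certificate}"
  is_pem_cert "$cert" || { echo "not Base64 PEM: $cert" >&2; return 1; }
  if already_in_bundle "$cert" "$bundle"; then
    echo "already present in $bundle, nothing appended" >&2; return 0
  fi
  cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)" || return 1
  { printf '\n%s\n============================\n' "$label"; cat "$cert"; } >> "$bundle"
}

# With openssl installed: reject an expired cert (the article's third cause)
# and confirm device cert $1 chains to bundle $2 (cURL error 60 otherwise).
check_with_openssl() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  openssl x509 -in "$1" -noout -checkend 0 || { echo "expired: $1" >&2; return 1; }
  openssl verify -CAfile "$2" "$1"
}
```

Run `check_with_openssl device.crt /path/to/cacert.pem` after appending to confirm the chain resolves before re-running the wizard.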
