Host validation fails when a NetBackup client tries to connect to the master server.

Article: 100034092
Last Published: 2021-03-08
Ratings: 3 6
Product(s): NetBackup & Alta Data Protection

Problem

A NetBackup client is unable to use web services to connect to the master server.
Host validation fails when a NetBackup client tries to connect to the master server. (-or- in Option 1, How to add a new hostname 'alias' to the primary (master) Tomcat certificate.)

 

Error Message

The following error message is displayed where nb-master is a hostname of the NetBackup master server.

In case of NetBackup CA-signed certificates (host ID-based certificates)

nbcertcmd -getCACertificate -server nb-master.some.newdomain.com
The target server nb-master.some.newdomain.com could not be authenticated.
The server name does not match any of the host names listed in the server's certificate.
Names listed in the server's certificate are:
DNS:
nb-master_ext
DNS:
nb-master.some.domain.com
DNS:
nb-master_web_svr
nbcertcmd : The -getCACertificate operation failed for server nb-master.some.newdomain.com.
EXIT STATUS 8509: The specified server name was not found in the web service certificate.

In case of external CA-signed certificates

# nbcertcmd -enrollCertificate -preCheck -server nb-master.some.newdomain.com
The target server nb-master.some.newdomain.com could not be authenticated.
The server name does not match any of the host names listed in the server's certificate.
Names listed in the server's certificate are:
DNS: nb-master_ext
DNS: nb-master.some.domain.com
DNS: nb-master_web_svr 
nbcertcmd: The -enrollCertificate operation failed.
The external certificate enrollment pre-check failed for master server nb-master.some.newdomain.com.
EXIT STATUS 8509: The specified server name was not found in the web service certificate

 

Cause

The NetBackup clients that use web services to connect to the master server verify the hostnames before setting up a connection. The connection is successful when the hostname in the URI of the web service request matches with one of the names in the Tomcat web server SSL certificate.

During the NetBackup installation, master server names are detected and added to the Tomcat certificate. If the NetBackup client tries to connect using a hostname that is not included in the Tomcat certificate, the web service connection to that master server fails. If the client uses an alias instead of the actual hostname, the connection to the master server fails.

For hostname validation, the HTTP URI should be part of the SubAltName property of the Tomcat certificate.

Note: The validation of hosts during web service connection requests is an inherent behavior that is not controlled by NetBackup, and therefore a fix is highly unlikely. This behavior is found with NetBackup version 8.0 and later because of the way the Tomcat certificates are generated. The following document describes a few workarounds to solve the problem.

 

Solution

Option 1: Update the Tomcat certificate on the Master server. 
This option is useful if there are a large number of NetBackup Clients that might use an alias to connect to the master server.

In case of NetBackup CA-signed certificates (host ID-based certificates)

Use the nbcertconfig command to update the Tomcat certificate on the master server to use the hostname that the client uses to refer to the master server. 

  1. Update the existing Tomcat certificate by adding a new name to the certificate.
  2. Regenerate the Tomcat certificate to include the new name of the master server.
Important:
  • These steps are validated for adding plain-text hostnames or aliases. They would not work for adding IP addresses as aliases.
  • The nbcertconfig command overwrites the existing Tomcat certificate. So if you have already added any "Subject Alternative Name(s)" to the existing Tomcat certificate, you must append them to the nbcertconfig command.
  • Run the vxsslcmd command to retrieve the existing "Subject Alternative Name" and new changes after updating the file.

  • On UNIX, run the setupWmC command after running configureCerts to set the permission correctly for the web service user.
  • Please note that there is an "Options" section below which provides and explanation of the various parameters to be used in the commands.
Command
On a Windows master server, run the following commands:
  1. <install path>\bin\goodies\vxsslcmd.exe x509 -in <certificate_file_path> -noout -text
  2. set WEBSVC_password=<web_service_user_password>
  3. <install path>\NetBackup\bin\admincmd\nbcertconfig.exe -t -f -user <web_service_user> -sub "<existing Subject Alternative Name>,<master_server_alias>"
  4. <install path>\wmc\bin\install\configureCerts.bat
  5. <install path>\bin\goodies\vxsslcmd.exe x509  -fingerprint -issuer -subject -dates -noout -in <certificate_file_path> -noout -text

    *** Step Number 2 is optional on 8.1.1 and later because it prompts for the password

           *** Do not use the -f switch in step #3 in NetBackup 8.1 

On a UNIX master server, run the following commands:
  1. /usr/openv/netbackup/bin/goodies/vxsslcmd x509 -in <certificate_file_path> -noout -text
  2. /usr/openv/netbackup/bin/admincmd/nbcertconfig -t -f -sub "<existing Subject Alternative Name>,<master_server_alias>"
  3. /usr/openv/wmc/bin/install/configureCerts
  4. /usr/openv/wmc/bin/install/setupWmc
  5. /usr/openv/netbackup/bin/goodies/vxsslcmd x509 -fingerprint -issuer -subject -dates -noout -in <certificate_file_path> -noout -text
     

          ***Do not use the -f switch in step #2 in NetBackup 8.1

Note: The following warning is generated when running 'vxsslcmd' and can be safely ignored:

"WARNING: can't open config file: /usr/local/ssl/openssl.cnf"

Note: The following warning is generated when running ‘configureCerts’ and can be safely ignored:
"WARNING: The system cannot find the file <install path>\NetBackup\var\global\wsl\config\tomcat_config.”

Options
  • <certificate_file_path> is the path to the x509 digital certificate use for NetBackup Tomcat web service.
    For example:
    Windows: <install path>\var\global\vxss\tomcatcreds\nbwebsvc\certstore\<hash-host_name>!1556!nbatd!1556.0
    UNIX: /usr/openv/var/global/vxss/tomcatcreds/nbwebsvc/.VRTSat/profile/certstore/<hash-host_name>!1556!nbatd!1556.0

    Note: The nbwebsvc folder might be hidden in Windows.
    Note: Some UNIX/Linux shells will require single ( ' ) or double ( " ) qoutes around the path to the credentials file due to the exclamation mark ( ! ) in the path.
     
  • <existing Subject Alternative Name> is a comma-separated list of the SubjectAltNames that are part of the existing Tomcat certificate.
  • <master_server_alias> is the alias or the alternate name of the master server that you want to add.  Add more than one alias by separating them with a comma.
  • <web_service_user_password> is the password of the user account that is used to configure web services on the master server.
  • <web_service_user> is the name of the user account that is used to configure web services on the master server.

In case of external CA-signed certificates

Do the following: 

  1. Update the existing certificate by adding a new name to the SubjectAltNames or regenerate the certificate to include the new name of the master server.
  2. Run the vxsslcmd command to retrieve the existing SubjectAltNames.
  3. Run the the configureWebServerCerts command to configure newly updated certificate for the web server. 
  4. Restart the NetBackup Web Management Console service for the changes to take effect.
Command

On a Windows master server, run the following commands:

  1. <install path>\bin\goodies\vxsslcmd.exe x509 -in <certificate_file_path> -noout -text
  2. Update the existing certificate by adding a new name to the SubjectAltNames or Regenrate the certificate to include the new name of the master server.
  3. <install path>\wmc\bin\install\configureWebServerCerts.bat -addExternalCert -all -certPath <certificate_path> -privateKeyPath <private_key_path> -trustStorePath <trust_store_path>
  4. Restart the NetBackup Web Management Console service.

On a UNIX master server, run the following commands:

  1. /usr/openv/netbackup/bin/goodies/vxsslcmd x509 -in <certificate_file_path> -noout -text
  2. Update the existing certificate by adding a new name to the SubjectAltNames or Regenrate the certificate to include the new name of the master server.
  3. /usr/openv/wmc/bin/install/configureWebServerCerts -addExternalCert -all -certPath <certificate_path> -privateKeyPath <private_key_path> -trustStorePath <trust_store_path> 
  4. /usr/openv/netbackup/bin/nbwmc –terminate; /usr/openv/netbackup/bin/nbwmc –start

Note: The following warning is generated when running 'vxsslcmd' and can be safely ignored:
"WARNING: can't open config file: /usr/local/ssl/openssl.cnf"


Option 2: Update the configuration on the NetBackup Client so that it uses one of the names present in the Tomcat certificate to refer to the master server.

This option is useful if only a single NetBackup client or very few NetBackup clients use this alias.

For more information, refer to the following topic:
SERVER option for NetBackup clients

Reference articles:

NetBackup security certificate cannot be deployed on the master server host - https://www.veritas.com/docs/100032859
For more details on security certificates in NetBackup, refer to the NetBackup Security and Encryption Guide.

Disclaimer:

External certificate authority (CA) support is added in NetBackup 8.1.2.1, which is a limited release. For more information on the external CA support in NetBackup, contact the Veritas Technical Support team.

 

Was this content helpful?