Problem
A NetBackup client is unable to use web services to connect to the master server.
Host validation fails when a NetBackup client tries to connect to the master server. (Option 1 below also covers how to add a new hostname alias to the primary (master) server's Tomcat certificate.)
Error Message
The following error message is displayed, where nb-master is the hostname of the NetBackup master server.
In case of NetBackup CA-signed certificates (host ID-based certificates)
# nbcertcmd -getCACertificate -server nb-master.some.newdomain.com
The target server nb-master.some.newdomain.com could not be authenticated.
The server name does not match any of the host names listed in the server's certificate.
Names listed in the server's certificate are:
DNS: nb-master_ext
DNS: nb-master.some.domain.com
DNS: nb-master_web_svr
nbcertcmd : The -getCACertificate operation failed for server nb-master.some.newdomain.com.
EXIT STATUS 8509: The specified server name was not found in the web service certificate.
In case of external CA-signed certificates
# nbcertcmd -enrollCertificate -preCheck -server nb-master.some.newdomain.com
The target server nb-master.some.newdomain.com could not be authenticated.
The server name does not match any of the host names listed in the server's certificate.
Names listed in the server's certificate are:
DNS: nb-master_ext
DNS: nb-master.some.domain.com
DNS: nb-master_web_svr
nbcertcmd: The -enrollCertificate operation failed.
The external certificate enrollment pre-check failed for master server nb-master.some.newdomain.com.
EXIT STATUS 8509: The specified server name was not found in the web service certificate.
Cause
NetBackup clients that use web services to connect to the master server perform TLS hostname verification before the connection is established. The connection succeeds only when the hostname in the URI of the web service request matches one of the names in the Tomcat web server SSL certificate.
During NetBackup installation, the master server names are detected and added to the Tomcat certificate. If a NetBackup client connects using a hostname that is not included in the Tomcat certificate, the web service connection to that master server fails. In particular, if the client refers to the master server by an alias (for example, a different DNS name or a name in another domain) instead of a name that was present at installation time, the connection fails.
For hostname validation to succeed, the hostname in the HTTPS URI must be listed as a Subject Alternative Name (SAN) entry of the Tomcat certificate. Note that the names are listed as DNS entries, so an IP address used in the URI is not matched by them.
Note: Validating the server name against the certificate during a web service connection is standard TLS behavior that is not controlled by NetBackup, so this behavior will not be changed. It is seen with NetBackup version 8.0 and later because of the way the Tomcat certificates are generated. The following document describes a few workarounds to solve the problem.
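To make the check described above concrete, here is an added example (it is not code from this article or from NetBackup) that parses the name list nbcertcmd prints on failure and applies the same kind of match that the web server's hostname verification does. The sample output is constructed from the error text shown earlier on this page. The matching rules assumed here are the standard TLS ones: a case-insensitive exact match of a DNS name, a single-label wildcard match, and an IP literal that can only be satisfied by an IP Address entry, never by a DNS entry; the function and variable names are the example's own.

```python
"""Check the server name a NetBackup client used against the names that
nbcertcmd reports from the master server's Tomcat (web service) certificate.

Added example, not part of the Veritas article or of NetBackup.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the nbcertcmd failure text shown on this page.
SAMPLE_NBCERTCMD_OUTPUT = """\
The target server nb-master.some.newdomain.com could not be authenticated.
The server name does not match any of the host names listed in the server's certificate.
Names listed in the server's certificate are:
DNS: nb-master_ext
DNS: nb-master.some.domain.com
DNS: nb-master_web_svr
nbcertcmd : The -getCACertificate operation failed for server nb-master.some.newdomain.com.
EXIT STATUS 8509: The specified server name was not found in the web service certificate.
"""

_SAN_LINE = re.compile(r"^\s*(DNS|IP(?: Address)?)\s*:\s*(\S+)\s*$")
_TARGET_LINE = re.compile(r"The target server (\S+) could not be authenticated")


def parse_san_list(output: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs, kind in {"DNS", "IP"}, for the SAN lines nbcertcmd printed."""
    sans = []
    for line in output.splitlines():
        m = _SAN_LINE.match(line)
        if m:
            kind = "IP" if m.group(1).startswith("IP") else "DNS"
            sans.append((kind, m.group(2)))
    return sans


def parse_target_server(output: str) -> str:
    """Extract the server name the client actually used from the failure text."""
    m = _TARGET_LINE.search(output)
    if not m:
        raise ValueError("no 'target server ... could not be authenticated' line found")
    return m.group(1)


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is an FQDN marker, not part of the name.
    return name.rstrip(".").lower()


def _dns_match(pattern: str, target: str) -> bool:
    """Exact match, or a wildcard in the leftmost label covering exactly one label."""
    p, t = _norm(pattern), _norm(target)
    if p == t:
        return True
    if p.startswith("*."):
        suffix = p[1:]  # e.g. ".some.domain.com"
        head = t[: -len(suffix)] if t.endswith(suffix) else None
        return bool(head) and "." not in head
    return False


def hostname_matches(server_name: str, sans: List[Tuple[str, str]]) -> bool:
    """True if server_name is covered by the certificate's SAN entries."""
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only satisfied by an IP Address SAN; DNS entries never match it,
        # which is why adding an IP address as a DNS alias does not help.
        for kind, value in sans:
            if kind == "IP":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue
        return False
    return any(kind == "DNS" and _dns_match(value, server_name) for kind, value in sans)


def diagnose(output: str) -> Dict[str, object]:
    """Summarise a failure: which name was used, whether it matches, and which names would."""
    sans = parse_san_list(output)
    target = parse_target_server(output)
    return {
        "target": target,
        "matches": hostname_matches(target, sans),
        # Any of these can be used as the SERVER entry on the client (Option 2 below).
        "usable_names": [value for kind, value in sans if kind == "DNS"],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_NBCERTCMD_OUTPUT))
```

Run it on the captured nbcertcmd output and `usable_names` lists the names that a client could use instead of the alias; if the name the client needs is absent, Option 1 is the route to take.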
Solution
Option 1: Update the Tomcat certificate on the Master server.
This option is useful if there are a large number of NetBackup Clients that might use an alias to connect to the master server.
In case of NetBackup CA-signed certificates (host ID-based certificates)
Use the nbcertconfig command to update the Tomcat certificate on the master server so that it includes the hostname the client uses to refer to the master server.
- Update the existing Tomcat certificate by adding the new name to it.
- Regenerate the Tomcat certificate so that it includes the new name of the master server.
- These steps are validated for adding plain-text hostnames or aliases. They do not work for adding IP addresses as aliases.
- The nbcertconfig command overwrites the existing Tomcat certificate. If you have already added any Subject Alternative Name(s) to the existing Tomcat certificate, you must pass them to the nbcertconfig command again along with the new name, or they are lost.
Run the vxsslcmd command to list the existing Subject Alternative Names before the update, and run it again afterwards to confirm that the certificate now contains both the old names and the new one.
- On UNIX, run the setupWmC command after running configureCerts to set the permissions correctly for the web service user.
- Please note that the "Options" section below provides an explanation of the various parameters used in the commands.
Command
On a Windows master server, run the following commands:
*** Do not use the -f switch in step #3 in NetBackup 8.1
On a UNIX master server, run the following commands:
*** Do not use the -f switch in step #2 in NetBackup 8.1
Note: The following warning is generated when running 'vxsslcmd' and can be safely ignored:
Note: The following warning is generated when running 'configureCerts' and can be safely ignored:
Options
In case of external CA-signed certificates
Do the following:
- Update the existing certificate by adding the new name to its Subject Alternative Names, or regenerate the certificate so that it includes the new name of the master server.
- Run the vxsslcmd command to retrieve the existing Subject Alternative Names so that none of them are dropped from the updated certificate.
- Run the configureWebServerCerts command to configure the newly updated certificate for the web server.
- Restart the NetBackup Web Management Console service for the changes to take effect.
Command
On a Windows master server, run the following commands:
On a UNIX master server, run the following commands:
Note: The following warning is generated when running 'vxsslcmd' and can be safely ignored:
Option 2: Update the configuration on the NetBackup client so that it refers to the master server by one of the names present in the Tomcat certificate (for example, one of the DNS names listed in the error message above).
This option is useful if only a single NetBackup client, or very few NetBackup clients, use this alias.
For more information, refer to the following topic:
SERVER option for NetBackup clients
Reference articles:
NetBackup security certificate cannot be deployed on the master server host - https://www.veritas.com/docs/100032859
For more details on security certificates in NetBackup, refer to the NetBackup Security and Encryption Guide.
Disclaimer:
External certificate authority (CA) support is added in NetBackup 8.1.2.1, which is a limited release. For more information on the external CA support in NetBackup, contact the Veritas Technical Support team.