Problem
If a NetBackup 8.1 client has been backed up by an 8.1 master server, and then the client is reinstalled, a re-issue token must be created to allow the client to communicate securely with the same master server.
Error Message
Reinstall of a NetBackup 8.1 client shows this message in install progress output.
NOTE: Depending on the network, this action may take a few minutes.
To continue without setting up secure communication, press Ctrl+C.
nbcertcmdtool: The -getCertificate operation failed for server client.domain.com.
EXIT STATUS 5940:Reissue token is mandatory, please provide a reissue token.
An authorization token is required in order to get the host certificate for this host. At the prompt, enter the authorization token or q to skip the question.
NOTE: The authorization token entered will not be displayed to the terminal. Enter the authorization token for client or q to skip:
The NetBackup Security Service (nbwebservice. OID 466) log will show a message similar to the following:
CertificateServiceImpl Certificate is in ACTIVE state and request is with different public key, should use reissue,host: client [Info] com.netbackup.security.certificate.service.CertificateServiceImpl No token has been sent for the request, host: client
Cause
The master server knows this client by another certificate. The reissue token tells the master server this is a valid client.
Solution
Generate a new token using the master GUI:
- Click on Security Management --> Certificate Management
The known clients will be listed under Host. - Right click on the host that was reinstalled, select Generate Reissue Token
- Provide the Token Name and select Create.
- Copy the reissue token to clipboard
- On the client, restart the installation.
- When prompted by the installer, enter the re-issue token into the install window. It is recommended to use copy/paste to avoid confusion.
Note: The re-issue token will not display.- On Unix/Linux, there is no indication that any characters are being typed.
- On Windows, an asterisk (*) will be added for each character typed.
Alternatively: It is possible to skip the local host ID-based certificate during the installation.
- After the installation has finished, the token can be generated by executing:
nbcertcmd -getcertificate -token <token_ID>
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\
OR
- To create Token from the primary server run:
bpnbat -login -logintype web
Note: Complete the login to be allowed to run nbcertcmd commands.
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\ Then run command:
nbcertcmd.exe -createToken -reissue -host clientname -server primary-server-name -name token_name
Finally, from the client itself:
nbcertcmd.exe -getCertificate -token xxxxxxxxxxxxxxxx -force
Note: If the token issue is for Master server, we create a token for Master server and re-issue.