How to re-issue a token on a NetBackup 8.1.x client that has been reinstalled

Article: 100039700
Last Published: 2022-05-31
Ratings: 25 10
Product(s): NetBackup & Alta Data Protection

Problem

If a NetBackup 8.1 client has been backed up by an 8.1 master server, and then the client is reinstalled, a re-issue token must be created to allow the client to communicate securely with the same master server.

Error Message

Reinstall of a NetBackup 8.1 client shows this message in install progress output.

NOTE: Depending on the network, this action may take a few minutes.
To continue without setting up secure communication, press Ctrl+C.

nbcertcmdtool: The -getCertificate operation failed for server client.domain.com.
EXIT STATUS 5940:Reissue token is mandatory, please provide a reissue token.

An authorization token is required in order to get the host certificate for this host. At the prompt, enter the authorization token or q to skip the question.
NOTE: The authorization token entered will not be displayed to the terminal. Enter the authorization token for client or q to skip:

The NetBackup Security Service (nbwebservice. OID 466) log will show a message similar to the following:

CertificateServiceImpl Certificate is in ACTIVE state and request is with different public key, should use reissue,host: client [Info] com.netbackup.security.certificate.service.CertificateServiceImpl No token has been sent for the request, host: client

Cause

The master server knows this client by another certificate. The reissue token tells the master server this is a valid client.

Solution

Generate a new token using the master GUI:

  1. Click on Security Management --> Certificate Management
    The known clients will be listed under Host.
  2. Right click on the host that was reinstalled, select Generate Reissue Token
    User-added image
  3. Provide the Token Name and select Create.
    User-added image
  4. Copy the reissue token to clipboard
  5. On the client, restart the installation.
  6. When prompted by the installer, enter the re-issue token into the install window. It is recommended to use copy/paste to avoid confusion.
     
    Note: The re-issue token will not display.
    • On Unix/Linux, there is no indication that any characters are being typed.
    • On Windows, an asterisk (*) will be added for each character typed.

Alternatively: It is possible to skip the local host ID-based certificate during the installation.

  • After the installation has finished, the token can be generated by executing:
    nbcertcmd -getcertificate -token <token_ID>

    On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
    On Windows systems, the directory path to this command is install_path\NetBackup\bin\

OR

  • To create Token from the primary server run:
    bpnbat -login -logintype web

    Note: Complete the login to be allowed to run nbcertcmd commands.
     
    On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
    On Windows systems, the directory path to this command is install_path\NetBackup\bin\

  • Then run command:
    nbcertcmd.exe -createToken -reissue -host clientname -server primary-server-name -name token_name

  • Finally, from the client itself:
    nbcertcmd.exe -getCertificate -token xxxxxxxxxxxxxxxx -force

    Note: If the token issue is for Master server, we create a token for Master server and re-issue.

 

Was this content helpful?