How to resolve communication problems due to certificate errors after upgrading to 8.1 from a previously re-installed 8.0 host

Article: 100039733
Last Published: 2021-09-30
Product(s): NetBackup & Alta Data Protection

Problem

Upon upgrading to NetBackup 8.1, a host that has had NetBackup 8.0 installed on it more than once may fail to communicate with other NetBackup 8.1 hosts. To confirm this is the problem, run the following command:

Windows: install_path\netbackup\bin\nbcertcmd -hostselfcheck -server mymaster
Unix/Linux: install_path/netbackup/bin/nbcertcmd -hostselfcheck -server mymaster

If the output is as follows, then the host lacks a host ID certificate.

Unable to read CRL for server = mymaster, error = 12.
Unable to read certificate.
EXIT STATUS 5949: Certificate does not exist.

Error Message

Backup jobs may fail with messages in the job details such as the following:

Error bpbrm (pid=8585304) [PROXY] Connecting host: client.example.com
Error bpbrm (pid=8585304) [PROXY] ConnectionId: {7BE360CE-810C-11E7-9FA8-287C08F20000}:OUTBOUND
Error bpbrm (pid=8585304) [PROXY] pid: 12452086
Error bpbrm (pid=8585304) [PROXY] Received status: 7660 with message Unable to read the certificate mapping file.
Error bpbrm (pid=8585304) The peer proxy on host (client.example.com) failed to find usable certificates. Certificates may not have been successfully deployed.
Error bpbrm (pid=8585304) [PROXY] Encountered error (CERT_PROTOCOL_SELECT_COMMON_CA_ROOT) while processing(CertProtocol).
Error bpbrm (pid=8585304) bpcd on client.example.com exited with status 7660: The peer proxy cannot find usable certificates for the certificate protocol

Running bptestbpcd may fail with similar messages:

[root@master.example.com] # /usr/openv/netbackup/bin/admincmd/bptestbpcd -verbose -host client.example.com
<16>bptestbpcd main: Function ConnectToBPCD(client.example.com) failed: 7660
<16>bptestbpcd main: The peer proxy cannot find usable certificates for the certificate protocol
<16>bptestbpcd main: Unable to read the certificate mapping file.: 12 The peer proxy on host (client.example.com) failed to find usable certificates.
Certificates may not have been successfully deployed.: 7660 [PROXY] Encountered error (CERT_PROTOCOL_SELECT_COMMON_CA_ROOT) while processing(CertProtocol).: 4
The peer proxy cannot find usable certificates for the certificate protocol
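
To triage many failed jobs at once, the Python below scans job-detail text for the status 7660 messages shown above and lists the hosts to confirm with the self-check, and it recognizes EXIT STATUS 5949 in saved nbcertcmd -hostselfcheck output. It is an added example, not Veritas code: the function names are hypothetical, and the client2 and client3 sample lines are constructed.

```python
import re
from collections import defaultdict

# Message formats copied from the job details and self-check output in this article.
CONNECTING = re.compile(r"\(pid=(\d+)\) \[PROXY\] Connecting host: (\S+)")
STATUS_7660 = re.compile(r"\(pid=(\d+)\) \[PROXY\] Received status: 7660\b")
PEER_FAILED = re.compile(r"peer proxy on host \(([^)]+)\) failed to find usable certificates")
BPCD_7660 = re.compile(r"bpcd on (\S+) exited with status 7660\b")

# The first four lines are from the article; client2/client3 lines are constructed.
SAMPLE_JOB_DETAILS = """\
Error bpbrm (pid=8585304) [PROXY] Connecting host: client.example.com
Error bpbrm (pid=8585304) [PROXY] Received status: 7660 with message Unable to read the certificate mapping file.
Error bpbrm (pid=8585304) The peer proxy on host (client.example.com) failed to find usable certificates. Certificates may not have been successfully deployed.
Error bpbrm (pid=8585304) bpcd on client.example.com exited with status 7660: The peer proxy cannot find usable certificates for the certificate protocol
Error bpbrm (pid=4242) [PROXY] Connecting host: client2.example.com
Error bpbrm (pid=4242) [PROXY] Received status: 7660 with message Unable to read the certificate mapping file.
Error bpbrm (pid=5151) [PROXY] Connecting host: client3.example.com
""".splitlines()

SAMPLE_SELFCHECK = "Unable to read certificate.\nEXIT STATUS 5949: Certificate does not exist.\n"


def hosts_missing_certificates(job_detail_lines):
    """Map each host reporting status 7660 to the sorted evidence seen for it."""
    evidence = defaultdict(set)
    connecting = {}  # bpbrm pid -> host named in that pid's "Connecting host" line
    for line in job_detail_lines:
        if m := CONNECTING.search(line):
            connecting[m.group(1)] = m.group(2)
        if (m := STATUS_7660.search(line)) and m.group(1) in connecting:
            evidence[connecting[m.group(1)]].add("proxy-status-7660")
        if m := PEER_FAILED.search(line):
            evidence[m.group(1)].add("peer-no-usable-certificates")
        if m := BPCD_7660.search(line):
            evidence[m.group(1)].add("bpcd-exit-7660")
    return {host: sorted(tags) for host, tags in evidence.items()}


def selfcheck_lacks_certificate(selfcheck_output):
    """True when saved nbcertcmd -hostselfcheck output reports EXIT STATUS 5949."""
    return re.search(r"EXIT STATUS 5949\b", selfcheck_output) is not None


if __name__ == "__main__":
    for host, tags in hosts_missing_certificates(SAMPLE_JOB_DETAILS).items():
        print(f"{host}: {', '.join(tags)} -> run the self-check on this host")
    print("self-check lacks certificate:", selfcheck_lacks_certificate(SAMPLE_SELFCHECK))
```

A host is only a candidate until nbcertcmd -hostselfcheck on that host returns EXIT STATUS 5949.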

Cause

At version 8.0, non-master-server NetBackup hosts automatically and silently request host certificates from the master server.

When the host was new, the master server accepted the request and issued a certificate to the host. Later, something happened to the host that required it to be re-installed. Whatever the event, it likely included the host losing the original certificate.

When the host was re-installed, it requested a host certificate from the master server, as usual. However, this time the master server had records indicating that it had already issued a certificate to the requesting host, and so it denied the request. A certificate request requires a reissue token in this case, but the automatic request that the host sends does not include reissue tokens (or any other kind of authentication token).

Although the re-installed host had no certificate, backups and restores continued to work normally because they do not require host certificates to function. The lack of a certificate went unnoticed until the host was upgraded. NetBackup 8.1 requires host ID certificates to communicate with non-back-level hosts.

Solution

Generate a reissue token on the master server for the host in question. Please refer to the Veritas NetBackup Security and Encryption Guide for details on how to generate reissue tokens.

On the host in question, run the nbcertcmd command below and enter the reissue token when prompted. The reissue token will not be echoed to the terminal when you type it.

Example Command:

nbcertcmd -getCertificate -host servername.example.com -server master.example.com -force -token

Windows: install_path\NetBackup\bin\nbcertcmd
Unix/Linux: install_path/netbackup/bin/nbcertcmd

Example Output:

Authorization Token: [Type or paste in the uppercase, 16-character token]
Host certificate and certificate revocation list received successfully from server master.example.com.

For details and alternative methods of running nbcertcmd, please refer to How to manually obtain a host ID certificate and follow the instructions to request a host certificate using a reissue token.

Note: If you receive an error, refer to the articles below:

EXIT STATUS 5989: Reissue token is mandatory as a certificate is already issued to this host.
Revoke the existing certificate if it is active and map this host name to the associated host ID.

 
