How to resolve communication problems due to certificate errors after upgrading to 8.1 from a previously re-installed 8.0 host

How to resolve communication problems due to certificate errors after upgrading to 8.1 from a previously re-installed 8.0 host

Article: 100039733
Last Published: 2021-09-30
Ratings: 18 34
Product(s): NetBackup

Problem

Upon upgrading to NetBackup 8.1, a host that has had NetBackup 8.0 installed on it more than once may fail to communicate with other NetBackup 8.1 hosts. To confirm this is the problem, run the following command:

Windows: <install_path>\netbackup\bin\nbcertcmd -hostselfcheck -server mymaster
Unix:  <install_path>/netbackup/bin/nbcertcmd -hostselfcheck -server mymaster

If the output is as follows, then the host lacks a host ID certificate.

Unable to read CRL for server = mymaster, error = 12.Unable to read certificate.EXIT STATUS 5949: Certificate does not exist.

 

Error Message

Backup jobs may fail with messages in the job details such as the following:

Error bpbrm (pid=8585304) [PROXY] Connecting host: client.example.comError bpbrm (pid=8585304) [PROXY] ConnectionId: {7BE360CE-810C-11E7-9FA8-287C08F20000}:OUTBOUNDError bpbrm (pid=8585304) [PROXY] pid: 12452086Error bpbrm (pid=8585304) [PROXY] Received status: 7660 with message Unable to read the certificate mapping file.Error bpbrm (pid=8585304) The peer proxy on host (client.example.com) failed to find usable certificates. Certificates may not have been successfully deployed.Error bpbrm (pid=8585304) [PROXY] Encountered error (CERT_PROTOCOL_SELECT_COMMON_CA_ROOT) while processing(CertProtocol).Error bpbrm (pid=8585304) bpcd on client.example.com exited with status 7660: The peer proxy cannot find usable certificates for the certificate protocol

Running bptestbpcd may fail with similar messages:

[root@master.example.com] # /usr/openv/netbackup/bin/admincmd/bptestbpcd -verbose -host client.example.com<16>bptestbpcd main: Function ConnectToBPCD(client.example.com) failed: 7660<16>bptestbpcd main: The peer proxy cannot find usable certificates for the certificate protocol<16>bptestbpcd main: Unable to read the certificate mapping file.: 12 The peer proxy on host (client.example.com) failed to find usable certificates. Certificates may not have been successfully deployed.: 7660 [PROXY] Encountered error (CERT_PROTOCOL_SELECT_COMMON_CA_ROOT) while processing(CertProtocol).: 4The peer proxy cannot find usable certificates for the certificate protocol

 

Cause

At version 8.0, non-master-server NetBackup hosts automatically and silently request host certificates from the master server.

When the host was new, the master server accepted the request and issued a certificate to the host. Later, something happened to the host that required it to be re-installed. Whatever the event, it likely included the host losing the original certificate.

When the host was re-installed, it requested a host certificate from the master server, as usual. However, this time the master server had records indicating that it had already issued a certificate to the requesting host, and so it denied the request. A certificate request requires a reissue token in this case, but the automatic request that the host sends does not include reissue tokens (or any other kind of authentication token).

Although the re-installed host had no certificate, backups and restores continued to work normally because they do not require host certificates to function. The lack of a certificate went unnoticed until the host was upgraded. NetBackup 8.1 requires host ID certificates to communicate with non-back-level hosts.

 

Solution

Generate a reissue token on the master server for the host in question. Please refer to the Veritas NetBackup Security and Encryption Guide for details on how to generate reissue tokens.

On the host in question, run the nbcertcmd command below and enter the reissue token when prompted. The reissue token will not be echoed to the terminal when you type it.

nbcertcmd -getCertificate -host servername.example.com -server master.example.com -force -token

Windows: <install_path>\netbackup\bin\nbcertcmd
Unix: <install_path>/netbackup/bin/nbcertcmd

Resulting output:

Authorization Token: [Type or paste in the uppercase, 16-character token] Host certificate and certificate revocation list received successfully from server master.example.com.

For details and alternative methods of running nbcertcmd, please refer to How to manually obtain a host ID certificate and follow the instructions to request a host certificate using a reissue token.

Note : If you receive error, refer below given articles :

EXIT STATUS 5989: Reissue token is mandatory as a certificate is already issued to this host.

Revoke the existing certificate if it is active and map this host name to the associated host ID.

https://www.veritas.com/support/en_US/article.100041609

https://www.veritas.com/support/en_US/article.100047465

Was this content helpful?