Additional steps needed to deploy certificates on the inactive nodes of a cluster after the install or upgrade to NetBackup 8.1.

Article: 100039875
Last Published: 2017-09-17
Product(s): NetBackup

Problem

After the install or upgrade to NetBackup 8.1 completes on the inactive nodes of a clustered master server, additional steps may need to be performed. On Windows systems, the following message is displayed to highlight that additional steps are required:
Warning: You may need to issue host ID-based/host name-based 
         certificates for each cluster node. For details, refer to KB: 100039650


On UNIX systems, no such message is displayed at the end of the install. The additional steps to deploy certificates still need to be performed on all platforms.

Error Message

No error messages are displayed.

Cause

Due to the new security enhancements in NetBackup 8.1, host certificates need to be created before NetBackup can be used.

Solution

The additional steps that must be performed on the inactive node(s) of a clustered master server are documented in the NetBackup version 8.1 Installation Guide, in the section titled "Generate a certificate on the inactive nodes of a clustered master server".

Those steps are listed here as well:

1. (Conditional) Add all inactive nodes to the cluster.
If not all of the nodes are currently part of the cluster, start by adding them to the cluster. Consult your operating system cluster instructions for assistance with this process.

2. Run the nbcertcmd command to store the Certificate Authority certificate on the inactive node.
UNIX: /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
Windows: <install_path>\NetBackup\bin\nbcertcmd -getCACertificate

3. Run the nbcertcmd command to generate the host certificate on the inactive node.
nbcertcmd -getCertificate

4. (Conditional) If the nbcertcmd -getCertificate command fails with an error message indicating that a token is needed, you need a token from the Certificate Authority. Use the steps that are shown to get and correctly use the token.
  • On the active node, use the bpnbat command as shown to authorize the necessary changes. When you are prompted for the authentication broker, enter the virtual server name, not the local node name.

    bpnbat -login -loginType WEB
     
  • On the active node, use the nbcertcmd command to create a token.

    nbcertcmd -createToken -name token_name

    The token name is not important to this procedure. When the command runs, it displays the token string value. Note this value as it is necessary for the next command.
     
  • On the inactive node, use the authorization token with the nbcertcmd command to store the host certificate.
     
    nbcertcmd -getCertificate -token
     
    This command prompts you for the token string value. Enter the token string from the nbcertcmd -createToken command.
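
The sequence in steps 2 through 4 for an inactive UNIX node, as an added example that is not part of the original article or Veritas code. The function name deploy_node_cert, the NBCERTCMD variable and the return codes are assumptions made for this example; only the nbcertcmd and bpnbat options shown in the steps above are used.

```shell
#!/bin/sh
# Added example, not Veritas code: wraps steps 2-4 on an inactive UNIX node.
# NBCERTCMD, deploy_node_cert and the return codes are names chosen here.
NBCERTCMD="${NBCERTCMD:-/usr/openv/netbackup/bin/nbcertcmd}"

# Usage: deploy_node_cert          (steps 2 and 3)
#        deploy_node_cert token    (step 4 only, after step 3 reported that
#                                   a token is needed)
# Returns 0 on success, 2 if nbcertcmd is missing, 3 if the CA certificate
# could not be stored, 4 if the host certificate request failed.
deploy_node_cert() {
    mode="${1:-plain}"

    if [ ! -x "$NBCERTCMD" ]; then
        echo "nbcertcmd not found at $NBCERTCMD" >&2
        return 2
    fi

    if [ "$mode" = "token" ]; then
        # Step 4: the command prompts for the token string, so the token is
        # never passed on the command line or saved in shell history.
        "$NBCERTCMD" -getCertificate -token && return 0
        echo "Step 4 failed: check the token created on the active node." >&2
        return 4
    fi

    # Step 2: store the Certificate Authority certificate on this node.
    # stdin stays attached so any prompt from the command reaches the operator.
    if ! "$NBCERTCMD" -getCACertificate; then
        echo "Step 2 failed: CA certificate not stored; stopping." >&2
        return 3
    fi

    # Step 3: request the host certificate without a token.
    "$NBCERTCMD" -getCertificate && return 0
    echo "Step 3 failed. If the error above says a token is needed:" >&2
    echo "  active node:   bpnbat -login -loginType WEB" >&2
    echo "  active node:   nbcertcmd -createToken -name token_name" >&2
    echo "  inactive node: deploy_node_cert token" >&2
    return 4
}
```

Source the file on the inactive node and call deploy_node_cert; the function stops at the first failing step so a host certificate is never requested before the CA certificate has been stored.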

Additional information about certificates is available in the section on deploying certificates on master server nodes in the Veritas NetBackup Security and Encryption Guide.

The steps needed are also documented in article 000127129 (see Related Articles link).

References

Etrack : 3928960