What 'nbcertcmd -deleteCertificate' does

Article: 100041506
Last Published: 2018-01-08
Product(s): NetBackup & Alta Data Protection

Problem

Successful execution of 'nbcertcmd -deleteCertificate -hostID host_id' does not remove the host's entries from the Host Management or Certificate Management tables in the NetBackup Administration Console.

Veritas documents the use of the '-deleteCertificate' switch as follows in the NetBackup Security and Encryption Guide; refer to the section on Deleting host ID-based certificates:

Use this topic to manually delete the host ID-based certificate of a NetBackup host. You may need to delete certificates in certain scenarios, for example: A NetBackup host is moved from one NetBackup domain to another NetBackup domain. In this scenario, the current host ID-based certificate needs to be deleted and the host must have a certificate issued by the new Certificate Authority (CA), which is the new master server.

Error Message

Sometimes, running 'nbcertcmd -deleteCertificate -hostID host_id' results in the following:

C:\Program Files\Veritas\NetBackup\bin> nbcertcmd -deleteCertificate -hostID 6164fddd-6b8c-475d-94b8-3b35d750cd26
Deleting security certificates can adversely impact the NetBackup functionality.
Do you want to proceed? (y/n) y
Failed to delete certificate.
EXIT STATUS 114: unimplemented error code 114

Cause

It is important to understand what the 'nbcertcmd -deleteCertificate -hostID host_id' command does versus what it does not do: it is a client-local operation and never touches the Master Server's tables.

Solution

The command 'nbcertcmd -deleteCertificate -hostID host_id' is designed to be run on a NetBackup Client. The operation examines the local certificate store for a certificate matching the specified hostID and, if one is found, deletes it from the local disk. The command does not connect to any Master Server service. The NetBackup Master Server's database of known hosts (Host Management table) and known certificates (Certificate Management table) is unaltered by the command's execution, which is why the host remains listed in the Host Management and Certificate Management tables.

If no certificate matching the specified hostID is found in the local certificate store, the command produces EXIT STATUS 114 (as seen in the transcript above). This exit status therefore indicates a missing local certificate, not a failure to reach the Master Server.

Currently, it is not possible to remove entries from either the Host Management or Certificate Management tables. If a NetBackup host is moved from one NetBackup Master Server to another, or is decommissioned entirely, its entries still cannot be removed from either table. The recommended practice is to Revoke the certificate from the Certificate Management table and add an appropriate Comment to the host's entry on the Host Management table describing why the certificate has been Revoked.

The reason entries cannot be removed from these tables is a security measure. When a host is newly introduced to a Master Server, depending on the configuration, it is possible for the host to be added to the list of known hosts (Host Management) automatically, without human interaction. Revoking a host's certificate causes that known host to become untrusted: if a host with that name and/or the known Revoked certificate attempts to connect, the Master Server knows not to trust it and refuses the connection. To re-establish trust with the host, a human must create a reissue token, and that token must be used to re-establish the trust, thereby clearing the Revoked state of the host's certificate.

If instead a formerly untrusted (Revoked) host were entirely removed from those tables, and the host then attempted a connection to the Master Server, the trust relationship would be handled the way all new client trusts are handled (based upon the configuration). This could happen without the awareness of the NetBackup Administrator, which is not always desired.
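The two behaviours described in this Solution (a client-local delete that returns 114 when the hostID is absent from the local store, and a Master Server that refuses a Revoked host but would silently re-admit a removed one under an automatic-enrolment configuration) can be modelled in a few lines. The following Python is an added illustration written for this article, not Veritas code: the LocalCertStore and MasterServer classes, the auto_enrol flag and the token format are assumptions that stand in for NetBackup's actual configuration and reissue-token workflow, and the hostID is the one from the transcript above.

```python
"""Toy model of the trust behaviour this article describes.

Added illustration, not Veritas code: LocalCertStore, MasterServer, the
auto_enrol flag and the token handling are assumptions that stand in for
NetBackup's real configuration and reissue-token workflow.
"""
from dataclasses import dataclass

EXIT_OK = 0
EXIT_NOT_FOUND = 114   # exit status shown in the article when the hostID is not in the local store


@dataclass
class CertRecord:
    host_id: str
    host_name: str
    revoked: bool = False
    comment: str = ""


class LocalCertStore:
    """Client side: the only thing 'nbcertcmd -deleteCertificate' touches."""

    def __init__(self, certs):
        self._certs = {c.host_id: c for c in certs}

    def delete_certificate(self, host_id):
        # Purely local: the master server is never contacted, so its tables are untouched.
        if host_id not in self._certs:
            return EXIT_NOT_FOUND
        del self._certs[host_id]
        return EXIT_OK


class MasterServer:
    """Master side: Host Management and Certificate Management tables."""

    def __init__(self, auto_enrol):
        self.auto_enrol = auto_enrol   # assumed knob: admit unknown hosts without a token
        self.hosts = {}                # host_id -> CertRecord
        self.tokens = {}               # reissue token -> host_id it was created for

    def enrol(self, host_id, host_name):
        self.hosts[host_id] = CertRecord(host_id, host_name)

    def revoke(self, host_id, comment):
        rec = self.hosts[host_id]
        rec.revoked = True
        rec.comment = comment          # the Comment the article recommends adding

    def create_reissue_token(self, host_id):
        # Requires an administrator's action; the token string format is a placeholder.
        token = "reissue-" + host_id[:8]
        self.tokens[token] = host_id
        return token

    def remove_entry(self, host_id):
        # NetBackup does not offer this; modelled only to show why it would be unsafe.
        self.hosts.pop(host_id, None)

    def connect(self, host_id, host_name, token=None):
        """Decide whether to trust a connecting host. Returns (accepted, reason)."""
        rec = self.hosts.get(host_id)
        if rec is None:
            # Unknown host: treated like any brand-new client, per configuration.
            if self.auto_enrol:
                self.enrol(host_id, host_name)
                return True, "auto-enrolled without administrator interaction"
            return False, "unknown host and auto-enrol is disabled"
        if rec.revoked:
            if token is not None and self.tokens.pop(token, None) == host_id:
                rec.revoked = False    # trust re-established, one-time token consumed
                return True, "trust re-established with reissue token"
            return False, "certificate revoked: " + rec.comment
        return True, "known, trusted host"


def scenario():
    """Walk through the article's three points; returns the observations for inspection."""
    hid = "6164fddd-6b8c-475d-94b8-3b35d750cd26"   # hostID from the transcript above
    master = MasterServer(auto_enrol=True)
    master.enrol(hid, "client01")
    client = LocalCertStore([CertRecord(hid, "client01")])
    out = {}

    # 1. Deleting on the client succeeds once, then fails with 114; the master never notices.
    out["delete_local"] = client.delete_certificate(hid)
    out["delete_again"] = client.delete_certificate(hid)
    out["still_listed"] = hid in master.hosts

    # 2. Revoking on the master refuses the host until an administrator issues a token.
    master.revoke(hid, "moved to other NetBackup domain")
    out["after_revoke"] = master.connect(hid, "client01")
    token = master.create_reissue_token(hid)
    out["with_token"] = master.connect(hid, "client01", token=token)
    out["token_consumed"] = token not in master.tokens

    # 3. Removing the entry instead silently re-admits the host under an auto-enrol policy.
    master.revoke(hid, "decommissioned")
    master.remove_entry(hid)
    out["after_remove"] = master.connect(hid, "client01")
    out["strict_policy"] = MasterServer(auto_enrol=False).connect(hid, "client01")
    return out
```

Running scenario() shows the second local delete returning 114 while the host is still listed on the master, the Revoked host being refused until the reissue token is presented, and the removed host being accepted again without any administrator involvement whenever automatic enrolment is on. That last result is the reason the article gives for keeping Revoked entries in the tables rather than deleting them.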
