Could not fetch the host ID of the NetBackup master server

Problem

From an Administrator CMD prompt on the client:

C:\Program Files\Veritas\NetBackup\bin>nbcertcmd -getCertificate
nbcertcmd: The -getCertificate operation failed for server MyMaster.
EXIT STATUS 5987: Could not fetch the host ID of the NetBackup master server. The master server may not have the certificate.

Cause

The above error language is suggestive that the Master Server heard the request from the client, and the subsequent attempt of the Master Server to confirm its own identity prior to issuing an identity to the client, failed.

Additionally, attempts to refresh the local certificate on the Master Server also fail with the following message:

C:\Program Files\Veritas\NetBackup\bin>nbcertcmd -getCertificate -force
nbcertcmd: The -getCertificate operation failed for server MyMaster.lab.com.
EXIT STATUS 5989: Reissue token is mandatory as a certificate is already issued to this host. Revoke the existing certificate if it is active and map this host name to the associated host ID.

This issue can be caused when the CLIENT_NAME registry key (or bp.conf entry), or CLUSTER_NAME in the case of a cluster setup,  on the Master Server has been changed from the value it was installed with.

Upon successful installation of a NetBackup Master Server, the hostname of the master server is listed in both the Host Management and Certificate Management database tables.  These entries can be observed in the NetBackup Java Administration Console on the Host Management and Certificate Management screens. The name can also be listed by running 'nbcertcmd -listAllDomainCertificates'.

The CLIENT_NAME registry key / bp.conf entry should exactly match the displayed name for the Master Server on the Host Management table in the 'Host' column.

Example:

Solution

If the CLIENT_NAME key is altered, for example, by switching it from a fully qualified name to shortname or visa-versa, the errors documented above will occur.

It is necessary to adjust the Master Server's CLIENT_NAME parameter to match the value displayed in the Host column of the Host Management table, then restart the NetBackup Web Management Console (nbwmc) service (or on UNIX/Linux: 
      $ sudo /usr/openv/netbackup/bin/nbwmc -terminate
      $ sudo /usr/openv/netbackup/bin/nbwmc &

Once done, attempts to add new clients or media servers should no longer result in EXIT STATUS 5987.

NOTE: In a clustered environment a change to the CLUSTER_NAME can also cause this issue, the CLUSTER_NAME setting should be checked against the original cluster certificate name in the Java Console.   If needed, set it to be an exact match of the value displayed in the Host column of the Host Management table for the cluster certificate .  A restart of the services may be needed for changes to the CLUSTER_NAME setting to be picked up.

However, those hosts which already experienced an EXIT STATUS 5987 when trying to run 'nbcertcmd -getCertificate' will now experience an EXIT STATUS 5989 indicating a Reissue Token is required.  But because the host is incompletely registered within the NetBackup database (present on Host Mangement but not present on Certificate Management), it will not be possible to produce the required Reissue Token.

Starting in NetBackup 8.1.1, NetBackup has been enhanced so that if a host finds itself incompletely registered, subsequent attempts to request a Certificate for the host will work without a Reissue Token, thereby making a proper pairing on the Host Management and Certificate Management tables.

For those customers running NetBackup 8.1, a call into Veritas Support may be necessary.
Reference this Knowledge Article and Etrack Number 3935808.

This issue was scheduled to be addressed in the following release:

• NetBackup Release Update 8.1.1