After performing catalog recovery on a DR, rebuilt, or reinstalled master server, backups fail with the error: NetBackup status code 7641, Failed to find a common CA Root for secure handshake.
Problem
The master server and the client hold conflicting CA or master server host ID information.
Error Message
status code: 7641 Failed to find a common CA Root for secure handshake.
Cause
The certmapinfo.json file on the client and on the master server contain different values for "masterHostId", or the NetBackup relational database (NBDB) on the master server holds a different host ID for the master server.
Location of certmapinfo.json file:
Windows: <Install_path>\Veritas\NetBackup\var\VxSS\
Unix/Linux: /usr/openv/var/vxss/
Example: "masterHostId": "e9c74800-e61c-4fdb-b25f-f24a14eba34b"
The masterHostId value must match the master server's host ID.
During the NetBackup installation on the DR site, or during the rebuild or reinstall on the production site, the Disaster Recovery Master Server option was not selected. NetBackup therefore deployed a new Certificate Authority (CA) to issue certificates and allocated a new host ID to the master server, so clients that still carry the original CA and masterHostId can no longer complete the secure handshake.
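A triage helper, added here and not part of the Veritas article or the NetBackup product: it reads the "masterHostId" value from certmapinfo.json text gathered from the master server and from each client, and lists the clients whose value differs (the hosts that will hit status 7641 and need certificate redeployment). The file contents below are constructed samples; only the masterHostId key shown in the article is relied on, and collecting the real files from the paths above is left to the administrator.

```python
import json
import re
from typing import Dict, List

# NetBackup host IDs are UUIDs, as in the article's example value.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def read_master_host_id(certmapinfo_text: str) -> str:
    """Return the "masterHostId" value from the text of a certmapinfo.json file.

    Raises ValueError when the key is missing or not a well-formed UUID.
    Other keys in the file (assumed to exist) are ignored.
    """
    data = json.loads(certmapinfo_text)
    host_id = data.get("masterHostId")
    if not isinstance(host_id, str) or not UUID_RE.match(host_id):
        raise ValueError("certmapinfo.json has no well-formed masterHostId")
    return host_id


def find_mismatched_hosts(master_host_id: str, client_files: Dict[str, str]) -> List[str]:
    """Compare each client's masterHostId with the master server's host ID.

    Returns the sorted names of clients whose value differs or whose file is
    unreadable; both groups need attention before backups will succeed.
    """
    mismatched = []
    for host, text in client_files.items():
        try:
            if read_master_host_id(text) != master_host_id:
                mismatched.append(host)
        except ValueError:
            mismatched.append(host)
    return sorted(mismatched)


# Constructed sample data (not from a real environment). The master server's
# own certmapinfo.json, plus three clients: one consistent, one still holding
# the host ID of the CA that existed before the reinstall, one with a damaged file.
MASTER_CERTMAPINFO = '{"masterHostId": "e9c74800-e61c-4fdb-b25f-f24a14eba34b"}'
CLIENT_CERTMAPINFO = {
    "client1": '{"masterHostId": "e9c74800-e61c-4fdb-b25f-f24a14eba34b"}',
    "client2": '{"masterHostId": "11111111-2222-4333-8444-555555555555"}',
    "client3": '{"hostName": "client3"}',
}

if __name__ == "__main__":
    master_id = read_master_host_id(MASTER_CERTMAPINFO)
    for host in find_mismatched_hosts(master_id, CLIENT_CERTMAPINFO):
        print(f"{host}: masterHostId differs from master server, redeploy its certificate")
```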
Solution
The ideal solution is to select the Disaster Recovery Master Server option at installation time and provide the DR package (generated during catalog backup), so that the original CA and master server certificate information is recovered before catalog recovery.
Another option is to use the nbhostidentity command to recover the original CA and master server certificate information from the DR package. You will need the disaster recovery passphrase to complete this action. Close the NetBackup Administration Console and stop all NetBackup services on the master server before running it. Veritas strongly recommends that you perform catalog recovery immediately after the execution of this command.
Command to use: nbhostidentity -import -infile file_path
Example: nbhostidentity -import -infile M:\NB_DR_FILE\NBCAT_nbmaster1_1531458511_FULL.drpkg
If the above command fails, the cause may be conflicts in the access control list (ACL) for the user. In that case, restore this information to an alternate location without ACLs. The restored files keep a folder structure that shows where each file must be pasted or replaced.
Command to use: nbhostidentity -import -infile file_path -altdir directory_path -noacls
Example: nbhostidentity -import -infile M:\NB_DR_FILE\NBCAT_nbmaster1_1531458511_FULL.drpkg -altdir M:\Alternate_restore -noacls
Command execution example:
Example 1:
C:\Program Files\Veritas\NetBackup\bin\admincmd>nbhostidentity.exe -import -infile M:\NB_DR_FILE\NBCAT_nbmaster1_1531458511_FULL.drpkg
WARNING - If new certificates are deployed on the media servers or clients after NetBackup master server installation, certificates on those hosts should be redeployed. To identify the hosts that need certificate redeployment, go to NetBackup Administration Console > Host Properties > Clients.
This process requires you to restart the NetBackup services.
Veritas strongly recommends that you immediately perform catalog recovery after the execution of this command.
Are you sure you want to proceed (y/n)? y
Enter the passphrase for the disaster recovery package. The passphrase is used to decrypt the disaster recovery package that you want to import.
Passphrase: ********
Initiating import of the host identity...
Starting the NetBackup database...
The NetBackup database process has successfully started.
Stopping the NetBackup database...
The database process has stopped successfully.
The host identity is successfully imported.
The host identity import is complete. Start all NetBackup processes.
Veritas strongly recommends that you immediately perform catalog recovery.
Command is successfully carried out.
Example 2:
C:\Program Files\Veritas\NetBackup\bin\admincmd>nbhostidentity.exe -import -infile M:\NB_DR_FILE\NBCAT_nbmaster1_1531458511_FULL.drpkg -altdir M:\Alternate_restore -noacls
Caution: Ensure that the specified alternate location is secure and that the disaster recovery package files are deleted after use. The identity of NetBackup hosts may be compromised if the disaster recovery package files are disclosed.
Enter the passphrase for the disaster recovery package. The passphrase is used to decrypt the disaster recovery package that you want to import.
Passphrase: ********
Initiating import of the host identity...
Restoring the disaster recovery package to the following location: M:\Alternate_restore\drpkg-03336531459592552896000000000-a07896.
Command is successfully carried out.