AIR failures will occur after MSDP servers are upgraded to 8.1.2 or later until certificates are deployed to the source.
Problem
Auto Image Replication (A.I.R.) will fail after Source and Target MSDP servers are upgraded to 8.1.2 or later until the CA certificate is deployed to the source.
Error Message
The following message can be seen in a failed AIR replication job 'Detailed Status':
Dec 5, 2018 4:47:31 PM - Critical bpdm (pid=186739) Storage Server Error: (Storage server: PureDisk:mysourcemsdp) CALaunchAIRReplicate: Failed to complete launchAIRReplicate webservice (Could not setup replication: get Remote SPA ( mytargetmsdp ) webservice failed, could not determine whether target is PDDE or PDDO (can not find nbu certificate) ) V-454-61
Dec 5, 2018 4:47:31 PM - Error bpdm (pid=186739) <async> copy image failed: error 2060401: Can not find certificate of target server. Please make sure prerequisite steps have been done before using Auto Image Replication. See NetBackup Dedupe Guide for details.
Dec 5, 2018 4:47:31 PM - Error bpdm (pid=186739) copy failed: error 174
Dec 5, 2018 4:47:31 PM - Error bpdm (pid=186739) <async> cancel failed: error 2060001: one or more invalid arguments
Dec 5, 2018 4:47:31 PM - Error bpdm (pid=186739) copy cancel failed: error 174
Note: The error above is referring to this page in the Veritas NetBackup Deduplication Guide...
The following popup message/window will appear when configuring a target in the source PureDisk/MSDP storage server as a replication target:
Error in configuring <TARGET-MSDP-SERVER> as replication
target for <SOURCE-MSDP-SERVER>:
client/server handshaking failed(26)
Reconfiguration failed for storage server
PureDisk:<SOURCE-MSDP-SERVER>. Can not find certificate of target server. Please make sure prerequisite steps have been done before using Auto Image Replication. See NetBackup Dedupe Guide for details.
Cause
MSDP now supports secure communications between two media servers from two different NetBackup domains. The secure communication is set up when you run Auto Image Replication (A.I.R.). The two media servers must use the same CA to do the certificate security check. The source MSDP server uses the CA of the target NetBackup domain and the certificate that is authorized by the target NetBackup domain.
If CA and certificate is not added or missing on the source MSDP server, then replication can fail with above error "can not find nbu certificate".
Solution
After upgrading to NetBackup 8.1.2 or later, manually deploy a CA certificate on the source MSDP server before using Auto Image Replication.
- On the target NetBackup master server, run the following command to display the CA fingerprint:
Windows:
install_path\NetBackup\bin\nbcertcmd -displayCACertDetailUNIX/Linux:
/usr/openv/netbackup/bin/nbcertcmd -displayCACertDetail
- On the source MSDP storage server, run the following command to get CA from target NetBackup master server:
Windows:
install_path\NetBackup\bin\nbcertcmd -getCACertificate -server target_master_serverUNIX/Linux:
/usr/openv/netbackup/bin/nbcertcmd -getCACertificate -server target_master_server- Note: When you accept the CA, ensure that the CA fingerprint is the same as displayed in the previous step.
- Note: When you accept the CA, ensure that the CA fingerprint is the same as displayed in the previous step.
- Generate authorization token on target Master server.
- On the target NetBackup master server, log on to NetBackup Administration Console and open Security Management > Certificate Management > Token Management.
- Click the Create Token option to create a token, or right-click the blank area of the Token records list view and select the New Token menu item to create a token.
- On the source MSDP storage server, run the following command to get a certificate generated by target NetBackup master server:
Windows:
install_path\NetBackup\bin\nbcertcmd -getCertificate -server target_master_server -token token_generated_step3 -forceUNIX/Linux:
/usr/openv/netbackup/bin/nbcertcmd -getCertificate -server target_master_server -token token_generated_step3 -force
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.