How to configure and troubleshoot external certificates during installation

Article: 100044300
Last Published: 2019-05-28
Product(s): NetBackup

Description

  A. Installation completed successfully, but external certificate enrollment failed, so the client cannot connect to the media server or the master server.

Use the following steps to validate the certificate enrollment.

  1. The NetBackup web server must be configured to use external CA-signed certificates. To validate the configuration, run the following command on a NetBackup 8.1.2.1 or later client with respect to a specific master server:

nbcertcmd -getSecConfig -caUsage

If the command output is 'ECA: ON', the server is configured. Otherwise, refer to the NetBackup Security and Encryption Guide to learn how to configure the NetBackup web server to use external CA-signed certificates.

  2. Verify the local certificate details by running the following command:

nbcertcmd -getExternalCertDetails

  3. Verify the host certificates and the master server certificate on the External Certificate tab in the NetBackup master server web UI.
  4. Ensure that the host can communicate with the master server by running the following command from the master server:

bptestbpcd -host <client name> -verbose

bptestbpcd should be able to connect to the client successfully. On successful execution, the output of the command looks like this:

    [root@jarvis 163] > bptestbpcd -host avenger12 -verbose
    1 1 1
    127.0.0.1:45374 -> 127.0.0.1:54006 PROXY 10.210.58.22:46050 -> 10.210.130.212:1556
    127.0.0.1:42067 -> 127.0.0.1:60928 PROXY 10.210.58.22:59979 -> 10.210.130.212:1556
    LOCAL_CERT_ISSUER_NAME = O=vx,OU=root@jarvis.pne.ven.veritas.com,CN=broker
    LOCAL_CERT_SUBJECT_COMMON_NAME = 78b5054b-1ba1-4db7-b795-e6708701db2c
    PEER_CERT_ISSUER_NAME = O=vx,OU=root@jarvis.pne.ven.veritas.com,CN=broker
    PEER_CERT_SUBJECT_COMMON_NAME = 8e5a3527-d2b0-4980-907c-f139ac999c2e
    PEER_NAME = jarvis.pne.ven.veritas.com
    HOST_NAME = avenger12.pne.ven.veritas.com
    CLIENT_NAME = avenger12.pne.ven.veritas.com
    VERSION = 0x08140000
    PLATFORM = linuxR_x86_2.6.32
    PATCH_VERSION = 8.1.4.0 Beta3
    SERVER_PATCH_VERSION = -1.-1.-1.-1
    MASTER_SERVER = jarvis.pne.ven.veritas.com
    EMM_SERVER = jarvis.pne.ven.veritas.com
    NB_MACHINE_TYPE = CLIENT
    SERVICE_TYPE = VNET_DOMAIN_CLIENT_TYPE
    PROCESS_HINT = 8e5a3527-d2b0-4980-907c-f139ac999c2e

If the NetBackup web UI does not show the external certificates, or the hosts cannot communicate with the master server, the external CA-signed certificate was not enrolled successfully. Enroll the certificate manually; refer to section B to configure external certificates manually after installation.

If you face any issue with the certificate enrollment, refer to the section "Troubleshooting file-based external certificate issues" in the NetBackup Troubleshooting Guide.
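The check in step 4, as an added script that is not part of this article: it validates saved bptestbpcd -verbose output against the success pattern shown above and fails if the status line, either issuer field, or the expected master server is missing. The output path and hostnames in the usage comment are assumptions, and the sample output is constructed from the run above.

```shell
#!/bin/sh
# Added check (not from the Veritas article): validate saved output of
# "bptestbpcd -host <client> -verbose" against the success pattern above.
# Assumed usage (hostnames and path are illustrative):
#   bptestbpcd -host avenger12 -verbose > /tmp/avenger12.out
#   check_bptestbpcd /tmp/avenger12.out jarvis.pne.ven.veritas.com

# Print the value of one "KEY = VALUE" line from the verbose output.
field() {
    awk -v key="$2" '$1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }' "$1"
}

# Return 0 only if the output has the "1 1 1" status line of a successful
# run, both certificate issuer fields, and a PEER_NAME equal to the master
# server the client is expected to enroll with.
check_bptestbpcd() {
    out="$1"; master="$2"
    grep -q '^[[:space:]]*1 1 1[[:space:]]*$' "$out" || { echo "FAIL: no '1 1 1' status line"; return 1; }
    host_issuer=$(field "$out" LOCAL_CERT_ISSUER_NAME)
    peer_issuer=$(field "$out" PEER_CERT_ISSUER_NAME)
    peer=$(field "$out" PEER_NAME)
    [ -n "$host_issuer" ] || { echo "FAIL: LOCAL_CERT_ISSUER_NAME missing"; return 1; }
    [ -n "$peer_issuer" ] || { echo "FAIL: PEER_CERT_ISSUER_NAME missing"; return 1; }
    [ "$peer" = "$master" ] || { echo "FAIL: PEER_NAME is '$peer', expected '$master'"; return 1; }
    [ "$host_issuer" = "$peer_issuer" ] || echo "WARN: host and master certificates have different issuers"
    echo "OK: $(field "$out" CLIENT_NAME) <-> $peer (issuer: $peer_issuer)"
}

# Constructed sample, modelled on the successful run shown above.
write_sample() {
cat > "$1" <<'EOF'
1 1 1
127.0.0.1:45374 -> 127.0.0.1:54006 PROXY 10.210.58.22:46050 -> 10.210.130.212:1556
LOCAL_CERT_ISSUER_NAME = O=vx,OU=root@jarvis.pne.ven.veritas.com,CN=broker
LOCAL_CERT_SUBJECT_COMMON_NAME = 78b5054b-1ba1-4db7-b795-e6708701db2c
PEER_CERT_ISSUER_NAME = O=vx,OU=root@jarvis.pne.ven.veritas.com,CN=broker
PEER_CERT_SUBJECT_COMMON_NAME = 8e5a3527-d2b0-4980-907c-f139ac999c2e
PEER_NAME = jarvis.pne.ven.veritas.com
HOST_NAME = avenger12.pne.ven.veritas.com
CLIENT_NAME = avenger12.pne.ven.veritas.com
MASTER_SERVER = jarvis.pne.ven.veritas.com
EOF
}
```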

  B. Use this section to manually enroll an external CA-signed certificate for a NetBackup host with the master server domain. The enrolled certificate is used for host communication.

Prerequisites

  • NetBackup web server must be configured to use external CA-signed certificates.
  • External certificate for the master server should be enrolled.
  • External certificates for the NetBackup web server and the master server must be issued by the same CA. If the two CAs do not match, NetBackup web service communication fails.
  • Certificate revocation lists (CRL) are available and accessible.

To enroll an external certificate of a host with the master server

  1. Update the configuration file (bp.conf file or Windows registry) on the host (media server or client) with the required external certificate-specific parameters:

For more details on the parameters, refer to the NetBackup Administrator's Guide, Volume I.

For file-based certificates

  1. Use the nbsetconfig command to configure the following parameters:
  • ECA_CERT_PATH
  • ECA_PRIVATE_KEY_PATH
  • ECA_TRUST_STORE_PATH
  • ECA_KEY_PASSPHRASEFILE (optional)
  • ECA_MASTER_SERVER_LIST (this is applicable only for NetBackup 8.1.2.1, which is a limited availability release)
  • ECA_CRL_CHECK (optional)
  • ECA_CRL_PATH (optional)
  • ECA_CRL_PATH_SYNC_HOURS (optional)
  • ECA_CRL_REFRESH_HOURS (optional)
  • ECA_DISABLE_SYNCENROLLMENT (optional) (this is applicable only for NetBackup 8.1.2.1, which is a limited availability release)

For Windows certificate store

  1. Use the nbsetconfig command to configure the following parameters:
  • ECA_CERT_PATH
  • ECA_MASTER_SERVER_LIST (this is applicable only for NetBackup 8.1.2.1, which is a limited availability release)
  • ECA_CRL_CHECK (optional)
  • ECA_CRL_PATH (optional)
  • ECA_CRL_PATH_SYNC_HOURS (optional)
  • ECA_CRL_REFRESH_HOURS (optional)
  • ECA_DISABLE_SYNCENROLLMENT (optional) (this is applicable only for NetBackup 8.1.2.1, which is a limited availability release)
  • ECA_DR_BKUP_WIN_CERT_STORE (optional)
  2. Run the following command on the host:

nbcertcmd -enrollCertificate

For more details on the command, refer to the NetBackup Commands Reference Guide.
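The file-based part of the procedure above (set the ECA_* parameters, then enroll), as an added helper that is not Veritas code: it checks that the certificate, private key and trust store files exist and that the private key is not readable by group or others before printing the parameter lines for nbsetconfig. It assumes nbsetconfig accepts "KEY = VALUE" lines on standard input when no file argument is given; the paths in the usage comment are illustrative.

```shell
#!/bin/sh
# Added helper (not from the Veritas article) for the file-based ECA
# parameters listed above. Assumption: nbsetconfig reads "KEY = VALUE"
# lines from stdin when no file argument is given. Example (paths illustrative):
#   eca_fileconfig /etc/eca/host.pem /etc/eca/host.key /etc/eca/trust.pem | nbsetconfig
#   nbcertcmd -enrollCertificate

# Return 0 if the file is readable only by its owner: in "ls -l" the mode
# string occupies columns 1-10, with group read at column 5 and other read
# at column 8.
key_is_private() {
    case "$(ls -l "$1" | cut -c1-10)" in
        ????r*|???????r*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: eca_fileconfig CERT_PATH PRIVATE_KEY_PATH TRUST_STORE_PATH [PASSPHRASE_FILE]
# Prints the bp.conf parameter lines on stdout, or an error on stderr.
eca_fileconfig() {
    cert="$1"; key="$2"; trust="$3"; pass="$4"
    for f in "$cert" "$key" "$trust" ${pass:+"$pass"}; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    # A private key that group or world can read defeats the point of the
    # host-specific certificate; refuse to configure it.
    key_is_private "$key" || { echo "private key $key is readable by group/other" >&2; return 1; }
    echo "ECA_CERT_PATH = $cert"
    echo "ECA_PRIVATE_KEY_PATH = $key"
    echo "ECA_TRUST_STORE_PATH = $trust"
    if [ -n "$pass" ]; then
        echo "ECA_KEY_PASSPHRASEFILE = $pass"
    fi
}
```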

Applies to
NetBackup 8.1.2.1 (limited availability release) and later

References

Etrack : 3966956
