Tomcat and nbwebsvc certificates are not renewed automatically on a master server with a non-English locale.


Article: 100044601
Last Published: 2019-02-04
Product(s): Appliances, NetBackup

Problem

Tomcat and nbwebsvc certificates are not renewed automatically on a master server with a non-English locale.
Tomcat and nbwebsvc certificates expire one year after their issue date. They are supposed to be renewed automatically 180 days before the expiration date.
However, they are not renewed automatically if the master server uses a non-English locale.
The issue affects NetBackup 8.0 through 8.1.2 on all operating systems that use a non-English locale.

For example, you may experience the following situation when a certificate expires.

  - The expiration of these certificates results in failures of all NetBackup operations, such as running backups and logging in to the NetBackup Administration Console.
  - You cannot log in to the NetBackup Administration Console, but the backup jobs continue to run as normal after the expiration of the certificates.

Error Message

The renewal process runs every 24 hours, and each time the nbwebservice log shows the following messages (java.text.ParseException: Unparseable date).
You can see these messages in OID 466 (NetBackup 8.1 and earlier) or OID 495 (NetBackup 8.1.1 and later).

  NBCertRenewTask failed to renew nbwebsvc user credentials - java.text.ParseException: Unparseable date
  NBCertRenewTask failed to renew web service NBAC credentials - java.text.ParseException: Unparseable date
  NBCertRenewTask failed to renew TOMCAT credentials - java.text.ParseException: Unparseable date

When a certificate expires, the following errors appear depending on the situation.

  A backup job fails with Status 8506: The certificate has expired.
  NetBackup Administration Console fails to log in to the Master Server with Status 7656: Certificate Revocation List is out of date.
  "nbcertcmd -getCertificate -force" fails with Status 8625: Server is unavailable to process the request. Please try later.

Cause

The renewal process fails to parse the expiry date on a non-English locale. When the NBCertRenew class of the renewal process formats and parses dates with the Java SimpleDateFormat class, an exception occurs because it does not take the locale into account.
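
The failure mode described above, reproduced as an added example (this is not NetBackup's code). The date pattern, the sample expiry string and the class name LocaleDateParseDemo are assumptions chosen for illustration; the point is that a SimpleDateFormat built without an explicit Locale follows the JVM default locale, while one built with a fixed Locale does not.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;

public class LocaleDateParseDemo {
    // Assumed pattern: an expiry timestamp with an English month abbreviation.
    static final String PATTERN = "MMM dd HH:mm:ss yyyy";

    // Locale-dependent: "MMM" is matched against the month names of the
    // JVM's default locale, so English text fails on non-English systems.
    static Date parseWithDefaultLocale(String text) throws ParseException {
        return new SimpleDateFormat(PATTERN).parse(text);
    }

    // Locale-independent: the month names are pinned to English no matter
    // which locale the server runs under.
    static Date parseWithFixedLocale(String text) throws ParseException {
        return new SimpleDateFormat(PATTERN, Locale.ENGLISH).parse(text);
    }

    public static void main(String[] args) throws ParseException {
        String expiry = "Feb 04 10:15:30 2020"; // constructed sample value
        Locale original = Locale.getDefault();
        Locale[] serverLocales = { Locale.ENGLISH, Locale.JAPAN, Locale.FRANCE };

        for (Locale serverLocale : serverLocales) {
            Locale.setDefault(serverLocale); // simulate the server's locale
            try {
                parseWithDefaultLocale(expiry);
                System.out.println(serverLocale + ": default-locale parse succeeded");
            } catch (ParseException e) {
                // Same exception type as in the nbwebservice log messages.
                System.out.println(serverLocale + ": default-locale parse failed - " + e);
            }
            // The pinned-locale parser accepts the same input under every locale.
            Date parsed = parseWithFixedLocale(expiry);
            System.out.println(serverLocale + ": fixed-locale parse succeeded, epoch ms = "
                    + parsed.getTime());
        }
        Locale.setDefault(original);
    }
}
```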

Solution

Veritas Technologies LLC is aware that the above-mentioned issue (Etrack 3966961) is present in the current version(s) of the product(s) mentioned in this article. Veritas is committed to product quality and satisfied customers.

Please note that Veritas reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests or introduces new risks to overall code stability. Veritas' plans are subject to change and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.

Workaround:

A hotfix EEB is available for each version and can be downloaded from the "Related Articles" section below.
If the certificate has already expired, or you want to manually regenerate the certificates before installing the EEB, perform the following steps on the NetBackup master server.

  UNIX/Linux:
  1) /usr/openv/netbackup/bin/nbwmc -terminate
  2) /usr/openv/netbackup/bin/admincmd/nbcertconfig -u -i
  3) /usr/openv/netbackup/bin/admincmd/nbcertconfig -m
  4) /usr/openv/netbackup/bin/admincmd/nbcertconfig -t
  5) /usr/openv/wmc/bin/install/configureWmc
  6) /usr/openv/wmc/bin/install/configureCerts
  7) /usr/openv/wmc/bin/install/setupWmc
  8) /usr/openv/netbackup/bin/nbwmc -start
  9) /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
    If the configuration is a cluster, also run:
    /usr/openv/netbackup/bin/nbcertcmd -getCACertificate -cluster -force
  10) /usr/openv/netbackup/bin/nbcertcmd -getCertificate -force
    If the configuration is a cluster, also run the following to generate the local host id-based certificate for the cluster:
    /usr/openv/netbackup/bin/nbcertcmd -getCertificate -cluster -force
  11) Remove the /usr/openv/var/global/vxss/nbcertservice/install_token file

  Windows:

  1) <Install_Path>\NetBackup\bin\bpdown -e "NetBackup Web Management Console" -f -v
  2) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -u -i
  3) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -m
  4) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -t
  5) <Install_Path>\NetBackup\wmc\bin\install\configureWmc
  6) <Install_Path>\NetBackup\wmc\bin\install\configureCerts
  7) <Install_Path>\NetBackup\wmc\bin\install\setupWmc
  8) <Install_Path>\NetBackup\bin\bpup -e "NetBackup Web Management Console" -f -v
  9) <Install_Path>\NetBackup\bin\nbcertcmd -getCACertificate
    If the configuration is a cluster, also run:
    <install_path>\Veritas\NetBackup\bin\nbcertcmd -getCACertificate -cluster -force
  10) <Install_Path>\NetBackup\bin\nbcertcmd -getCertificate -force
    If the configuration is a cluster, also run the following to generate the local host id-based certificate for the cluster:
    <install_path>\Veritas\NetBackup\bin\nbcertcmd -getCertificate -cluster -force
  11) Remove the <install_path>\NetBackup\var\global\vxss\nbcertservice\install_token file

  *) On Windows, run the "set WEBSVC_PASSWORD=<nbwebsvc password>" command in advance.
  *) If the NetBackup master server is 8.1.1 or above, step 4) is "nbcertconfig -t -f".
  *) If step 10) fails, run the following commands to create a token.

    a) Log in with bpnbat as follows:

      UNIX/Linux:  /usr/openv/netbackup/bin/bpnbat -login -loginType WEB
      Windows:     <install_path>\Veritas\NetBackup\bin\bpnbat -login -loginType WEB

      Provide the following information:

      Authentication Broker [MasterServer1 is default]:
      Authentication port [0 is default]:
      Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap) [unixpwd is default]:
      Domain [MasterServer1 is default]:  example.netbackup.com
      Login Name [root is default]:
      Password:

    b) Run the following to create a reissue token:

      UNIX/Linux:  /usr/openv/netbackup/bin/nbcertcmd -createToken -name token-YYYYMMDD -reissue -host <Master server name>
      Windows:     <Install_Path>\Veritas\netbackup\bin\nbcertcmd -createToken -name token-YYYYMMDD -reissue -host <Master server name>

      Note: The token name token-YYYYMMDD is just an example. Enter a relevant name for the token, and use the token that you get after running the command.

    c) Run the nbcertcmd commands to store the Certificate Authority certificate and to generate the host certificate.

      UNIX/Linux:  /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
                   /usr/openv/netbackup/bin/nbcertcmd -getCertificate -token <a reissue token> -force

      Windows:     <install_path>\Veritas\NetBackup\bin\nbcertcmd -getCACertificate
                   <install_path>\Veritas\NetBackup\bin\nbcertcmd -getCertificate -token <a reissue token> -force

      Note: In the above command, replace <a reissue token> with the actual token obtained in the previous command, without the brackets.

If the certificate has already expired on a NetBackup media server or client before installing the EEB, perform the following steps on that NetBackup media server or client.

  UNIX/Linux:  /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
               /usr/openv/netbackup/bin/nbcertcmd -getCertificate -force

  Windows:     <install_path>\Veritas\NetBackup\bin\nbcertcmd -getCACertificate
               <install_path>\Veritas\NetBackup\bin\nbcertcmd -getCertificate -force

References

Etrack : 3966961
