NetBackup Web Management Console fails to start '/usr/openv/wmc/webserver/logs/nbwmc.log: Permission denied'

NetBackup Web Management Console fails to start '/usr/openv/wmc/webserver/logs/nbwmc.log: Permission denied'

Article: 100044639
Last Published: 2019-02-08
Ratings: 1 0
Product(s): NetBackup


This issue has been observed on UNIX master servers in the following ways.

1. Upgrading to NetBackup 8.1.x fails.

From the install trace log

Unable to configure target host.
Deploying AT certificate for web user.

WARNING: Failed to deploy AT certificate for web user.
        You must separately run /usr/openv/netbackup/bin/admincmd/nbcertconfig -u to
        resolve the issue.
Deploying AT certificate for web services.

2. After an upgrade the NetBackup services fails to start NBWMC (NetBackup Web Management Console).

# /usr/openv/netbackup/bin/goodies/netbackup start
NetBackup network daemon started.
NetBackup Database Server started.
NetBackup Authentication daemon started.
NetBackup Authorization daemon started.
NetBackup Audit Manager started.
Starting NetBackup Web Management Console could take a couple of minutes .sh: /usr/openv/wmc/webserver/logs/nbwmc.log: Permission denied

3. Manually running 'nbcertconfig -u -i' as part of a troubleshooting or reconfiguration procedure.

# /usr/openv/netbackup/bin/admincmd/nbcertconfig -u -i
NetBackup AT service configuration for web service user failed.

Error Message

nbcert log

Log Path:

17:08:34.046 [26263] <8> nbcertconfig: EAT_LOG:(../os_abstraction.c,132)Failed to stat file (/usr/openv/var); err 13
17:08:34.046 [26263] <16> nbcertconfig: EAT_LOG:(../atlocal_config.c,1081)Failed to create local config from data directory </usr/openv/var/global/vxss/nbcertservice/nbwebsvc>
... <content removed for clarity>
17:08:34.046 [26263] <8> nbcertconfig: EAT_LOG:(../api.c,598)vrtsatLibraryUnload: load count now 2
17:08:34.046 [26263] <16> nbcertconfig: EAT_LOG:(../api.c,1101)vrtsAtInit(S): initialize failed 24630
17:08:34.046 [26263] <16> initializeATHandle: vrtsAtInitEx() for data_dir /usr/openv/var/global/vxss/nbcertservice/nbwebsvc FAILED 24630
17:08:34.046 [26263] <16> authenticateUser: initializeATHandle() failed, error =103
17:08:34.046 [26263] <16> generateNbWebSvcUserCert: authenticateUser() failed, error = 116
17:08:34.046 [26263] <16> nbcertconfig: EXIT STATUS 116 AT configuration for web service user failed


The above symptoms have been observed in two scenarios.

1. With incorrect permissions on the /usr/openv directory.

2. In a cluster install with incorrect permissions on the /opt/VRTSnbu/var directory.

Example of incorrect permissions (700):

# ls -l /usr | grep openv
drwx------   20 root root  4096 Apr 30  2018 openv

In a cluster:

# ls -l /opt/VRTSnbu/ | grep var
drwx------  3 root bin    96 Mar 16  2016 var/


The correct (default) permissions are 755:

# ls -l /usr | grep openv
drwxr-xr-x   20 root root  4096 Apr 30  2018 openv

In a cluster:
# ls -l /opt/VRTSnbu/ | grep var
drwxr-xr-x 3 root root 96 Sep 27 11:29 var/

If the permissions on /usr/openv and or /opt/VRTSnbu/ are found to be incorrect, do the following:

1. Stop all NetBackup services.

a. If this is a VCS cluster, freeze the nbu_group.
# /opt/VRTSvcs/bin/haconf -makerw
# /opt/VRTSvcs/bin/hagrp -freeze nbu_group -persistent

b. Stop NetBackup.
# /usr/openv/netbackup/bin/goodies/netbackup stop

2. Change the permissions.

# chmod 755 /usr/openv

If a cluster:
# chmod 755 /opt/VRTSnbu/var

3. Start NetBackup.

a. If this is a VCS cluster.

Check for and clear any faults:

# /opt/VRTSvcs/bin/hastatus -sum

# /opt/VRTSvcs/bin/hagrp -clear nbu_group -sys (nodename)

Unfreeze the cluster group:

# /opt/VRTSvcs/bin/hagrp -unfreeze nbu_group -persistent

# /opt/VRTSvcs/bin/haconf -dump -makero

b. Start the master server.

# /usr/openv/netbackup/bin/goodies/netbackup start



It is important that the entire parent directory structure starting with /usr have default permissions (755) so that the websvc_user can read and search the contents of /usr/openv/var.

If /usr/openv is a symbolic link, all 3 of the following must also have default permissions (755) to allow access:

  • The directory in which the symbolic link resides
  • The target directory to which the link refers
  • The parent directory of the target directory


In a VCS Cluster /usr/openv/var/global is a link to /opt/VRTSnbu/var/global

[root@node /]# ls -l /usr/openv/var/global
lrwxrwxrwx 1 root root 23 Feb  7 09:55 /usr/openv/var/global -> /opt/VRTSnbu/var/global


Was this content helpful?