How to configure a 3rd Party CA for the WebUI in NetBackup version 8.1.2

Article: 100044723
Last Published: 2019-02-06
Product(s): NetBackup & Alta Data Protection

Description

Customers may wish to configure a 3rd Party CA Certificate for use with the WebUI in NetBackup versions 8.1.2 and later. The following steps are intended to assist TSEs and customers with that configuration.

Solution for 8.1.2

Prior to running through the instructions below, the following should be verified or made available:

1. Verify the WebUI is operational without the 3rd party CA Certificate installed.
2. From the CA Vendor, gather the following:

  • The CA Certificate
  • The LEAF Certificate
  • The LEAF Private Key

After the above has been completed and the necessary files have been gathered, proceed to the step for creating the Java KeyStore file.

Creating the Java KeyStore file

There are 5 steps required to successfully import a 3rd Party Certificate. All steps must be completed successfully.

1. Convert the PEM formatted x509 Certificate and Private Key to a PKCS12 file using the following command:

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name nbwmc -CAfile certificate.crt -passout pass:password1

Note: Ensure that you secure the PKCS#12 file with a password. If no password is applied, you may encounter a null reference exception when attempting to import the file.
For more information on openssl usage, refer to https://www.openssl.org.

2. Import the PKCS12 certificate file into a Java KeyStore using the following command:

keytool -importkeystore -noprompt -deststorepass password2 -destkeypass password2 -destkeystore keystorefile.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias nbwmc -srcstorepass password1

Note: Specify the same password for both the -deststorepass and -destkeypass options. Using different passwords may result in an exception when the web server starts. Only alphanumeric characters are supported in the password.

3. Import the root CA certificate into the Java KeyStore using the following command:

keytool -importcert -noprompt -trustcacerts -file certificate.crt -keystore keystorefile.jks -storepass password2 -alias ca1

4. Create a key password file with any name, and place in it the password that was given to the "-storepass" option in step 3.

5. Configure the certificates in NetBackup.

6. Stop and restart nbwmc service.
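
A pre-flight check for the files gathered from the CA vendor, as an added example that is not part of the original article and is not Veritas code: it confirms that the LEAF private key matches the LEAF certificate, that the certificate verifies against the CA certificate, and that the keystore password is alphanumeric as the note under step 2 requires. The function names, the 30-day expiry threshold and the throwaway PKI built by make_demo_pki are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Veritas code: checks to run before step 1.
# make_demo_pki writes constructed, throwaway inputs (file names follow the
# article's Linux example) so the checks can be tried offline.

key_matches_cert() {   # $1 = LEAF certificate, $2 = LEAF private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

chains_to_ca() {       # $1 = CA certificate, $2 = LEAF certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

not_expiring() {       # $1 = certificate, $2 = minimum remaining lifetime (seconds)
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

password_ok() {        # the article allows only alphanumeric keystore passwords
    case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
}

preflight() {          # $1 = CA cert, $2 = LEAF cert, $3 = LEAF key, $4 = password
    rc=0
    key_matches_cert "$2" "$3" || { echo "FAIL: private key does not match $2"; rc=1; }
    chains_to_ca "$1" "$2"     || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    # 2592000 s = 30 days; the threshold is an assumption, not from the article
    not_expiring "$2" 2592000  || { echo "FAIL: $2 expires within 30 days"; rc=1; }
    password_ok "$4"           || { echo "FAIL: password must be alphanumeric"; rc=1; }
    return $rc
}

make_demo_pki() {      # $1 = empty directory; writes a constructed CA and leaf
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/CACert.pem" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=master.example.com" \
        -keyout "$1/master_privatekey.pem" -out "$1/master.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/master.csr" -CA "$1/CACert.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 60 -out "$1/master.pem" >/dev/null 2>&1
}
```

Against real files the call would be preflight /Certs/CACert.pem /Certs/master.pem /Certs/master_privatekey.pem followed by the keystore password; a non-zero exit status means at least one check failed.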

Solution for 8.1.2.1 and later:

The 8.1.2.1 version of NetBackup introduces the configureWebServerCerts script which will replace the steps listed for the 8.1.2 version.

To configure the 3rd party certificate in 8.1.2.1, complete the following:

1. Run configureWebServerCerts with the location of the CA certificate, local/LEAF certificate and key file:

Linux/Unix

/usr/openv/wmc/bin/install/configureWebServerCerts -addExternalCert -webUI -certPath /Certs/master.pem -privateKeyPath /Certs/master_privatekey.pem -trustStorePath /Certs/CACert.pem

Windows

"C:\Program Files\Veritas\NetBackup\wmc\bin\install\configureWebServerCerts" -addExternalCert -webUI -certPath C:\Certs\nbmaster1.pem -privateKeyPath C:\Certs\nbmaster1_privatekey.pem -trustStorePath C:\Certs\CACert.pem

2. Stop and restart nbwmc service.

Examples for 8.1.2

Actual commands will vary based on installation path and certificate types/names.

Linux/Unix

In the examples below, the following file paths are used:

    • /Certs/CACert.pem — CA Certificate
    • /Certs/master.pem — LEAF Certificate
    • /Certs/master_privatekey.pem — LEAF Private Key

    Note: Actual file names may vary. For example, the certificate (in place of the LEAF Certificate) may end with a .cer or another extension, and the key files may end with .key. Please consult your security administrator to help map the file names correctly in order to run the commands.

    1. Convert the PEM formatted x509 Cert and Private Key to a PKCS#12 file:

    openssl pkcs12 -export -in /Certs/master.pem -inkey /Certs/master_privatekey.pem -out /Certs/server.p12 -name nbwmc -CAfile /Certs/CACert.pem -passout pass:password1

    2. Import the pkcs12 certificate file to a Java Keystore:

    keytool -importkeystore -noprompt -deststorepass password2 -destkeypass password2 -destkeystore /Certs/keystorefile.jks -srckeystore /Certs/server.p12 -srcstoretype PKCS12 -alias nbwmc -srcstorepass password1

    3. Import the root CA certificate into JAVA KeyStore:

    keytool -importcert -noprompt -trustcacerts -file /Certs/CACert.pem -keystore /Certs/keystorefile.jks -storepass password2 -alias ca1

    4. Create a key password file with any name, and place in it the password that was given to the "-storepass" option in step 3. In this example the file is named password.txt and contains the password "password2".

    • A. vi /Certs/password.txt
    • B. Put password2 in the file, then save and exit.

    5. Configure the certificates in NetBackup:

    /usr/openv/wmc/bin/install/configureTPCerts -keystorefile /Certs/keystorefile.jks -keystorepassfile /Certs/password.txt

    6. Stop and restart nbwmc service.

    Windows

    In the examples below, the following file paths are used:

    • C:\Certs\CACert.pem — CA Certificate
    • C:\Certs\nbmaster1.pem — LEAF Certificate
    • C:\Certs\nbmaster1_privatekey.pem — LEAF Private Key

    Note: Actual file names may vary. For example, the certificate (in place of the LEAF Certificate) may end with a .cer or another extension, and the key files may end with .key. Please consult your security administrator to help map the file names correctly in order to run the commands.

    1. Convert the PEM formatted x509 Cert and Private Key to a PKCS#12 file:

    "C:\Program Files\Veritas\NetBackup\bin\goodies\vxsslcmd" pkcs12 -export -in C:\Certs\nbmaster1.pem -inkey C:\Certs\nbmaster1_privatekey.pem -out C:\Certs\nbmaster1.p12 -name nbwmc -CAfile C:\Certs\CACert.pem -passout pass:password1

    2. Import the pkcs12 certificate file to a Java Keystore:

    "C:\Program Files\Veritas\NetBackup\jre\bin\keytool" -importkeystore -noprompt -deststorepass password2 -destkeypass password2 -destkeystore C:\Certs\keystorefile.jks -srckeystore C:\Certs\nbmaster1.p12 -srcstoretype PKCS12 -alias nbwmc -srcstorepass password1

    3. Import the root CA certificate into JAVA KeyStore:

    "C:\Program Files\Veritas\NetBackup\jre\bin\keytool" -importcert -noprompt -trustcacerts -file C:\Certs\CACert.pem -keystore C:\Certs\keystorefile.jks -storepass password2 -alias ca1

    4. Create a key password file with any name, and place in it the password that was given to the "-storepass" option in step 3. In this example the file is named password.txt and contains the password "password2".

    • A. Open Notepad or WordPad
    • B. Put password2 in the file, then save and exit.

    5. Configure the certificates in NetBackup:

    "C:\Program Files\Veritas\NetBackup\wmc\bin\install\configureTPCerts" -keystorefile C:\Certs\keystorefile.jks -keystorepassfile C:\Certs\password.txt

    6. Stop and restart nbwmc service.

     

    For additional information, see the topic About external CA support in NetBackup in the NetBackup Security and Encryption Guide version 8.2 or later.

     
