The server certificate issuer is not a trusted CA. How to configure external CA certificate or ECA for NetBackup WebUI
Problem
Unable to integrate the NetBackup (NBU) 8.1.2 WebUI with Microsoft Active Directory via LDAPS: the server certificate issuer is not a trusted CA. This article describes how to configure the external CA certificate (ECA) for the NetBackup WebUI.
Error Message
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Cause
The environment variable that points the LDAP client at the external CA certificate (LDAPTLS_CACERT) is not set, so the LDAPS server certificate cannot be chained to a trusted issuer.
Solution
- Run the following command to add an AD domain or an LDAP domain on the NetBackup master server.
Example:
vssat addldapdomain -d nbudomain -s ldaps://example.com -f <path to the CA PEM file> -u "OU=Users,DC=example,DC=com" -g "OU=Groups,DC=example,DC=com" -m "CN=TestUser,OU=Users,DC=example,DC=com" -t msad -b BOB
The command prompts for the password of the admin user given with -m. Once the password is entered it displays the message:
Successfully added LDAP domain.
- Run the vssat validateprpl command to verify whether the specified AD or LDAP domain was added successfully; vssat listldapdomains lists the added domains.
Example:
/usr/openv/netbackup/sec/at/bin/vssat listldapdomains
Using data dir: /usr/openv/var/global/vxss/eab/data
listldapdomains
----------------------
----------------------
Found: 1
Domain Name : domain-name
Server URL : ldaps://example.com
SSL Enabled : Yes
CA Certificates PEM File : certificate.pem
User Base DN : DC=zone1,DC=zone2,DC=net
User Object Class : user
User Attribute : sAMAccountName
User GID Attribute : memberOf
User Display Name Attribute : displayName
User ID Attribute : objectSid
User Description Attribute : description
Group Base DN : DC=zone1,DC=zone1,DC=net
Group Object Class : group
Group Attribute : sAMAccountName
Group GID Attribute : cn
Group Display Name Attribute : displayName
Group ID Attribute : objectSid
Group Description Attribute : description
Group GID Attribute Type :
Auth Type : BOB
Admin User : CN=username,OU=Data Management,OU=Admin,DC=zone1,DC=zone2,DC=net
Admin User Password :
Search Scope : SUB
- Run the vssat authenticate command to confirm that the user can authenticate.
Example:
root@servername[DEV][~] # /usr/openv/netbackup/sec/at/bin/vssat authenticate
/usr/openv/netbackup/sec/at/bin/vssat authenticate -p username -d DOMAIN_NAME -b broker_host:1556:nbatd
Using data dir: /usr/openv/var/vxss/at
Enter password for username : <PASSWORD>
If the user account cannot authenticate using the external certificate, set the LDAPTLS_CACERT environment variable to the external CA PEM file (EXTERNAL_CERTIFICATE.pem).
The external CA PEM file is stored under: /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/
Then export the variable so the LDAP client trusts the external CA:
export LDAPTLS_CACERT=/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/EXTERNAL_CERTIFICATE.pem
- You can additionally use ldapsearch to verify that the LDAPS connection works.
Example:
./ldapsearch -H ldaps://example.com -D "CN=username, OU=Data Management, OU=Admin, DC=zone1,DC=zone2,DC=net" -w ******** -d 5 -o nettimeout=60
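The checks above can be tied together in one script. The following is an added example, not part of the Veritas article or of NetBackup: it confirms that the external CA PEM really issues the LDAPS server chain (the trust decision behind "unable to get local issuer certificate"), then exports LDAPTLS_CACERT and runs ldapsearch. The URL, DNs and PEM file name are placeholders; openssl and ldapsearch are assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not NetBackup code): verify the external CA PEM against the LDAPS
# server, then export LDAPTLS_CACERT for the OpenLDAP client used by vssat/ldapsearch.
# Assumes openssl and ldapsearch in PATH; URL, DNs and file name are placeholders.

# host:port from an LDAP URL, defaulting to 636 for ldaps:// and 389 for ldap://.
ldap_url_hostport() {
    case $1 in
        ldaps://*) hp=${1#ldaps://}; def=636 ;;
        ldap://*)  hp=${1#ldap://};  def=389 ;;
        *) return 1 ;;
    esac
    hp=${hp%%/*}                      # drop any trailing base DN / path
    case $hp in
        *:*) printf '%s\n' "$hp" ;;
        *)   printf '%s:%s\n' "$hp" "$def" ;;
    esac
}

# Number of certificate blocks in the -f PEM file; it must carry the issuing CA
# (plus any intermediate), or the client cannot build the chain.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Verify the server chain against ONLY the external CA file, as the LDAP client does.
verify_ldaps_chain() {
    hostport=$(ldap_url_hostport "$1") || return 2
    openssl s_client -connect "$hostport" -servername "${hostport%%:*}" \
        -CAfile "$2" -showcerts </dev/null 2>&1 | grep -q 'Verify return code: 0 (ok)'
}

main() {
    url=$1; ca=$2; binddn=$3; basedn=$4
    [ -r "$ca" ] || { echo "CA file not readable: $ca" >&2; return 1; }
    [ "$(pem_cert_count "$ca")" -ge 1 ] || { echo "no certificate in $ca" >&2; return 1; }
    if ! verify_ldaps_chain "$url" "$ca"; then
        echo "server chain does not verify against $ca: same failure as the TLS error" >&2
        return 1
    fi
    LDAPTLS_CACERT=$ca; export LDAPTLS_CACERT
    ldapsearch -H "$url" -D "$binddn" -W -b "$basedn" -s base '(objectClass=*)'
}

# Usage: sh check_ldaps_ca.sh ldaps://example.com \
#   /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/EXTERNAL_CERTIFICATE.pem \
#   "CN=username,OU=Admin,DC=zone1,DC=zone2,DC=net" "DC=zone1,DC=zone2,DC=net"
if [ $# -eq 4 ]; then main "$@"; fi
```

A non-zero verify result from openssl with the external CA file reproduces the "unable to get local issuer certificate" error seen above, which means the PEM does not contain the issuing CA rather than that the environment variable is wrong.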
Applies to
NetBackup 8.1.2 WebUI
Reference:
Veritas NetBackup™ Security and Encryption Guide:
Adding AD or LDAP domains in NetBackup
Troubleshooting AD or LDAP domain configuration issues