The server certificate issuer is not a trusted CA. How to configure external CA certificate or ECA for NetBackup WebUI

Article: 100045242
Last Published: 2019-05-15
Product(s): NetBackup & Alta Data Protection

Problem

The NetBackup 8.1.2 WebUI cannot be integrated with Microsoft Active Directory over LDAPS because the issuer of the domain controller's server certificate is not a trusted CA. This article shows how to configure the external CA certificate (ECA) that the NetBackup WebUI's LDAP domain needs.

Error Message

TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Cause

The CA that issued the domain controller's LDAPS certificate is not in the trust store the LDAP client uses: the trusted CA file was not supplied when the domain was added, or the LDAPTLS_CACERT environment variable is not set. OpenSSL therefore cannot build the certificate chain ("unable to get local issuer certificate") and the TLS handshake is aborted with "unknown CA".

Solution

  •        Run the following command on the NetBackup master server to add an AD domain or an LDAP domain. The -f option names the PEM file with the CA certificate(s) that issued the domain controller's certificate; it is what makes the issuer trusted.

  vssat addldapdomain -d DomainName -s server_URL -u user_base_DN -g group_base_DN [-f trusted_CA_file_name] [-t rfc2307 | msad | {-c user_object_class -a user_attribute -q user_GID_attribute -un user_display_name_attribute -ui user_ID_attribute[:value_type] -ud user_description_attribute -x group_object_class -y group_attribute -z group_GID_attribute -gn group_display_name_attribute -gi group_ID_attribute[:value_type] -gd group_description_attribute [-k DN | UID]]} [-b FLAT | BOB] -m admin_user_DN [-w admin_user_password] [-p SUB | ONE | BASE]

Example:

vssat addldapdomain -d nbudomain -s ldaps://example.com -f <path_to_CA_PEM_file> -u "OU=Users,DC=example,DC=com" -g "OU=Groups,DC=example,DC=com" -m "CN=TestUser,OU=Users,DC=example,DC=com" -t msad -b BOB

The command prompts for the admin user's password when -w is omitted (preferable, since a password given with -w is visible in process listings and shell history). On success it prints:

Successfully added LDAP domain.

  • Run vssat validateprpl to verify that the specified AD or LDAP domain was added successfully, and vssat listldapdomains to list the added domains. In the output, check that SSL Enabled is Yes and that CA Certificates PEM File names the file you supplied with -f.

Example:

/usr/openv/netbackup/sec/at/bin/vssat listldapdomains
Using data dir: /usr/openv/var/global/vxss/eab/data

listldapdomains
----------------------
----------------------

Found:  1

Domain Name :           domain-name
Server URL :            ldaps://example.com
SSL Enabled :           Yes
CA Certificates PEM File :      certificate.pem
User Base DN :          DC=zone1,DC=zone2,DC=net
User Object Class :     user
User Attribute :        sAMAccountName
User GID Attribute :    memberOf
User Display Name Attribute :   displayName
User ID Attribute :     objectSid
User Description Attribute :    description
Group Base DN :         DC=zone1,DC=zone1,DC=net
Group Object Class :    group
Group Attribute :       sAMAccountName
Group GID Attribute :   cn
Group Display Name Attribute :  displayName
Group ID Attribute :    objectSid
Group Description Attribute :   description
Group GID Attribute Type :
Auth Type :     BOB
Admin User :    CN=username,OU=Data Management,OU=Admin,DC=zone1,DC=zone2,DC=net
Admin User Password :
Search Scope :  SUB

  • Run vssat authenticate to confirm that a user in the new domain can authenticate through the authentication broker:

Example:             

# /usr/openv/netbackup/sec/at/bin/vssat authenticate -p username -d DOMAIN_NAME -b broker_host:1556:nbatd
Using data dir: /usr/openv/var/vxss/at
Enter password for username : <PASSWORD>
      
If the user still cannot authenticate, the LDAP client library has no trust anchor for the domain controller's certificate. Point it at the external CA file through the LDAPTLS_CACERT environment variable (the variable read by OpenLDAP's libldap, which produced the TLS trace shown above). The PEM file supplied with -f is stored under:

/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/

Export the variable in the shell from which you run vssat (an exported variable is visible only to that shell and its child processes, so set it in the same session) and re-run vssat authenticate:

export LDAPTLS_CACERT=/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile/certstore/trusted/pluggins/ldap/EXTERNAL_CERTIFICATE.pem

  • You can additionally use ldapsearch to verify that the TLS connection and the bind work. Run it from the same shell in which LDAPTLS_CACERT is exported; otherwise it fails with the same "unable to get local issuer certificate" error.

Example:

 ./ldapsearch -H ldaps://example.com -x -D "CN=username,OU=Data Management,OU=Admin,DC=zone1,DC=zone2,DC=net" -W -d 5 -o nettimeout=60

-x selects a simple bind, -W prompts for the password instead of taking it on the command line (where -w leaves it visible in process listings and shell history), and -d 5 prints the TLS trace shown above under Error Message, so any remaining trust problem is visible in the output.
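The checks in the steps above can be scripted and run before the domain is added. The following POSIX shell script is an added example, not code from the Veritas article or from NetBackup: it validates the URL and the CA PEM file that vssat addldapdomain -s/-f will receive (scheme is ldaps://, the file parses, and it is a CA certificate rather than the server's own leaf certificate), verifies the domain controller's chain against that file with openssl s_client, and wraps the ldapsearch probe with LDAPTLS_CACERT scoped to the single command. The hostnames, paths and function names are placeholders chosen for the example; only verify_chain and ldap_probe contact the network.

```shell
#!/bin/sh
# Added example (not from the Veritas article or NetBackup): pre-flight checks
# for the trusted-CA PEM file and LDAPS URL that vssat addldapdomain -s/-f and
# the LDAPTLS_CACERT step expect. Hostnames, paths and function names are
# placeholders; only verify_chain and ldap_probe touch the network.

# url_scheme URL -> prints the scheme (ldap or ldaps); empty if malformed.
url_scheme() { printf '%s\n' "$1" | sed -n 's,^\([a-z]*\)://.*,\1,p'; }

# url_host URL -> prints the host part without port or path.
url_host() { printf '%s\n' "$1" | sed -e 's,^[a-z]*://,,' -e 's,[/:].*,,'; }

# url_port URL -> explicit port, else 636 for ldaps:// and 389 for ldap://.
url_port() {
    p=$(printf '%s\n' "$1" | sed -n 's,^[a-z]*://[^/:]*:\([0-9]*\).*,\1,p')
    if [ -n "$p" ]; then echo "$p"
    elif [ "$(url_scheme "$1")" = ldaps ]; then echo 636
    else echo 389; fi
}

# pem_cert_count FILE -> number of PEM certificate blocks (0 if unreadable).
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# check_domain_args URL CA_PEM -> 0 if the pair is usable for addldapdomain,
# 1 with a reason on stderr otherwise. Catches the setups behind the error in
# the article: a plain ldap:// URL (the -f file is never consulted), an empty
# or malformed PEM file, or a leaf certificate dropped in where a CA is needed.
check_domain_args() {
    url=$1; ca=$2
    case $(url_scheme "$url") in
        ldaps) ;;
        ldap)  echo "warn: $url is plain ldap://; -f is only used for TLS" >&2; return 1 ;;
        *)     echo "error: unsupported URL scheme in '$url'" >&2; return 1 ;;
    esac
    [ -r "$ca" ] || { echo "error: CA file $ca is not readable" >&2; return 1; }
    [ "$(pem_cert_count "$ca")" -gt 0 ] \
        || { echo "error: $ca holds no PEM certificate block" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        # The first block must parse, and it must be a CA certificate: the DC's
        # own (CA:FALSE) certificate cannot anchor a chain issued by its CA.
        openssl x509 -in "$ca" -noout 2>/dev/null \
            || { echo "error: $ca does not parse as an X.509 PEM certificate" >&2; return 1; }
        openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
            || { echo "error: $ca is not a CA certificate (no basicConstraints CA:TRUE)" >&2; return 1; }
    fi
    return 0
}

# verify_chain URL CA_PEM -> 0 when the server's certificate chain validates
# against CA_PEM, i.e. the verification the failing handshake in the article
# could not complete. Needs network access to the domain controller.
verify_chain() {
    host=$(url_host "$1"); port=$(url_port "$1")
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$2" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# ldap_probe URL BIND_DN CA_PEM -> the article's ldapsearch check with
# LDAPTLS_CACERT scoped to this one command, a simple bind (-x), and the
# password prompted (-W) instead of passed on the command line. Reads the
# RootDSE, which any bound user may do, so no base DN needs to be known.
ldap_probe() {
    LDAPTLS_CACERT=$3 ldapsearch -H "$1" -x -D "$2" -W -o nettimeout=60 \
        -s base -b "" namingContexts
}

# Usage (placeholder values):
#   sh ldaps_preflight.sh ldaps://dc1.example.com /path/to/ca.pem "CN=svc,OU=Users,DC=example,DC=com"
if [ $# -eq 3 ]; then
    check_domain_args "$1" "$2" && verify_chain "$1" "$2" && ldap_probe "$1" "$3" "$2"
fi
```

The offline checks run first so that a wrong file or URL is reported before any password is typed; a non-zero exit from check_domain_args is the same condition the article's TLS trace reports, caught before vssat addldapdomain writes the domain.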

Applies to

NetBackup 8.1.2 WebUI

Reference:

Veritas NetBackup™ Security and Encryption Guide:

Adding AD or LDAP domains in NetBackup.
Troubleshooting AD or LDAP domain configuration issues   
