Cloud Storage Server Wizard fails with error "Login credentials or certificate verification failed for server" when Subject Name in the SSL certificate and Service Hostname defined in NetBackup do not match.
Problem
Cloud Storage Server GUI Wizard fails with the following error:
Creating storage server my-ecs.sts-server
Login credentials or certificate verification failed for server media_server
Rolling back storage server creation for my-ecs.sts-server
If the cloud, or object storage vendor credentials (Access and Secret) have been verified to work outside of NetBackup, ensure SSL (Secure Sockets Layer) is configured properly on the private cloud server.
NetBackup supports only Certificate Authority (CA)-signed certificates while it communicates with cloud storage in the SSL mode. Ensure that the cloud server has CA-signed certificate. If it does not have the CA-signed certificate, data transfer between NetBackup and the cloud provider fails in the SSL mode.
Error Message
Logs related to this error can be found in the following folder:
Linux/Unix: /usr/openv/volmgr/debug/tpcommand
Windows: C:\Program Files\Veritas\Volmgr\debug\tpcommand
08:39:40.911 [5804.8988] <4> tpconfig:main(): D:\Program Files\Veritas\Volmgr\bin\tpconfig.exe -noverbose -add -storage_server my-ecs.sts-server -stype EMC-ECS_rawc -sts_user_id ****** -password ****** -key ******
08:39:40.940 [5804.8988] <4> tpconfig: emmserver_port = 1556
08:39:41.563 [5804.8988] <4> tpconfig:main(): OpenStorage host name "my-ecs.sts-server" specified
08:39:41.563 [5804.8988] <4> tpconfig:main(): OpenStorage type "EMC-ECS_rawc" specified
08:39:48.224 [5804.8988] <2> calnbumed01: EMC-ECS: Entry buildGetBucketsHeaders
08:39:48.224 [5804.8988] <2> calnbumed01: EMC-ECS: Adding configured headers for 1 level
08:39:48.224 [5804.8988] <2> calnbumed01: EMC-ECS: Adding header- user-agent:APN/1.0 Veritas/1.0 NetBackup/8.1
08:39:48.224 [5804.8988] <2> calnbumed01: EMC-ECS: Setting request type- GET
08:39:48.224 [5804.8988] <2> calnbumed01: EMC-ECS: Exit buildGetBucketsHeaders
08:39:48.227 [5804.8988] <2> calnbumed01: EMC-ECS: s3 URL: https://ecs.s3lab.svc-host:443/
08:39:48.227 [5804.8988] <2> calnbumed01: EMC-ECS: Setting Url: https://ecs.s3lab.svc-host:443/
08:39:48.227 [5804.8988] <2> calnbumed01: EMC-ECS: Building header:
08:39:48.227 [5804.8988] <2> calnbumed01: EMC-ECS: stringToSign in object- GET Mon, 22 Jul 2019 12:39:48 GMT
08:39:48.266 [5804.8988] <16> calnbumed01: EMC-ECS: Error checking credential, HTTP code 0, no response data from server.
Cause
The value of s3 URL in the above log file shows the Service host name that NetBackup uses to connect to the cloud/object storage endpoint.
Check the ContextName (CN) value for the Subject - for which a certificate was issued. This can be achieved using native OS tools or using the NetBackup equivalent vxsslcmd command found at:
Linux/Unix: /usr/openv/netbackup/bin/goodies/vxsslcmd
Windows: C:\Program Files\Veritas\NetBackup\goodies\vxsslcmd
# echo | vxsslcmd s_client -showcerts -connect ecs.s3lab.svc-host:443 | grep CN=
0 s:/C=CA/ST=FL/L=Heathrow/O=Veritas Labs/CN=s3lab.svc-host/emailAddress=lk@vrts.com
i:/DC=CAN/DC=PROD/CN=Prod SHA2 Server CA
1 s:/DC=CAN/DC=PROD/CN=Prod SHA2 Server CA
i:/CN=Prod SHA2 Root CA
subject=/C=CA/ST=FL/L=Heathrow/O=Veritas Labs/CN=s3lab.svc-host/emailAddress=lk@vrts.com
issuer=/DC=CAN/DC=PROD/CN=Prod SHA2 Server CA
For example, the above command output shows the CN value for the subject as s3lab.svc-host
This differs from the S3 ServiceHost value defined in NetBackup as ecs.s3lab.svc-host
Solution
1. Engage the Certificate vendor/team to request a new certificate that matches the Cloud storage endpoint.
2. Utilize vendor-specific procedures to import this certificate onto any on-premise cloud object storage endpoint.
3. The corresponding certificate chain must also be appended to the cacert.pem file in NetBackup. This file is located at the paths below.
Pre-8.2 NetBackup versions
Windows C:\Program Files\Veritas\NetBackup\db\cloud\cacert.pem
Linux /usr/openv/netbackup/db/cloud/cacert.pem
NetBackup version 8.2 onwards:
Windows C:\Program Files\Veritas\NetBackup\var\global\wmc\cloud\cacert.pem
Linux /usr/openv/var/global/wmc/cloud/cacert.pem
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.