Cannot login to Administrator Java GUI after ECA certificate applied.

Article: 100046207
Last Published: 2019-11-29
Product(s): NetBackup

Problem

After applying an ECA certificate, you cannot log in to the Administrator Java GUI. The login fails with the error "Verification of X.509 certificate failed when connecting to the bpjava msvc service"

Error Message

"Verification of X.509 certificate failed when connecting to the bpjava msvc service"

Cause

If you have an intermediate certificate (from a certificate chain), the sequence of the certificates in the path should be leaf certificate > intermediate certificate.

Solution

For NetBackup 8.1.2.1 and 8.2

  1. Append the two certificates: the "ECA_CERT" certificate and the "ECA_TRUST_STORE" certificate.

# grep ECA /usr/openv/net*/bp.conf
ECA_CERT_PATH=/etc/server_certs/master-server-name.domain.com.cer  >>> this includes host id certificate
ECA_PRIVATE_KEY_PATH=/etc/server_certs/new_certificatekey_master_server_name.pem
ECA_TRUST_STORE_PATH=/etc/server_certs/trust.pem   >>>>> this includes 2 Certificates of ROOT & Intermediate
ECA_MASTER_SERVER_LIST=master-server-name.domain.com

  1. Take a backup of the above certificates.
  1. Append the intermediary CA details to the host certificate by running x509 on both certificates, and then append the content together in this format:

For example, root CA + intermediate-CA is displayed as follows:

-----BEGIN CERTIFICATE-----
(Your certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate's base64 data here)
-----END CERTIFICATE-----

+ host_name certificate is displayed as follows

-----BEGIN CERTIFICATE-----
(intermediate certificate's base64 data here)
-----END CERTIFICATE-----

  1. Root CA + Intermediate-CA + host_name certificate must all be configured, so run the following command:

cat trust.pem >> master-server-name.domain.com.cer  (the extension is cer, not cert)

All the certificates (root CA + intermediate-CA + host_name certificate) are now configured in a single file. This single file of certificates is now used as "ECA_CERT_PATH":

-----BEGIN CERTIFICATE-----
(Your certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate's base64 data here)
-----END CERTIFICATE-----

  1. Now add this new certificate file for "ECA_CERT_PATH" 

Run the command :

<install_path>/wmc/bin/install/configureWebServerCerts -addExternalCert -all  -certPath /etc/server_certs/master-server-name.domain.com.cer -privateKeyPath /etc/server_certs/new_certificatekey_master_server_name.pem -trustStorePath /etc/server_certs/trust.pem

  1. Now enroll them with nbcertcmd -enrollcertificate

On UNIX systems, the directory path to this command is

/usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is

<install path>\NetBackup\bin\

  1. Now you can log in to the Java GUI.

NOTE: The customer needs to check how many intermediate CA certificates they have in their environment.

Another way to confirm the same issue: you can connect to the WEBUI but cannot connect to the Java GUI.

So, check the WEBUI link by clicking the Certificate icon.
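One way to check the leaf > intermediate order from the Cause section before configuring the combined file as ECA_CERT_PATH. This is an added example, not Veritas code: it assumes the openssl CLI is installed, and the function names split_bundle and check_chain_order are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a PEM bundle is ordered leaf first, with each
# following certificate being the issuer of the one before it.
# Usage (path taken from the article's bp.conf sample):
#   check_chain_order /etc/server_certs/master-server-name.domain.com.cer

# split_bundle FILE DIR: write each certificate in FILE to DIR/cert-NN.pem
# and print how many were found. A BEGIN line with the wrong number of
# dashes is not a valid PEM header, so that block is skipped.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----$/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# check_chain_order FILE: print subject/issuer per certificate.
# Returns 0 if the order is correct, 1 on an order error, 2 if FILE is unusable.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $1"; rm -rf "$tmp"; return 2
    fi
    rc=0; i=1
    while [ "$i" -le "$count" ]; do
        cur=$(printf '%s/cert-%02d.pem' "$tmp" "$i")
        subj=$(openssl x509 -in "$cur" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$cur" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        echo "[$i] subject: $subj"
        echo "    issuer : $iss"
        # The previous certificate must have been issued by this one.
        if [ "$i" -gt 1 ] && [ "$prev_issuer" != "$subj" ]; then
            echo "    ORDER ERROR: certificate $((i - 1)) was issued by '$prev_issuer'"
            rc=1
        fi
        prev_issuer=$iss
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}
```
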

For more information, refer to the Veritas NetBackup™ Security and Encryption Guide.

 

References

Etrack : 3960324 Etrack : 3983399
