Use of underscore ( _ ) in the NetBackup Master Server hostname is not supported

Use of underscore ( _ ) in the NetBackup Master Server hostname is not supported

Article: 100047335
Last Published: 2021-03-29
Ratings: 2 0
Product(s): Appliances, NetBackup

Problem

Use of underscores in NetBackup Server or OpsCenter Server hostname are not supported in NetBackup 8.1 and later releases.

This statement was made public in the NetBackup 8.1 Release Notes, published October 2017.

Veritas NetBackup™ Release Notes - NetBackup 8.1
https://www.veritas.com/content/support/en_US/doc/103228346-127350715-0/v124746605-127350715

This document serves to include OpsCenter Server as a 'NetBackup Server' and to consolidate non-Veritas references that explain why use of underscores is no longer permitted or supported.

Error Message

Underscore in the system hostname will cause certificate related operations throughout NetBackup to fail.

Some issues encountered when an underscore is present in the NetBackup Master hostname:

  • Upgrade from NetBackup 7.7.x to 8.x fails
  • JAVA GUI fails to connect
  • Certificate renewal fails

Cause

Underscores have been used in hostnames for a long time but have not been officially allowed by IETF since 1985.

After the introduction of NetBackup Web Services in NetBackup 8.0, some customers began reporting issues with failed upgrades, connectivity issues and certificate related operations.
The main cause was revealed to be due to underscores "_" in the Master Server hostname.

Veritas NetBackup 8.x and later uses certificates for multiple parts of the product to maintain security. The result is that Netbackup can no longer allow the use of underscores. This is to comply with IETF restrictions in certificate handling and Certificate Authority (CA) naming.

Solution

Customers with an underscore in the hostname must change the name of the master server to remove the "underscore" to remain in an operational and supported configuration.

Master Server name changes are not provided as a service through Veritas Support and requires the assistance of Veritas Consulting Services.

References

In 2018, the regulating body for all Certificate Authorities, CA/B Forum, voted down the use of undercores in hostnames for CA and CRL.

CA/B Forum - Ballot SC12: Sunset of Underscores in dNSNames [ November 2018]
https://cabforum.org/2018/11/12/ballot-sc-12-sunset-of-underscores-in-dnsnames/

— MOTION BEGINS —
Add the following language to BR section 7.1.4.2.1 (Subject Alternative Name Extension):

Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:

dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
Underscore characters MUST NOT be placed in the left most domain label, and;
Such certificates MUST NOT be valid for longer than 30 days.
All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019.

After April 30, 2019, underscore characters (“_”) MUST NOT be present in dNSName entries.
— MOTION ENDS —

 

Additional supporting links showing underscores are not allowed in hostnames and Certificate names.

IETF

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
[May 2008]
https://tools.ietf.org/html/rfc5280
[See Appendix B. ASN.1 Notes]

 

DOD INTERNET HOST TABLE SPECIFICATION [October 1985]
https://www.ietf.org/rfc/rfc952.txt
[See ASSUMPTIONS]

A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.). Note that periods are only allowed when they serve to delimit components of "domain style names".


Requirements for Internet Hosts -- Application and Support [October 1989]
https://tools.ietf.org/html/rfc1123
[See section 2.1 "Host Names and Numbers"]

Common DNS Operational and Configuration Errors [February 1996]
https://www.ietf.org/rfc/rfc1912.txt
[See Section 2.1 Inconsistent, Missing, or Bad Data]

 

Clarifications to the DNS Specification [July 1997]
https://tools.ietf.org/html/rfc2181
[See section 11 - Name Syntax]


MICROSOFT

Complying with Name Restrictions for Hosts and Domains [July 2012]
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959336(v=technet.10)

Naming conventions in Active Directory for computers, domains, sites, and OUs
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and

DNS host names cannot contain the following characters:

  • comma (,)
  • tilde (~)
  • colon (:)
  • exclamation point (!)
  • at sign (@)
  • number sign (#)
  • dollar sign ($)
  • percent (%)
  • caret (^)
  • ampersand (&)
  • apostrophe (')
  • period (.)
  • parentheses (())
  • braces ({})
  • underscore (_)
  • white space (blank)

The underscore has a special role, as it is permitted for the first character in SRV records by RFC definition, but newer DNS servers may also allow it anywhere in a name. For more details, see Complying with Name Restrictions for Hosts and Domains.

Related Articles:

In NetBackup 8.0 or higher, the Java Console displays "Status Code: 130 System Error Occurred" when attempting connection to a host with an underscore in its hostname.
https://www.veritas.com/support/en_US/article.100033400

 

Was this content helpful?