Not able to create a reissue token for a revoked client, since it is not visible under Certificate Management
Problem
It has been observed that if a revoked client certificate is NOT visible under "Certificate Management", the revoked client may be mapped to another client / server.
Error Message
When trying to redeploy the certificate / token on the client, the operation reports that a reissue token is required. The following errors may be observed while attempting to redeploy a revoked certificate that is not visible under Certificate Management:
Examples, from NetBackup Client:
<NetBackup Client> # /usr/openv/netbackup/bin/nbcertcmd -getCertificate
nbcertcmd: The -getCertificate operation failed for server <Master Server>.
EXIT STATUS 5989: Reissue token is mandatory as a certificate is already issued to this host. Revoke the existing certificate if it is active and map this host name to the associated host ID.
<NetBackup Client> # /usr/openv/netbackup/bin/nbcertcmd -getCertificate -host <NetBackup Client> -server <Master Server> -token <Token Manually Created> -force
nbcertcmd: The -getCertificate operation failed for server <Master Server>
EXIT STATUS 5940: Reissue token is mandatory, please provide a reissue token.
Example, from NetBackup Master:
<Master Server> # /usr/openv/netbackup/bin/admincmd/bptestbpcd -client <NetBackup Client>
<16>bptestbpcd main: Function ConnectToBPCD(NetBackup Client) failed: 7653
<16>bptestbpcd main: The Peer Certificate is revoked
The Peer Certificate is revoked
Example, from Activity Monitor job details:
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] Connecting host: nbmedia9bkp.domain.local
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] ConnectionId: {12AB345C-678D-90EF-G123-4H65I78901J2}:OUTBOUND
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] pid: 9001
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] Received status: 7653 with message The peer host certificate is revoked. Revocation Reason Code : 4(Superseded), Revocation Time : May 18 19:30:45 2021 GMT, Serial Number : 0x1AB2345678900001
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) bpcd on nbclient01a.domain.local exited with status 7653: The Peer Certificate is revoked
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] Connecting host: nbmedia9bkp.domain.local
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] ConnectionId: {1357A9B0-246C-80DE-F1GH-3579I02468JK}:OUTBOUND
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] pid: 9001
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] Received status: 7653 with message The peer host certificate is revoked. Revocation Reason Code : 4(Superseded), Revocation Time : May 18 19:30:45 2021 GMT, Serial Number : 0x1AB2345678900001
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) cannot send mail because BPCD on nbclient01a.domain.local exited with status 61: the vnetd proxy encountered an error
May 19, 2021 9:10:11 AM - Info bpbkar (pid=0) done. status: 7653: The Peer Certificate is revoked
The Peer Certificate is revoked (7653)
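An added example (not Veritas code): a small Python parser for job-detail lines in the format shown above. It groups lines by bpbrm pid and pulls out the host named in the bpcd exit line together with the revocation reason, time and serial number, so the affected host can then be searched for by name under Host Management. The function name revoked_peers and the SAMPLE text are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Activity Monitor job details above.
SAMPLE = """\
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] Connecting host: nbmedia9bkp.domain.local
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) [PROXY] Received status: 7653 with message The peer host certificate is revoked. Revocation Reason Code : 4(Superseded), Revocation Time : May 18 19:30:45 2021 GMT, Serial Number : 0x1AB2345678900001
May 19, 2021 9:10:11 AM - Error bpbrm (pid=57054) bpcd on nbclient01a.domain.local exited with status 7653: The Peer Certificate is revoked
May 19, 2021 9:10:11 AM - Info bpbkar (pid=0) done. status: 7653: The Peer Certificate is revoked
"""

PID = re.compile(r"\(pid=(\d+)\)")
CONNECTING = re.compile(r"\[PROXY\] Connecting host: (\S+)")
REVOKED = re.compile(
    r"Received status: 7653 .*?Revocation Reason Code : (\d+)\(([^)]*)\), "
    r"Revocation Time : (.+?), Serial Number : (0x[0-9A-Fa-f]+)")
# Only the 7653 exit counts; the "status 61" mail line must not match.
PEER = re.compile(r"bpcd on (\S+) exited with status 7653\b", re.I)


def revoked_peers(text):
    """Return one record per job (bpbrm pid) that failed with status 7653."""
    jobs = defaultdict(dict)  # pid -> fields collected from that job's lines
    for line in text.splitlines():
        pid = PID.search(line)
        if not pid:
            continue
        job = jobs[pid.group(1)]
        if m := CONNECTING.search(line):
            job["connecting_host"] = m.group(1)
        elif m := REVOKED.search(line):
            job.update(reason_code=int(m.group(1)), reason=m.group(2),
                       revoked_at=m.group(3), serial=m.group(4))
        elif m := PEER.search(line):
            job["peer"] = m.group(1)
    # Keep only jobs where both the peer name and the serial were seen.
    return [dict(pid=p, **j) for p, j in jobs.items()
            if "peer" in j and "serial" in j]


if __name__ == "__main__":
    for rec in revoked_peers(SAMPLE):
        print(f"{rec['peer']}: serial {rec['serial']} revoked "
              f"{rec['revoked_at']} ({rec['reason_code']} {rec['reason']}), "
              f"seen from {rec['connecting_host']}")
```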
Cause
In this case it was found that the revoked client was also mapped to another working client / server, under Host Management.
Solution
- Under Host Management search for the revoked client / server name (in the search window).
- Confirm if it shows up for a different server.
- If so, remove any incorrect mappings.
- Under Certificate Management you should now be able to see the revoked client.
- Then create a reissue token.
- For further details on the reissue token, see the Veritas NetBackup Security and Encryption Guide.
Or ...
- In the NetBackup Administration Console, expand Security Management > Host Management.
- In the details pane, on the Hosts tab, right-click the client host that you want to modify (search for it if necessary).
- Click the Add or Remove Host Mappings option.
- On the Add or Remove Host Mappings screen, the host ID of the selected client host is displayed along with the existing mappings.
- Select the mapping that you want to remove.
- Click Remove.
- On the Remove Mapping dialog box, specify the reason for removing the selected mapping, for auditing purposes.
- Click Yes.