Important Update: Cohesity Products Knowledge Base Articles
All Cohesity Knowledge Base Articles are now managed via the Cohesity Support Portal: https://support.cohesity.com/s/searchunify. The Knowledge Base articles available here will not reflect the latest information or may no longer be accessible.
Problem
The nbwebservice.jks file cannot be updated because of insufficient access rights to the "<install_path>\NetBackup\var\global\wsl\credentials\nbwebservice.jks" file, and an error occurs.
The nbwebservice.jks file is automatically updated 180 days before the certificate expiration date.
However, if the web services account (nbwebsvc) has not been granted write access to the "nbwebservice.jks" file, the file is not updated automatically and problems follow.
When the problem occurs, logging in to the Java Administration Console fails with a status 7656 error, even though the "nbcertcmd -listallcertificates" command shows that the certificate has not expired.
Error Message
-When the issue occurs, the following error is output when logging in to the Java Administration Console.
-------------------------
Unable to login, status:7656
The revocation status of the host certificate cannot be verified using
the Certificate Revocation List (CRL) because the CRL expired. The CRL is older
than 7 days.
-------------------------
-When the "nbcertcmd -getCRL" command is executed, the following error is returned.
-------------------------
Failed to fetch security level for <Master Server Name>. 8506:The Certificate has expired
Failed to fetch certificate revocation list for <Master Server Name>. 8506:The Certificate has expired
EXIT STATUS 5978: Attempt to refresh certificate revocation list failed.
-------------------------
Cause
If the access rights to the nbwebservice.jks file are insufficient, the certificate cannot be renewed.
To confirm whether the access rights are sufficient, run the Microsoft Windows "icacls" command.
Example command)
icacls "<install_path>\NetBackup\var\global\wsl\credentials\nbwebservice.jks"
Example output)
<install_path>\NetBackup\var\global\wsl\credentials\nbwebservice.jks NBMASTER1\nbwebsvc:(I)(RX)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
In the example above, you can see that the web services account (nbwebsvc) has not been granted write access to the "nbwebservice.jks" file.
In this case, the problem occurs.
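The same check as a PowerShell script, added here as an example (it is not part of the original article or of the vendor's tooling): it reads the file's ACL with Get-Acl and reports whether the web services account holds write access. The account name NBMASTER1\nbwebsvc comes from the sample output above and the function name Test-AccountCanWrite is hypothetical; replace <install_path> and the account name for your server.

```powershell
# Added example (not vendor code). Replace <install_path> and the account name;
# NBMASTER1\nbwebsvc is the sample account from the icacls output in this article.
param(
    [string]$JksPath = '<install_path>\NetBackup\var\global\wsl\credentials\nbwebservice.jks',
    [string]$Account = 'NBMASTER1\nbwebsvc'
)

# Hypothetical helper: returns $true when the ACL contains an Allow entry with
# WriteData for $Account and no Deny entry that removes it. Only entries naming
# the account directly are considered; rights held through groups are not resolved.
function Test-AccountCanWrite {
    param([object[]]$Rules, [string]$Account)
    $write = [System.Security.AccessControl.FileSystemRights]::WriteData
    $mine  = @($Rules | Where-Object { $_.IdentityReference.Value -ieq $Account })
    $allow = @($mine | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) -eq $write })
    $deny  = @($mine | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $write) -eq $write })
    return ($allow.Count -gt 0 -and $deny.Count -eq 0)
}

if (-not (Test-Path -LiteralPath $JksPath -PathType Leaf)) {
    Write-Error "File not found: $JksPath"
    exit 2
}

$acl = Get-Acl -LiteralPath $JksPath

# Show the entries for the account, the equivalent of the icacls lines above.
$acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Account } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

if (Test-AccountCanWrite -Rules $acl.Access -Account $Account) {
    Write-Output "OK: $Account has write access to $JksPath"
    exit 0
}
Write-Output "PROBLEM: $Account has no write access to $JksPath; automatic renewal of nbwebservice.jks will fail."
exit 1
```

The exit code (0 for write access present, 1 for missing, 2 for file not found) lets the script be run as a scheduled health check ahead of the 180-day renewal window.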
Environment
・Only happens on Windows platforms
・Only happens on NetBackup 8.1 or 8.1.X
Operation
The issue is observed on Windows Master Servers only and may be caused by either of the following scenarios:
・The Master Server was upgraded directly to 8.1 or 8.1.X from 7.7.2 or 7.7.3.
・The Master Server was reinstalled.
Solution
Please take the following actions.
If the certificate expiration date is more than 181 days away, only step 1 is necessary.
This step must be run with Administrator permissions.
1. Run the following command to set up the appropriate permissions.
"<install_path>\NetBackup\wmc\bin\install\setupWmcPermissions.bat"
When the web services account (nbwebsvc) has been granted write access to the "nbwebservice.jks" file, the result of the Microsoft Windows "icacls" command is as shown below.
Example command)
icacls "<install_path>\NetBackup\var\global\wsl\credentials\nbwebservice.jks"
Example output)
<install_path>\NetBackup\var\global\wsl\credentials\nbwebservice.jks NBMASTER1\nbwebsvc:(I)(RX)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
NBMASTER1\nbwebsvc:(I)(F)
BUILTIN\Users:(I)(RX)
2. Run the following command to reconfigure nbwebservice.jks.
"<install_path>\NetBackup\wmc\bin\install\configureCerts.bat"
3. Restart the "NetBackup Web Management Console" service with the following commands.
sc stop "NetBackup Web Management Console"
sc start "NetBackup Web Management Console"
Fixed in a future release
There are no plans to address this issue by way of a patch or hotfix in the current or previous versions of the software at the present time.
However, the issue is currently scheduled to be addressed in the next major revision of the product.
Please note that Veritas Technologies LLC reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests.
Veritas’ plans are subject to change and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.