Unable to create universal share - Failed to get version from the Storage Platform Web Service (SPWS).
Problem
Trust has not been set up properly between NetBackup web services and the Storage Platform Web Service.
Error Message
Failed to get version from the Storage Platform Web Service (SPWS). Ensure that Nginx is running and configured correctly on the selected MSDP storage server.
Error details
errorCode: 4032 Details: No issuer certificate for certificate in certification path found.
pdde-config.log
Wed Sep 4 17:35:58 CDT 2024 **** Asking the NetBackup Webservice to trust the MSDP webserver (spws) ****
2024-0x-0x 17:35:58,815 INFO Checking if there is an MSDP SSL certificate record for media_server_name.
2024-0x-0x 17:35:58,918 ERROR Unexpected error when checking if SSL certificate record exists: The user does not have permission to perform the requested operation.
2024-0x-0x 17:35:58,918 ERROR NetBackup API call failed: netbackup/config/servers/msdp-servers/media_server_name.
2024-0x-0x 17:35:58,918 ERROR The user does not have permission to perform the requested operation.
2024-0x-0x 17:35:58,919 ERROR Cannot continue: /usr/openv/netbackup/bin/nblibcurlcmd failed (252):
API execution failed. HTTP Response Code = 401, NetBackup Error code = 8000, NetBackup Error Message = The user does not have permission to perform the requested operation.
Error: cannot continue: /usr/openv/netbackup/bin/nblibcurlcmd failed (252):
API execution failed. HTTP Response Code = 401, NetBackup Error code = 8000, NetBackup Error Message = The user does not have permission to perform the requested operation.
Cause
At the time SPWS was configured, the media server had insufficient access to establish a trust relationship with the web services of the primary server.
Solution
1) Ensure the media server has the necessary access.
a. Verify the roles for the media server's current API session.
On the media server, run:
/usr/openv/netbackup/bin/nblibcurlcmd -get -masterServer primary_server_name -port 1556 -path '/netbackup/authorization-context?include=authContextRoles' -responseOnStdOut
Note that primary_server_name should be exactly what is configured as the primary server name in the media server's bp.conf.
Example output:
API execution succeeded
Web Response :{"data":{"type":"authorizationContext","id":"ffe67675-2e7f-43d9-8930-e30d573229dc","attributes":{"subject":"ecf4b1d0-d1fe-4ee2-ba74-c312b52a6e95","issuer":"primary_server_name","issuedAt":"2024-0x-0xT20:05:17.549Z","expireDate":"2024-0x-0xT20:05:17.541Z","authToken":"ffe67675-2e7f-43d9-8930-e30d573229dc","isAdmin":false,"isMachine":true,"permissions":[],"roleIds":[2]},"relationships":{"authContextRoles":{"data":[{"type":"authContextRole","id":"2"}]}},"links":{"self":{"href":"/authorization-context"}}},"included":[{"type":"authContextRole","id":"2","attributes":{"name":"Any Machine"}}]}
The roles are in the included section. Specifically, the names:
[{"type":"authContextRole","id":"2","attributes":{"name":"Any Machine"}}]
This host has the following roles:
* Any Machine
On a media server we expect the following roles:
* Any Server
* Kubernetes Access Host
* Any Machine
* Any Malware Scan Manager
* Any Nutanix Access Host
If the roles from the API response match the expected roles, the media server has the required access. Skip to step 2.
b. Invalidate the media server's API session.
On the media server, run:
/usr/openv/netbackup/bin/nblibcurlcmd -post -masterServer primary_server_name -port 1556 -path '/netbackup/logout' -responseOnStdOut -dataFile path_to_empty_file
Note that earlier versions of NetBackup require the data file to be non-empty. If necessary, any arbitrary data will suffice. Additionally, primary_server_name should be exactly what is configured as the primary server name in the media server's bp.conf.
Example output:
API execution succeeded
c. Repeat step 1a to verify the issue has been fixed.
If the issue is fixed, skip to step 2.
d. Ensure the media server is configured as an additional server or media server.
See
https://www.veritas.com/support/en_US/doc/150157642-163004333-0/v77809698-163004333
e. Ensure the host mappings for the media server match the value configured in step d.
See
https://www.veritas.com/support/en_US/doc/150157642-163004333-0/v130853112-163004333
https://www.veritas.com/support/en_US/doc/150157642-163004333-0/v132430490-163004333
Note that if you used a short name in step d, an approved mapping must exist for the short name. Similarly, if you used a fully qualified domain name, an approved mapping must be present for the fully qualified domain name.
f. Repeat step 1b to invalidate the media server's API session.
g. Repeat step 1a to verify the issue has been fixed.
If the issue is fixed, proceed to step 2. If the issue is not fixed, repeat steps 1d - 1g.
2) Establish a trust relationship between NetBackup web services and the Storage Platform Web Service.
On the media server, run:
/usr/openv/pdde/vpfs/bin/nb_admin_tasks --push_third_party_cert /etc/nginx/keys/spws.cert
If issues persist, see the following for further troubleshooting:
https://www.veritas.com/support/en_US/doc/146133534-146134575-0/v141909538-146134575
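The role comparison in step 1a can be scripted rather than read by eye from the JSON. The following is an added example, not Veritas code: it parses saved nblibcurlcmd -responseOnStdOut output and reports which of the expected media server roles listed above are absent from the session. The function names and the sample text are assumptions made for this example.

```python
import json

# Roles this article lists as expected on a media server (step 1a).
EXPECTED_MEDIA_SERVER_ROLES = {
    "Any Server",
    "Kubernetes Access Host",
    "Any Machine",
    "Any Malware Scan Manager",
    "Any Nutanix Access Host",
}
MARKER = "Web Response :"


def roles_from_output(output):
    """Return the role names found in the 'included' section of the response."""
    if "API execution succeeded" not in output:
        raise ValueError("API call did not succeed; resolve that before checking roles")
    start = output.find(MARKER)
    if start == -1:
        raise ValueError("no 'Web Response :' section in output")
    # raw_decode tolerates trailing text after the JSON document.
    body, _ = json.JSONDecoder().raw_decode(output[start + len(MARKER):].lstrip())
    return {
        item["attributes"]["name"]
        for item in body.get("included", [])
        if item.get("type") == "authContextRole"
    }


def missing_roles(output, expected=EXPECTED_MEDIA_SERVER_ROLES):
    """Expected roles that the current API session does not hold, sorted."""
    return sorted(set(expected) - roles_from_output(output))


# Constructed sample, trimmed from the example output shown in step 1a.
SAMPLE = (
    "API execution succeeded\n"
    'Web Response :{"data":{"type":"authorizationContext",'
    '"attributes":{"isAdmin":false,"isMachine":true,"roleIds":[2]}},'
    '"included":[{"type":"authContextRole","id":"2",'
    '"attributes":{"name":"Any Machine"}}]}\n'
)

if __name__ == "__main__":
    gaps = missing_roles(SAMPLE)
    print("roles OK, go to step 2" if not gaps else f"missing roles: {gaps}")
```

An empty result means the session holds every expected role and step 2 can proceed; a non-empty result means continuing with steps 1b through 1g.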