How to configure an External Certificate Authority (ECA) to be used for the WebUI (port 443) on a NetBackup 10.5 Cloud Scale

Article: 100076563
Last Published: 2025-11-10
Product(s): Appliances

Description

During installation, a Cloud Scale environment is configured to use a certificate issued by the NetBackup Certificate Authority for the WebUI (port 443). You can use the steps in this document to replace this default certificate with an External Certificate Authority (ECA) on a NetBackup 10.5 Cloud Scale.

Prerequisites

Ensure you have the following artifacts ready before proceeding:

  1. A PEM-formatted file, ca.pem, containing the Root CA certificate from which the WebUI certificate was issued.
  2. A PEM-formatted file, cert.pem, that includes the WebUI certificate chain, consisting of the leaf certificate and any intermediate CA certificates.
  3. A PKCS #8 PEM-formatted file, privatekey.pem, containing the encrypted private key for the WebUI certificate.
  4. A plaintext file, passphrase.txt, containing the passphrase used to encrypt the private key. Make sure the plaintext file contains only a single line with the passphrase and does not end with a newline.

Use the following steps to perform a basic sanity check on ca.pem, cert.pem, privatekey.pem and passphrase.txt.

  1. Match privatekey.pem and cert.pem by executing the below commands. Ensure that the output of both commands matches.

    $ openssl x509 -noout -modulus -in cert.pem | openssl sha256

    $ openssl rsa -noout -modulus -in privatekey.pem -passin file:passphrase.txt | openssl sha256

  2. Check that the certificate is valid and that it contains the primary server name. Execute the below command to list the certificate details. Check the "Not Before" and "Not After" fields to confirm that the certificate is currently valid and has not expired. Confirm that the primary server name appears in the "X509v3 Subject Alternative Name" extension. If "X509v3 Subject Alternative Name" is missing, confirm that the primary server name appears in the "Subject" as the "CN".

    $ openssl x509 -text -in cert.pem -noout

  3. Verify that a complete certificate chain exists in cert.pem and ca.pem.

    $ openssl verify -CAfile ca.pem -untrusted cert.pem cert.pem

    cert.pem: OK
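The three manual checks above can be run in one pass before anything is copied into the primary pod. The following pre-flight script is an added example and is not part of this article; it assumes a POSIX sh with the openssl CLI and the file names the article prescribes, and it takes the primary server name as its first argument. It also goes slightly beyond the article's command on two points: the key/certificate match is done by comparing the public keys (which also works for EC keys, unlike `-modulus`), and a warning is printed when the certificate expires within 30 days.

```shell
#!/bin/sh
# Added example (not from the article): run the sanity checks on ca.pem, cert.pem,
# privatekey.pem and passphrase.txt and fail before the files reach the primary pod.
# Assumes POSIX sh + openssl CLI. cert.pem is expected to hold the leaf first,
# then any intermediates, as the article requires.

# passphrase.txt must be exactly one line with no trailing newline
check_passphrase_file() {
    f="$1"
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 1; }
    # $(...) strips trailing newlines, so an empty result means the last byte is one
    [ -n "$(tail -c 1 "$f")" ] || { echo "FAIL: $f ends with a newline"; return 1; }
    # with no trailing newline, any remaining newline means a second line
    [ "$(wc -l < "$f")" -eq 0 ] || { echo "FAIL: $f has more than one line"; return 1; }
}

# the private key must belong to the leaf certificate: compare the public keys
check_key_matches_cert() {
    cert="$1"; key="$2"; pass="$3"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin "file:$pass" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot decrypt $key with the passphrase in $pass"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $cert"; return 1; }
}

# the primary server name must be a SAN DNS entry, or the Subject CN when the
# certificate has no SAN extension; also warn when expiry is less than 30 days away
check_name_and_validity() {
    cert="$1"; name="$2"
    text=$(openssl x509 -noout -text -in "$cert" 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $cert"; return 1; }
    if printf '%s\n' "$text" | grep -q 'Subject Alternative Name'; then
        printf '%s\n' "$text" | grep -E -q "DNS:$name(,|\$)" \
            || { echo "FAIL: $name is not in the Subject Alternative Name"; return 1; }
    else
        printf '%s\n' "$text" | grep -E -q "Subject:.*CN *= *$name(,|/|\$)" \
            || { echo "FAIL: no SAN extension and $name is not the Subject CN"; return 1; }
    fi
    # an expired certificate is rejected by check_chain; this flags one about to expire
    openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1 \
        || echo "WARN: $cert expires within 30 days (check Not After)"
}

# every certificate in cert.pem must chain to ca.pem; openssl verify also
# enforces the Not Before / Not After window of the leaf
check_chain() {
    ca="$1"; cert="$2"
    openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert does not verify against $ca (broken chain or outside validity window)"; return 1; }
}

# run all checks in <dir> (default: current directory); 0 only when all pass
check_eca_artifacts() {
    name="$1"; dir="${2:-.}"; rc=0
    check_passphrase_file "$dir/passphrase.txt" || rc=1
    check_key_matches_cert "$dir/cert.pem" "$dir/privatekey.pem" "$dir/passphrase.txt" || rc=1
    check_name_and_validity "$dir/cert.pem" "$name" || rc=1
    check_chain "$dir/ca.pem" "$dir/cert.pem" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: artifacts in $dir are consistent for $name"
    return "$rc"
}

# usage: sh check_eca.sh <primary_server_name> [directory]
if [ "${1:-}" != "" ]; then
    check_eca_artifacts "$1" "${2:-.}"
fi
```

Run it from the directory holding the four files, for example `sh check_eca.sh primary.example.test`; a non-zero exit means at least one FAIL line was printed and the files should not be copied into the pod yet.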

Configuring an external certificate for the first time

Configure the external certificate by using the below steps. Replace <primary_pod_name> in the commands with the name of the NetBackup primary pod and <namespace> with the namespace.

  1. Log in to the host where you manage the Kubernetes cluster and have the kubectl command available.
  2. Execute the below commands to create the tpcredentials directory and copy the artifacts into the primary pod.

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl cp <path_to_ca.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem -n <namespace>

    $ kubectl cp <path_to_cert.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -n <namespace>

    $ kubectl cp <path_to_privatekey.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -n <namespace>

    $ kubectl cp <path_to_passphrase.txt> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -n <namespace>

  3. Execute the below commands to ensure the directory and files are created with correct ownership. Also ensure that the owner has full permission on the directory and files.

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chown -R nbwebsvc:nbwebgrp /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod u+rwx /usr/openv/var/global/wsl/credentials/tpcredentials

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod -R u+rw /usr/openv/var/global/wsl/credentials/tpcredentials

  4. Restart the nbwsapp pod.

    List all the pods in the namespace, find the nbwsapp pod and delete it. Because Kubernetes is declarative, deleting the pod causes it to be recreated from the specified configuration.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <nbwsapp_pod_name> -n <namespace>

  5. Make sure the nbwsapp pod is up and running.

    $ kubectl get pods -n <namespace> | grep nbwsapp

    <nbwsapp_pod_name>                        4/4     Running   0          9m44s

  6. Execute the below commands to create the keystore.

    $ kubectl exec -it <nbwsapp_pod_name> -n <namespace> -- bash

    $ cp /usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

    $ /usr/openv/netbackup/bin/goodies/vxsslcmd pkcs12 -export -inkey /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -in /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -out /tmp/cert.p12 -passin file:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -passout file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey -name eca

    Ignore the message "unable to write 'random state'" from the last command if it appears.

    $ ls -l /tmp/cert.p12

    -rw-r--r-- 1 nbwebsvc nbwebgrp   4420 Sep 20 19:44 cert.p12

    $ export KEYSTORE_PASS=$(cat /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey)

    $ /usr/lib/jvm/jre/bin/keytool -storetype BCFKS -providerpath /usr/openv/wmc/webserver/lib/ccj.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importkeystore -srckeystore /tmp/cert.p12  -srcstoretype pkcs12 -srcstorepass ${KEYSTORE_PASS} -destkeystore /tmp/nbwebservice.bcfks -deststorepass file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

    Importing keystore /tmp/cert.p12 to /tmp/nbwebservice.bcfks...

    Entry for alias eca successfully imported.

    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    $ mv /tmp/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/

  7. The new certificate will be automatically applied within 30 minutes, or you can restart the requestrouter pod to apply it immediately.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Renewal or replacement of a previously configured external certificate

Use the following steps to replace the existing external certificate with a new external certificate.

    1. Log in to the host where you manage the Kubernetes cluster and have the kubectl command available.
    2. Execute the below commands to copy the new artifacts into the primary pod and move the existing keystore aside.

      $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials

      $ kubectl cp <path_to_ca.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem -n <namespace>

      $ kubectl cp <path_to_cert.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -n <namespace>

      $ kubectl cp <path_to_privatekey.pem> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -n <namespace>

      $ kubectl cp <path_to_passphrase.txt> <primary_pod_name>:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -n <namespace>

      $ kubectl exec -it <primary_pod_name> -n <namespace> -- mkdir -p /usr/openv/var/global/wsl/credentials/tpcredentials/backup

      $ kubectl exec -it <primary_pod_name> -n <namespace> -- mv /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/backup/

    3. Execute the below commands to ensure the directory and files are created with correct ownership and permissions.
      $ kubectl exec -it <primary_pod_name> -n <namespace> -- chown -R nbwebsvc:nbwebgrp /usr/openv/var/global/wsl/credentials/tpcredentials

      $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod u+rwx /usr/openv/var/global/wsl/credentials/tpcredentials

      $ kubectl exec -it <primary_pod_name> -n <namespace> -- chmod -R u+rw /usr/openv/var/global/wsl/credentials/tpcredentials

    4. Restart the nbwsapp pod.

      List all the pods in the namespace, find the nbwsapp pod and delete it. Because Kubernetes is declarative, deleting the pod causes it to be recreated from the specified configuration.

      $ kubectl get pods -n <namespace>

      $ kubectl delete pod <nbwsapp_pod_name> -n <namespace>

    5. Make sure the nbwsapp pod is up and running.

      $ kubectl get pods -n <namespace> | grep nbwsapp

      <nbwsapp_pod_name>                        4/4     Running   0          9m44s

    6. Execute the below commands to create the keystore.

      $ kubectl exec -it <nbwsapp_pod_name> -n <namespace> -- bash

      $ chmod 2750 /usr/openv/var/global/wsl/credentials/tpcredentials/backup/

      $ /usr/openv/netbackup/bin/goodies/vxsslcmd pkcs12 -export -inkey /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem -in /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem -out /tmp/cert.p12 -passin file:/usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt -passout file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey -name eca

      Ignore the message "unable to write 'random state'" from the last command if it appears.

      $ ls -l /tmp/cert.p12

      -rw-r--r-- 1 nbwebsvc nbwebgrp   4420 Sep 20 19:44 cert.p12

      $ export KEYSTORE_PASS=$(cat /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey)

      $ /usr/lib/jvm/jre/bin/keytool -storetype BCFKS -providerpath /usr/openv/wmc/webserver/lib/ccj.jar -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -importkeystore -srckeystore /tmp/cert.p12  -srcstoretype pkcs12 -srcstorepass ${KEYSTORE_PASS} -destkeystore /tmp/nbwebservice.bcfks -deststorepass file:/usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

      Importing keystore /tmp/cert.p12 to /tmp/nbwebservice.bcfks...

      Entry for alias eca successfully imported.

      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

      $ mv /tmp/nbwebservice.bcfks /usr/openv/var/global/wsl/credentials/tpcredentials/

    7. The new certificate will be automatically applied within 30 minutes, or you can restart the requestrouter pod to apply it immediately.

      $ kubectl get pods -n <namespace>

      $ kubectl delete pod <requestrouter_pod_name> -n <namespace>
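Step 6 of the first-time procedure and step 6 of the renewal procedure are the same sequence of commands typed inside the nbwsapp pod. The script below is an added example, not part of this article, that wraps those commands as a runbook step covering both cases; it reuses the article's vxsslcmd and keytool invocations and tool paths unchanged. The additions are: a pre-flight check that all four artifacts are present, the renewal-case move of the existing nbwebservice.bcfks into backup/ (done here inside the pod rather than via kubectl exec from the primary pod), removal of the PKCS #12 file from /tmp as soon as it has been imported, and a keytool -list check that the "eca" alias really landed in the new keystore. It assumes it is run as the nbwebsvc user inside the pod (after `kubectl exec -it <nbwsapp_pod_name> -n <namespace> -- bash`) and that keytool lists entries in its standard "alias, date, type" format.

```shell
#!/bin/sh
# Added example (not from the article): build /usr/openv/.../tpcredentials/nbwebservice.bcfks
# from the staged ECA artifacts. Reuses the article's vxsslcmd/keytool commands; the
# preflight, backup/, p12 clean-up and alias check are additions. Run inside the nbwsapp pod.

TPCRED=/usr/openv/var/global/wsl/credentials/tpcredentials
VXSSLCMD=/usr/openv/netbackup/bin/goodies/vxsslcmd
KEYTOOL=/usr/lib/jvm/jre/bin/keytool
CCJ_JAR=/usr/openv/wmc/webserver/lib/ccj.jar
PROVIDER=com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider

# refuse to start unless all four artifacts are present and readable
preflight() {
    dir="$1"
    for f in ca.pem cert.pem privatekey.pem passphrase.txt; do
        [ -r "$dir/$f" ] || { echo "FAIL: $dir/$f missing or unreadable"; return 1; }
    done
}

# renewal case: keep the previous keystore in backup/ (mode 2750 as in the article)
backup_existing_keystore() {
    dir="$1"
    [ -f "$dir/nbwebservice.bcfks" ] || return 0
    mkdir -p "$dir/backup" && chmod 2750 "$dir/backup" || return 1
    mv "$dir/nbwebservice.bcfks" "$dir/backup/nbwebservice.bcfks.$(date +%Y%m%d%H%M%S)"
}

build_eca_keystore() {
    dir="${1:-$TPCRED}"
    p12=/tmp/cert.p12
    preflight "$dir" || return 1
    backup_existing_keystore "$dir" || return 1
    # the keystore password is the passphrase that protects the private key
    cp "$dir/passphrase.txt" "$dir/jkskey" || return 1
    # article step 6: wrap key + chain into a PKCS #12 under alias "eca"
    "$VXSSLCMD" pkcs12 -export -inkey "$dir/privatekey.pem" -in "$dir/cert.pem" -out "$p12" \
        -passin "file:$dir/passphrase.txt" -passout "file:$dir/jkskey" -name eca \
        || { echo "FAIL: vxsslcmd pkcs12 export failed"; rm -f "$p12"; return 1; }
    # a leftover destination would make keytool prompt about an existing alias
    rm -f /tmp/nbwebservice.bcfks
    KEYSTORE_PASS=$(cat "$dir/jkskey")
    "$KEYTOOL" -storetype BCFKS -providerpath "$CCJ_JAR" -providerclass "$PROVIDER" \
        -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$KEYSTORE_PASS" \
        -destkeystore /tmp/nbwebservice.bcfks -deststorepass "file:$dir/jkskey" \
        || { echo "FAIL: keytool import failed"; rm -f "$p12"; unset KEYSTORE_PASS; return 1; }
    # the PKCS #12 file carries the private key: delete it once it has been imported
    rm -f "$p12"
    # confirm the new keystore really holds the eca entry before moving it into place
    "$KEYTOOL" -storetype BCFKS -providerpath "$CCJ_JAR" -providerclass "$PROVIDER" \
        -list -keystore /tmp/nbwebservice.bcfks -storepass "$KEYSTORE_PASS" | grep -q '^eca,' \
        || { echo "FAIL: alias eca not found in new keystore"; unset KEYSTORE_PASS; return 1; }
    unset KEYSTORE_PASS
    mv /tmp/nbwebservice.bcfks "$dir/nbwebservice.bcfks" \
        && echo "OK: $dir/nbwebservice.bcfks created; restart the requestrouter pod or wait up to 30 minutes"
}

# usage inside the pod: sh build_eca_keystore.sh [tpcredentials_dir]
if [ "${1:-}" != "" ]; then
    build_eca_keystore "$1"
fi
```

Because the old keystore is only moved after all four artifacts have passed the pre-flight check, an incomplete copy of the artifacts leaves the currently working keystore in place; after a successful run, step 7 (restart the requestrouter pod) applies the new certificate immediately.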

Removing the external certificate

Use the steps below to remove the external certificate for the WebUI (port 443) and replace it with the certificate issued by the NetBackup Certificate Authority:

  1. Log in to the host where you manage the Kubernetes cluster and have the kubectl command available.
  2. Execute the below commands to remove the artifacts.

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/ca.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/cert.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/privatekey.pem

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/passphrase.txt

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/nbwebservice.bcfks

    $ kubectl exec -it <primary_pod_name> -n <namespace> -- rm -f /usr/openv/var/global/wsl/credentials/tpcredentials/jkskey

  3. Restart the requestrouter pod.

    List all the pods in the namespace, find the requestrouter pod and delete it. Because Kubernetes is declarative, deleting the pod causes it to be recreated from the specified configuration.

    $ kubectl get pods -n <namespace>

    $ kubectl delete pod <requestrouter_pod_name> -n <namespace>

Note

No certificate configuration is required after completing disaster recovery of the Cloud Scale environment, as the process automatically restores external certificates.
