Veritas NetBackup™ Status Codes Reference Guide
- NetBackup status codes
- NetBackup status codes
- NetBackup KMS status codes
- NetBackup status codes
- Media Manager status codes
- Media Manager status codes
- Media Manager status codes
- Device configuration status codes
- Device configuration status codes
- Device configuration status codes
- Device management status codes
- Device management status codes
- Device management status codes
- Robotic status codes
- Robotic status codes
- Robotic status codes
- Robotic error codes
- Robotic error codes
- Robotic error codes
- Security services status codes
- Security services status codes
- Security services status codes
- NetBackup alert notification status codes
NetBackup status code: 8779
Explanation: The nbcertcmd -ecaHealthCheck command validates the external certificate-specific configurations that you have provided and shows a report of all successful and all failed validations.
Recommended Action: Each failed validation is associated with a validation ID. For each failure, there may be a specific reason and you can carry out certain troubleshooting steps. Review the following list of validations for the ecaHealthCheck command.
Validation ID:USER_INPUT_CERT_PATH_VALIDATION
Causes:
The certificate path is empty.
The file at the specified path
filename
cannot be accessed.
Recommended actions:
Ensure that the certificate path is not blank.
Ensure that the file has the Read permissions for the corresponding user.
Validation ID:USER_INPUT_CERTIFICATES_VALIDATION
Causes:
Error in reading the certificate file.
Recommended actions:
Ensure that the certificate file contains a certificate.
Ensure that the certificate file format is one that NetBackup supports. The supported certificate formats are PEM, P7BPEM, P7BDER.
Validation ID:USER_INPUT_PRIVATE_KEY_PATH_VALIDATION
Causes:
The private key path is empty.
The file at the specified path
filename
cannot be accessed.
Recommended actions:
Ensure that the private key path is not blank.
Ensure that the file has the Read permissions for the corresponding user.
Validation ID:USER_INPUT_PRIVATE_KEY_READ_VALIDATION
Causes:
Error in reading the private key: File read failed.
Error in reading the private key: The private key of the external certificate is encrypted, but the passphrase is not provided.
Error in reading the private key: The private key of the external certificate is encrypted, but the passphrase is blank.
Recommended actions:
Ensure that the private key format or key algorithms format is one of those supported by NetBackup. The supported key formats are PEM and DER.
If the private key is encrypted, ensure that the ECA_KEY_PASSPHRASEFILE or -passphraseFile with its value as
passphrase
file path location is given.If the private key is encrypted and the
passphrase
file is given, ensure that thepassphrase
file is not empty and the passphrase in it is correct.
Validation ID:USER_INPUT_TRUST_STORE_PATH_VALIDATION
Causes:
The trust store path is empty.
The file at the specified path
filename
cannot be accessed.
Recommended actions:
Ensure that the trust store path is not blank.
Ensure that the file has the Read permissions for the corresponding user.
Validation ID:USER_INPUT_TRUST_STORE_VALIDATION
Causes:
Error in reading the trust store path.
Recommended actions:
Ensure that the trust store certificate file contains a trusted certificate.
Ensure that the certificate file format is one that NetBackup supports. The supported certificate formats are PEM, P7BPEM, P7BDER.
Validation ID:LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION
Causes:
The required extended key usages are not available in the given certificate.
Recommended actions:
Execute the following command:
For Windows:
install_path\bin\goodies\vxsslcmd.exe x509 -text -in end_entity_certificate
For UNIX:
install_path/bin/goodies/vxsslcmd x509 -text -in end_entity_certificate
If the certificate has a X509v3 Key Usage extension present, it must include the following key usage purposes:
For the web server certificate: At least one of the Digital Signature or Key Encipherment should be present.
For a NetBackup host certificate: Digital Signature purpose should be present. Key Encipherment may or may not be present.
For a certificate that is used for both web server and NetBackup host: Digital Signature purpose should be present. Key Encipherment may or may not be present.
The certificate may have other key usage purposes listed in addition to the purposes specified here. These additional purposes are ignored.
The X509v3 Key Usage extension may be either critical or non-critical.
A certificate without a X509v3 Key Usage extension is also usable with NetBackup.
If the certificate has a X509v3 Extended Key Usage extension present, it must include the following key usage purposes:
For the web server certificate: TLS Web Server Authentication.
For a NetBackup host certificate: TLS Web Server Authentication and TLS Web Client Authentication.
For a certificate that is used for both web server and NetBackup host: TLS Web Server Authentication and TLS Web Client Authentication.
The certificate may have other key usage purposes listed in addition to the purposes specified here. These additional purposes are ignored.
The X509v3 Extended Key Usage extension may be either critical or non-critical.
A certificate without a X509v3 Extended Key Usage extension is also usable with NetBackup.
If the certificate doesn't meet the requirements that are listed in this Recommend actions section, contact your certificate provider to obtain a new certificate.
Validation ID:CERTIFICATE_SUBJECT_DN_LENGTH_VALIDATION
Causes:
The
subject name
contains more than 255 characters
Recommended actions:
A
subject name
with a length greater that 255 characters is not supported. Contact your external certificate provider.
Validation ID:CERTIFICATE_SAN_HOSTNAME_VALIDATION
Causes:
The Subject Alternative Name field in the certificate is not empty and the
hostname
is not present in the field.
Recommended actions:
If the certificate Subject Alternative Name is non-empty, ensure that it has host name present in it.
To view Subject Alternative Name run the following command:
vxsslcmd x509 -text -in end_entity_certificate_file
X509v3 Subject Alternative Name: DNS:
host FQDN
DNS:host name
Validation ID:PRIVATE_KEY_VALIDATION
Causes:
The private key does not match the certificate.
Recommended actions:
Ensure that the certificate and its corresponding private key are given.
Validation ID:CERTIFICATE_SUBJECT_DN_ASCII_VALIDATION
Causes:
A non-ASCII character was found in the Subject: subject name of the certificate.
Recommended actions:
A certificate subject with characters other than ascii 7-bit characters is not supported. Contact your external certificate provider.
Validation ID:CERTIFICATE_CHAIN_VALIDATION_AGAINST_TRUST_STORE
Causes:
Certificate chain verification can fail due to many reasons. The only common sentence that is displayed is
The certificate chain verification failed
. The rest of the error is displayed with whateveropenssl
returns.
Recommended actions:
Ensure that certificate with given subject name is present in the provided trust store.
Review the
openssl
error and rectify per the error text.
Validation ID:CERTIFICATE_CN_EMPTINESS_VALIDATION
Causes:
The Common Name field in the certificate is empty.
Recommended actions:
Ensure that certificate common name is not empty. Contact your external certificate provider.
Run the following command to verify:
vxsslcmd x509 -subject -in certificate_file
Verify that the value of CN in the subject is not empty.
Validation ID:CERTIFICATES_ORDER
Causes:
The signature of the certificate
subject name
cannot be verified with the public key of the current certificatesubject name
.
Recommended actions:
If you use a PEM-formatted certificate, ensure that in the certificate file, the leaf certificate is present first followed by its issuer, followed by the issuer of the leaf's issuer and so on.
Validation ID:CERTIFICATE_CHAIN_EXPIRY_VALIDATION
Causes:
The certificate with the subject
subject name
is expired.
Recommended actions:
Renew your certificate or use a certificate that is currently valid.
To ensure, run the following command:
vxsslcmd x509 -dates -in certificate_file
Output:
notBefore=date before which certificate is not valid notAfter=date after which certificate is not valid
Validation ID:CERTIFICATE_CHAIN_CURRENT_ACTIVE_VALIDATION
Causes:
The certificate with the subject
subject name
is not yet active.
Recommended actions:
Use a certificate that is currently valid.
To ensure, run the following command:
vxsslcmd x509 -dates -in certificate_file
Output:
notBefore=date before which certificate is not valid notAfter=date after which certificate is not valid
Validation ID:USER_INPUT_WIN_CERT_PATH_VALIDATION
Causes:
The certificate with the given subject name cannot be found.
Recommended actions:
Ensure that the Windows certificate store certificate path is provided correctly and the certificate exists in the given certificate store. Refer to the External CA support in NetBackup from the NetBackup Security and Encryption Guide.
Validation ID:CERTIFICATE_SAN_CN_HOSTNAME_VALIDATION
Causes:
The Subject Alternative Name field in the certificate is empty and the host name
hostname
is not present in the Common Name field.
Recommended actions:
If the certificate Subject Alternative Name is empty, ensure that the Common Name field has a host name present in it.
To view the Subject Alternative Name, run the following command:
vxsslcmd x509 -text -in end_entity_certificate_file
X509v3 Subject Alternative Name: DNS:
host FQDN
DNS:host name
To view Common Name, run the following command:
vxsslcmd x509 -text -in end_entity_certificate_file
X509v3 Subject Alternative Name: DNS:
host FQDN
DNS:host name
Validation ID:USER_INPUT_WIN_CERT_VALIDATION
Causes:
Cannot open the provided certificate store.
Issuer of the certificate is not found.
Certificate with the provided subject is not found.
The host name of the computer cannot be fetched. [Used with special keyword
$hostname
]Certificate is not valid yet.
Certificate is expired.
Private key is not found for the certificate.
The required purposes (Client Authentication & Server Authentication) are not present in the certificate.
Recommended actions: (The following actions should be performed in Windows certificate store)
Ensure that certificate path is in correct format:
store-name\issuer-name\subject
Check the certificate's Valid from field. The value (date) should be in current date range.
Check the certificate's Valid to field. The value (date) should be in current date range.
Ensure that the private key is present that corresponds to the end entity certificate.
Ensure that the Enhanced Key Usage field contains Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2). All purpose is also accepted.
Validation ID:USER_INPUT_CRL_PATH_VALIDATION
Causes:
The CRL path is not accessible.
The CRL path is empty.
The CRL path contains only 0-KB files.
Recommended actions:
Ensure that the CRL path is correct and not empty.
Validation ID:USER_INPUT_CRL_PATH_CONTAINS_CRLS
Causes:
The CRL path does not contain any CRL files.
Recommended actions:
Ensure that the CRL path is correct and not empty.
Validation ID:CRL_CDP_URL_VALIDATION
Causes:
The CRL Distribution Point in the certificate does not contain valid URLs. NetBackup supports only HTTP or HTTPS URLs.
Recommended actions:
Ensure that the CRL Distribution Point contains valid URLs.
Validation ID:ALL_CRLS_READABLE
Causes:
CRL files available are not readable or invalid CRLs.
Recommended actions:
Ensure that valid CRLs are available in the CRL path.
Click here to view technical notes and other information on the website about this status code.