8.3: nbcertcmd -signCertificate fails on Solaris with "-noPrompt" not valid when used with ...
Hi,
I'm in the middle of upgrading my 8.1.2 Solaris 10 and 11 Sparc clients to v8.3, but because some/most of the clients are behind firewalls or in the DMZ, I can't seem to run the nbcertcmd on them to get a certificate. So now I'm trying to do the dance of:
On client:
nbcertcmd -createCertRequest -requestFile /tmp/cert-req -server nbu-server
Then I copy the /tmp/cert-req file to my "nbu-server" and run on the "nbu-server" (which is running: Solaris 11.2 sun4v sparc) the nbcertcmd to sign the request, but the **bleep** thing fails.
# /usr/openv/netbackup/bin/nbcertcmd -signCertificate -validFor 2D -requestFile /tmp/cert-req -certificateFile /tmp/cert-signed
Option '-noPrompt' is not valid when used with operation '-signCertificate'.
Option '-file' or '-validFor' is mandatory to complete operation '-signCertificate'.
Usage: nbcertcmd -signCertificate
-validFor | -file <authorization_token_file>
-requestFile <request_file_name>
-certificateFile <certificate_file_name>
Description:
Reads the certificate signing request from the specified request file and sends
it to the master server to get a NetBackup CA-signed certificate. The signed
certificate is stored in the specified certificate file. The command must be
executed on the NetBackup host that has connectivity with the master server.
Options:
-certificateFile certificate_file_name
Specifies the path of the certificate file.
-file authorization_token_file
Path of the file containing authorization token on the first line.
-requestFile request_file_name
Specifies the path of the certificate request file.
-token
Indicates that an authorization token is used for the request. Prompts the user
to securely specify a token.
EXIT STATUS 20: invalid command parameter
I don't use the "-noPrompt" flag anywhere. And I can't figure out how to make this work. Do I really need to also regenerate a token for this client? I have to say that this entire move to security has been a total pain in the ass, because it makes things so fragile. I wish I could just turn this off for internal-only hosts.
I assume the GUI uses vxupdate behind the scenes? In any case, I was able to do it all by just doing the pkgadd ... stuff by hand and it's all working nicely now.