Forum Discussion

quebek's avatar
quebek
Moderator
5 years ago

FQName in output nbemmcmd -listhosts -verbose for master - how to change it?

Hello

Recently a master server which was installed using short name instead of FQDN was moved from one Aactive Directory domain to the other. Since hostname remained the same I did not had to engage VRTS for this work.

Let's assume master server name was nbumaster and it was in domain premigration.com and output from

nbemmcmd -listhosts -verbose

was looking like:

C:\>nbemmcmd -listhosts -verbose
NBEMMCMD, Version: 8.1.2
The following hosts were found:
nbumaster
        MachineName = "nbumaster"
        FQName = "nbumaster.premigration.com"
        MachineDescription = ""
        MachineNbuType = server (6)
nbumaster
        ClusterName = ""
        MachineName = "nbumaster"
        FQName = "nbumaster.premigration.com"
        GlobalDriveSeed = "VEND:#.:PROD:#.:IDX"
        LocalDriveSeed = ""
        MachineDescription = ""
        MachineFlags = 0x17
        MachineNbuType = master (3)
        MachineState = active for tape and disk jobs (14)
        NetBackupVersion = 8.1.2.0 (812000)
        OperatingSystem = windows (11)
        ScanAbility = 5
Command completed successfully.

Now after migration to postmigration.com I see NBU is working well - starting OK, no issues with certificates, but when I do run the same command I still see in FQName fields premigration.com. Do you have any idea how to change it so output from this command will be showing nbumaster.postmigration.com ?? Will it hurt in the future??

8.1.2
Windows Server 2016
  • Krutons's avatar
    Krutons
    5 years ago

    I recently went through this when we changed domains (master is registered with shortname). Let me see if I can find the documentation for what to do about fixing the certs, it does require re-deploying new certs to all your clients, just a heads up. I would recommend working with a backline engineer or talking to your BCAM / BCS team at Veritas if you have that support and they will work with you. I'll post the info anyways though.

    Also for the nbemm, we ended up opening a ticket and having a backline engineer work with us on changing that but the changes he thought didn't do anything and he suggested we just wait til 8.2 because it's easier to 'manage' the nbemm configs he said. They wanted us to restore the Catalog WITHOUT the DRPKG file, so that it would re-create the EMM DB entries. There is an option to perform a DR of the master upon install, no not select this option.

    Alright, the cert info. First, verify that /usr/openv/var/global/webrootcert.pem is there (we had one of our master servers have this file missing).


    In order to resolve the issue, we had to perform the following:
    Install Web Certs
    Path:  /usr/openv/netbackup/bin/admincmd/
      ./nbcertconfig -u -i                -u: Installs web service user certificate
      ./nbcertconfig -m                  -m: Installs machine certificate
      ./nbcertconfig -t                  -t: Installs tomcat certificate
      ./nbcertconfig -t -f                -t: Installs tomcat certificate (force)
    Note: If "-user" option is not specified then it reads "web service user" name from bp.conf (WEBSVC_USER).
    If not in found in bp.conf then defaults to "nbwebsvc".

    Configure Web Services
    Path:  /usr/openv/wmc/bin/install/
        ./configureWmc         Configure web services preparation; sslStore, jkskeys, ports, webrootcert.pem…
        ./configureCerts       Configure web services; update the Java Keystore files from the certificate files…
        ./setupWmc             Setup web services; permissions…

    Verified / CertMapInfo File - against Master Server Host ID: The shouldn't match, this just proves it
    cat /usr/openv/var/vxss/certmapinfo.json
      [
           {
                         "hostID": "0c2b7b20-bfba-424a-aea6-c5eac5a322cc",
                         "serverName": "<MASTER>",
                         "issuerName": "<MASTER>",
                         "certType": 1,
                         "isServerMaster": 1,
                         "issuedBy": "/CN=broker/OU=root@<MASTER FQDN>/O=vx",
                         "crlPath": "/usr/openv/var/vxss/crl/5a4d6050.crl",
                         "securityLevel": 1,
                         "crlNextRefreshTime": 1561678429,
                         "crlLastRefreshTime": 1561664029,
                         "masterHostId": "fa9d1ddf-7fe7-4b41-a813-562f749e3236"

    Executed New Cert for Master to Update Host ID / Mapping
    ./nbcertcmd -getCertificate -force -token
    Now, both hostID and Master Host ID – match…
                                         "hostID": "fa9d1ddf-7fe7-4b41-a813-562f749e3236",
                                         "masterHostId": "fa9d1ddf-7fe7-4b41-a813-562f749e3236"

    Then we were able to update certs for Media Servers, and have them connect to the master.

     

4 Replies

Sort By
  • quebek's avatar
    quebek
    Moderator
    5 years ago

    About certificates ...

    I do stand corrected as I see this

    C:\Windows\system32>nbcertcmd -listAllCertificates
[
   {
      "Subject Name": "/CN=nbatd/OU=root@nbumaster.premigration.com/O=vx",
      "Start Date": "Nov 06 12:51:15 2019 GMT",
      "Expiry Date": "Nov 01 14:06:15 2039 GMT",
      "SHA1 Fingerprint": "39:E7:D5:8D:6E:18:2F:9E:EB:56:19:0C:0B:80:CA:99:22:94:CD:49",
      "Certificate Path": "C:\\Program Files\\Veritas\\NetBackup\\var\\webtruststore\\cacert.pem"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=000ef950-2209-4bca-9d65-54185e73d0d6/OU=NBU_HOSTS/O=vx",
      "Expiry Date": "Nov  5 14:08:42 2020 GMT",
      "SHA1 Fingerprint": "52:24:02:6A:33:BD:4E:6B:CE:3A:72:AE:3A:34:C6:2D:4F:6C:3A:66",
      "Serial Number": "0x626656cb00000007",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\vxss\\at"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=tapon001/OU=NBU_Machines@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:06:59 2020 GMT",
      "SHA1 Fingerprint": "8D:AC:18:A0:EB:D1:87:7E:E6:D7:2E:C5:14:F0:17:3B:50:FF:AF:62",
      "Serial Number": "0x5f06946800000002",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\vxss\\at"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=nbumaster.premigration.com/OU=NBU_Machines@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:00 2020 GMT",
      "SHA1 Fingerprint": "88:95:55:2A:1B:16:04:26:55:DA:58:B6:2F:49:F1:7E:45:01:DC:61",
      "Serial Number": "0x6b84068f00000003",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\vxss\\at"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=tapon001/OU=TOMCAT@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:11 2020 GMT",
      "SHA1 Fingerprint": "B9:07:34:ED:A2:E7:49:4F:95:E7:C9:45:76:DD:21:19:93:D6:07:3A",
      "Serial Number": "0x42a4673200000006",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\global\\vxss\\tomcatcreds\\nbwebsvc"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=tapon001/OU=NBU_Machines@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:10 2020 GMT",
      "SHA1 Fingerprint": "3B:59:51:15:69:D9:F8:4B:E6:2B:A5:21:0D:BB:76:88:56:8F:83:68",
      "Serial Number": "0x77a60a8700000005",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\global\\vxss\\websvccreds\\at\\nbwebsvc"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=nbwebsvc/OU=NBU_HOSTS@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:09 2020 GMT",
      "SHA1 Fingerprint": "2F:6D:E8:E5:D2:7C:44:FF:B3:24:5F:8E:8F:80:26:54:30:B3:D5:2D",
      "Serial Number": "0x6dc3f1d400000004",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\global\\vxss\\nbcertservice\\nbwebsvc"
   }
]

    Any idea if we can recreate these using new postmigration.com domain?

    • Krutons's avatar
      Krutons
      Moderator
      5 years ago

      I recently went through this when we changed domains (master is registered with shortname). Let me see if I can find the documentation for what to do about fixing the certs, it does require re-deploying new certs to all your clients, just a heads up. I would recommend working with a backline engineer or talking to your BCAM / BCS team at Veritas if you have that support and they will work with you. I'll post the info anyways though.

      Also for the nbemm, we ended up opening a ticket and having a backline engineer work with us on changing that but the changes he thought didn't do anything and he suggested we just wait til 8.2 because it's easier to 'manage' the nbemm configs he said. They wanted us to restore the Catalog WITHOUT the DRPKG file, so that it would re-create the EMM DB entries. There is an option to perform a DR of the master upon install, no not select this option.

      Alright, the cert info. First, verify that /usr/openv/var/global/webrootcert.pem is there (we had one of our master servers have this file missing).


      In order to resolve the issue, we had to perform the following:
      Install Web Certs
      Path:  /usr/openv/netbackup/bin/admincmd/
        ./nbcertconfig -u -i                -u: Installs web service user certificate
        ./nbcertconfig -m                  -m: Installs machine certificate
        ./nbcertconfig -t                  -t: Installs tomcat certificate
        ./nbcertconfig -t -f                -t: Installs tomcat certificate (force)
      Note: If "-user" option is not specified then it reads "web service user" name from bp.conf (WEBSVC_USER).
      If not in found in bp.conf then defaults to "nbwebsvc".

      Configure Web Services
      Path:  /usr/openv/wmc/bin/install/
          ./configureWmc         Configure web services preparation; sslStore, jkskeys, ports, webrootcert.pem…
          ./configureCerts       Configure web services; update the Java Keystore files from the certificate files…
          ./setupWmc             Setup web services; permissions…

      Verified / CertMapInfo File - against Master Server Host ID: The shouldn't match, this just proves it
      cat /usr/openv/var/vxss/certmapinfo.json
        [
             {
                           "hostID": "0c2b7b20-bfba-424a-aea6-c5eac5a322cc",
                           "serverName": "<MASTER>",
                           "issuerName": "<MASTER>",
                           "certType": 1,
                           "isServerMaster": 1,
                           "issuedBy": "/CN=broker/OU=root@<MASTER FQDN>/O=vx",
                           "crlPath": "/usr/openv/var/vxss/crl/5a4d6050.crl",
                           "securityLevel": 1,
                           "crlNextRefreshTime": 1561678429,
                           "crlLastRefreshTime": 1561664029,
                           "masterHostId": "fa9d1ddf-7fe7-4b41-a813-562f749e3236"

      Executed New Cert for Master to Update Host ID / Mapping
      ./nbcertcmd -getCertificate -force -token
      Now, both hostID and Master Host ID – match…
                                           "hostID": "fa9d1ddf-7fe7-4b41-a813-562f749e3236",
                                           "masterHostId": "fa9d1ddf-7fe7-4b41-a813-562f749e3236"

      Then we were able to update certs for Media Servers, and have them connect to the master.

       

      • quebek's avatar
        quebek
        Moderator
        5 years ago

        Hey

        Thank you! I can't wait for your further updates... in regards of certificates...

        so the bottom line for FQname is to leave it as is?  until 8.2 upgrade?