Forum Discussion

zmlat's avatar
zmlat
Level 4
2 years ago

Is there a way to deploy new NB master Certificate from a current NB master?

Hello,

I need to migrate 1000s of clients from an 8.3 NBU domain to a new 9.1 domain (master and media servers). I will be using nbsetconfig from the current master to update the NB server list on all the clients to include the new NB master and media servers (already tested to make sure I "append" instead of "replace" SERVER =). My issue question is: can push out new certificate info for the new master from the current master? I found a similar VOX discussion on this topic, and it referenced a utility: NBCertDeploy, but it sounds like that also involves Veritas PS (?). I've been playing with the command "nbcertupdater" but thus far I can't get around having to run a command on the client.

The NB servers are all linux, and the clients are a mix blend of windows and linux, in case that matters.

Thanks

  • Hi zmlat 

    NBCertDeploy would certainly be the simplest way - but you are right it will involve Veritas consulting. 

    What is required is to organise to run two commands on each client you want to migrate. The first is to obtain the CA certificate from the new master, the second is to obtain a host certificate from that master. The challenge as you have identified is to make this happen without having to log into each client. This is where NBCertDeploy manages the process for you. You have also identified that you need to add the target master name to each client's SERVER list. 

    In a nutshell, the utility restores a script to each client (that when run gets the certis from the target master), then uses NetBackup to execute that script (using an Oracle type policy). There is a whole lot of smarts wrapped around this to make it clean.

    Another way to do this without NetBackup would be by using something like Puppet or Anisible (and the Windows equivalent) to perform the necessary commands. 

    Cheers
    David

  • Hi zmlat 

    NBCertDeploy would certainly be the simplest way - but you are right it will involve Veritas consulting. 

    What is required is to organise to run two commands on each client you want to migrate. The first is to obtain the CA certificate from the new master, the second is to obtain a host certificate from that master. The challenge as you have identified is to make this happen without having to log into each client. This is where NBCertDeploy manages the process for you. You have also identified that you need to add the target master name to each client's SERVER list. 

    In a nutshell, the utility restores a script to each client (that when run gets the certis from the target master), then uses NetBackup to execute that script (using an Oracle type policy). There is a whole lot of smarts wrapped around this to make it clean.

    Another way to do this without NetBackup would be by using something like Puppet or Anisible (and the Windows equivalent) to perform the necessary commands. 

    Cheers
    David

  • Thanks David.

    Funny enough, I have done something similar (the backup admin version of puppet) by using NB to backup a backup notify script from a backup server. I'd then restore that script to the clients. The script would only run after a specific backup policy ran. I'd then manually run that policy (to backup 1 file), which would result in that script being executed on each client. I was trying to avoid that.