Forum Discussion

phaul's avatar
phaul
Level 4
11 years ago

KMS Failed to create a new Key Group Exit Error: Cannot connect on socket

Hi Guys,

 

I have Netbackup 7.1.0.4 master server. I just installed KMS. The problem is after i created Key Group i got this error message:

 

E:\Veritas\NetBackup\bin\admincmd>nbkmsutil.exe -createkg -kgname ENCR_offsite

Failed to create a new Key Group

EXIT error: cannot connect on socket
EXIT status = 25

 

Please see the logs:

11:11:02.685 [4940.4944] <2> logparams: nbkmsutil.exe -createkg -kgname ENCR_offsite
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.261: AT Domain Name: <domain>
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.262: AT Domain Type: 4 4 0x00000004
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.261: AT Domain Name: NBUSVR
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.262: AT Domain Type: 4 4 0x00000004
11:11:02.701 [4940.4944] <2> nbconf_create_authorization_service_rec: ../../libvlibs/nbconf_private.c.384: AZ Service Host: nbusvr.domain.com
11:11:02.701 [4940.4944] <2> nbconf_create_authorization_service_rec: ../../libvlibs/nbconf_private.c.385: AZ Service Port: 0 0 0x00000000
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ProcessRequest: Entering function...
11:11:02.701 [4940.4944] <2> nbkmsutil.::ValidateCmdStr: Cmd: -createkg
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ParseArgs: Entering function...
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::IsDuplicateOption: Option: 2
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::GetOptValueFromArgsList: Arg count: 2
11:11:02.701 [4940.4944] <2> nbkmsutil.::IsValidName: Name: ENCR_offsite
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ProcessRequest: Cmd bitmap: = 2
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::CreateKG: Entering function...
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::InitModifyFacetInstance: Entering function...
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ConnectToKMS: Entering function...
11:11:02.701 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ConnectToKMS: Trying to initialize the Orb
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.261: AT Domain Name: DOMAIN
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.262: AT Domain Type: 4 4 0x00000004
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.261: AT Domain Name: NBUSVR
11:11:02.701 [4940.4944] <2> nbconf_create_authentication_domain_rec: ../../libvlibs/nbconf_private.c.262: AT Domain Type: 4 4 0x00000004
11:11:02.701 [4940.4944] <2> nbconf_create_authorization_service_rec: ../../libvlibs/nbconf_private.c.384: AZ Service Host: nbusvr.domain.com
11:11:02.701 [4940.4944] <2> nbconf_create_authorization_service_rec: ../../libvlibs/nbconf_private.c.385: AZ Service Port: 0 0 0x00000000
11:11:02.748 [4940.4944] <2> Orb::init: initializing ORB Default_CLIENT_Orb with: Unknown -ORBSvcConfDirective "-ORBDottedDecimalAddresses 0" -ORBSvcConfDirective "static VxSSIOP_Factory '-enable_keepalive -session_id_string_only NBUSSLSessionIDStr -qop NoProtection -eat_home_dir E:\Veritas\NETBAC~1\sec\at -eat_data_dir E:\Veritas\NETBAC~1\var\vxss\at'" -ORBSvcConfDirective "static EndpointSelectorFactory ''" -ORBSvcConfDirective "static Resource_Factory '-ORBProtocolFactory VxSSIOP_Factory'" -ORBSvcConfDirective "static Resource_Factory '-ORBProtocolFactory IIOP_Factory'" -ORBDefaultInitRef '' -ORBSvcConfDirective "static PBXIOP_Evaluator_Factory '-orb Default_CLIENT_Orb'" -ORBSvcConfDirective "static Resource_Factory '-ORBConnectionCacheMax 1024 '" -ORBSvcConf nul -ORBSvcConfDirective "static Server_Strategy_Factory '-ORBMaxRecvGIOPPayloadSize 268435456'"(../Orb.cpp:823)
11:11:02.748 [4940.4944] <2> Orb::init: caching EndpointSelectorFactory(../Orb.cpp:838)
11:11:02.748 [4940.4944] <2> Orb::setOrbRequestTimeout: timeout seconds: 14400(../Orb.cpp:1487)
11:11:02.748 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ConnectToKMS: Orb initialization is succesful
11:11:02.748 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ConnectToKMS: Trying to connect to NBSL on: localhost
11:11:02.764 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ConnectToKMS: Trying establish a session with NBSL
11:11:02.780 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::ConnectToKMS: Trying to get KMS manager
11:11:02.780 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::InitModifyFacetInstance: Trying to get an instance of KMS modifyable facet
11:11:02.780 [4940.4944] <2> nbkmsutil.::NbKMSUtilCLI::CreateKG: Get defaults seeded Key Group Object
11:11:02.796 [4940.4944] <16> nbkmsutil.::NbKMSUtilCLI::CreateKG: Failed to create a new Key Group
11:11:02.796 [4940.4944] <16> nbkmsutil.::NbKMSUtilCLI::CreateKG: CORBA Exception caught as user exception, ID 'IDL:Symantec/NetBackup/SL/NBSLOpException:1.0'
11:11:02.796 [4940.4944] <16> nbkmsutil.::NbKMSUtilCLI::CreateKG: Error: [EC= 25] cannot connect on socket
 

Any idea will appreaciate.

 

Thanks.

 

  • Yes I think it has something to do with NBAC.

    We know nbkms is working. We can see ksstat return information as administrator. This matches the information provided in the link below exactly. Browse allowed - create not allowed.

    http://www.symantec.com/docs/HOWTO46974

    You need to add Administrator to the "NBU_KMS admin" group.

    See Netbackup Security and encryption guide page 257.

7 Replies

  • OK - KMS i running but not listing to you I think ;-)

    As a test I killed NBKMS on a linux system and ran the same command as you:

    # nbkmsutil -createkg -kgname ENCR_offsite
     
    Failed to create a new Key Group
     
    EXIT error: cannot connect on socket
    EXIT status = 25
     
    Same error as you see. I then started nbkms and re-ran the command:
     
    # nbkms
    [root@ural msdp-data]# nbkmsutil -createkg -kgname ENCR_offsite
     
    New Key Group creation is successful
     
    Can you run a command like ?:
     
    # nbkmsutil -ksstats
  • Yes I think it has something to do with NBAC.

    We know nbkms is working. We can see ksstat return information as administrator. This matches the information provided in the link below exactly. Browse allowed - create not allowed.

    http://www.symantec.com/docs/HOWTO46974

    You need to add Administrator to the "NBU_KMS admin" group.

    See Netbackup Security and encryption guide page 257.

  • Did you remember to start the KMS service ?

    See http://www.symantec.com/docs/TECH67972 for installation instructions of  KMS

  • Hi Mark,

    I already started the KMS services. Pelase see bpps output

    E:\Veritas\NetBackup\bin>bpps
    * NBUSVR                                                 9/05/13 12:51:59.368
    COMMAND           PID      LOAD             TIME   MEM                  START
    bpcompatd        1328    0.000%            0.906   11M   9/05/13 10:57:22.515
    dbsrv11          1472    0.000%            6.765   26M   9/05/13 10:57:28.781
    nbatd            1596    0.000%            1.390   12M   9/05/13 10:57:29.390
    nbevtmgr         1632    0.000%            0.953   25M   9/05/13 10:57:29.750
    vnetd            1820    0.000%            0.296  6.0M   9/05/13 10:57:32.625
    nbrmms           1848    0.000%            0.453   27M   9/05/13 10:57:32.703
    nbrb             1916    0.000%            0.375   29M   9/05/13 10:57:33.609
    nbsl             2044    0.000%            0.906   32M   9/05/13 10:57:34.406
    nbsvcmon          312    0.000%            0.500   21M   9/05/13 10:57:35.250
    nbstserv          340    0.000%            2.015   38M   9/05/13 10:57:35.500
    nbazd            2116    0.000%            1.093   14M   9/05/13 10:57:37.187
    nbars            2140    0.000%            0.437   27M   9/05/13 10:57:37.390
    nbaudit          2176    0.000%            0.375   24M   9/05/13 10:57:38.078
    nbemm            2264    0.000%            4.375   45M   9/05/13 10:57:38.484
    bpinetd          2340    0.000%            0.062  8.2M   9/05/13 10:57:39.703
    bpcd             2508    0.000%            0.343  6.8M   9/05/13 10:57:40.046
    bpdbm            2568    0.000%            0.828   17M   9/05/13 10:57:40.265
    bprd             2852    0.000%            0.984   18M   9/05/13 10:57:42.453
    bpjobd           2868    0.000%            0.156   17M   9/05/13 10:57:42.781
    vmd              2924    0.000%            0.312   18M   9/05/13 10:57:43.546
    nbpem            1316    0.000%            0.406   27M   9/05/13 10:57:45.957
    nbvault           272    0.000%            0.171   19M   9/05/13 10:57:46.957
    ltid             3092    0.000%            0.343   21M   9/05/13 10:57:47.233
    nbproxy          3128    0.000%            0.250   21M   9/05/13 10:57:47.405
    tldd             3752    0.000%            0.125   17M   9/05/13 10:57:54.557
    avrd             3764    0.000%            1.390   17M   9/05/13 10:57:54.592
    tldcd            3960    0.000%            0.515   18M   9/05/13 10:57:57.005
    nbproxy          2468    0.000%            0.109   18M   9/05/13 11:02:43.185
    bpdbm            4236    0.000%            0.109   17M   9/05/13 12:45:51.990
    nbkms            1424    0.000%            0.140   19M   9/05/13 12:50:41.101
    bpps             3560    0.000%            0.015  4.8M   9/05/13 12:51:58.352

    I already checked this technote which is the same guide in Netbackup Security Encryption Guide.

     

    Thanks.

     

  • Hi Nicolai,

     

    I tried the trick you did but it still it didn't worked. :-(

     

    E:\Veritas\NetBackup\bin\admincmd>nbkmsutil.exe -createkg -kgname ENCR_offsite

    Failed to create a new Key Group

    EXIT error: cannot connect on socket
    EXIT status = 25



    E:\Veritas\NetBackup\bin\admincmd>nbkmsutil.exe -ksstats

    Total Key Groups         : 0
    Total Keys               : 0
    Outstanding Quiesce Calls: 0

    nbkms.exe process is running. Is this something to do with NBAC? I also configured NBAC in my environment. But i'm using Administrator account.

     

    Thank you.

  • Hi Nicolai,

    I just successfully created Key group. I just add the Administrator account to NBU_KMS_Admin on the Access Management like what you said.

    E:\Veritas\NetBackup\bin\admincmd>nbkmsutil.exe -createkg -kgname ENCR_offsite

    New Key Group creation is successful

     

    Thanks for your help. :-)

  • Glad I could help. You mentioning NBAC gave me the clue.

    Best Regards

    Nicolai