Forum Discussion

mfalge's avatar
mfalge
Level 3
6 years ago

NetBackup 8.1.2 upgrade via SCCM

We’re trying to upgrade NetBackup from 7.5 to 8.1.2. on Windows clients remotely via our Linux Master. Due to significant changes between these two versions we are not able to deploy an upgrade as the certificate authentication tech has changed dramatically.

We now need to get this certificate installed on each of the clients before master/client communication can occur.

So, we won’t have to touch our hundreds of servers manually we are looking into ways of automating this via SCCM.

Is anyone aware of a way to deploy the 8.1.2. client with both cert and client packaged together via SCCM? How to find and package the certificate with the client? What are the best practices - deploy cert alone, combine cert and installer, remove 7.5 first then install 8.1.2?

Thanks,
Mark

  • I haven't tried to deploy using SCCM but I do find some details in the silentclient.cmd installation file about authenticating client if you want to install or upgrade.

    You can provide the token here in place of SKIP in the file. Token can be easily created with several criteria's through Java console under - Security Management => Certificate Management => Token Management

    REM If you were issued an authorization token by your backup administrator, provide it below.
    REM If no authorization token was issued, leave it as SKIP. To reinstall the NetBackup client,
    REM please provide the reissue token for the AUTHORIZATION_TOKEN value.
    REM
    REM *** WARNING!
    REM
    REM Because providing the authorization token in plain text presents a security risk, restrict
    REM access to the silentclient.cmd file to read access. Grant read access to NetBackup
    REM administrators and system administrators only. Delete the silentclient.cmd file following
    REM successful installation.
    REM
    REM -------------------------------------------------------------------------------------------
    SET AUTHORIZATION_TOKEN=SKIP
    REM -------------------------------------------------------------------------------------------

    • mfalge's avatar
      mfalge
      Level 3

      From what we are seeing. It appears that communication is failing because of a missing cert. We can't remotely install because the master/client won't authenticate.

      How do we find out which cert is required and where to deploy it on the clients?

      Here is the bptestbpcd output from a couple of clients.

      sample-master.com% sudo ./bptestbpcd -client sample-host-01.com
      <16>bptestbpcd main: Function ConnectToBPCD(sample-host-01.com) failed: 7641
      <16>bptestbpcd main: Failed to find a common CA Root for secure handshake
      Failed to find a common CA Root for secure handshake
      sample-master.com% sudo ./bptestbpcd -client sample-host-02.com
      <16>bptestbpcd main: Function ConnectToBPCD(sample-host-02.com) failed: 7641
      <16>bptestbpcd main: Failed to find a common CA Root for secure handshake
      Failed to find a common CA Root for secure handshake
      sample-master.com%

      • X2's avatar
        X2
        Moderator

        Make sure you have the following variables set in your silentclient.bat

        CA_CERTIFICATE_FINGERPRINT

        AUTHORIZATION_TOKEN (if it is a new client, and not "known" to the master server)

        For our setup, most of the stuff works except the certificate install. But that is due to the fact that the server is provisioned in an incubator environment and does not have the correct domain/IP setup.

        PS: SCCM works for us for provisioning. Upgrades are with VxUpdate now as we have 8.1.2.