11-28-2022 09:09 AM
NetBackup 220.127.116.11 on master and media
Version 18.104.22.168 client software installed on AIX VM.
The backup fails with 7654 - The Certificate Revocation List is invalid.
We have removed and totally re-installed the NBU client software. The issue still happens. We reissue a new token that is valid for a few days, and backups run fine until the "Valid for" days expire for the reissued token. I have 2 AIX servers that are doing this and I can't figure out why. All other servers in the enterprise run just fine: Windows, Linux, HP-UX, and other AIX servers. AIX version is 7.1.
11-28-2022 12:58 PM
Have you run from the client "nbcertcmd -getcrl" - that usually resolved this error.
I'm also trying to understand why it works while the token is valid - tokens are only meant to be used to download a certificate from the master.
One thing to check on the client is to run the command "nbcertcmd -listallcertificates"; maybe an old expired one is left. If so, use the appropriate nbcertcmd to delete this cert from the client.
11-30-2022 05:24 AM
Hello and thanks for the reply. I will need to get with the sysadmin of this server to see what we can find out next. We've even gone through totally removing the NBU client software and installing totally new client software and for some reason we continue to have this problem. Here's a bit more info from the sysadmin side:
Maybe this is a bit more confusing than it is helpful. But I'll try and do better with detailed steps done and what happens.
11-30-2022 03:05 PM
Interesting, nothing looks out of the ordinary other than the self check - a couple of additional things to check and review. The nbcertcmd logs (nbcert) may provide some more information (from both client and master) on the problem (and also the nbpxyhelper, although this is harder to read IMHO). One question - is all the output shown? Some of those commands should provide some output.
Then check on the client the contents of the /usr/openv/var/vxss/certmapinfo.json file to check that the crlPath value points to a valid file. The folder /usr/openv/var/vxss/crl should also exist and contain the crl file.
Feel free to post/send the nbcertcmd log if you are still unable to get things working.
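Added example (not part of the original thread, and not Veritas code): a small Python check for the two things the post above asks about, that every crlPath value in certmapinfo.json points to a real, non-empty file and that the crl folder exists and holds at least one file. It assumes only that the file is JSON containing one or more keys named crlPath; the surrounding layout is not assumed, and the function names are hypothetical.

```python
import json
import os
import sys

def find_crl_paths(node):
    """Yield every string stored under a key named 'crlPath', at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "crlPath" and isinstance(value, str):
                yield value
            else:
                yield from find_crl_paths(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_crl_paths(item)

def check_crl_config(certmap_file, crl_dir):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    try:
        with open(certmap_file, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError) as exc:  # unreadable file or malformed JSON
        return [f"cannot read {certmap_file}: {exc}"]
    paths = list(find_crl_paths(doc))
    if not paths:
        problems.append(f"no crlPath entry in {certmap_file}")
    for path in paths:
        if not os.path.isfile(path):
            problems.append(f"crlPath {path} is not an existing file")
        elif os.path.getsize(path) == 0:
            problems.append(f"crlPath {path} is an empty file")
    if not os.path.isdir(crl_dir):
        problems.append(f"CRL folder {crl_dir} does not exist")
    elif not any(entry.is_file() for entry in os.scandir(crl_dir)):
        problems.append(f"CRL folder {crl_dir} contains no files")
    return problems

if __name__ == "__main__":
    # Defaults are the client paths named in the post above.
    args = sys.argv[1:]
    certmap = args[0] if args else "/usr/openv/var/vxss/certmapinfo.json"
    crl_dir = args[1] if len(args) > 1 else "/usr/openv/var/vxss/crl"
    issues = check_crl_config(certmap, crl_dir)
    for line in issues:
        print("PROBLEM:", line)
    sys.exit(1 if issues else 0)
```

A clean result only shows the files are in place; it does not validate the CRL contents, so the nbcert logs are still the next step if error 7654 persists.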
11-30-2022 03:39 PM
Another thing to check (although given everything else seems to be working it will probably be fine) is the status of the tomcat certificate on the master.
Use the nbcertcmd -listallcertificates (on the master) and review the TOMCAT cert expiry date. If it is expired, there is a process to renew, but better to engage support to help as there is scope to break things badly.