AIX backup fails with certificate error

DPeaco
Moderator

NetBackup 9.1.0.1 on master and media

Version 9.1.0.1 client software installed on AIX VM.

The backup fails with 7654 - The Certificate Revocation List is invalid.

We have removed and totally re-installed the NBU client software. Issue still happens. Reissue a new token that is valid for a few days and backups run fine until the "Valid for" days expires for the reissue token. I have 2 AIX servers that are doing this and I can't figure out why. All other servers in the enterprise run just fine, Windows, Linux, HP-UX, and other AIX servers. AIX version is 7.1.

Thanks,
Dennis
4 REPLIES

davidmoline
Level 6
Employee

Hi @DPeaco 

Have you run from the client "nbcertcmd -getcrl" - that usually resolved this error. 

I'm also trying to understand why it works while the token is valid - tokens are only meant to be used to download a certificate from the master.

One thing to check on the client is to run the command "nbcertcmd -listallcertificates" maybe an old expired one is left, if so, use the appropriate nbcertcmd to delete this cert from the client. 

Cheers
David

DPeaco
Moderator

@davidmoline

Hello and thanks for the reply. I will need to get with the sysadmin of this server to see what we can find out next. We've even gone through totally removing the NBU client software and installing totally new client software and for some reason we continue to have this problem. Here's a bit more info from the sysadmin side:

nbcertcmd -getCRL

nbcertcmd -getCertificate

Host certificate already exists for master server [nbumaster01], will get certificate revocation list

nbcertcmd -getCertificate -force

nbcertcmd -getCACertificate

NetBackup CA certificate is successfully stored from the master server nbumaster01.

nbcertcmd -hostselfcheck

NetBackup CA-signed certificate verification status:

----------------------------------------------------

Unable to read CRL for server = nbumaster01, error = 9308.

Maybe this is a bit more confusing than it is helpful. But I'll try and do better with detailed steps done and what happens.

Thanks,
Dennis

Hi @DPeaco

Interesting, nothing looks out of the ordinary other than the self check - a couple of additional things to check and review. The nbcertcmd logs (nbcert) may provide some more information (from both client and master) on the problem (and also the nbpxyhelper, although this is harder to read IMHO). One question - is all the output shown, some of those commands should provide some output?

Then check on the client the contents of the /usr/openv/var/vxss/certmapinfo.json file to check that the crlPath value points to a valid file. The folder /usr/openv/var/vxss/crl should also exist and contain the crl file.

Feel free to post/send the nbcertcmd log if you are still unable to get things working.

Cheers
David
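
The client-side check suggested in the reply above (the crlPath value in certmapinfo.json points to a valid file, and the crl folder exists and holds a CRL) can be scripted. This is an added example, not part of the original thread and not Veritas code; it assumes only that certmapinfo.json contains one or more `"crlPath": "<path>"` string entries, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the crlPath entries of certmapinfo.json on a client.
# Assumption: the file has "crlPath": "<path>" string entries; nothing else
# about its layout is relied on. Plain sh/sed so it also runs where jq is absent.

# Print every crlPath value found in the JSON file, one per line.
extract_crl_paths() {
    tr ',{}' '\n\n\n' < "$1" |
        sed -n 's/.*"crlPath"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        sed 's#\\/#/#g'    # undo JSON "\/" escaping if present
}

# Return 0 if all checks pass, 1 if a CRL problem is found,
# 2 if the map file itself cannot be read.
check_crl_paths() {
    map_file=$1
    crl_dir=$2
    rc=0
    [ -r "$map_file" ] || { echo "FAIL map file unreadable: $map_file"; return 2; }
    if [ ! -d "$crl_dir" ]; then
        echo "FAIL CRL directory missing: $crl_dir"; rc=1
    elif [ -z "$(ls -A "$crl_dir" 2>/dev/null)" ]; then
        echo "FAIL CRL directory is empty: $crl_dir"; rc=1
    fi
    paths=$(extract_crl_paths "$map_file")
    [ -n "$paths" ] || { echo "FAIL no crlPath entry in $map_file"; return 1; }
    while IFS= read -r p; do
        if [ ! -e "$p" ]; then
            echo "FAIL crlPath does not exist: $p"; rc=1
        elif [ ! -s "$p" ]; then
            echo "FAIL crlPath is an empty file: $p"; rc=1
        elif [ ! -r "$p" ]; then
            echo "FAIL crlPath is not readable: $p"; rc=1
        else
            echo "OK   $p"
        fi
    done <<EOF
$paths
EOF
    return $rc
}

# Usage on the client, with the paths named in the reply above:
#   sh check_crl.sh /usr/openv/var/vxss/certmapinfo.json /usr/openv/var/vxss/crl
if [ $# -eq 2 ]; then
    check_crl_paths "$1" "$2"
    exit $?
fi
```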

Hi @DPeaco

Another thing to check (although given everything else seems to be working it will probably be fine) is the status of the tomcat certificate on the master.

Use the nbcertcmd -listallcertificates (on the master) and review the TOMCAT cert expiry date. If it is expired, there is a process to renew, but better to engage support to help as there is scope to break things badly.

David