cancel
Showing results for 
Search instead for 
Did you mean: 

Certificate on master server expired

Kai2209
Level 4

i have a problem with a NB master server 8.0 which was not used for more than one year. Now i cannot connect since the security certificate is expired. It is the master server itself.

I tried to renew on the server with "nbcertcmd -renewCertificate" but without success.

Then i tried to revoke the certificate and reissue with a generated token but to do so i have to login to WEB Mangement service with "bpnbat -login -logintype WEB". But this is also failing. (Login to Authentication Broker only is successful but does not help)

Any help is appreciated

thanks

Kai

1 ACCEPTED SOLUTION

Accepted Solutions

Hamza_H
Moderator
Moderator
   VIP   

@Kai2209 try all down this , if possible please share every command's result/output.

  UNIX/Linux:

   1) /usr/openv/netbackup/bin/nbwmc -terminate
   2) /usr/openv/netbackup/bin/admincmd/nbcertconfig -u -i
   3) /usr/openv/netbackup/bin/admincmd/nbcertconfig -m
   4) On 8.0 and 8.1: /usr/openv/netbackup/bin/admincmd/nbcertconfig -t      
      On 8.1.1 and 8.1.2:  /usr/openv/netbackup/bin/admincmd/nbcertconfig -t -f
   5) /usr/openv/wmc/bin/install/configureWmc
   6) /usr/openv/wmc/bin/install/configureCerts
   7) /usr/openv/wmc/bin/install/setupWmc
   8) /usr/openv/netbackup/bin/nbwmc -start
   9) /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
  10) /usr/openv/netbackup/bin/nbcertcmd -getCertificate -force
      If the operation fails, perform the steps at "Create a token" section then return to this step.
  11) Remove the /usr/openv/var/global/vxss/nbcertservice/install_token file

  Windows:

   0) set WEBSVC_PASSWORD=<nbwebsvc password>
   1) C:\Windows\System32\sc.exe stop "NetBackup Web Management Console"
   2) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -u -i
   3) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -m
   4) On 8.0 and 8.1: <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -t      
      On 8.1.1 and 8.1.2: <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -t -f
   5) <Install_Path>\NetBackup\wmc\bin\install\configureWmc
   6) <Install_Path>\NetBackup\wmc\bin\install\configureCerts
   7) <Install_Path>\NetBackup\wmc\bin\install\setupWmc
   8) C:\Windows\System32\sc.exe start "NetBackup Web Management Console"
   9) <Install_Path>\NetBackup\bin\nbcertcmd -getCACertificate
  10) <Install_Path>\NetBackup\bin\nbcertcmd -getCertificate -force
      If the operation fails, perform the steps at "Create a token" section then return to this step.
  11) Remove the <install_path>\NetBackup\var\global\vxss\nbcertservice\install_token file

 

make sure that all commands complete succesfully

which OS do you have on your master server?

 

View solution in original post

10 REPLIES 10

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

Have you tried to manually restart nbwmc?
Can you confirm that nbwebsvc account has a password that does not expire?

If you still have the machine state as it was before you started, you could simply change the system time to before the certificate expires. NetBackup should be stopped and restarted, the certificate should then auto renew (although you may want to use the "nbcertcmd -renewcertificate" command to speed this up.

Marinanne,

yes i have stopped and restarted netbackup services and nbwmc is running. Or should i restart the single service separately?

nbwebsvc has no passwd.

davidmoline,

it is not a vm so i cant revert. But no jobs are running (except a daily cleanup jobs) on the system until now. Do you think i can change the time without having a corrupt database at the end?

thanks again

Hamza_H
Moderator
Moderator
   VIP   

Hello,

did you try this?: https://www.veritas.com/support/en_US/article.100043900

UNIX/Linux Steps:

  1. /usr/openv/netbackup/bin/admincmd/nbcertconfig -t
    Note: The -t and -f options will be needed for NetBackup versions 8.1.1 and higher.
    /usr/openv/netbackup/bin/admincmd/nbcertconfig -t -f
  2. /usr/openv/wmc/bin/install/configureCerts
  3. /usr/openv/wmc/bin/install/setupWmc
  4. /usr/openv/netbackup/bin/nbwmc stop
  5. /usr/openv/netbackup/bin/nbwmc start
  6. /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
  7. usr/openv/netbackup/bin/nbcertcmd -getCertificate -force

Windows Steps:

  1. On the Master, run services.msc and locate NetBackup Web Management Console service (nbwmc)
  2. Identify the account used to start the nbwmc service
  3. Locate /  Acquire the password for this account
  4. Open an Administrator CMD prompt on the Master
  5. Create the following Environment Variable for the CMD window by running: set WEBSVC_PASSWORD=<passwordHere>
  6. Run: install_path\NetBackup\bin\admincmd\nbcertconfig -t
    Note: The -t and -f options will be needed for NetBackup versions 8.1.1 and higher.
    install_path\NetBackup\bin\admincmd\nbcertconfig -t -f
    • If this fails, it is likely to be due to an incorrect password.
      To verify the password is correct, use the following command to spawn a new CMD prompt window running as the account in question: runas /user:<user> cmd.exe
      Example local account: runas /user:nbwebsvc cmd.exe
      Example domain account: runas /user:COMPANY\nbwebsvc cmd.exe
    • If the new CMD window opens successfully, it means the credentials were correct and the new window can simply be closed.
    • If the new CMD window fails to open, examine the on-screen language to identify why.
  7. CD into install_path\NetBackup\wmc\bin\install
  8. Run: configureCerts.bat
  9. Run: setupWmc
  10. Restart the nbwmc service
  11. Run: nbcertcmd -getCACertificate
  12. Run: nbcertcmd -getCertificate -force

hha_mea,

thanks but this is not working. Maybe it is just for 8.1 and above. Still getting

EXIT STATUS 8506: The certificate has expired

Hamza_H
Moderator
Moderator
   VIP   

@Kai2209 try all down this , if possible please share every command's result/output.

  UNIX/Linux:

   1) /usr/openv/netbackup/bin/nbwmc -terminate
   2) /usr/openv/netbackup/bin/admincmd/nbcertconfig -u -i
   3) /usr/openv/netbackup/bin/admincmd/nbcertconfig -m
   4) On 8.0 and 8.1: /usr/openv/netbackup/bin/admincmd/nbcertconfig -t      
      On 8.1.1 and 8.1.2:  /usr/openv/netbackup/bin/admincmd/nbcertconfig -t -f
   5) /usr/openv/wmc/bin/install/configureWmc
   6) /usr/openv/wmc/bin/install/configureCerts
   7) /usr/openv/wmc/bin/install/setupWmc
   8) /usr/openv/netbackup/bin/nbwmc -start
   9) /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
  10) /usr/openv/netbackup/bin/nbcertcmd -getCertificate -force
      If the operation fails, perform the steps at "Create a token" section then return to this step.
  11) Remove the /usr/openv/var/global/vxss/nbcertservice/install_token file

  Windows:

   0) set WEBSVC_PASSWORD=<nbwebsvc password>
   1) C:\Windows\System32\sc.exe stop "NetBackup Web Management Console"
   2) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -u -i
   3) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -m
   4) On 8.0 and 8.1: <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -t      
      On 8.1.1 and 8.1.2: <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -t -f
   5) <Install_Path>\NetBackup\wmc\bin\install\configureWmc
   6) <Install_Path>\NetBackup\wmc\bin\install\configureCerts
   7) <Install_Path>\NetBackup\wmc\bin\install\setupWmc
   8) C:\Windows\System32\sc.exe start "NetBackup Web Management Console"
   9) <Install_Path>\NetBackup\bin\nbcertcmd -getCACertificate
  10) <Install_Path>\NetBackup\bin\nbcertcmd -getCertificate -force
      If the operation fails, perform the steps at "Create a token" section then return to this step.
  11) Remove the <install_path>\NetBackup\var\global\vxss\nbcertservice\install_token file

 

make sure that all commands complete succesfully

which OS do you have on your master server?

 

hha_mea,

it is a linux system and steps you mentioned were successful now. A new certificate was issued  ! Thank you so much for help.

I still cannot access with my java console but this seems to be a differnt issue now :(

 

 

Hamza_H
Moderator
Moderator
   VIP   

Hello @Kai2209 

Glad that helped :)

Mark this discussion as solved and open a new one for your java console problem we will try to help you solve it :)

thanks again !

Hello, could you please elaborate step 10 (If the operation fails, perform the steps at "Create a token" section then return to this step). Steps 1-9 worked btw.

I struggle with that step 10 and I am not sure, if this ...

https://www.veritas.com/content/support/en_US/doc/21733320-127424841-0/v120724185-127424841

... is the step you mention?

I am not sure that I use the following command ...

nbcertcmd -createToken -name token_name -reissue -host host_name

... the right way. Unfortunately there is no example and the master server is telling me that a token with this name already exist.

In other words ... I cannot provide a reissue token (it's mandatory) and therefore our master server token is still expired.

Edited: I repeated step 1-10 and got the following message ...

nbcertcmd -getCertificate -force
nbcertcmd: The -getCertificate operation failed for server NBUSERVER.
EXIT STATUS 5940: Reissue token is mandatory, please provide a reissue token.

That's the command I used to create a token ...

nbcertcmd -createtoken -name Reissue-Certificate -reissue -host NBUSERVER -server NBUSERVER -validFor 12D6H30M