Completely remove host certificates in 8.1

I have a customer that will potentially have hundreds of servers that will be used for a short period of time and then decomissioned.  In NetBackup 8.1 I know you can revoke the certificate for hosts that are no longer active.  However, this list will end up getting kind of messy.  I've hacked around a ton looking at commands and directory structures and I don't see anything obvious.  Does anyone know how to remove a host completly from the Host Certificate list?

 

Thanks,

Chris V.

Tags (1)
12 Replies

Re: Completely remove host certificates in 8.1

Assuming all clients are 8.1 - so the certificates are host ID-based.

In this case, old certificates can be removed by running nbcertcmd -deleteCertificate -hostid <host id> 

Re: Completely remove host certificates in 8.1

I believe that command works on the client itself to get of local certificates, which doesn't apply in this situation.  When I try to use it from the master I get:

[root@c1 openv]# /usr/openv/netbackup/bin/!/usr/openv/netbackup/bin/nbcertcmd -deleteCertificate -hostid 9be1107-93b4-48f9-a551-b55c75130718
Deleting security certificates can adversely impact the NetBackup functionality.
Do you want to proceed? (y/n) y
Failed to delete certificate.
EXIT STATUS 114: unimplemented error code 114

Tags (1)

Re: Completely remove host certificates in 8.1

This is expected because it's the client certificate you are resetting. If you need to revoke it so the client won't be able to connect to the master in question, you need to run nbcertcmd -revokeCertificate -hostID host_id

 

Re: Completely remove host certificates in 8.1

Thanks, but as I said in my first message I know that I can revoke it for them.  I'd like to COMPLETELY remove them from this list.  From the attached picture, I'd like c2.home to be completely gone.  My customer may have hundreds of revoked clients.  They'd like to clean up the list of host certificates so there is nothing for c2.home.

Chris V.

Re: Completely remove host certificates in 8.1

The Command Reference guide seems to be lacking detailed info for nbcertcmd and simply refers to NetBackup Security and Encryption Guide for 'more info'. 

Maybe good idea to log a call with Veritas Support due to the lack of info. 

Re: Completely remove host certificates in 8.1

I have a simiular case here. We had a client in one of our NB Domains but then relocated it to another NB Domain. Now I'm trying to remove the certificate from the orginal NB Domain. I currently have a case open with support and as of yesterday they are researching it. One thing the tech mentioned that I may have to wait until the certificate expires before it can be removed. 

Seems to me this may be one thing Veritas did not think about when implementing the certificate concept in NB 8.1..

If they come up with a method on how to delete the certificate I will update this thread..

NetBackup 8.1 at 10 sites
IBM 3584 LTO 6 - MSL 6480 LTO 6 - MSL 4048 LTO 6 - D2D
Tags (2)

Re: Completely remove host certificates in 8.1

Looks like you need the certificate equivalent of "bpclntcmd -clear_host_cache"

NetBackup 8.1.2 on Solaris 11, writing to DataDomain 9800
duplicating via SLP to LTO5 in SL8500 via ACSLS
Tags (2)

Re: Completely remove host certificates in 8.1

Yes, please let us know.  I've even tried moving the clock forward as a test, but that is messing up the CRL, even if I run the normal commands to fix it.  

Highlighted

Re: Completely remove host certificates in 8.1

I am also having this problem, and unfortunately have come across a technote which basically says "You can't do that!"

https://www.veritas.com/support/en_US/article.100041506

The relevant passage is at the end:

"Currently, it is not possible to remove entries from either the Host Management or Certificate Management tables. If a NetBackup host is moved from one NetBackup Master Server to another or is decommissioned entirely, it continues to be impossible to remove the host entries from either of these two tables. It is recommended to Revoke the certificate from the Certificate Management table, and add an appropriate Comment to the host entry on the Host Management table describing why the Certificate has been Revoked.

The reason why it is not possible to remove entries from these tables is a security measure. When a host is newly introduced to a Master Server, depending on the configuration, it is possible for the host to automatically be added to the list of known hosts (Host Management) without human interaction.  Revoking a hosts certificate causes the known host to become untrusted. If a host with that name and or known Revoked certificate attempts to connect, the Master Server knows not to trust it, and therefore refuses the connection. To re-establish a trust to the host, a human must create a reissue token, and that token must be used to re-establish the trust, thereby removing the Revoked state of the host's certificate.

If instead, a formerly untrusted (Revoked) host was entirely removed from those tables, and then if the host were to attempt a connection with the Master Server, the trust relationship would be handled as all new client trusts are handled (based upon the configuration).  And this could happen without the awareness of the NetBackup Administrator, and this may not always be desired."

Re: Completely remove host certificates in 8.1

Seems to me the reasoning in that tech note is rather specious.  If a customer is really worried about previously removed hosts attempting to re-connect with the master server, they can set the Security Level to Very High, thus requiring that they provide a token to every client trying to establish a first connection to the master.  The Very High security level provides the same protection as not letting us remove host and certificate entries.  So why not give us the option of removing the entries ourselves, since we have a fallback?

Re: Completely remove host certificates in 8.1

Landed on this discussions while trying to find out how to remove host certificates from both Certificate Management and Host Management when I have decommissioned a server (client that was backed up). It would be OK to revoke a client's certificate if it was temporarily not to be trusted (rebuild, relocation, etc). But when I know that the client is being decommissioned for good and will not come back, it would be nice to have the certificate removed too - to get it totally out of the system/clean up.

Re: Completely remove host certificates in 8.1

FYI, the KB article (100041506) posted by @Joseph_Vidal was written for the case that @WayneCierkowski mentioned above, suggest marking both of their posts as the solution.

Also keep in mind, the "nbcertcmd -deleteCertificate -hostid <host id>" command is intended to be run on a client (not on the master) to delete the client's hostID certificate from the local certificate store and it does not change any tables in EMM DB on the master. Thus, it will not change the contents of what is visible in the Certificate Management or Host Management tables as presented in the GUI, so the requested functionality is currently not available. However, it is possible in some future release that this functionality may be added or modified in some way.

Note: We do not recommend moving the clock forward for testing on your master server, as this could result in images expiring, causing a data loss condition.

JD | Veritas NetBackup Support
Tags (1)