
ECA for WEBUI

PetrHanz
Level 4
Partner Accredited Certified

Hi all

NBU Virtual Master server 4.1

Configure ECA for WEBUI only

ecaHealthCheck - all items are valid but

(Ensuring that the host name is present in either SAN or CN)
LEAF_CERTIFICATE_X509_PURPOSES_VALIDATION FAIL
(Ensuring that the certificate can be used for intended purposes)

Cause of failure
----------------
Certificate cannot be used for the client because
of the following reasons:
Extended Key Usage (TLS Web Client Authentication)
is not present.

ECA is only for WEBUI. This message should be ignored?! - https://www.veritas.com/support/en_US/article.100047175

Following ........ 

Configuring the certificate is successful

nbcertcmd -getExternalCertDetails -certPath - ok - certificate is valid

Restarting NBU/web services does not help - webui still uses the ICA certificate

vxsslcmd s_client -connect bck4:443 -showcerts
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountain View, O = Veritas Technologies LLC, OU = Appliance Solutions, CN = bck4.domain.uk
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Veritas Technologies LLC, OU = Appliance Solutions, CN = bck4.domain.uk
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Veritas Technologies LLC/OU=Appliance Solutions/CN=bck4.domain.uk
i:/C=US/ST=California/L=Mountain View/O=Veritas Technologies LLC/OU=Appliance Solutions/CN=bck4.domain.uk
-----BEGIN CERTIFICATE-----

 

check nbcertcmd -enrollCertificate

The following validations failed:
1. LEAF_CERTIFICATE_X509_PURPOSES_VALIDATION

Cause of failure
----------------
Certificate cannot be used for the client because
of the following reasons:
Extended Key Usage (TLS Web Client Authentication)
is not present.

My questions are:

1. It is not simple to create a certificate with the extended key. But ECA + WEBUI does not need it?

2. Any idea how to call the ECA certificate instead of the ICA one?

 

 

2 REPLIES

X2
Moderator
   VIP   

Does your config pass the healthcheck? (KB article)

/usr/openv/netbackup/bin/nbcertcmd -ecahealthcheck

If healthcheck passed, do perform "CTRL+R" to refresh the browser cache for the login page. I recently renewed the WebUI certificates and when I went to the login page, it was still using the old one. Had to do Ctrl+R before it saw the new one.

PetrHanz
Level 4
Partner Accredited Certified

Hi,

CTRL+R is not working. vxsslcmd s_client -connect bck4:443 -showcerts - it is a condition for CTRL+R to work.

Petr
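
The s_client output quoted in this thread is what shows which certificate the listener on port 443 presents, independent of any browser cache. The following is an added example, not part of any post and not Veritas code: it parses saved s_client text and reports whether chain entry 0 is self-issued or names the expected CA as issuer. It goes beyond the quoted output by also accepting the comma-style DN that newer OpenSSL builds print; the function names and the issuer CN you pass to `issued_by` are assumptions.

```python
import re

# Constructed from the s_client lines quoted in the thread.
SAMPLE = """\
verify error:num=18:self signed certificate
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Veritas Technologies LLC/OU=Appliance Solutions/CN=bck4.domain.uk
   i:/C=US/ST=California/L=Mountain View/O=Veritas Technologies LLC/OU=Appliance Solutions/CN=bck4.domain.uk
"""

def parse_dn(dn):
    """Split a one-line DN, '/C=US/CN=x' or 'C = US, CN = x', into (attr, value) pairs."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = re.split(r",\s*(?=[A-Za-z0-9.]+\s*=)", dn)  # split before the next 'ATTR ='
    return tuple((k.strip(), v.strip())
                 for k, v in (p.split("=", 1) for p in parts if "=" in p))

def served_leaf(s_client_output):
    """Describe chain entry 0, the certificate the listener actually presents."""
    subject = issuer = None
    in_chain = False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and subject is None:
            m = re.match(r"\s*0 s:(.*)", line)
            subject = parse_dn(m.group(1)) if m else None
        elif in_chain:
            m = re.match(r"\s*i:(.*)", line)
            if m:
                issuer = parse_dn(m.group(1))
                break
    if subject is None or issuer is None:
        raise ValueError("no chain entry 0 in s_client output")
    return {
        "subject_cn": dict(subject).get("CN"),
        "issuer_cn": dict(issuer).get("CN"),
        # Same subject and issuer name: self-issued, so not signed by an external CA.
        "self_issued": subject == issuer,
        "verify_errors": [int(n) for n in re.findall(r"verify error:num=(\d+):", s_client_output)],
    }

def issued_by(leaf, expected_issuer_cn):
    """True only if the served leaf names the expected (external) CA as issuer."""
    return not leaf["self_issued"] and leaf["issuer_cn"] == expected_issuer_cn
```

For the output quoted above, `served_leaf(SAMPLE)` reports a self-issued certificate with verify error 18, so the listener is not presenting a certificate issued by an external CA.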