FQName in output nbemmcmd -listhosts -verbose for master - how to change it?

quebek
Moderator

Hello

Recently a master server which was installed using a short name instead of an FQDN was moved from one Active Directory domain to another. Since the hostname remained the same I did not have to engage VRTS for this work.

Let's assume master server name was nbumaster and it was in domain premigration.com and output from

nbemmcmd -listhosts -verbose

was looking like:

C:\>nbemmcmd -listhosts -verbose
NBEMMCMD, Version: 8.1.2
The following hosts were found:
nbumaster
        MachineName = "nbumaster"
        FQName = "nbumaster.premigration.com"
        MachineDescription = ""
        MachineNbuType = server (6)
nbumaster
        ClusterName = ""
        MachineName = "nbumaster"
        FQName = "nbumaster.premigration.com"
        GlobalDriveSeed = "VEND:#.:PROD:#.:IDX"
        LocalDriveSeed = ""
        MachineDescription = ""
        MachineFlags = 0x17
        MachineNbuType = master (3)
        MachineState = active for tape and disk jobs (14)
        NetBackupVersion = 8.1.2.0 (812000)
        OperatingSystem = windows (11)
        ScanAbility = 5
Command completed successfully.

Now after migration to postmigration.com I see NBU is working well - starting OK, no issues with certificates, but when I run the same command I still see premigration.com in the FQName fields. Do you have any idea how to change it so the output from this command shows nbumaster.postmigration.com? Will it hurt in the future?

1 ACCEPTED SOLUTION


Krutons
Moderator

I recently went through this when we changed domains (master is registered with shortname). Let me see if I can find the documentation for what to do about fixing the certs, it does require re-deploying new certs to all your clients, just a heads up. I would recommend working with a backline engineer or talking to your BCAM / BCS team at Veritas if you have that support and they will work with you. I'll post the info anyways though.

Also for the nbemm, we ended up opening a ticket and having a backline engineer work with us on changing that but the changes he thought didn't do anything and he suggested we just wait 'til 8.2 because it's easier to 'manage' the nbemm configs he said. They wanted us to restore the Catalog WITHOUT the DRPKG file, so that it would re-create the EMM DB entries. There is an option to perform a DR of the master upon install, do not select this option.

Alright, the cert info. First, verify that /usr/openv/var/global/webrootcert.pem is there (we had one of our master servers have this file missing).


In order to resolve the issue, we had to perform the following:
Install Web Certs
Path:  /usr/openv/netbackup/bin/admincmd/
  ./nbcertconfig -u -i                -u: Installs web service user certificate
  ./nbcertconfig -m                  -m: Installs machine certificate
  ./nbcertconfig -t                  -t: Installs tomcat certificate
  ./nbcertconfig -t -f                -t: Installs tomcat certificate (force)
Note: If the "-user" option is not specified then it reads the "web service user" name from bp.conf (WEBSVC_USER).
If not found in bp.conf then it defaults to "nbwebsvc".

Configure Web Services
Path:  /usr/openv/wmc/bin/install/
    ./configureWmc         Configure web services preparation; sslStore, jkskeys, ports, webrootcert.pem…
    ./configureCerts       Configure web services; update the Java Keystore files from the certificate files…
    ./setupWmc             Setup web services; permissions…

Verified / CertMapInfo File - against Master Server Host ID: They shouldn't match, this just proves it
cat /usr/openv/var/vxss/certmapinfo.json
  [
    {
      "hostID": "0c2b7b20-bfba-424a-aea6-c5eac5a322cc",
      "serverName": "<MASTER>",
      "issuerName": "<MASTER>",
      "certType": 1,
      "isServerMaster": 1,
      "issuedBy": "/CN=broker/OU=root@<MASTER FQDN>/O=vx",
      "crlPath": "/usr/openv/var/vxss/crl/5a4d6050.crl",
      "securityLevel": 1,
      "crlNextRefreshTime": 1561678429,
      "crlLastRefreshTime": 1561664029,
      "masterHostId": "fa9d1ddf-7fe7-4b41-a813-562f749e3236"

Executed New Cert for Master to Update Host ID / Mapping
./nbcertcmd -getCertificate -force -token
Now, both hostID and Master Host ID – match…
      "hostID": "fa9d1ddf-7fe7-4b41-a813-562f749e3236",
      "masterHostId": "fa9d1ddf-7fe7-4b41-a813-562f749e3236"

Then we were able to update certs for Media Servers, and have them connect to the master.

 


4 REPLIES

quebek
Moderator

About certificates ...

I do stand corrected as I see this

C:\Windows\system32>nbcertcmd -listAllCertificates
[
   {
      "Subject Name": "/CN=nbatd/OU=root@nbumaster.premigration.com/O=vx",
      "Start Date": "Nov 06 12:51:15 2019 GMT",
      "Expiry Date": "Nov 01 14:06:15 2039 GMT",
      "SHA1 Fingerprint": "39:E7:D5:8D:6E:18:2F:9E:EB:56:19:0C:0B:80:CA:99:22:94:CD:49",
      "Certificate Path": "C:\\Program Files\\Veritas\\NetBackup\\var\\webtruststore\\cacert.pem"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=000ef950-2209-4bca-9d65-54185e73d0d6/OU=NBU_HOSTS/O=vx",
      "Expiry Date": "Nov  5 14:08:42 2020 GMT",
      "SHA1 Fingerprint": "52:24:02:6A:33:BD:4E:6B:CE:3A:72:AE:3A:34:C6:2D:4F:6C:3A:66",
      "Serial Number": "0x626656cb00000007",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\vxss\\at"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=tapon001/OU=NBU_Machines@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:06:59 2020 GMT",
      "SHA1 Fingerprint": "8D:AC:18:A0:EB:D1:87:7E:E6:D7:2E:C5:14:F0:17:3B:50:FF:AF:62",
      "Serial Number": "0x5f06946800000002",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\vxss\\at"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=nbumaster.premigration.com/OU=NBU_Machines@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:00 2020 GMT",
      "SHA1 Fingerprint": "88:95:55:2A:1B:16:04:26:55:DA:58:B6:2F:49:F1:7E:45:01:DC:61",
      "Serial Number": "0x6b84068f00000003",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\vxss\\at"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=tapon001/OU=TOMCAT@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:11 2020 GMT",
      "SHA1 Fingerprint": "B9:07:34:ED:A2:E7:49:4F:95:E7:C9:45:76:DD:21:19:93:D6:07:3A",
      "Serial Number": "0x42a4673200000006",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\global\\vxss\\tomcatcreds\\nbwebsvc"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=tapon001/OU=NBU_Machines@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:10 2020 GMT",
      "SHA1 Fingerprint": "3B:59:51:15:69:D9:F8:4B:E6:2B:A5:21:0D:BB:76:88:56:8F:83:68",
      "Serial Number": "0x77a60a8700000005",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\global\\vxss\\websvccreds\\at\\nbwebsvc"
   },
   {
      "Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
      "Subject Name": "/CN=nbwebsvc/OU=NBU_HOSTS@nbumaster.premigration.com/O=vx",
      "Expiry Date": "Nov  5 14:07:09 2020 GMT",
      "SHA1 Fingerprint": "2F:6D:E8:E5:D2:7C:44:FF:B3:24:5F:8E:8F:80:26:54:30:B3:D5:2D",
      "Serial Number": "0x6dc3f1d400000004",
      "Certificate Dir": "C:\\Program Files\\Veritas\\NetBackup\\var\\global\\vxss\\nbcertservice\\nbwebsvc"
   }
]

Any idea if we can recreate these using new postmigration.com domain?
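
Added example, not part of either post: a small Python check that automates the two by-eye inspections in this thread, namely finding certificates in `nbcertcmd -listAllCertificates` output that still name the old domain, and comparing hostID with masterHostId in certmapinfo.json. The function names and sample data are constructed for illustration, and it assumes that entries flagged `isServerMaster` are the ones whose two IDs should agree, as in the file quoted in the accepted solution.

```python
import json

def dn_hosts(dn):
    """Host-like values in a DN such as /CN=broker/OU=root@host.example.com/O=vx:
    each component's value, or the part after '@' when there is one."""
    for part in dn.strip("/").split("/"):
        value = part.partition("=")[2]
        yield value.rpartition("@")[2].lower()

def in_domain(host, domain):
    # Exact domain or a real subdomain; "notpremigration.com" must not match.
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def stale_certs(listing_json, old_domain):
    """From `nbcertcmd -listAllCertificates` JSON, return (subject, fields)
    for every certificate whose subject or issuer still names old_domain."""
    hits = []
    for cert in json.loads(listing_json):
        fields = [f for f in ("Subject Name", "Issued By")
                  if any(in_domain(h, old_domain) for h in dn_hosts(cert.get(f, "")))]
        if fields:
            hits.append((cert.get("Subject Name", ""), fields))
    return hits

def host_id_mismatches(certmap_json):
    """From certmapinfo.json, return serverName of entries flagged
    isServerMaster whose hostID differs from masterHostId (assumption:
    this is the condition the accepted solution checks by eye)."""
    return [e.get("serverName") for e in json.loads(certmap_json)
            if e.get("isServerMaster") == 1 and e.get("hostID") != e.get("masterHostId")]

# Constructed sample data modelled on the output quoted in this thread.
SAMPLE_LISTING = """[
 {"Subject Name": "/CN=nbatd/OU=root@nbumaster.premigration.com/O=vx"},
 {"Issued By": "/CN=broker/OU=root@nbumaster.premigration.com/O=vx",
  "Subject Name": "/CN=00000000-0000-0000-0000-000000000001/OU=NBU_HOSTS/O=vx"},
 {"Issued By": "/CN=broker/OU=root@nbumaster.postmigration.com/O=vx",
  "Subject Name": "/CN=nbumaster/OU=NBU_Machines@nbumaster.postmigration.com/O=vx"}
]"""
SAMPLE_CERTMAP = """[
 {"hostID": "00000000-0000-0000-0000-00000000000a", "serverName": "nbumaster",
  "isServerMaster": 1, "masterHostId": "00000000-0000-0000-0000-00000000000b"}
]"""

if __name__ == "__main__":
    for subject, fields in stale_certs(SAMPLE_LISTING, "premigration.com"):
        print("old domain in", ", ".join(fields), "->", subject)
    print("hostID/masterHostId mismatch:", host_id_mismatches(SAMPLE_CERTMAP))
```

Run against real output, this gives the list of certificates that would need re-issuing after the domain change, including host-ID certificates whose subject carries no domain but whose issuer still does.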


quebek
Moderator

Hey

Thank you! I can't wait for your further updates... in regard to certificates...

So the bottom line for FQName is to leave it as is? Until the 8.2 upgrade?

Krutons
Moderator

I updated my post. Yeah, from my understanding in regard to the nbemm hosts, I'd just wait till 8.2, it doesn't hurt anything having it there.