cancel
Showing results for 
Search instead for 
Did you mean: 

How to renew NBU 812 Master Server security certificate?

andrew_mcc1
Level 6
   VIP   

Hi, Does anyone know how to renew a NBU 812. Master Server security certificate? 

Scenario is a lab master server that isn't always running; if left shutdown for more than ~10-14 days the Web Management Console fails to start and I get "Unable to login,status : 7656"  and Certificate Revocation List (CRL) older than 7 days errors when trying to log in to the Admin Console. Also "nbcertcmd -listCertDetails" shows its security certificate has expired.

The documentation and technotes I can find seem to cover renewing certificates on clients or media servers assuming the master is running.

Thanks, Andrew

1 ACCEPTED SOLUTION

Accepted Solutions

Unfortunately starting NetBackup 8.1 if nbwmc isn’t starting or running properly you would end up with all kinds of problems with the GUI or certificate related commands..

The key step to start troubleshooting around certificate related issues is to ensure that nbwmc is running correctly.

View solution in original post

16 REPLIES 16

RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

Try

 

nbcertcmd -renewCertificate

RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

Or if you've already upgraded and now its messed up (i had that too) do this

Regenerated Tomcat certificates following below article;
 
set WEBSVC_PASSWORD=<Password of User>
nbcertconfig -t -user <User Name>
 
Then do this
 
Rename credentials directory location: %install_dir%\NetBackup\var\vxss.

Execute bpnbaz -configureauth -force and nbcertcmd -getcertificate -force
 
If that doesn't do it, call support :)

Riaan, Thanks for this; yes I had tried "nbcertcmd -renewCertificate" which failed:

  nbcertcmd: The -renewCertificate operation failed.
  EXIT STATUS 5930: The request could not be authorized

I tried your other suggestion but that failed at the bpnbaz command:

  C:\Users\Administrator>bpnbaz -configureauth -force
  Gathering configuration information.
  Waiting for the security services to start operation.
  Generating identity for host 'xxx.yyy.com'
  Setting up security on target host: xxx.yyy.com
  Unable to configure target host.

I'll try and get a support call raised but any other thoughts? As its a lab machine I can change dates back in the meantime which does work.

Anyway many thanks, Andrew

RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

No sorry, I had followed those steps in that order twice recently and it works. Unfortunately, since there is no #$@T^@$^@ documentation that really explains what is going on with all these certificates I have no clue what I'm doing, just following instructions like a sheep.

Completey agree... Just a shame all this valuable feedback doesn't seem to be used to improve NetBackup. Anyway, thanks, Andrew

mph999
Level 6
Employee Accredited

If I'm not mistaken, all that needs renewing is the revoked certificate list.

nbcertcmd -getCRL

 

 

andrew_mcc1
Level 6
   VIP   

Thnaks, I had tried that but it errors:

  C:\Users\Administrator>nbcertcmd -getCRL
  Failed to fetch security level for  'xxx.yyy.com'. 26: client/server handshaking failed
  Failed to fetch certificate revocation list for 'xxx.yyy.com'. 26: client/server handshaking failed
  EXIT STATUS 5978: Attempt to refresh certificate revocation list failed.

From the commands doc, this will retrieve the latest revocation list from the master but doesn't seem to work if the master doesn't already have a good certificate. I can see it does refresh the list if the master certificate is valid. Seems to be Catch22...

Thanks, Andrew

andrew_mcc1
Level 6
   VIP   

I should mention this master was installed at NBU 7601 and upgraded to 8.0 and then to 8.1.2... Thanks, Andrew

RiaanBadenhorst
Moderator
Moderator
Partner    VIP    Accredited Certified

To reconfirm, my upgrade was also from 8.0 to 8.1.2. Those steps worked, and the order was really important. On the first upgrade we did it in the correct order but the TSE didn't document both steps. When i tried the second master upgrade it failed too, so I performed the rename of the credentials folder but that alone didn't do the trick. Had to do the WebSvC thing first.

And to clarify the behaviour, after the upgrade we were not able to login to the java console. It gave some certificate issue and error in the 500 range. The operation on the WEbSvc resovled this but while logging in it complained about connection to NBSL. That issue was resolved using the rename procedure.

HTH

Please talk to Veritas Support. I think they can help you.

I think this is the key statement in the problem description: "Scenario is a lab master server that isn't always running."

The master server's certificate automatically renews itself before it has a chance to time out - if the server is running. I recently deployed a VM template with NetBackup 8.1 that had been made over a year ago, and my certificate had timed out. I couldn't fix it with nbcertcmd. An internal expert pointed me to a process that backline support has. It worked for me. There are a lot of steps in the process. You would need a WebEx with Support (not me) to follow it.

Even if your problem is different from the one I had, backline support has a diagnostic tool that may help figure out your issue. The tool is a work in progress. So far it is only for Linux and only available to backline.

Your nbcertcmd command seems to have returned with a status 26.. That means nbwmc is not correctly running on the master server.. since it seems to be a windows machine open task manager and see how many peocesses are running under the nbwebsvc account.. There should be 4 processes running. If not that needs to be fixed..

Logging a support call would definitely help speed up things..

If the 4 processes are not correctly running I would go to logs.. Start with the catalina logs and the nbwebservices logs

andrew_mcc1
Level 6
   VIP   

OK, thanks for this though it doesn't sound great news! I'm not around for a few days but I'll try and raise a call (though as a small partner its not always easy).

But thanks, Andrew

andrew_mcc1
Level 6
   VIP   

Thanks for this, I thought nbwmc not being able to start was a symptom of the problem notteh actual cause but I will check this more. Thanks, Andrew

Unfortunately starting NetBackup 8.1 if nbwmc isn’t starting or running properly you would end up with all kinds of problems with the GUI or certificate related commands..

The key step to start troubleshooting around certificate related issues is to ensure that nbwmc is running correctly.

Michal_Mikulik1
Moderator
Moderator
Partner    VIP    Accredited Certified

Well, today I also encountered errors 8506 (certificate expired) for all backup/restore jobs, Media Servers going to Offline state etc. on one Master.

I had also followed steps with nbcerconfig + ConfigureCerts mentioned above and now it is ok.

It was exactly 1 year after upgrade to 8.1. Not sure why this certificate has expired, because this Master was running 24x7. Nothing useful on Google and in doc...

Michal

Amol Nair was right, it was an issue with the nbwebsvc account; once this was fixed the CRL certificate refreshed itself automatically and NBU now works. My apologies for not catching this (embarassed). Thanks again, Andrew