10-15-2018 06:03 AM
Hi, does anyone know how to renew an NBU 8.1.2 Master Server security certificate?
Scenario is a lab master server that isn't always running; if left shut down for more than ~10-14 days the Web Management Console fails to start and I get "Unable to login,status : 7656" and Certificate Revocation List (CRL) older than 7 days errors when trying to log in to the Admin Console. Also "nbcertcmd -listCertDetails" shows its security certificate has expired.
The documentation and technotes I can find seem to cover renewing certificates on clients or media servers assuming the master is running.
10-15-2018 06:06 AM
10-15-2018 06:08 AM
Or if you've already upgraded and now it's messed up (I had that too), do this
10-15-2018 07:18 AM
Riaan, Thanks for this; yes I had tried "nbcertcmd -renewCertificate" which failed:
nbcertcmd: The -renewCertificate operation failed.
EXIT STATUS 5930: The request could not be authorized
I tried your other suggestion but that failed at the bpnbaz command:
C:\Users\Administrator>bpnbaz -configureauth -force
Gathering configuration information.
Waiting for the security services to start operation.
Generating identity for host 'xxx.yyy.com'
Setting up security on target host: xxx.yyy.com
Unable to configure target host.
I'll try and get a support call raised but any other thoughts? As it's a lab machine I can change dates back in the meantime which does work.
Anyway many thanks, Andrew
10-15-2018 08:45 AM
No sorry, I had followed those steps in that order twice recently and it works. Unfortunately, since there is no #$@T^@$^@ documentation that really explains what is going on with all these certificates I have no clue what I'm doing, just following instructions like a sheep.
10-15-2018 02:54 PM
Completely agree... Just a shame all this valuable feedback doesn't seem to be used to improve NetBackup. Anyway, thanks, Andrew
10-15-2018 03:39 PM
If I'm not mistaken, all that needs renewing is the revoked certificate list.
10-15-2018 11:17 PM
Thanks, I had tried that but it errors:
Failed to fetch security level for 'xxx.yyy.com'. 26: client/server handshaking failed
Failed to fetch certificate revocation list for 'xxx.yyy.com'. 26: client/server handshaking failed
EXIT STATUS 5978: Attempt to refresh certificate revocation list failed.
From the commands doc, this will retrieve the latest revocation list from the master but doesn't seem to work if the master doesn't already have a good certificate. I can see it does refresh the list if the master certificate is valid. Seems to be Catch-22...
10-16-2018 12:37 AM
I should mention this master was installed at NBU 7601 and upgraded to 8.0 and then to 8.1.2... Thanks, Andrew
10-16-2018 12:52 AM
To reconfirm, my upgrade was also from 8.0 to 8.1.2. Those steps worked, and the order was really important. On the first upgrade we did it in the correct order but the TSE didn't document both steps. When I tried the second master upgrade it failed too, so I performed the rename of the credentials folder but that alone didn't do the trick. Had to do the WebSvC thing first.
And to clarify the behaviour, after the upgrade we were not able to log in to the Java console. It gave some certificate issue and error in the 500 range. The operation on the WebSvc resolved this but while logging in it complained about connection to NBSL. That issue was resolved using the rename procedure.
10-16-2018 07:16 AM - edited 10-16-2018 07:17 AM
Please talk to Veritas Support. I think they can help you.
I think this is the key statement in the problem description: "Scenario is a lab master server that isn't always running."
The master server's certificate automatically renews itself before it has a chance to time out - if the server is running. I recently deployed a VM template with NetBackup 8.1 that had been made over a year ago, and my certificate had timed out. I couldn't fix it with nbcertcmd. An internal expert pointed me to a process that backline support has. It worked for me. There are a lot of steps in the process. You would need a WebEx with Support (not me) to follow it.
Even if your problem is different from the one I had, backline support has a diagnostic tool that may help figure out your issue. The tool is a work in progress. So far it is only for Linux and only available to backline.
10-16-2018 08:35 AM
10-17-2018 12:13 AM
OK, thanks for this though it doesn't sound great news! I'm not around for a few days but I'll try and raise a call (though as a small partner it's not always easy).
But thanks, Andrew
10-17-2018 12:16 AM
Thanks for this, I thought nbwmc not being able to start was a symptom of the problem not the actual cause but I will check this more. Thanks, Andrew
10-17-2018 01:58 AM
10-17-2018 05:52 AM
Well, today I also encountered errors 8506 (certificate expired) for all backup/restore jobs, Media Servers going to Offline state etc. on one Master.
I had also followed steps with nbcerconfig + ConfigureCerts mentioned above and now it is ok.
It was exactly 1 year after upgrade to 8.1. Not sure why this certificate has expired, because this Master was running 24x7. Nothing useful on Google and in doc...
10-18-2018 05:17 AM
Amol Nair was right, it was an issue with the nbwebsvc account; once this was fixed the CRL certificate refreshed itself automatically and NBU now works. My apologies for not catching this (embarrassed). Thanks again, Andrew