
Installing Netbackup 8.0 to Centos 7 - unable to retrieve master certificate

Lotfi_BOUCHERIT
Level 5

Hello,

We have an old physical server that is running CentOS 7, and we need to install the NetBackup agent on it to secure our data.

We have our master server on Windows Server 2012 R2, so we tried to install the NetBackup agent 8.0 on our client. The setup was successful.

The first thing we tried to do was retrieve the master server CA certificate with the command nbcertcmd getCertificate, but we received the following error:

[root@siege-gea-nas bin]# ./nbcertcmd -getCertificate -server siege-adm-003.siege.seaal
Request to get the certificate deployment level failed.
EXIT STATUS 8500: Connection with the web service was not established.

We tested network connectivity and name resolution, and they work correctly. We even made sure that there is no firewall, whether on the master, the media servers, or the CentOS client.

Could you please tell us what we can do to install the client successfully?

5 REPLIES

davidmoline
Level 6
Employee

Hi @Lotfi_BOUCHERIT 

The first command to obtain the CA certificate is "nbcertcmd -getCACertificate" (with optional server argument if required). Once you have the CA certificate you can then run your command to get the host certificate.

This begs the question though, how did you install the client? Certificate deployment is normally done for you as part of the install. And if you have just manually installed the RPMs (which is one way), have you set up the bp.conf file so it knows what all the servers are (and its client name etc.)?

One additional thing to check is that ports 1556 and 13724 (both bi-directional) are open between the master and this client. [update - ignore this I missed you had already checked firewalls]

David

Hello @davidmoline 

Thank you for your answer.

Here are the answers for your questions:

- How was the client installed? I downloaded the Clients package from Veritas, then installed the Red Hat agent (similar to the CentOS architecture).

- For the command ./nbcertcmd -getCACertificate -server MASTER-SERVER, it does give the same error message.

- For network ports, I assure you, no firewalls are enabled, whether on the NetBackup servers or the Linux host (tested with telnet ip port commands).

Thank you in advance,

 

DPeaco
Moderator
   VIP   

@Lotfi_BOUCHERIT 

I think....what @davidmoline was asking about on the client install......is.....During the client install, it does the certificate work and if it can't, it asks if you want to continue with the install even though the certificate exchange could not be done.

At least I "think" that's what David was asking on that question.

You'll need to check to make sure that TLS/SSL for port 443 is allowed TCP bi-directional. This can also prevent the certificate exchange from happening. This has been our experience with these issues over the past 2 years.

I've also found that it does help, at times, to add the new client host to the master server in a dummy backup policy and then do the client install or manually run the commands for the CA Certificate between master and client:

Thanks,
Dennis

Hi @Lotfi_BOUCHERIT 

I just realised - you are installing NetBackup 8.0 on the Centos client. There is no requirement (or ability I think) to obtain certificates from your 8.2 master. 

You will need to make sure you have the security option checked to "Enable insecure communications with NetBackup 8.0 and earlier hosts". This can be found under the Global Security Settings in the Java GUI.

Why not install a more recent NetBackup client version? Centos 7 (depending on sub version) can support 8.2 quite happily.

Cheers
David

Hamza_H
Moderator
   VIP   
Hello,
I was just about to tell you that you don’t need to deploy a certificate for version 8.0 and, as @David mentioned, you need to verify that the security option is checked on your master server.
If the setup was okay, why did you try to establish a certificate? Do you have a problem with your backup? If yes, I am sure that it is not related to certificates, but to either ports that are not open in case of a firewall, or name resolution.
You can test using bptestbpcd command on your master and share the output to help you.

Cheers.
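
The checks suggested in the replies above, combined into one client-side script as an added example (not written by any poster in this thread and not Veritas code): it reads the SERVER and CLIENT_NAME entries from a bp.conf file and tests TCP reachability of every listed server on ports 1556, 13724 and 443. The `KEY = value` line format and passing the bp.conf path as the first argument are assumptions of this example. It reports "timeout" separately from "refused" because a silently filtered port and a port with nothing listening point to different fixes.

```python
import socket
import sys

THREAD_PORTS = (1556, 13724, 443)  # ports named in the replies above


def parse_bp_conf(text):
    """Return (servers, client_name) from bp.conf-style 'KEY = value' lines (assumed format)."""
    servers, client_name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.upper() == "SERVER" and value:
            servers.append(value)
        elif key.upper() == "CLIENT_NAME" and value:
            client_name = value
    return servers, client_name


def tcp_check(host, port, timeout=3.0):
    """Return 'open' or the kind of failure seen while connecting."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"      # no answer at all: typically dropped by a filter
    except ConnectionRefusedError:
        return "refused"      # host reached, nothing listening on that port
    except socket.gaierror:
        return "dns-failure"  # the name in bp.conf does not resolve from this host
    except OSError as exc:
        return "error: %s" % exc


def preflight(bp_conf_text, ports=THREAD_PORTS, timeout=3.0):
    """Check every SERVER entry on every port; returns (client_name, {(host, port): status})."""
    servers, client_name = parse_bp_conf(bp_conf_text)
    results = {(h, p): tcp_check(h, p, timeout) for h in servers for p in ports}
    return client_name, results


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to the client's bp.conf, given explicitly
        name, results = preflight(fh.read())
    print("CLIENT_NAME:", name or "MISSING")
    for (host, port), status in sorted(results.items()):
        print("%-40s %5d  %s" % (host, port, status))
```

An "open" result only shows that something accepted the TCP connection; it does not prove that the NetBackup web service behind the port is answering, so treat it as a necessary check rather than a sufficient one.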