
Unable to access NetBackup java console for non-root user from remote windows machine

DPO
Moderator
   VIP   

Planning to grant NB access to individual users instead of using the common "admin/root" account. Created a NetBackup user and updated the auth.conf file accordingly on the NetBackup Master (5240 appliance). We usually access the NB Java console from a remote Windows machine for which we have full rights (Administrator account). Also created an individual account with basic privileges on the remote Windows machine for each individual. The user is successfully able to take RDP to the Windows machine, and when this user tried to log in to the NB Java console, they got: "NetBackup could not initiate a trust relationship with the host "FQDN". Ensure that your DNS server resolves to host to correct IP."

But to test that, from the same Windows machine, logged in as Administrator, trying to access the NB Java console as the user created above works. Is there anything at the Windows level blocking a regular/individual user from accessing a remote NB Java console? I checked that UAC is disabled and the NB host is resolvable (we also have the local hosts file updated), but surprisingly we get this when we log in to the remote Windows machine with an individual user account.

 

4 REPLIES

Tousif
Level 6

Hello,

 

Enable the java log "bpjava-msvc" on the Master server and reattempt to login.

Share the logs for more information.

Article:

https://www.veritas.com/support/en_US/doc/86063237-127664549-0/v121749215-127664549

 

Regards,

DPO
Moderator
   VIP   

06:35:55.499 [99355] <2> session_dispatch: Request count = 0 tag = 510
06:35:55.499 [99355] <2> populateCertificatePath: Master server name is [abcdefg]
06:35:55.500 [99355] <2> getCertPath: Host Certificate path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.500 [99355] <2> populateCertificatePath: received hostid cert, path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.500 [99355] <2> populateCertificatePath: Certificate to be used for SSL [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.500 [99355] <4> command_SECURE_CHANNEL_INIT: Using certificate [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937] and Responding SECURE_CHANNEL_PROCEED.
06:35:55.651 [99355] <4> session_secure_lookup: Initiating SSL Accept
06:35:55.651 [99355] <2> tls_vxss_accept: Get dataDirType for VssInitEx
06:35:55.651 [99355] <2> populateCertificatePath: Master server name is [abcdefg]
06:35:55.652 [99355] <2> getCertPath: Host Certificate path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.652 [99355] <2> populateCertificatePath: received hostid cert, path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.652 [99355] <2> populateCertificatePath: Certificate to be used for SSL [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,144) ERROR STACK REPORT BEGIN
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,148) Frame :0
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,154) String: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,158) File: s3_pkt.c:1493
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,161) Error data: SSL alert number 48
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,171) ERROR STACK REPORT END
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,144) ERROR STACK REPORT BEGIN
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,148) Frame :0
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,158) File: ../sslconn.c:934
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,161) Error data: SSLCOMM_ERR_FAILED_OPERATION
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,171) ERROR STACK REPORT END
06:35:55.691 [99355] <16> bpjava@VssAccept: (../../libVnbat/vss_auth.cpp,2528): vrtsAtSecConnAcceptEx returned FAILURE
06:35:55.691 [99355] <16> tls_vxss_accept: ../io.c.3372: VssAccept( ) failed
06:35:55.691 [99355] <16> session_secure_lookup: Unexpected error occurred while establishing TLS session.Possibly this could be a NetBackup Console establishing trust with the broker or User opted not to trust issuer of Machine certificate.This may also occur due to network blip or due to expired or invalid Machine certificate.
06:35:55.691 [99355] <16> session_dispatch: session_secure_lookup FAILED!!! fd = 0
06:35:55.692 [99354] <16> poll_listen: can't find file descriptor in polling table
06:35:55.776 [99357] <2> session_dispatch: Request count = 0 tag = 510
06:35:55.776 [99357] <2> populateCertificatePath: Master server name is [abcdefg]
06:35:55.777 [99357] <2> getCertPath: Host Certificate path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.777 [99357] <2> populateCertificatePath: received hostid cert, path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.777 [99357] <2> populateCertificatePath: Certificate to be used for SSL [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.777 [99357] <4> command_SECURE_CHANNEL_INIT: Using certificate [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937] and Responding SECURE_CHANNEL_PROCEED.
06:35:55.827 [99357] <4> session_secure_lookup: Initiating SSL Accept
06:35:55.827 [99357] <2> tls_vxss_accept: Get dataDirType for VssInitEx
06:35:55.827 [99357] <2> populateCertificatePath: Master server name is [abcdefg]
06:35:55.828 [99357] <2> getCertPath: Host Certificate path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.828 [99357] <2> populateCertificatePath: received hostid cert, path is [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.828 [99357] <2> populateCertificatePath: Certificate to be used for SSL [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.835 [99357] <16> bpjava@EAT_LOG: (../sslconn.c,1315)No peer certificate attached to connection 10a7810
06:35:55.835 [99357] <4> tls_vxss_accept: ../io.c.3381: SSL Channel established for fd[0]
06:35:55.835 [99357] <4> session_secure_lookup: SSL Connection Accepted!

Hello,

 

As per the log detail, it looks like the users do not interact with the CA certificate deployed on the jump server.

Could you please add one of the users to the local admin group and check the behavior?

Could you please create a new local user with admin privileges on the jump server and try to log in to the Java Console?

 

Logs:

06:35:55.652 [99355] <2> populateCertificatePath: Certificate to be used for SSL [/usr/openv/var/vxss/credentials/9fff4f79-a3eb-41b4-9667-89651bd3d937]
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,144) ERROR STACK REPORT BEGIN
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,148) Frame :0
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,154) String: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,158) File: s3_pkt.c:1493
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,161) Error data: SSL alert number 48
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,171) ERROR STACK REPORT END
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,144) ERROR STACK REPORT BEGIN
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,148) Frame :0
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,158) File: ../sslconn.c:934
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,161) Error data: SSLCOMM_ERR_FAILED_OPERATION
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,171) ERROR STACK REPORT END
06:35:55.691 [99355] <16> bpjava@VssAccept: (../../libVnbat/vss_auth.cpp,2528): vrtsAtSecConnAcceptEx returned FAILURE
06:35:55.691 [99355] <16> tls_vxss_accept: ../io.c.3372: VssAccept( ) failed
06:35:55.691 [99355] <16> session_secure_lookup: Unexpected error occurred while establishing TLS session.Possibly this could be a NetBackup Console establishing trust with the broker or User opted not to trust issuer of Machine certificate.This may also occur due to network blip or due to expired or invalid Machine certificate.
06:35:55.691 [99355] <16> session_dispatch: session_secure_lookup FAILED!!! fd = 0
06:35:55.692 [99354] <16> poll_listen: can't find file descriptor in polling table

 

Regards,
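Added example, not part of the original thread and not NetBackup code: a small Python triage script that groups the bpjava-msvc lines posted above by PID and reports how each TLS accept ended and which certificate alert, if any, was logged. The function name and the line-layout regex are assumptions derived from the posted lines. Alert 48 is `unknown_ca` in RFC 5246, and because OpenSSL reports it from `ssl3_read_bytes`, the alert was received from the peer, meaning the console side did not trust the issuer of the master server's certificate.

```python
import re
from collections import OrderedDict

# TLS alert descriptions from RFC 5246 that relate to certificate validation.
CERT_ALERTS = {42: "bad_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown",
               48: "unknown_ca"}

# Assumed layout: "HH:MM:SS.mmm [pid] <severity> function: message"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \[(\d+)\] <(\d+)> ([^:]+): (.*)$")
ALERT_RE = re.compile(r"SSL alert number (\d+)")

# Excerpt of the bpjava-msvc lines posted in this thread (unrelated lines dropped).
SAMPLE_LOG = """\
06:35:55.651 [99355] <4> session_secure_lookup: Initiating SSL Accept
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,154) String: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
06:35:55.691 [99355] <16> bpjava@EAT_LOG: (../at_utils.c,161) Error data: SSL alert number 48
06:35:55.691 [99355] <16> session_dispatch: session_secure_lookup FAILED!!! fd = 0
06:35:55.692 [99354] <16> poll_listen: can't find file descriptor in polling table
06:35:55.827 [99357] <4> session_secure_lookup: Initiating SSL Accept
06:35:55.835 [99357] <4> session_secure_lookup: SSL Connection Accepted!
"""

def summarize_handshakes(log_text):
    """Group log lines by PID and report the outcome of each TLS accept."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped or non-log lines
        ts, pid, _sev, _func, msg = m.groups()
        if "Initiating SSL Accept" in msg:
            sessions[pid] = {"pid": pid, "start": ts,
                             "result": "incomplete", "alert": None}
        s = sessions.get(pid)
        if s is None:
            continue  # line from a process that never started a handshake
        alert = ALERT_RE.search(msg)
        if alert:
            num = int(alert.group(1))
            s["alert"] = (num, CERT_ALERTS.get(num, "other"))
        elif "SSL Connection Accepted" in msg:
            s["result"] = "accepted"
        elif "session_secure_lookup FAILED" in msg:
            s["result"] = "failed"
    return list(sessions.values())

if __name__ == "__main__":
    for session in summarize_handshakes(SAMPLE_LOG):
        print(session)
```

Run against a full bpjava-msvc log, sessions that end as `failed` with alert 48 point at the trust store used by the console session, while `incomplete` sessions are handshakes with no logged outcome.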

DPO
Moderator
   VIP   

The user is already part of the Administrators group on the jump server (Windows machine). Surprisingly, if we log in with only the Administrator account on the jump server and connect to the Java console with the NetBackup user we created, he can access it.

I'm concerned about this error. It appears to me that we need to create certificates for each NB or remote user? At this path, /usr/openv/var/global/vxss/eab/data, I can see only the root user. We don't use NBAC.

> session_secure_lookup: Unexpected error occurred while establishing TLS session.Possibly this could be a NetBackup Console establishing trust with the broker or User opted not to trust issuer of Machine certificate.This may also occur due to network blip or due to expired or invalid Machine certificate.