Certificates

Since NetBackup 8.1 all hosts within a NetBackup domain running that version of NetBackup or a later version require a hostid certificate to communicate with either the Master server or a media server. If the client host is not known to the Master server it will require an install token to retrieve a certificate from the Master. If the client is known to the Master, i.e. it has images in the catalog or is present in a policy then the certificate can be pulled by the client without a token.

 

If a client certificate has been revoked then a reissue token will be required by the client before a new certificate can be obtained.

When working with certificates through the Java Console additional authentication is not required as the user has been authenticated by NetBackup through the process of logging into the console. However, when working with certificates through the command line, unless the user has logged into the host as root additional authentication via VxSS is required. In many environments the NetBackup administrator may not have access to the root account and instead must run commands via sudo or sudo to root. Even if the administrator can sudo to the root account on a host a VxSS login will still be required to perform some certificate operations.

 

The VxSS user is also required when configuring access to the NetBackup API. The user which is created can be used for both tasks.

 

The following technote gives details on how to set up the VxSS user :

https://www.veritas.com/support/en_US/article.100042908

 

When creating the VxSS user the NBU services must be restarted on the Master server when prompted otherwise you may find some operations do not function as expected.

 

When the user has been created as per the technote, an interactive login can be attempted by entering the following 

/usr/openv/netbackup/bin/bpnbat -login -logintype web

testmaster

0

vx

testUser

testDomain

Test1234

It is also possible to automate this login via a HERE document as per the sample script below.

 

When configuring the cript the following fields will need to be modified if any of the values have changed when deploying into a production envionment:

testmaster : change this to the correct name of the master server

testuser : change this to the correct name of the VxSS user

testdomain : change this to the correct name of the VxSS domain

password : change this to the correct password

#!/bin/ksh

#

/usr/openv/netbackup/bin/bpnbat -login -logintype web 2>&1 > /dev/null << EOF

testmaster

0

vx

testuser

testdomain

password

EOF

Once the VxSS user has logged in then all possible certificate and host management commands  can be performed such as listing all domain certificates

 

/usr/openv/netbackup/bin/nbcertcmd -listalldomaincertificates

list all tokens

 

/usr/openv/netbackup/bin/nbcertcmd -listtoken

revoke a certificate

/usr/openv/netbackup/bin/nbcertcmd -revokecertificate -host <hostname> -reasoncode <reasoncode>

generate a reissue token

/usr/openv/netbackup/bin/nbcertcmd -createtoken -name <token_name> -reissue -host <hostname> -validfor 2D

Confirm the security level which determines how certificates are deployed

/usr/openv/netbackup/bin/nbcertcmd -getsecconfig -certdeploylevel

List all hostname and alias mappings, this information is presented in the Java console under Security Management -> Host Managements

/usr/openv/netbackup/bin/admincmd/nbhostmgmt -list

When troubleshooting certificate issues with clients a very useful command is the auditreport command which can list events related to various aspects of NetBackup for the previous 7 days. The command can track events for a number of different areas within NetBackup including certificates and policies. The certificate information can be viewed in the GUI under Security Managment -> Security Events.

To view all information held related to certificates use the following command. It is possible to further narrow down the output with start and end times etc.

/usr/openv/netbackup/bin/admincmd/nbauditreport -ctgy CERT