Article: 100039944
Last Published: 2020-12-16
Product(s): NetBackup & Alta Data Protection
Problem
This is "Issue 3: A corrupted local host ID-based certificate" as referenced in the master article for troubleshooting CRL related problems, 000127887.
Default file location:
Windows:
<install_path>\NetBackup\var\vxss\credentials\<randomly-generated-hostid-name>
Unix/Linux:
/usr/openv/var/vxss/credentials/<randomly-generated-hostid-name>
Note: There may also be host name-based certificates in this location. This article focuses on the host ID-based certificate. The files are easy to tell apart, because the host name-based certificate has the host name or an alias of the server in its file name.
Example:
ls -al /usr/openv/var/vxss/credentials
may show:
-rw------- 1 root root 2539 Sep 1 11:56 684851de-30e5-4a05-ac9a-c4dc82770043
-rw------- 1 root root 2186 Sep 1 11:56 nbmaster2.fqdn.com
In this example:
The host ID-based certificate is named: 684851de-30e5-4a05-ac9a-c4dc82770043
The host name-based certificate is named: nbmaster2.fqdn.com
If the local host ID-based certificate is corrupted or unreadable, backups will fail in the following manner:
Media server:
If the media server host ID-based certificate is corrupted, backups will exit with status codes 25 and 7625:
Sep 5, 2017 11:38:54 AM - Info nbjm (pid=15375) started backup (backupid=nbmedia2_1504625934) job for client nbmedia2, policy nbmedia2-policy, schedule Full on storage unit nbmedia2-hcart2-robot-tld-1
Sep 5, 2017 11:38:55 AM - Error nbjm (pid=15375) [PROXY] Connecting host: nbmaster2.fqdn.com
Sep 5, 2017 11:38:55 AM - Error nbjm (pid=15375) [PROXY] ConnectionId: {53425B84-9250-11E7-B9E4-D29D695EC920}:OUTBOUND
Sep 5, 2017 11:38:55 AM - Error nbjm (pid=15375) [PROXY] pid: 14926
Sep 5, 2017 11:38:55 AM - Error nbjm (pid=15375) [PROXY] Received status: 7625 with message A SSL connect failed. Status: 5 Msg: A non-recoverable I/O error occurred. The ssl error queue was empty
Sep 5, 2017 11:38:55 AM - Error nbjm (pid=15375)
cannot connect on socket (25)
Client:
If the client host ID-based certificate is corrupted or otherwise incorrect, backups will exit with status 7625. Example job details:
Sep 5, 2017 12:09:54 PM - Error bpbrm (pid=24239) [PROXY] Received status: 7625 with message A SSL connect failed. Status: 5 Msg: A non-recoverable I/O error occurred. The ssl error queue was empty
Sep 5, 2017 12:09:54 PM - Error bpbrm (pid=24239) bpcd on nbclient1 exited with status 7625: A SSL socket connect failed
Sep 5, 2017 12:09:54 PM - Error bpbrm (pid=24239) [PROXY] Connecting host: nbmaster2.nbulab.symc
Sep 5, 2017 12:09:54 PM - Error bpbrm (pid=24239) [PROXY] Received status: 7625 with message A SSL connect failed. Status: 5 Msg: A non-recoverable I/O error occurred. The ssl error queue was empty
Sep 5, 2017 12:09:54 PM - Info bpbkar (pid=0) done. status: 7625: A SSL socket connect failed
Sep 5, 2017 12:09:54 PM - started process bpbrm (pid=24239)
Sep 5, 2017 12:09:54 PM - end writing
A SSL socket connect failed. (7625)
On the media server or client, if the local host ID-based certificate can't be read, nbcertcmd -listCertDetails will return with a return value of 13 and status 5942:
nbcertcmd -listCertDetails
Failed to display certificate details for server [nbmaster2]
nbcertcmd: The -listCertDetails operation failed.
EXIT STATUS 5942: Certificate could not be read
The nbcert log on the media server or client will show that the host ID-based certificate is not present and can't be read:
11:59:06.718 [824.3156] <16> nbcertcmd@VssGetCertInfo: (../../libVnbat/vss_auth.cpp,761): vrtsAtExtractInfo returned FAILURE
//cut//
11:59:06.718 [824.3156] <16> DisplayCertDetails: Host certificate is not present for hostID [4bbbf167-d7eb-455e-87e1-7953c8791b2e]
11:59:06.718 [824.3156] <16> nbcertcmd: DisplayCertDetails failed. retval =13
11:59:06.718 [824.3156] <16> nbcertcmd: nbcertcmd command failed to list certificate details.
11:59:06.718 [824.3156] <2> nbcertcmd: EXIT STATUS 5942: Certificate could not be read
Reminder: For information about log file verbose or debug levels, see the parent article, 000127887
Solution
To correct this issue, complete the following on the host (client or media server) reporting the error:
1. Attempt to retrieve a valid host ID-based certificate:
nbcertcmd -getCertificate
2. Confirm that nbcertcmd -listCertDetails functions properly. Example:
nbcertcmd -listCertDetails
Master Server : nbmaster2
Host ID : 4bbbf167-d7eb-455e-87e1-7953c8791b2e
Issued By : /CN=broker/OU=root@nbmaster2.fqdn.com/O=vx
Serial Number : 0x6c3726920000000d
Expiry Date : Sep 05 16:06:12 2018 GMT
SHA1 Fingerprint : [Master CA Certificate fingerprint]
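
The following shell helper is an added example, not part of the original article or of the NetBackup tooling. It separates host ID-based from host name-based files in the credentials directory using the naming convention described above, and classifies captured nbcertcmd -listCertDetails output by the EXIT STATUS 5942 line. The function names and the UUID-style file name pattern (inferred from the example file name in this article) are assumptions.

```shell
# Added example: local triage for a suspected unreadable host ID-based certificate.
# Assumption: default Unix/Linux credentials path from this article.
CRED_DIR="${CRED_DIR:-/usr/openv/var/vxss/credentials}"

# Host ID-based certificate files are named with a UUID-style host ID
# (assumption based on the article's example); any other name is treated
# as a host name-based certificate.
classify_cred() {
    if printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'; then
        echo hostid
    else
        echo hostname
    fi
}

# Print the file names of host ID-based certificates found in directory $1.
list_hostid_certs() {
    for cred_path in "$1"/*; do
        [ -f "$cred_path" ] || continue
        cred_name=$(basename "$cred_path")
        [ "$(classify_cred "$cred_name")" = hostid ] && echo "$cred_name"
    done
    return 0
}

# Classify captured `nbcertcmd -listCertDetails` output read from stdin.
# Prints one of:
#   unreadable - EXIT STATUS 5942 is present (certificate could not be read)
#   ok         - a "Host ID :" detail line is present
#   unknown    - neither marker was found; inspect the nbcert log
triage_listcertdetails() {
    cert_out=$(cat)
    if printf '%s\n' "$cert_out" | grep -q 'EXIT STATUS 5942'; then
        echo unreadable
    elif printf '%s\n' "$cert_out" | grep -Eq '^[[:space:]]*Host ID[[:space:]]*:'; then
        echo ok
    else
        echo unknown
    fi
}

# Typical use on the affected host (not executed by this block):
#   list_hostid_certs "$CRED_DIR"
#   nbcertcmd -listCertDetails 2>&1 | triage_listcertdetails
```

A result of unreadable corresponds to the failure shown in the Problem section; after step 1 of the Solution, the same check should print ok.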