How to configure a 3rd Party CA for the WebUI in NetBackup version 8.1.2

Article: 100044723
Last Published: 2019-02-06
Product(s): NetBackup & Alta Data Protection

Problem

Customers may want to configure a 3rd party CA certificate for the WebUI in NetBackup versions 8.1.2 and later. The steps below may help TSEs and customers configure those certificates.

Solution for 8.1.2

Prior to running through the instructions below, the following should be verified or made available:

1. Verify the WebUI is operational without the 3rd party CA Certificate installed.
2. From the CA Vendor, gather the following:

  • The CA Certificate
  • The LEAF Certificate
  • The LEAF Private Key

After the above has been completed/gathered, move on to creating the Java KeyStore file.

Creating the Java KeyStore file

There are 5 steps to successfully importing a 3rd party Certificate. All must be completed successfully.

1. Convert the PEM formatted x509 Cert and Private Key to a PKCS #12 file, using the following command:

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name nbwmc -CAfile certificate.crt -passout pass:password1

For more information on openssl usage, refer to https://www.openssl.org/.

Note: Ensure that you secure the PKCS #12 file with a password. When a password is not applied to the file, you may get a null reference exception when you try to import the file.

2. Import the pkcs12 certificate file to a Java Keystore, using the following commands:

keytool -importkeystore -noprompt -deststorepass password2 -destkeypass password2 -destkeystore keystorefile.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias nbwmc -srcstorepass password1

Note: Specify the same password for the -deststorepass and -destkeypass options. Otherwise, you may get an exception when the web server starts. For the password, only alphanumeric characters are supported.

3. Import the root CA certificate into JAVA KeyStore using the following command:

keytool -importcert -noprompt -trustcacerts -file certificate.crt -keystore keystorefile.jks -storepass password2 -alias ca1

4. Create a key password file with any name, and place in it the password given for the "-storepass" option in step 3.

5. Configure the certificates in NetBackup.

6. Stop and restart nbwmc

Solution for 8.1.2.1 and later:

The 8.1.2.1 version of NetBackup introduces the configureWebServerCerts script which will replace the steps listed for the 8.1.2 version.

To configure the 3rd party certificate in 8.1.2.1, complete the following:

1.  Run configureWebServerCerts with the location of the CA certificate, local/LEAF certificate and key file:

Linux/Unix:
/usr/openv/wmc/bin/install/configureWebServerCerts -addExternalCert -webUI -certPath /Certs/master.pem -privateKeyPath /Certs/master_privatekey.pem -trustStorePath /Certs/CACert.pem

Windows:
"C:\Program Files\Veritas\NetBackup\wmc\bin\install\configureWebServerCerts" -addExternalCert -webUI -certPath C:\Certs\nbmaster1.pem -privateKeyPath C:\Certs\nbmaster1_privatekey.pem -trustStorePath C:\Certs\CACert.pem

2.  Stop and restart nbwmc

Examples for 8.1.2

Actual commands will vary based on installation path and certificate types/names.  

Linux/Unix

For the example commands in the process below, the following files will be used:

/Certs/CACert.pem  -- CA Certificate         
/Certs/master.pem  -- LEAF Certificate
/Certs/master_privatekey.pem  -- LEAF private key.

*Note that actual file names may vary.  For example, the certificate (in place of LEAF Certificate) may end with a .cer or other type, and the key files may end with .key.   Please consult your security administrator to help map the file names correctly in order to run the commands.

1. Convert PEM formatted x509 Cert and Private Key to a PKCS #12 file:

openssl pkcs12 -export -in /Certs/master.pem -inkey /Certs/master_privatekey.pem -out /Certs/server.p12 -name nbwmc -CAfile /Certs/CACert.pem -passout pass:password1

2. Import the pkcs12 certificate file to a Java Keystore:

keytool -importkeystore -noprompt -deststorepass password2 -destkeypass password2 -destkeystore /Certs/keystorefile.jks -srckeystore /Certs/server.p12 -srcstoretype PKCS12 -alias nbwmc -srcstorepass  password1

3. Import the root CA certificate into JAVA KeyStore:

keytool -importcert -noprompt -trustcacerts -file /Certs/CACert.pem -keystore /Certs/keystorefile.jks -storepass password2 -alias ca1

4. Create a key password file with any name, and place in it the password given for the "-storepass" option in step 3. In this example the file is named password.txt and contains the password "password2".
     a. vi /Certs/password.txt
     b. Put password2 in the file, then save and exit.


5. Configure the certificates in NetBackup:

/usr/openv/wmc/bin/install/configureTPCerts -keystorefile /Certs/keystorefile.jks -keystorepassfile /Certs/password.txt
 

6. Stop and restart nbwmc
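
The inputs to the Linux/Unix steps above can be checked before the keystore is handed to configureTPCerts. The script below is an added example, not part of this article or of NetBackup; its function names are hypothetical, and it assumes an unencrypted PEM private key and a CA file that is the root which issued the LEAF certificate directly.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files used in steps 1-5.
# Function names are hypothetical; none of this ships with NetBackup.

# The note in step 2 allows only alphanumeric keystore passwords.
password_is_alnum() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# The password file holds the keystore password in clear text, so it
# must carry no group/other permission bits (e.g. mode 600).
passfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# LEAF certificate and private key must contain the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# LEAF must verify against the CA file imported as alias ca1 in step 3
# (assumption: that file is the root that issued the LEAF directly).
leaf_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# usage: preflight LEAF_CERT LEAF_KEY CA_CERT PASSWORD_FILE
preflight() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 and $2 do not match"; rc=1; }
    leaf_chains_to_ca "$1" "$3" || { echo "FAIL: $1 does not verify against $3"; rc=1; }
    passfile_is_private "$4" || { echo "FAIL: $4 is readable by group/other"; rc=1; }
    password_is_alnum "$(cat "$4" 2>/dev/null)" || { echo "FAIL: password is empty or not alphanumeric"; rc=1; }
    return "$rc"
}

# Run only when called with the four paths, e.g.
#   sh preflight.sh /Certs/master.pem /Certs/master_privatekey.pem /Certs/CACert.pem /Certs/password.txt
if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one check printed a FAIL line; the password file created with vi in step 4 typically needs chmod 600 to pass.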

Windows

For the example commands in the process below, the following files will be used:

C:\Certs\CACert.pem  -- CA Certificate
C:\Certs\nbmaster1.pem  -- LEAF Certificate
C:\Certs\nbmaster1_privatekey.pem  -- LEAF private key

*Note that actual file names may vary.  For example, the certificate (in place of LEAF Certificate) may end with a .cer, and the key files may end with .key.   Please consult your security administrator to help map the file names correctly in order to run the commands.

1. Convert PEM formatted x509 Cert and Private Key to a PKCS #12 file:

"C:\Program Files\Veritas\NetBackup\bin\goodies\vxsslcmd" pkcs12 -export -in C:\Certs\nbmaster1.pem -inkey C:\Certs\nbmaster1_privatekey.pem -out C:\Certs\nbmaster1.p12 -name nbwmc -CAfile C:\Certs\CACert.pem -passout pass:password1

2. Import the pkcs12 certificate file to a Java Keystore:

"C:\Program Files\Veritas\NetBackup\jre\bin\keytool" -importkeystore -noprompt -deststorepass password2 -destkeypass password2 -destkeystore C:\Certs\keystorefile.jks -srckeystore C:\Certs\nbmaster1.p12 -srcstoretype PKCS12 -alias nbwmc -srcstorepass password1

3. Import the root CA certificate into JAVA KeyStore:

"C:\Program Files\Veritas\NetBackup\jre\bin\keytool" -importcert -noprompt -trustcacerts -file C:\Certs\CACert.pem -keystore C:\Certs\keystorefile.jks -storepass password2 -alias ca1

4. Create a key password file with any name, and place in it the password given for the "-storepass" option in step 3. In this example the file is named password.txt and contains the password "password2".

     a. Open Notepad or WordPad.

     b. Put password2 in the file, then save and exit.

5. Configure the certificates in NetBackup:

"C:\Program Files\Veritas\NetBackup\wmc\bin\install\configureTPCerts" -keystorefile C:\Certs\keystorefile.jks -keystorepassfile C:\Certs\password.txt

6. Stop and restart nbwmc

 

For additional information, see the topic "About external CA support in NetBackup" in the NetBackup Security and Encryption Guide version 8.2 or later.

 
