Problem
After applying an ECA certificate, login to the Administrator Java GUI fails with "Verification of X.509 certificate failed when connecting to the bpjava msvc service".
Error Message
"Verification of X.509 certificate failed when connecting to the bpjava msvc service"
Cause
If you have an intermediate certificate (from a certificate chain), the sequence of the certificates in the path should be leaf certificate > intermediate certificate.
Solution
For NetBackup 8.1.2.1 & 8.2
- Append the leaf certificate and intermediate certificates in a single file, with the leaf certificate at the top, and provide that file's path in "ECA_CERT_PATH".
# grep ECA /usr/openv/net*/bp.conf
ECA_CERT_PATH=/etc/server_certs/master-server-name.domain.com.cer >>> this includes host + intermediate cert (certificate-int.pem)
ECA_PRIVATE_KEY_PATH=/etc/server_certs/new_certificatekey_master_server_name.pem
ECA_TRUST_STORE_PATH=/etc/server_certs/trust.pem >>>>> this includes root CA cert
ECA_MASTER_SERVER_LIST=master-server-name.domain.com
- Take a backup of the above certificates.
- Append the intermediate CA details to the host certificate by running x509 on both certificates and then appending the content together in this format:
For example, host certificate + intermediate CA is displayed as follows:
-----BEGIN CERTIFICATE-----
(host certificate's base64 data here)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate's base64 data here)
-----END CERTIFICATE-----
- Now add this new certificate file for "ECA_CERT_PATH".
Run the command:
<install_path>/wmc/bin/install/configureWebServerCerts -addExternalCert -all -certPath /etc/server_certs/certificate-int.pem -privateKeyPath /etc/server_certs/new_certificatekey_master_server_name.pem -trustStorePath /etc/server_certs/trust.pem
- Now enroll them with nbcertcmd -enrollcertificate
On UNIX systems, the directory path to this command is
/usr/openv/netbackup/bin/
On Windows systems, the directory path to this command is
<install path>\NetBackup\bin\
- Now you can log in to the Java GUI.
NOTE: The customer needs to check how many intermediate CA certificates they have in their environment.
Another way to confirm the same: if you can connect to the Web UI but not to the Java GUI, open the Web UI link and click the certificate icon to check.
For more information, refer to: Veritas NetBackup™ Security and Encryption Guide