How to perform automatic mini reset of NetBackup certificates using configureCerts script

Description

Mini Reset of NetBackup Certificates are manual steps which redeploy following certificates

• User Certificates
• Machine Name Certificate
• Tomcat Certificate
• Smart Card Certificate

The manual Steps are documented at this Article  Tomcat and nbwebsvc certificates are not renewed automatically on the master server with non-English locale

From NetBackup 10.2 onwards, It is possible to run configureCerts script to automatically reissue the web server certificate. The script is available on the primary server. 

To reset the web server (Tomcat) certificates, use the following configureCerts options:

• -reset_webserver_certs
• -validate_webserver_certs
• -rollback_webserver_certs

For each of these options, -verbose argument is available. It displays all the steps that are performed.

Details of the new configureCerts options: 

-reset_webserver_certs

• This option is used to reset the web service certificates.
• While performing this operation, backup files are created for each file at the same place with a suffix as "_backup".

• These files are backed up during the reset operation -

• {NB_INSTALL_DIR}/var/global/vxss/eab
• {NB_INSTALL_DIR}/var/global/vxss/nbgateway
• {NB_INSTALL_DIR}/var/global/vxss/tomcatcreds
• {NB_INSTALL_DIR}/var/global/vxss/websvccreds
• {NB_INSTALL_DIR}/var/global/vxss/nbcertservice
• {NB_INSTALL_DIR}/var/global/mqbroker
• {NB_INSTALL_DIR}/var/global/credjkskey
• {NB_INSTALL_DIR}/var/global/webrootcert.pem
• {NB_INSTALL_DIR}/var/global/wmc/config/tomcat.logging.properties
• {NB_INSTALL_DIR}/var/global/wsl/webserver/conf/server.xml
• {NB_INSTALL_DIR}/var/global/wsl/credentials/nbwebservice.bcfks
• {NB_INSTALL_DIR}/var/global/wsl/config/tomcat_config

• The locations of the backup files are displayed on the console.

• If the backup files are already present on the system as a part of a previous reset activity, the script asks to remove the existing files. If you choose yes, all backup files are removed and it proceeds resetting.
• If you choose no, the script stops and you will have to remove the existing backup files manually.
• After the reset operation if all operations succeed, you are prompted to perform the -validate_webserver_cert operation.
• During the reset operation if the script fails, the rollback operation is triggered internally and the system goes back to its earlier stage where the reset operation was started. 
   

-validate_webserver_certs

• This option is used to validate whether the existing web service certificates are configured and are working properly.
• We can use this option before or after the -reset_webserver_certs operation.
• This operation requires the nbwmc and nbmqbroker services to be running.

-rollback_webserver_certs 

• This option is used to rollback the -reset_webserver_certs operation.
• If the -validate_webserver_certs operation fails, use -rollback_webserver_certs option to rollback.
• This operation rolls back all the backup files that were created during the reset operation.
• If validation is successful, you can either retain backup files or remove them.  

Note: 

• If the reset option needs to be run on Windows, enter the websvc password or set WEBSVC_PASSWORD=<nbwebsvc_password>.
• While performing the reset operation, nbwmc and mqbroker services should be stopped and nbatd should be up.
• During the reset operation, some of the files are backed up. You can see on the console where the backup files are created.
• If the backup files are already present on the system as a part of a previous reset activity, the script asks to remove the existing files. If you choose yes, all backup files are removed and it proceeds resetting.
• If you choose no, the script stops and you will have to remove the existing backup files manually.
• After the reset operation if all operations succeed, you are prompted to perform the -validate_webserver_cert operation.
• During the reset operation if the script fails, the rollback operation is triggered internally and the system goes back to its earlier stage where the reset operation was started.  

Script location

• Linux: /usr/openv/wmc/bin/install/configureCerts
• Windows: install_path\NetBackup\wmc\bin\install\configureCerts.bat