Problem
Unable to configure cloud storage and getting an error after passing the credentials page in the cloud storage configuration wizard.
Error Message
Error in BE UI :
The Server was unable to complete the requested operation.
Unable to connect to the CloudStorage device. Ensure that the network is properly configured between the device and the Backup Exec server.
BEMSDK Failure Code: E0009B3F
Error in SGMON :
BESERVER: [07/12/17 14:00:39] [11856] 51 STSOBJECT: STS Debug Info: session (20864620): 'AmzResiliency: <RETRY HISTORY> cURL error: 60(Peer certificate cannot be authenticated with given CA certificates), multi cURL error: 0(OK), STS Error: 2060017(system call failed), HTTP status: 0, Retry type: RETRY_NOT_APPLICABLE, Wait before retry: 0 Sec, Retry Time: Jul 12 14:00:39'
Cause
Backup Exec is configured to trust a number of well known public CA's related to Cloud storage. However, it is possible that some vendor certificates may need to be appended in BE cacert.pem file which is located in BE Install Path\ in order for the configuration to work.
Solution
Obtain the updated SSL CA Certificate information from the Cloud Provider or Vendor.
Use the following instructions to add a missing or replace an expired certificate issued by the cloud provider, or Certificate Authority (CA) to the cacert.pem file at BE Install Path.
** NOTE ** An upgrade of the Backup Exec will revert any changes made to the cacert.pem file. The steps will need to be done again when BE is upgraded or updated.
1) Confirm that the self-signed or public CA certificate is in Base64 PEM (Privacy Enhanced Mode) format.
2) Edit cacert.pem from BE Install Path on BE server :
3) Append the self-signed or public CA certificate to the beginning or at the bottom of cacert.pem, and save the file. The entry will look similar to the following example:
Custom Certificate Header
============================
----BEGIN CERTIFICATE-----
dGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNl
HbG9iYWxSb290IENsYXNzIDMwggEiMA0GCSqGSIb3DgMq92oV
3Ox+M6pCSzyU9XDFES4hqX2iys52qMzVNn6chr3IhUciJFrf2blw2
.........
LzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuImle9eiPZaGzPImNC1q
kp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4pTp==
-----END CERTIFICATE-----
If the device certificate was issued by one or more intermediary CAs, then the entire SSL Certifcate chain should be appended to the cacert.pem file.
Open a text editor and paste the entire body of each certificate into one text file in the following order to create the certificate chain:
... Device Certificate ... Intermediate Certificate L2 ... Intermediate Certificate L1 ... Root Certificate
Make sure to include the beginning and end tags on each certificate. The resulting certificate chain should look like this:
-----BEGIN CERTIFICATE-----
(Device SSL certificate: YourDeviceName.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate L2: L2CertIssuer.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate L1: L1CertIssuer.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRootCA.crt)
-----END CERTIFICATE-----
4) Restart all BE services and reconfigure or re-run the specific operation to verify the working.
Example 1: Adding a cloud bucket from Chunghwa Telecom will need the following certificate to be appended to cacert.pem ( Restart BE services after appending and saving the below certificate to cacert.pem file)
-----BEGIN CERTIFICATE-----
MIIF+TCCA+GgAwIBAgIQFDWW8kQacWeYP/yVl0GbUzANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0
ZC4xKjAoBgNVBAsMIWVQS0kgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0xNDEyMTEwODUxNTlaFw0zNDEyMTEwODUxNTlaMGAxCzAJBgNVBAYTAlRXMSMw
IQYDVQQKDBpDaHVuZ2h3YSBUZWxlY29tIENvLiwgTHRkLjEsMCoGA1UECwwjUHVi
bGljIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDoZb9Rajtfyy5ggweoejMEaTKKALXa8s/SO/k6NaH2
b55gz3SBMazyWWn8rXUndm//t0HJibE/mWJzbUKhmMxtoOPCL5oGTdkxKsNEcIqg
SnUQIhc4HRuTfVcLNS76MYE6HpLlDzGX5BfVqIdfze+Y/T2Mm7xBvtxu48SS9poV
79BsP7w7hIUAo7gLBhnovNLKaKFci/bnok24R/un7PKH5H1UlhCvhsSyuMvMCL7p
kean0CYO+ucTIZ7CobzuzpGthtxlt9rSR9XpzHKZ7HSr+/Dz/i+UG6eQ5ppFs+gP
IQQZAKBuWtCNwKW+6KEfJ+kIz4YqJP/YVpLeG0RV57g5AgMBAAGjggGvMIIBqzAf
BgNVHSMEGDAWgBQeDPe2Z/LhkiYJRcBVOS53P0JKojAdBgNVHQ4EFgQUy4N9ZRWv
qcnzqKn0ZHx5UgV0QGEwDgYDVR0PAQH/BAQDAgEGMEAGA1UdHwQ5MDcwNaAzoDGG
L2h0dHA6Ly9lY2EuaGluZXQubmV0L3JlcG9zaXRvcnkvQ1JMX1NIQTIvQ0EuY3Js
MIGLBggrBgEFBQcBAQR/MH0wRAYIKwYBBQUHMAKGOGh0dHA6Ly9lY2EuaGluZXQu
bmV0L3JlcG9zaXRvcnkvQ2VydHMvSXNzdWVkVG9UaGlzQ0EucDdiMDUGCCsGAQUF
BzABhilodHRwOi8vb2NzcC5lY2EuaGluZXQubmV0L09DU1Avb2NzcEcxc2hhMjAS
BgNVHRMBAf8ECDAGAQH/AgEAMHUGA1UdIARuMGwwDQYLKwYBBAGBtyNkAAEwDQYL
KwYBBAGBtyNkAAIwDQYLKwYBBAGBtyNkAAMwCQYHYIZ2AWQAATAJBgdghnYBZAAC
MAkGB2CGdgFkAAMwCAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZI
hvcNAQELBQADggIBAIfkDpU4Yj1QLp4CTeI1b5Q5xKYsUdaBx1V/VD+F+KV6flV5
mNbiHQ3KA337GC4vQqJBBHM15eaaaPCgci0YnNhi68wWrdetQ9E1zCFZw/HCsnJr
dKNgAWjCPe/4tK/AcJyztnMVeU3I+A3ApYVysfu9HhA6V7uAh1AVyrv6Ivlui2tZ
amgOgpMd3qirzm4s3LCPTttJ0Q5oAIrxdw+lxPm8/Ef/yR2Dkq2dcrbPO6HdO3Lw
bn0/WtZMeWlfU+WuoixM59yCPg72Y/RqAGI2neC3Na3QM+0g08OcBQGtSjQfdyGs
a8egWnsDNRunYmTZ13RwVRWKXXeCWFjI+URbErttSTO8sf4mXbIoyCz1JfVfZzVa
ZMBN7y0td5JWz1M+L9FMu/cWnuqWPiGc20C11LGjNfG5ejqc15TE7WOeWDPTR1Mo
pXM35I4NZKVlxfSR53g87DD1kvjtwxjAGOoqZzpXOoe1GakMRUA2tBd6FG6GttbE
l2QZK1w/t/zMlCfpdlTyG7zOcz/lKbn4GEPGwx5FPUPWVpVIZgeeFn5MWru7ts2n
vuFULQzP3Cfl94o9IkNHlXEfX0P/vXYjQnsOt3tr70+4ww9yOx3zBcvUNpYnYXDw
RLVTe4UDo++xEwimY7U7uEg3ukwCK+mlnsnabQYKflkSTf/EqonpTlEbhZve
-----END CERTIFICATE-----
Example 2 : Adding a cloud bucket from Dell EMC ECS S3 compatible Cloud provider may need below certificate appended to cacert.pem.
-----BEGIN CERTIFICATE-----
MIIEFTCCAv2gAwIBAgIJAN6BnESf6X3lMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD
VQQGEwJJTjELMAkGA1UECAwCTUgxDTALBgNVBAcMBFBVTkUxEDAOBgNVBAoMB1ZF
UklUQVMxCzAJBgNVBAsMAkJFMRYwFAYDVQQDDA0qLnZlcml0YXMuY29tMSgwJgYJ
KoZIhvcNAQkBFhlnYXVyYXZsYWtzaHlhMjNAZ21haWwuY29tMB4XDTIzMDYyNzA1
MDkwOVoXDTIzMDcyNzA1MDkwOVowgYoxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJN
SDENMAsGA1UEBwwEUFVORTEQMA4GA1UECgwHVkVSSVRBUzELMAkGA1UECwwCQkUx
FjAUBgNVBAMMDSoudmVyaXRhcy5jb20xKDAmBgkqhkiG9w0BCQEWGWdhdXJhdmxh
a3NoeWEyM0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQChDR7XttX+xRuZNnGJdtH4nyOZ1mxBep+ewpSJng4dKXN1B5A5uI3FW3G6PNq1
qjD3Ifs3pb2MMYsS7hiDM1cRgJEd6DHzWrTpe8PIWXaT7PjeHBfI8wNHvfk9PqtT
dN0I1jddeumycba4hnvbmFVuhdkabWjCA8qz3KDxS6GtDdMmposiJRClp7EuaJIc
Cj0nMViQ8YrRTCRTyrOBTOPaTc9GVY5fc0CBTtbWsiCmw60V/Dy9M0+wCyqCi3SJ
yM/LQdL0kOLMd0YiT4RjdDYIBpXQ4VZ9+/oKXYPx90/19JBDwnXp1TLdABFXuIkI
6dQ0IoVz5434iOVtgGslqQRLAgMBAAGjfDB6MCkGA1UdEQQiMCCCGGx1bmEucnN2
LnZlbi52ZXJpdGFzLmNvbYcEClQMRDALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYI
KwYBBQUHAwEwHQYDVR0OBBYEFOepkDievrvSQ2hTxyWq4BuHsJSoMAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFVBFxXBTka5w0syK/6cQ8nSvL3vfn8G
QYtriFVnwpGZlbFcn5uSP2Dmk9tyHd2R0iT7f5nHcyxCBx0wEdDNPOksQmB9mESE
XnzEYdLt1BIRdkPi4XZYgrYVdyI3XWdKwnITwrMBbHfmv9usty3thRiw0eGuUwIT
HyR/BBI9cbTSMlI+vtSTFilLtHwcR+UcDt7EZ5gZOWDNjuGNIfV+5DYN5AEYKa3Z
oLexOc4QvGdS3VzXBIG5btTf0vp7zDBoDLvxVebVTTSKgnUB4kgomNX0Um5rYOln
yqjbB9lij1d5Dx9q/O5qXMFCnPt1f9ySutqwi34PjSAwzFRwQCUCUXQ=
-----END CERTIFICATE-----
Related Knowledge Base Articles
References
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.