How to generate a Certificate Revocation List (CRL) when it is not automatically generated on the master server during installation.
Article: 100039736
Last Published: 2017-09-15
Product(s): NetBackup & Alta Data Protection
Problem
Under some circumstances, the certificate revocation list (CRL) may not be deployed automatically during installation. This article describes corrective actions that should be taken.
Cause
This issue can be caused by one of the following:
- The security web application has not started, took a long time to start, or took a long time to generate the certificate revocation list, which caused the certificate revocation deployment to fail.
- Some of the NetBackup core services have not started.
- The web service user certificate that is used for communication with Certificate Authority (CA) is not deployed.
- The master server does not have a NetBackup host certificate for itself.
Solution
To resolve the issue, review the following possible causes:
Cause 1 - The security web application has not started, took a long time to start, or took a long time to generate the certificate revocation list, which caused the certificate revocation deployment to fail.
Complete the following procedure to manually deploy the certificate revocation list (CRL):
- Check whether the security web application in the NetBackup Web Management Console service (nbwmc) is up and running using bptestnetconn:
Windows:
<Install_Path>\NetBackup\bin\bptestnetconn -wnbwmc/security -T 5 -e 2 -H <master_server_name>
Unix:
/usr/openv/netbackup/bin/bptestnetconn -wnbwmc/security -T 5 -e 2 -H <master_server_name>
For example:
On Windows:
"C:\Program Files\Veritas\NetBackup\bin\bptestnetconn" -wnbwmc/security -T 5 -e 2 -H masterserver1
On Unix:
/usr/openv/netbackup/bin/bptestnetconn -wnbwmc/security -T 5 -e 2 -H masterserver
If the security web app status is SUCCESS, proceed to Step 3.
If the status is FAIL, proceed to Step 2.
- Restart the NetBackup Web Management Console service using the following commands:
On Windows:
<Install_Path>\NetBackup\bin\bpdown -e "NetBackup Web Management Console" -f -v
<Install_Path>\NetBackup\bin\bpup -e "NetBackup Web Management Console" -f -v
For example:
"C:\Program Files\Veritas\NetBackup\bin\bpdown" -e "NetBackup Web Management Console" -f -v
"C:\Program Files\Veritas\NetBackup\bin\bpup" -e "NetBackup Web Management Console" -f -v
Alternatively, you may use Service Control Manager to restart the NetBackup Web Management Console service.
On Unix:
/usr/openv/netbackup/bin/nbwmc -terminate
/usr/openv/netbackup/bin/nbwmc
- Run the following command to deploy the CRL:
On Windows:
<Install_Path>\NetBackup\bin\nbcertcmd -getCrl
Example:
"C:\Program Files\Veritas\NetBackup\bin\nbcertcmd" -getCrl
On Unix:
/usr/openv/netbackup/bin/nbcertcmd -getCrl
If on a NetBackup cluster, use the -cluster argument to update the global certificate revocation list instead.
Example:
/usr/openv/netbackup/bin/nbcertcmd -getCrl -cluster
Note: For more details on CRLs in NetBackup, refer to the NetBackup Security and Encryption Guide.
https://www.veritas.com/docs/DOC5332
Cause 2 - Some of the NetBackup core services have not started.
Carry out the following procedure to resolve the issue:
- Check the status of the following services by running the bpps command from the NetBackup/bin directory:
- nbatd
- NB_dbsrv (on Unix) or the dbsrv16 (on Windows)
- If either nbatd or NB_dbsrv / dbsrv16 is not started, restart NetBackup.
- Deploy the certificate revocation list manually using the following command:
On Windows:
<Install_Path>\NetBackup\bin\nbcertcmd -getCrl
Example:
"C:\Program Files\Veritas\NetBackup\bin\nbcertcmd" -getCrl
On Unix:
/usr/openv/netbackup/bin/nbcertcmd -getCrl
If on a NetBackup cluster, use the -cluster argument to update the global certificate revocation list instead.
Example:
/usr/openv/netbackup/bin/nbcertcmd -getCrl -cluster
Note: For more details on certificate revocation lists in NetBackup, refer to the NetBackup Security and Encryption Guide.
https://www.veritas.com/docs/DOC5332
Cause 3 - The web service user certificate that is used for communication with Certificate Authority (CA) is not deployed.
Carry out the following procedure to resolve the issue:
- Check the web service user certificate at the following location:
On Windows: <Install_Path>/NetBackup/var/global/vxss/nbcertservice
On Windows Cluster: <Shared_Disk>\var\global\nbcertservice
On Unix: /usr/openv/var/global/vxss/nbcertservice
There should be a directory using the name of the account, which was provided to the web service. For example, if the default web service user ‘nbwebsvc’ is used, the directory structure is as follows:
nbwebsvc/.VRTSat/profile/certstore
- If the path is not available, run the nbcertconfig command to generate the certificate:
On Windows:
<Install_Path>\NetBackup\bin\admincmd\nbcertconfig -u
Example:
"C:\Program Files\Veritas\NetBackup\bin\admincmd\nbcertconfig" -u
On Unix:
/usr/openv/netbackup/bin/admincmd/nbcertconfig -u
Note: On Windows, the web service user password must be set in the ‘WEBSVC_PASSWORD’ shell variable before executing the nbcertconfig command.
- Restart the NetBackup services.
- Run the following commands to deploy the certificate revocation list:
On Windows:
<Install_Path>\NetBackup\bin\nbcertcmd -getCrl
Example:
"C:\Program Files\Veritas\NetBackup\bin\nbcertcmd" -getCrl
On Unix:
/usr/openv/netbackup/bin/nbcertcmd -getCrl
If on a NetBackup cluster, use the -cluster argument to update the global certificate revocation list instead.
Example:
/usr/openv/netbackup/bin/nbcertcmd -getCrl -cluster
Note: For more details on certificate revocation lists in NetBackup, refer to the NetBackup Security and Encryption Guide.
https://www.veritas.com/docs/DOC5332
If the problem persists, contact the Veritas Technical Support team.
Cause 4 - The master server does not have a NetBackup host certificate for itself.
Carry out the following procedure to resolve the issue:
- Check the list of deployed certificates for an entry corresponding to the master server hostname using the following command:
On Windows:
<Install_Path>\NetBackup\bin\nbcertcmd -listCertDetails
Example:
"C:\Program Files\Veritas\NetBackup\bin\nbcertcmd" -listCertDetails
On Unix:
/usr/openv/netbackup/bin/nbcertcmd -listCertDetails
If on a NetBackup cluster, use the -cluster argument to check the global certificate store.
Example:
/usr/openv/netbackup/bin/nbcertcmd -listCertDetails -cluster
If the expected master server hostname is not present in the list of certificates, proceed to the next step.
- Refer to the NetBackup Security and Encryption Guide to manually deploy the host certificate (and, by extension, the certificate revocation list).
https://www.veritas.com/docs/DOC5332
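The checks for Causes 1 to 4 on a Unix master server, combined into one read-only triage function followed by the CRL deployment command. This is an added example, not Veritas code. The function and variable names (crl_triage, crl_deploy, NB_BIN, NB_CERTSVC, WEBSVC_USER) are hypothetical, and the script assumes that the word SUCCESS, the process names and the master server host name appear verbatim in the output of the respective commands.

```shell
#!/bin/sh
# Added example: triage of the four causes in this article (Unix master server).
# Assumption: the status word, process names and host name appear verbatim in
# the output of bptestnetconn, bpps and nbcertcmd -listCertDetails.
NB_BIN="${NB_BIN:-/usr/openv/netbackup/bin}"
NB_CERTSVC="${NB_CERTSVC:-/usr/openv/var/global/vxss/nbcertservice}"
WEBSVC_USER="${WEBSVC_USER:-nbwebsvc}"   # default web service user

# crl_triage <master_server_name> [-cluster]
# Prints the numbers of all causes that apply (e.g. "1 3"); empty if none.
# Read-only: it restarts nothing and deploys nothing.
crl_triage() {
    master="$1"; cluster="${2:-}"; found=""

    # Cause 1: the security web application in nbwmc does not report SUCCESS.
    "$NB_BIN/bptestnetconn" -wnbwmc/security -T 5 -e 2 -H "$master" 2>&1 |
        grep -q 'SUCCESS' || found="$found 1"

    # Cause 2: nbatd or NB_dbsrv is missing from the bpps process list.
    procs=$("$NB_BIN/bpps" 2>/dev/null) || procs=""
    for p in nbatd NB_dbsrv; do
        printf '%s\n' "$procs" | grep -q "$p" || { found="$found 2"; break; }
    done

    # Cause 3: the web service user's certificate store directory is absent.
    [ -d "$NB_CERTSVC/$WEBSVC_USER/.VRTSat/profile/certstore" ] ||
        found="$found 3"

    # Cause 4: no deployed certificate mentions the master server host name.
    "$NB_BIN/nbcertcmd" -listCertDetails $cluster 2>&1 |
        grep -qF -- "$master" || found="$found 4"

    echo $found   # unquoted on purpose: trims the leading space
}

# crl_deploy [-cluster]
# Deploys the CRL once triage is clean; pass -cluster on a NetBackup cluster.
crl_deploy() {
    "$NB_BIN/nbcertcmd" -getCrl ${1:+"$1"}
}

# Usage on the master server:
#   causes=$(crl_triage masterserver1); [ -z "$causes" ] && crl_deploy
```

A non-empty result names the cause sections above to work through before running the deployment command again.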