How to identify and resolve a corrupted certmapinfo.json file.

Article: 100039942
Last Published: 2023-10-16
Product(s): NetBackup & Alta Data Protection

Problem

When the certmapinfo.json file doesn’t exist or is corrupted:

- Backups will fail with the error:
  The peer proxy cannot find usable certificates for the certificate protocol  (7660)

- For NetBackup deployment on Kubernetes clusters, the MSDP Scaleout pods (msdpx) may fail to start.

This is also “Issue 1: A corrupted certmapinfo.json file.” as referenced in the master article for troubleshooting CRL-related problems, 100039941.

Error Message

Example, job details:
Sep 1, 2017 5:01:36 PM - Error bpbrm (pid=27612) [PROXY] Received status: 7660 with message Unable to read the certificate mapping file.
...
Sep 1, 2017 5:01:36 PM - Info bpbkar (pid=0) done. status: 7660: The peer proxy cannot find usable certificates for the certificate protocol
Sep 1, 2017 5:01:36 PM - started process bpbrm (pid=27612)
Sep 1, 2017 5:01:36 PM - end writing
The peer proxy cannot find usable certificates for the certificate protocol  (7660)

If you see any of the errors below, it could be because of a missing or corrupted certmapinfo.json file.

On the client reporting the error, if nbcertcmd -hostselfcheck returns status 5949, the certmapinfo.json file may be corrupted:

Example:
<install_path>/netbackup/bin/nbcertcmd -hostselfcheck
Unable to read CRL for server = nbmaster2, error = 13.
Unable to read certificate.
EXIT STATUS 5949: Certificate does not exist.

The nbcert log file will show an error stating that it “Failed to read mapping file”:

16:25:25.672 [3473.1] <16> doGetCertMapInfo: Failed to read mapping file [/usr/openv/var/vxss/certmapinfo.json]
...
16:25:25.673 [3473.1] <16> nbcertcmd: Failed to read certificate. error = 13
16:25:25.673 [3473.1] <2> nbcertcmd: EXIT STATUS 5949: Certificate does not exist.

Reminder: For information about log file verbose or debug levels, see the parent article, 100039941.

 

Cause

NA

 

Solution

A) On build-your-own (BYO) client or media server

1. Move or remove the certmapinfo.json file.

Certmapinfo.json default location:
Windows: <install_path>\NetBackup\var\vxss\certmapinfo.json
Unix/Linux: /usr/openv/var/vxss/certmapinfo.json

2.a). If the certificate is not revoked, run: nbcertcmd -getCertificate -force

Example:
nbcertcmd -getCertificate -force
Host certificate and certificate revocation list received successfully from server nbmaster.

2.b). If the certificate is revoked, a reissue token will be required. For details on generating a reissue token, see the NetBackup 8.1 Security and Encryption Guide.

Once the reissue token has been received, execute:
nbcertcmd -getCertificate -token <reissue_token> -force

Once completed, hostselfcheck should return the correct state:
nbcertcmd -hostselfcheck
Certificate is not revoked.
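
An added example (not Veritas code) for step 1 of procedure A: it extracts the mapping-file path from the nbcert log lines shown above, reports whether that file is missing, empty, unreadable or not parseable as JSON, and renames it instead of deleting it. It assumes "corrupted" means a syntax-level failure; the file's schema is not described in this article, so a result of "parses" does not prove the file is healthy. The function names and the .bad.<timestamp> suffix are illustrative.

```python
import json
import os
import re
import shutil
import sys
import time

# Sample input: the nbcert log lines quoted in this article.
SAMPLE_LOG = """\
16:25:25.672 [3473.1] <16> doGetCertMapInfo: Failed to read mapping file [/usr/openv/var/vxss/certmapinfo.json]
16:25:25.673 [3473.1] <16> nbcertcmd: Failed to read certificate. error = 13
16:25:25.673 [3473.1] <2> nbcertcmd: EXIT STATUS 5949: Certificate does not exist.
"""
MAPPING_ERR = re.compile(r"Failed to read mapping file \[([^\]]+)\]")

def mapping_paths_from_log(text):
    """Paths named by 'Failed to read mapping file [...]' log lines."""
    return sorted(set(MAPPING_ERR.findall(text)))

def classify(path):
    """Return 'missing', 'empty', 'unreadable', 'invalid-json' or 'parses'."""
    if not os.path.isfile(path):
        return "missing"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "unreadable"          # e.g. wrong owner or permissions
    if not data.strip():
        return "empty"
    try:
        json.loads(data)             # bytes input: encoding is auto-detected
    except ValueError:               # JSONDecodeError and UnicodeDecodeError
        return "invalid-json"
    return "parses"                  # assumption: syntax only, schema not checked

def move_aside(path):
    """Step 1: rename instead of deleting, so the bad file is kept for analysis."""
    backup = f"{path}.bad.{time.strftime('%Y%m%d%H%M%S')}"
    shutil.move(path, backup)
    return backup

if __name__ == "__main__":
    # Usage: script.py [--move] [path ...]; defaults to paths found in SAMPLE_LOG.
    args = [a for a in sys.argv[1:] if a != "--move"]
    for p in args or mapping_paths_from_log(SAMPLE_LOG):
        state = classify(p)
        print(f"{p}: {state}")
        if "--move" in sys.argv and state in ("empty", "invalid-json"):
            print("moved to", move_aside(p), "- continue with step 2")
```

A "missing" result needs no move; go straight to step 2. An "unreadable" result points at ownership or permissions on the file rather than its contents, so the script leaves it in place.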

 

B) For MSDP Scaleout (msdpx) in NetBackup deployment on Kubernetes clusters

You can use the NetBackup deduplication shell or log in to the pod.

Refer to the 'Importing certificates from the deduplication shell' topic of the NetBackup deduplication guide to get the required certificates. Importing certificates will fix the corrupted certmapinfo.json file.

OR

Log in to the pod and run the command below as the msdpsvc user:
sudo -E -u msdpsvc /usr/openv/pdde/pdopensource/nbcertcmdtool/nbcertcmdtool -atLibPath /usr/openv/pdde/pdopensource/nbcertcmdtool -getcertificate -force -token -standalone

To log in to the pod, refer to the 'Logging in to the pods' topic of the NetBackup Deployment Guide for Kubernetes Clusters.
For details on generating a reissue token, see the NetBackup 8.1 Security and Encryption Guide.

References

Etrack : 4135291
