Description
Creating a reissue token
A host ID-based certificate can be reissued if the non-master host is already registered with the master server but its host ID-based certificate is no longer valid. For example, a certificate is not valid when it has expired, is revoked, or is lost.
A reissue token is a type of token that can be used to reissue a certificate. It is a special type of token because it retains the same host ID as the original certificate. Since a reissue token is bound to a specific host, the token cannot be used to request certificates for additional hosts.
To create a reissue token using the NetBackup Administration Console
- In the NetBackup Administration Console, expand Security Management > Certificate Management.
- In the right pane, select the host that requires a reissue token.
- From the Actions menu, select Generate Reissue Token.
- In the Create Reissue Token dialog, enter a name for the token.
- Select a date for token validity from the Valid until option.
Note:
The Maximum Uses Allowed setting is not available as it is when a new token is created. A reissue token must be used one time for a specific host.
- In the Reason field, enter a reason for the reissue token. The reason appears in the log as an audit event.
- Click Create.
- The reissue token appears in a dialog. Select Copy to save the token value to the clipboard.
- Convey the token value to the administrator of the non-master host. How the token is conveyed depends on various security factors in the environment. The token may be transmitted by email, by file, or verbally.
The administrator of the non-master host deploys the token to obtain another host ID-based certificate. See the following topic for instructions:
To create a reissue token using the nbcertcmd command
- The master server administrator must be logged in to the NetBackup Web Management Service to perform this task. Use the following command to log in:
bpnbat -login -logintype WEB
- Run one of the following commands on the master server:
Use the host name for which the certificate needs to be reissued:
nbcertcmd -createToken -name token_name -reissue -host host_name
Note:
You must provide the primary name of the host for which you want to reissue the certificate. If you provide any of the host ID-to-host name mappings that are added for the host, the certificate cannot be reissued.
Use the host ID for which the certificate needs to be reissued:
nbcertcmd -createToken -name token_name -reissue -hostId host_id
Additional parameters can be used to indicate validity duration and the reason for creation.
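The command-line procedure above, as an added example (not Veritas code): a POSIX shell function that checks the inputs and prints the reissue command for review before it is run on the master server. The -validFor and -reason options are taken from the nbcertcmd command reference rather than from this page, and the seven-day ceiling, the character checks and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not Veritas code: builds the reissue-token command for review.
# -validFor and -reason come from the nbcertcmd command reference; the day
# ceiling and the character checks below are hypothetical site policy.
MAX_DAYS=7

# reissue_cmd NAME host|hostId TARGET DAYS REASON
# Prints the command to run on the master server after
# "bpnbat -login -logintype WEB"; returns 2 on rejected input.
reissue_cmd() {
  name=$1 kind=$2 target=$3 days=$4 reason=$5

  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "bad token name" >&2; return 2 ;;
  esac
  case $kind in
    host)    # caller must pass the primary host name, not a mapped name
      case $target in
        ''|*[!A-Za-z0-9.-]*) echo "bad host name" >&2; return 2 ;;
      esac ;;
    hostId)  # assumption: host IDs contain only hex digits and dashes
      case $target in
        ''|*[!0-9A-Fa-f-]*) echo "bad host ID" >&2; return 2 ;;
      esac ;;
    *) echo "kind must be host or hostId" >&2; return 2 ;;
  esac
  case $days in
    ''|*[!0-9]*) echo "days must be a whole number" >&2; return 2 ;;
  esac
  if [ "$days" -lt 1 ] || [ "$days" -gt "$MAX_DAYS" ]; then
    echo "validity must be 1 to $MAX_DAYS days" >&2; return 2
  fi
  # The reason lands in the audit log: require it, and keep it to plain text
  # so it can be single-quoted safely.
  bad=$(printf %s "$reason" | tr -d 'A-Za-z0-9 ._:-')
  [ -n "$reason" ] && [ -z "$bad" ] || { echo "bad or missing reason" >&2; return 2; }

  printf "nbcertcmd -createToken -name %s -reissue -%s %s -validFor %sd -reason '%s'\n" \
    "$name" "$kind" "$target" "$days" "$reason"
}

# Constructed sample values
reissue_cmd reissue_client07 host client07.example.com 1 "certificate expired"
```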
Additional steps to request a certificate for a renamed NetBackup host
In addition to reissuing a token, the following steps are required to request a certificate for a renamed NetBackup host.
To request a certificate for a host after a host name change
- The NetBackup administrator of the master server generates a reissue token for the renamed NetBackup host.
- Add the new host name as one of the approved host ID-to-host name mappings by using the NetBackup Administration Console.
See Adding host ID to host name mappings.
Alternatively, you can use the nbhostmgmt -add command-line interface option.
For more information about the nbhostmgmt command, see the 'nbhostmgmt' section in the Command References Guide.
- The NetBackup administrator must revoke the host ID-based certificate for the renamed host.
See Revoking a host ID-based certificate.
Note:
After the certificate is revoked, the host is unable to communicate with the NetBackup Web Management Console service (nbwmc). When the host obtains a new certificate using the reissue token, the host can communicate with nbwmc again.
- After the certificate is revoked, the administrator of the non-master host must use the reissue token to get a certificate for the renamed host.