Netbackup client certificate

problem solution

Absence of security certificate on a

NetBackup host Deploying a
security certificate
Description
Deploying a security certificate on a NetBackup host
NetBackup hosts may require a security certificate for authentication for various purposes. If so,
you must use a NetBackup command to deploy a certificate for each host that requires one.
When using the NetBackup Administration Console to log into a host that does not have a
security certificate installed, the following message appears, stating that a security certificate is
mandatory.

Choose one of the following procedures to deploy a security certificate on NetBackup hosts:
Deployment scenario
(Actual procedures follow this Purpose
table)
Use this procedure to:
Deploying a security
certificate for a master
server, including a master
server in a cluster

Deploying a security

Deploy or re-create a security certificate for a stand

alone master server.
Deploy security certificates to all of the nodes in a
NetBackup master server cluster.
Exception: Not required for a Microsoft Windows Server Failover
Cluster (WSFC) after a NetBackup push installation to the
WSFC.
This procedure uses IP address verification to identify the

certificate for media

servers or clients

target NetBackup host and then deploy the certificate.

With this procedure, you can deploy a certificate for an
individual host, for all media servers, or for all clients.

Creating a host identity

and then deploying a
security certificate for a
media server or client

This procedure requires that you run a command on the

NetBackup master server to create an identity for the target
host. Then, you must run a command on the target host to
obtain the certificate from the master server.
With this procedure, you can deploy a certificate for an
individual host.

Notes:

These procedures assume that the hotfix has been installed as described
in VTS16-001.

You must be a NetBackup administrator to deploy certificates.

Deploying a security certificate is a one-time activity for a given NetBackup

host.

Deploying a security certificate for a master server including a master server in a cluster

Perform this procedure for the master server. If the master server is part of a cluster, perform this
procedure on the active node.
To deploy a security certificate for a NetBackup master server
1. Run the following command on the master server:

Windows: install_path\NetBackup\bin\admincmd\bpnbaz
-ConfigureAuth -force
UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz -ConfigureAuth
-force
2. Stop and restart all NetBackup processes and services:
To stop all NetBackup processes and services:
On Windows systems:
install_path\NetBackup\bin\bpdown -f
On UNIX and Linux systems:
/usr/openv/netbackup/bin/bp.kill_all
To start all NetBackup processes and services:
On Windows systems:
install_path\NetBackup\bin\bpup -f

 On UNIX and Linux systems:

/usr/openv/netbackup/bin/bp.start_all
3. If the master server is part of a cluster, restart the NetBackup Service Layer
service and the NetBackup Vault Manager service on the active node of the
master server.
Deploying a security certificate for media servers or clients

This procedure works well when deploying certificates to many hosts at one time. As with
NetBackup deployment in general, this method assumes that the network is secure.
To deploy a security certificate for media servers or clients
1. Run the following command on the master server, depending on your
environment. Specify the name of an individual host, specify
-AllMediaServers, or specify -AllClients.

Windows: install_path\NetBackup\bin\admincmd\bpnbaz
-ProvisionCert host_name|-AllMediaServers|-AllClients
UNIX: /usr/openv/netbackup/bin/admincmd/bpnbaz
-ProvisionCert host_name|-AllMediaServers|-AllClients
NetBackup appliance (as a NetBackup command line user): bpnbaz
-ProvisionCert Media_server_name
2. Restart the NetBackup Service Layer service on the master server.

No services need to be restarted if the target host is a NetBackup client.

Creating a host identity and then deploying a security certificate for a media server or client

This procedure works best when deploying certificates to a small number of hosts. The same
password must be entered once on the master server, and then again on the target host, so this
method is considered to be more secure.
To create a host identity and then deploy a security certificate for a media server or client
1. Run the following command on the master server to create an identity for the
target NetBackup host:

Windows: install_path\NetBackup\bin\bpnbat
addmachine target_hostname
UNIX: /usr/openv/netbackup/bin/bpnbat
addmachine target_hostname
Enter a password of your choice when prompted and make a note of it.
2. Run the following command on the target NetBackup host to obtain a
certificate from the master server and deploy it:

Windows: install_path\NetBackup\bin\bpnbat loginmachine

UNIX: /usr/openv/netbackup/bin/bpnbat loginmachine
Enter the master server name as the authentication broker name when prompted. Enter the same
computer name and password that were used to create the target host identity on the master
server.
Note: If a target host has multiple host names, repeat the steps for each host name.
Terms of use for this information are found in Legal Notices.