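Handling NetBackup Certificate Expiry - NBU Error 8506
Starting with NBU 8.1, NBU introduced a certificate mechanism that encrypts communication between NBU clients and NBU servers, securing data in transit and improving the security of the backup system. While security improved, it also brought many problems to the NBU backup platform, which had always been very stable. Among NBU after-sales support incidents today, backup system failures caused by certificate problems account for a large share.
Recently I ran into a problem where the NBU certificate had expired, causing the following errors: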
A backup job fails with Status 8506: The certificate has expired.
NetBackup Administration Console fails to login to the Master Server with Status 7656: Certificate Revocation List is out of date.
"nbcertcmd -getCertificate -force" fails with Status 8625: Server is unavailable to process the request. Please try later.
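Solution 1:
Install the EEB patch, which must be downloaded with a customer account. So far, EEBs are available for all versions before 8.2. The EEB renews the NBU certificate automatically. Detailed documentation is provided with the EEB download; in short, stop the services and install the EEB.
Solution 2:
Reissue the certificate.
Steps for a non-clustered NBU on Windows:
Note the version differences in step 4!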
0) set WEBSVC_PASSWORD=<nbwebsvc password>
1) C:\Windows\System32\sc.exe stop "NetBackup Web Management Console"
2) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -u -i
3) <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -m
4) On 8.0 and 8.1: <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -t
On 8.1.1 and 8.1.2: <Install_Path>\NetBackup\bin\admincmd\nbcertconfig -t -f
5) <Install_Path>\NetBackup\wmc\bin\install\configureWmc
6) <Install_Path>\NetBackup\wmc\bin\install\configureCerts
7) <Install_Path>\NetBackup\wmc\bin\install\setupWmc
8) C:\Windows\System32\sc.exe start "NetBackup Web Management Console"
9) <Install_Path>\NetBackup\bin\nbcertcmd -getCACertificate
10) <Install_Path>\NetBackup\bin\nbcertcmd -getCertificate -force
If the operation fails, perform the steps at "Create a token" section then return to this step.
11) Remove the <install_path>\NetBackup\var\global\vxss\nbcertservice\install_token file
If step 10 fails, refer to the following:
Create a token:
Perform the following steps on the Master Server in order to get "nbcertcmd -getCertificate -force" finished successfully.
a) For Cluster Aware and Non-Cluster Aware:
Windows: <install_path>\NetBackup\bin\bpnbat -login -loginType WEB
You will be prompted to enter the information as the following example.
e.g.
Authentication Broker [MasterServer1 is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap) [unixpwd is default]:
Domain [MasterServer1 is default]: example.netbackup.com
Login Name [root is default]:
Password:
b) For Cluster Aware and Non-Cluster Aware:
Windows: <Install_Path>\netbackup\bin\nbcertcmd -createToken -name <token_name> -reissue -host <Master server name>
e.g. nbcertcmd -createtoken -name token1 -reissue -host MasterServer1
Token EFITVNDRKTWHXRCM created successfully.
c) For Non-Cluster Aware:
Windows: <install_path>\NetBackup\bin\nbcertcmd -getCACertificate
<install_path>\NetBackup\bin\nbcertcmd -getCertificate -token <token_ID> -force
e.g. nbcertcmd -getcertificate -token EFITVNDRKTWHXRCM -force
Steps for a non-clustered NBU on Linux:
UNIX/Linux: Clustered Master Server: Active Node:
1) /usr/openv/netbackup/bin/nbwmc -terminate
2) /usr/openv/netbackup/bin/admincmd/nbcertconfig -u -i
3) /usr/openv/netbackup/bin/admincmd/nbcertconfig -m
4) On 8.0 and 8.1: /usr/openv/netbackup/bin/admincmd/nbcertconfig -t
On 8.1.1 and 8.1.2: /usr/openv/netbackup/bin/admincmd/nbcertconfig -t -f
5) /usr/openv/wmc/bin/install/configureWmc
6) /usr/openv/wmc/bin/install/configureCerts
7) /usr/openv/wmc/bin/install/setupWmc
8) /usr/openv/netbackup/bin/nbwmc -start
9) /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
10) /usr/openv/netbackup/bin/nbcertcmd -getCACertificate -cluster
11) /usr/openv/netbackup/bin/nbcertcmd -getCertificate -cluster -force
12) /usr/openv/netbackup/bin/nbcertcmd -getCertificate -force
If the operation fails, perform the steps at "Create a token" section on this node then return to this step.
13) Remove the /usr/openv/var/global/vxss/nbcertservice/install_token file
If step 10 fails: in my case step 10 did not fail, so I cannot elaborate on it and can only refer to the KB, as follows:
Create a token:
Perform the following steps on the Master Server in order to get "nbcertcmd -getCertificate -force" finished successfully.
a) For Cluster Aware and Non-Cluster Aware:
UNIX/Linux: /usr/openv/netbackup/bin/bpnbat -login -loginType WEB
You will be prompted to enter the information as the following example.
e.g.
Authentication Broker [MasterServer1 is default]:
Authentication port [0 is default]:
Authentication type (NIS, NISPLUS, WINDOWS, vx, unixpwd, ldap) [unixpwd is default]:
Domain [MasterServer1 is default]: example.netbackup.com
Login Name [root is default]:
Password:
b) For Cluster Aware and Non-Cluster Aware:
UNIX/Linux: /usr/openv/netbackup/bin/nbcertcmd -createToken -name <token_name> -reissue -host <Master server name>
e.g. nbcertcmd -createtoken -name token1 -reissue -host MasterServer1
Token EFITVNDRKTWHXRCM created successfully.
c) For Non-Cluster Aware:
UNIX/Linux: /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
/usr/openv/netbackup/bin/nbcertcmd -getCertificate -token <token_ID> -force
e.g. nbcertcmd -getcertificate -token EFITVNDRKTWHXRCM -force
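The `nbcertcmd -getCertificate -force` step and its "Create a token" fallback, scripted for the UNIX/Linux paths as an added example (not from the KB or the original post). The names `NBCERTCMD`, `parse_token` and `renew_host_cert` are assumptions of this sketch; it assumes the interactive `bpnbat -login -loginType WEB` has already been done and does not cover the `-cluster` variants.

```shell
#!/bin/sh
# Added example, not from the KB. NBCERTCMD, parse_token and renew_host_cert
# are names assumed for this sketch.
NBCERTCMD=${NBCERTCMD:-/usr/openv/netbackup/bin/nbcertcmd}

# Extract the token value from the line
#   "Token <VALUE> created successfully."
# Prints nothing when the output has any other shape (e.g. an error).
parse_token() {
    sed -n 's/^Token \([A-Z]\{1,\}\) created successfully\.$/\1/p'
}

# renew_host_cert <master> [token_name]
# Prints "direct" or "token" to say which path renewed the certificate.
# The token value itself is never printed by this script.
renew_host_cert() {
    master=$1
    name=${2:-token1}

    "$NBCERTCMD" -getCACertificate || { echo "getCACertificate failed" >&2; return 1; }

    if "$NBCERTCMD" -getCertificate -force; then
        echo direct
        return 0
    fi

    # Fallback ("Create a token"). Assumes the interactive
    # bpnbat -login -loginType WEB has already been done in this session.
    token=$("$NBCERTCMD" -createToken -name "$name" -reissue -host "$master" | parse_token)
    if [ -z "$token" ]; then
        echo "no token in createToken output" >&2
        return 2
    fi

    "$NBCERTCMD" -getCACertificate || return 1
    "$NBCERTCMD" -getCertificate -token "$token" -force || {
        echo "getCertificate with token failed" >&2; return 3; }
    echo token
}

# Usage on the master server: renew_host_cert MasterServer1
```

A non-zero return identifies the stage that failed: 1 for the CA certificate fetch, 2 when no token could be read from the `-createToken` output, 3 when the token-based request was rejected.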
For expired certificates on media servers and clients, refer to the following:
Workaround on Media Servers and Clients:
Perform the following commands on each Media Server and Client to obtain the new certificate.
UNIX/Linux: /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
/usr/openv/netbackup/bin/nbcertcmd -getCertificate -force
Notes: In case NetBackup Clients are in cluster environments, perform the above commands on each node.
Reference: https://www.veritas.com/support/en_US/article.100044601
北京信诺时代科技发展有限公司
www.sinoage.com
Backup & DR Team