Veritas NetBackup™ Troubleshooting Guide
- Introduction
- Troubleshooting procedures
- Troubleshooting NetBackup problems
- Troubleshooting vnetd proxy connections
- Troubleshooting security certificate revocation
- Verifying host name and service entries in NetBackup
- Frozen media troubleshooting considerations
- Troubleshooting problems with the NetBackup web services
- Resolving PBX problems
- Troubleshooting problems with validation of the remote host
- About troubleshooting Auto Image Replication
- Using NetBackup utilities
- About the NetBackup support utility (nbsu)
- About the NetBackup consistency check utility (NBCC)
- About the robotic test utilities
- Disaster recovery
- About disk recovery procedures for UNIX and Linux
- About clustered NetBackup server recovery for UNIX and Linux
- About disk recovery procedures for Windows
- About clustered NetBackup server recovery for Windows
- About recovering the NetBackup catalog
- About NetBackup catalog recovery and OpsCenter
- About recovering the entire NetBackup catalog
- About recovering the NetBackup catalog image files
- About recovering the NetBackup relational database
Troubleshooting issues with external CA-signed certificate revocation
The NetBackup CRL cache is updated with the required CRLs using either ECA_CRL_PATH or CDPs.
For more details, refer to the About certificate revocation lists for external CA chapter from the NetBackup Security and Encryption Guide.
The certificate revocation list is unavailable (NetBackup status code - 5982)
The NetBackup is not configured with correct CRL path or the certificate does not contain valid CDP.
The host does not have a CRL cached in the NetBackup CRL cache.
- If the ECA_CRL_PATH setting is specified in the NetBackup configuration file, ensure the following:
ECA_CRL_PATH has the correct CRL directory path
CRL directory contains CRLs for all required certificate issuers (based on the ECA_CRL_CHECK setting)
If the CDP is used (ECA_CRL_PATH is not specified)
Ensure that the certificate has at least one CDP (with HTTP/HTTPS protocol) that points to a CRL that includes revocation information for all reasons.
CDP URL is accessible.
- Ensure that the CRL is valid in the directory specified for ECA_CRL_PATH or at CDP location.
CRL is in PEM or DER format.
CRL is not expired.
CRL is not a delta CRL.
CRL's last update date is not in future.
- If the bpclntcmd -crl_download service is running, terminate it using the bpclntcmd -terminate command and retry the operation.
- Examine the required CRLs are available in the NetBackup CRL cache at the following location:
UNIX:/usr/openv/var/vxss/crl
Windows: install_path\NetBackup\var\vxss\crl
- If the issue persists, examine bpclntcmd logs at the following location:
UNIX: /usr/openv/netbackup/logs/bpclntcmd
Windows: install_path\NetBackup\logs\bpclntcmd
The NetBackup is functioning correctly even if the certificate is revoked or the NetBackup operations are failing with the error 'certificate is revoked' even if the certificate is not revoked.
The NetBackup host's CRL cache is not updated.
- Verify if the CRLs at the following location are updated:
UNIX: /usr/openv/var/vxss/crl
Windows: install_path\NetBackup\var\vxss\crl
If not, cleanup the cached CRLs for issuers in the certificate chain as per the ECA_CRL_CHECK setting.
For cleanup operation, use the nbcertcmd -cleanupCRLCache -issuerHash SHA-1_hash_of_CRL_issuer_name command.
- If the ECA_CRL_PATH setting is specified in the NetBackup configuration file, ensure that it contains the latest CRLs for all the required issuers.
- If the bpclntcmd -crl_download service is running, terminate it using the bpclntcmd -terminate command and retry the operation.