Veritas NetBackup™ Commands Reference Guide
NAME
configureWebServerCerts — provides a way to enable the NetBackup domain to support NetBackup or external certificate authorities. Lets the user configure certificates for the NetBackup web server.
SYNOPSIS
-addNBCert
-removeNBCert [-force]
-addExternalCert [-nbHost | -webUI | -all] {[-certPath path_to_certificate_file] [-privateKeyPath path_to_certificate_key_file] [-trustStorePath path_to_CA_certificate_file] [-passphrasePath path_to_passphrase_file]} [-crlCheckLevel DISABLE | LEAF | CHAIN] [-crlPath directory_path_to_CRLs]
-addExternalCert [-nbHost | -webUI] [-copyNbHost | -copyWebUI]
-removeExternalCert [-nbHost | -webUI | -all] [-force]
-validateExternalCert {[-certPath path_to_certificate_file] [-privateKeyPath path_to_certificate_key_file] [-trustStorePath path_to_CA_certificate_file] [-passphrasePath path_to_passphrase_file] [-crlCheckLevel DISABLE | LEAF | CHAIN] [-crlPath directory_path_to_CRLs] [-fmt DETAILS | FAILURES_ONLY]}
On UNIX systems, the directory path to this command is /usr/openv/wmc/bin/install/
On Windows systems, the directory path to this command is install_path\NetBackup\wmc\bin\install\
DESCRIPTION
The configureWebServerCerts command provides a way to configure external or NetBackup certificates for the NetBackup web server. A NetBackup web server instance uses the Java Keystore as the repository for security certificates.
You must have root or administrator rights on the master server to run this command.
If you are running this command for the first time, you need to restart the NetBackup Web Management Console service (nbwmc) after you run the command.
If the NetBackup Messaging Broker (nbmqbroker) service is enabled, then you must restart the service after you successfully run the configureWebServerCerts command.
NetBackup does not support Windows certificate store as a source for the NetBackup web server certificates.
This command does not apply to the NetBackup appliance.
OPTIONS
- -addExternalCert
Configures an external certificate for the web server.
- -addNBCert
Configures the NetBackup certificate authority signed certificate for the web server.
- -all
Configures an external certificate for communication between NetBackup hosts as well as with the NetBackup web user interface.
- -certPath
Specifies the path to the certificate file. This command does not support the use of Windows certificate store paths.
A certificate file must have a certificate chain with certificates in the correct order. The chain starts with the server certificate, also known as the leaf certificate, followed by zero or more intermediate certificates. The chain must contain all intermediate certificates up to the Root CA certificate but should not contain the Root CA certificate itself. The chain is created such that each certificate in the chain signs the previous certificate in the chain.
The certificate file should be in one of the following formats:
PKCS #7 or P7B file that is either DER or PEM encoded that has certificates in the specified order.
A file with the PEM certificates that are concatenated together in the specified order.
- -copyNbHost
Specifies that web UI communication uses the same certificate that is used for host communication.
- -copyWebUI
Specifies that host communication uses the same certificate that is used for web UI communication.
- -crlCheckLevel
Specifies the revocation check level for external certificates of the host. You can specify the following values:
DISABLE: Revocation check is disabled. Revocation status of the certificate is not validated against the CRL during host communication.
LEAF: The revocation status of the leaf certificate is validated against the certificate revocation list (CRL). LEAF is the default value for this option.
CHAIN: The revocation status of all certificates in the certificate chain is validated against the CRL.
- -crlPath
Specifies the path to the directory where the certificate revocation lists (CRL) of the external CA are located.
- -fmt DETAILS | FAILURES_ONLY
Provides details of the validation checks that are run for the external certificate-specific configuration options. The DETAILS option provides a report of all successful and all failed validation checks. The FAILURES_ONLY option provides a report of only the failed checks.
- -force
Use the -force option to forcefully remove the certificate. After the removal, if there is no certificate configured for the web server, the NetBackup Web Management Console service cannot start.
- -nbHost
Configures an external certificate for communication between NetBackup hosts.
- -passphrasePath
Specifies the path to the passphrase file that stores the passphrase, which is used to encrypt the private key.
- -privateKeyPath
Specifies the path to the private key file of the certificate.
NetBackup supports PKCS #1 and PKCS #8 formatted private keys that are either plain text or encrypted. These may either be PEM or DER encoded. If, however, the key is PKCS #1 encrypted, it must be PEM encoded. For encrypted private keys, NetBackup supports the following encryption algorithms:
DES, 3DES, and AES if the private key is in the PKCS #1 format.
DES, 3DES, AES, RC2, and RC4 if the private key is in the PKCS #8 format.
- -removeExternalCert
Removes the external certificate that you have configured for the web server for communication between NetBackup hosts, the NetBackup web user interface, or both, based on the option you have configured. Use this command with the -nbHost, -webUI, or -all options.
- -removeNBCert
Removes the NetBackup certificate that you have configured for the web server for communication between NetBackup hosts as well as with the NetBackup web user interface.
- -trustStorePath
Specifies the path to the certificate authority bundle file. The certificate authority bundle file should be in one of the following formats:
PKCS #7 or P7B file having certificates of the trusted root certificate authorities that are bundled together. This file may either be PEM or DER encoded.
A file containing the PEM encoded certificates of the trusted root certificate authorities that are concatenated together.
- -validateExternalCert
Verifies whether the external certificate-specific configurations that are provided are valid or not. It provides a report of successful and failed validation checks.
- -webUI
Configures an external certificate for communication with the NetBackup web user interface.
EXAMPLES
Example 1: Configure an external certificate for the web server for NetBackup host communication.
configureWebServerCerts -addExternalCert -nbHost -certPath /root/example_certs/device.crt -privateKeyPath /root/example_certs/device.key -trustStorePath /root/example_certs/rootCA.pem -passphrasePath /root/example_certs/PassPhrase.txt
Example 2: Configure an external certificate for the web server for host communication using the certificate that you have configured for communication with web UI.
configureWebServerCerts -addExternalCert -webUI -copyNbHost
Example 3: Remove the external certificates that you have configured for all kinds of communication - web UI and NetBackup host.
configureWebServerCerts -removeExternalCert -all
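The following script is an added example and is not part of the NetBackup documentation or tooling. It checks the ordering that -certPath requires for a file of concatenated PEM certificates (leaf first, then intermediates, no Root CA certificate) by comparing issuer and subject name hashes with openssl. The function name check_chain_order is hypothetical and openssl is assumed to be installed; the check covers name chaining only, not signatures, and does not read PKCS #7 files.

```shell
#!/bin/sh
# Added example: pre-check a concatenated-PEM chain file for -certPath.
# Usage (after sourcing this file): check_chain_order <chain.pem>
# Returns 0 if the order is correct, 1 if the order is wrong or a
# self-issued (root) certificate is present, 2 if the file cannot be read.

check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert.%02d.pem", d, n++) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"

    rc=0 pos=0 prev_issuer=""
    for c in "$tmp"/cert.*.pem; do
        [ -e "$c" ] || { echo "no PEM certificates in $bundle" >&2; rc=2; break; }
        pos=$((pos + 1))
        subj=$(openssl x509 -in "$c" -noout -subject_hash 2>/dev/null)
        issr=$(openssl x509 -in "$c" -noout -issuer_hash 2>/dev/null)
        if [ -z "$subj" ] || [ -z "$issr" ]; then
            echo "certificate $pos: cannot be parsed" >&2; rc=2; break
        fi
        # Each certificate must be issued by the one that follows it.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "certificate $pos is not the issuer of certificate $((pos - 1))" >&2
            rc=1; break
        fi
        # Subject equal to issuer means a self-issued certificate, that is,
        # a Root CA certificate, which the chain file must not contain.
        if [ "$subj" = "$issr" ]; then
            echo "certificate $pos is self-issued (Root CA in chain file)" >&2
            rc=1; break
        fi
        prev_issuer=$issr
    done
    rm -rf "$tmp"
    return $rc
}
```

A chain that passes this check should still be run through configureWebServerCerts -validateExternalCert, which reports the product's own validation results.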