Veritas NetBackup™ Commands Reference Guide

Product(s): NetBackup (8.0)

Name

nbcertcmd — request and manage the host ID-based security certificates and tokens that are used to authorize certificate requests.

SYNOPSIS

nbcertcmd -cleanupToken [-server master_server_name]

nbcertcmd -createCertRequest -requestFile request_file_name [-server master_server_name]

nbcertcmd -createToken -name token_name [-reissue -host host_name | -hostId host_id] [-maxUses number] [-validFor numDnumHnumM] [-reason description_for_auditing] [-server master_server_name]

nbcertcmd -checkClockSkew [-server master_server_name]

nbcertcmd -deleteToken -name token_name [-reason description_for_auditing] [-server master_server_name]

nbcertcmd -deployCertificate -certificateFile certificate_file_name

nbcertcmd -displayToken -name token_name [-json] [-server master_server_name]

nbcertcmd -getCACertificate [-file hash_file_name] [-cluster] [-server master_server_name]

nbcertcmd -getCertificate [-token | -file authorization_token_file] [-force] [-cluster] [-server master_server_name]

nbcertcmd -getSecConfig -certDeployLevel [-server master_server_name]

nbcertcmd -listAllCertificates [-jks]

nbcertcmd -listCACertDetails [-json] [-cluster]

nbcertcmd -listCertDetails [-json] [-cluster]

nbcertcmd -listToken [-all] [-json] [-server master_server_name]

nbcertcmd -removeCACertificate -fingerPrint certificate_fingerprint [-cluster]

nbcertcmd -renewCertificate [-cluster] [-server master_server_name]

nbcertcmd -revokeCertificate -host host_name | -hostId host_id [-reasonCode value] [-server master_server_name]

nbcertcmd -setSecConfig -certDeployLevel level [-server master_server_name]

nbcertcmd -signCertificate -token | -file authorization_token_file -requestFile request_file_name -certificateFile certificate_file_name

On UNIX systems, the directory path to this command is

/usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is

<install path>\NetBackup\bin\

DESCRIPTION

The nbcertcmd command is used to request and manage host ID-based security certificates on each NetBackup host. A NetBackup host can be a master server, media server, or client.

This command is also used to create and manage the authorization tokens that may be required to request certificates for NetBackup hosts.

Additionally, the command is used to set and retrieve the security configuration attributes.

The Privilege details table lists the operations that require administrator privileges and also the operations that do not require special privileges.

Table: Privilege details

Commands that require NetBackup administrator privileges

-cleanupToken, -createToken, -deleteToken, -displayToken, -listToken, -revokeCertificate, and -setSecConfig

Note:

These operations require a bpnbat web log-on (bpnbat -login -logintype WEB) using an account that has NetBackup administrator privileges.

Commands that require host administrator privileges

-createCertRequest, -deployCertificate, -getCACertificate, -getCertificate, -listAllCertificates, -listCertDetails, -removeCACertificate, and -renewCertificate

Commands that do not require special privileges

-checkClockSkew, -getSecConfig, -listCACertDetails, and -signCertificate

For more information about host ID-based security certificates and authorization tokens, see the NetBackup Security and Encryption Guide.

The nbcertcmd command supports the following operations:

-cleanupToken

Deletes the tokens that have reached their maximum usage count or have expired.

-createCertRequest

Generates a host ID-based security certificate signing request on the NetBackup host and saves it into the specified file. The command should be used on the NetBackup host when there is no connectivity with the master server. The command must be executed on the NetBackup host for which you want to request the certificate.

Use the -server option to specify the master server name in the certificate signing request. This name is the master server from which the NetBackup host expects the certificate.

-createToken

Creates a token for authorizing certificate requests.

-checkClockSkew

Displays the time difference (in seconds) between the current host and the master server.

-deleteToken

Deletes the specified token.

-deployCertificate

Reads the host security certificate from the specified certificate file and deploys it on the NetBackup host. The command must be executed on the NetBackup host on which the certificate signing request was generated.

-displayToken

Displays the attributes and the value of a specified token.

-getCACertificate

Connects to the master server and gets the certificate of the Certificate Authority (CA). It then displays the fingerprint of the certificate and adds it to the local trust store after confirmation from the user.

-getCertificate

Requests a host ID-based security certificate for the NetBackup host from the master server and adds it to the local certificate store.

-getSecConfig

Retrieves the specified security configuration attribute.

-listAllCertificates

Lists the details of all security certificates that are available on the NetBackup host.

-listCACertDetails

Lists the details of trusted CA certificates that are stored in the local trust store of the NetBackup host.

-listCertDetails

Lists the certificate details for each security certificate that is deployed on the NetBackup host.

-listToken

Lists the tokens. The option does not display the token value.

-removeCACertificate

Removes from the trust store the CA certificate whose fingerprint matches the input fingerprint. Use the -listCACertDetails option to view the fingerprints of existing CA certificates.

-renewCertificate

Renews an existing NetBackup host ID-based security certificate.

-revokeCertificate

Revokes a host ID-based security certificate. The NetBackup host can no longer use the certificate to communicate with the master server.

-setSecConfig

Sets the specified security configuration attribute.

-signCertificate

Reads the certificate signing request from the specified request file and sends it to the master server that is listed in the signing request. The signed certificate is stored in the specified certificate file. The command must be executed on the NetBackup host which has connectivity with the master server.

Note:

Clustered NetBackup hosts have two certificate stores, a local certificate store and a global certificate store. The command operates on the local certificate store by default, unless the -cluster option is specified.

Note:

The nbcertcmd command does not support non-US ASCII (non-7-bit ASCII) characters for user-defined strings.

OPTIONS

-all

Displays all tokens, including the tokens that have reached their maximum usage count or have expired.

-certDeployLevel level

Specifies the certificate's deployment level. The option is applicable for both the -getSecConfig and -setSecConfig commands. The -setSecConfig command requires that you specify a level. Certificate deployment levels for the -setSecConfig parameter are:

0 - Very High: Automatic certificate deployment is disabled.

1 - High: Certificates are automatically deployed to known hosts.

2 - Medium: Certificates are automatically deployed to all requesting hosts.

-certificateFile certificate_file_name

Specifies the path of the certificate file.

-cluster

Performs the operation on the global certificate store.

-file file_name

Specifies the path of the file containing either the authorization token (on the first line) or the CA certificate hash.

-fingerPrint certificate_fingerprint

Specifies the CA certificate fingerprint.

-force

Overwrites the certificate if it exists.

-host host_name

Specifies the host name.

-hostId host_id

Specifies the NetBackup host ID.

-jks

Displays the Tomcat certificate information from Java keystore. This option is available only on the NetBackup master server.

-json

Generates output data in JSON format.

-maxUses number

Specifies the maximum usage count of the token. If this option is not specified, the default value is 1. The maximum value for maxUses is 99999.

-name token_name

Specifies the token name.

-reason description_for_auditing

Specifies the reason that is stored in the audit record for this operation.

-reasonCode value

Specifies a reason code for revocation of a certificate. The values that are shown are the only valid numbers for the -reasonCode value:

0 - Unspecified, 1 - Key Compromise, 2 - CA Compromise, 3 - Affiliation Changed, 4 - Superseded, 5 - Cessation of Operation

-reissue

Creates a token that can be used to reissue a certificate. Use this option with either the -host option or the -hostId option.

-requestFile file_name

Specifies the path of the certificate request file.

-server master_server_name

Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration.

-token

Indicates that an authorization token is used for the request. Prompts the user to securely specify a token.

-validFor numDnumHnumM

Specifies the validity period of the token as a number of days (D), hours (H), and minutes (M). For example, 12D6H30M gives a validity of 12 days, 6 hours, and 30 minutes. You can specify one or more of these values; for instance, to set the validity of the token to 12 hours, specify 12H without values for days or minutes. If this option is not specified, the default value is 24 hours. The maximum validity period that you can specify is 999 days.
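The limits documented above for -name, -maxUses, and -validFor can be checked before a token is requested, so that a long-lived or many-use token is a deliberate choice rather than a typing slip. The shell functions below are an added example, not part of the Veritas guide; the function names are hypothetical, and the example assumes that units appear in D, H, M order, that a zero validity is rejected, and that the 999-day maximum applies to the total period.

```shell
#!/bin/sh
# Added example: pre-flight checks for nbcertcmd -createToken arguments.
# Assumed (not stated in the guide): units come in D, H, M order, a zero
# validity is rejected, and the 999-day maximum applies to the total period.
MAX_MINUTES=$((999 * 1440))

# Print the validity in minutes for a numDnumHnumM string; return 1 if invalid.
validfor_to_minutes() {
    vf_rest=$1 vf_total=0
    for vf_unit in D:1440 H:60 M:1; do
        vf_letter=${vf_unit%%:*} vf_mult=${vf_unit#*:}
        case $vf_rest in *"$vf_letter"*) ;; *) continue ;; esac
        vf_num=${vf_rest%%"$vf_letter"*}
        vf_rest=${vf_rest#*"$vf_letter"}
        case $vf_num in ''|*[!0-9]*) return 1 ;; esac
        [ "${#vf_num}" -le 6 ] || return 1
        # Strip leading zeros so shell arithmetic does not read octal.
        while [ "${vf_num#0}" != "$vf_num" ] && [ -n "${vf_num#0}" ]; do
            vf_num=${vf_num#0}
        done
        vf_total=$((vf_total + vf_num * vf_mult))
    done
    # Leftover text means a missing unit letter, a repeat, or wrong order.
    [ -z "$vf_rest" ] || return 1
    [ "$vf_total" -gt 0 ] && [ "$vf_total" -le "$MAX_MINUTES" ] || return 1
    printf '%s\n' "$vf_total"
}

# Return 0 only if name, maxUses and validFor are within the documented limits.
# Omitted values fall back to the documented defaults (1 use, 24 hours).
check_token_args() {
    ct_name=$1 ct_uses=${2:-1} ct_valid=${3:-24H}
    [ -n "$ct_name" ] || return 1
    # Printable 7-bit ASCII only (rejecting control bytes is this example's choice).
    ct_extra=$(printf '%s' "$ct_name" | LC_ALL=C tr -d ' -~')
    [ -z "$ct_extra" ] || return 1
    case $ct_uses in ''|*[!0-9]*) return 1 ;; esac
    [ "${#ct_uses}" -le 5 ] && [ "$ct_uses" -ge 1 ] || return 1
    validfor_to_minutes "$ct_valid" >/dev/null
}

# Values from Example 1 of the guide (name acme01_HR05, validity 10D).
if check_token_args acme01_HR05 1 10D; then
    echo "token arguments accepted"
fi
```
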

EXAMPLES

Example 1: Create a token to request a certificate re-issue.

# nbcertcmd -createToken -name acme01_HR05 -reissue -validFor 10D -host HRfileserver.acme.com -reason "issued token on request of Alice through email dated 12/08/2016"

Token XXXXXXXXXXXXXXXX created successfully.

Example 2: Obtain a certificate from a specified master server using a token.

# nbcertcmd -getCertificate -token -server nbmaster01.acme.com

Authorization Token: 
Host certificate received successfully from server nbmaster01.acme.com.

Example 3: Request and deploy a certificate on a NetBackup host that has no connectivity with the master server.

  • Run the command that is shown on the NetBackup host that has no connectivity with the master server:

    # nbcertcmd -createCertRequest -requestFile /tmp/request_file_name -server master.servername

    Host certificate request generated successfully.

  • Copy the /tmp/request_file_name to a NetBackup host that has connectivity with the master server and run the command that is shown on that NetBackup host:

    # nbcertcmd -signCertificate -file authorization_token_file -requestFile /tmp/request_file_name -certificateFile /tmp/signed_certificate

    Sending certificate request to server: master.servername

    Host certificate request signed successfully.

  • Copy the /tmp/signed_certificate to the original NetBackup host where the request file (/tmp/request_file_name) was generated and run the command shown:

    # nbcertcmd -deployCertificate -certificateFile /tmp/signed_certificate

    Deploying certificate from master server: master.servername

    Host certificate deployed successfully

SEE ALSO

See bpnbat.