Veritas NetBackup™ Troubleshooting Guide
- Introduction
- Troubleshooting procedures
- Troubleshooting NetBackup problems
- Troubleshooting vnetd proxy connections
- Troubleshooting security certificate revocation
- Verifying host name and service entries in NetBackup
- Frozen media troubleshooting considerations
- Troubleshooting problems with the NetBackup web services
- Resolving PBX problems
- Troubleshooting problems with validation of the remote host
- About troubleshooting Auto Image Replication
- Using NetBackup utilities
- About the NetBackup support utility (nbsu)
- About the NetBackup consistency check utility (NBCC)
- About the robotic test utilities
- Disaster recovery
- About disk recovery procedures for UNIX and Linux
- About clustered NetBackup server recovery for UNIX and Linux
- About disk recovery procedures for Windows
- About clustered NetBackup server recovery for Windows
- About recovering the NetBackup catalog
- About NetBackup catalog recovery and OpsCenter
- About recovering the entire NetBackup catalog
- About recovering the NetBackup catalog image files
- About recovering the NetBackup relational database
Determining a NetBackup host's certificate state
You can determine the state of a NetBackup certificate: Active or Revoked. Doing so may help troubleshoot connection and communication problems. Three methods exist to determine a certificate state, as follows:
Verify a host certificate from the host itself | The method uses the NetBackup nbcertcmd command. |
Verify a host certificate from a NetBackup server | The method uses the NetBackup bptestbpcd command. See “To verify from a NetBackup server if a different host's certificate is revoked”. |
Verify a host certificate from the NetBackup Administration Console | See “To verify a host's certificate using the NetBackup Administration Console”. |
To verify the host's certificate state from the host
- Optionally, on the NetBackup host run the following command as an administrator to get the most recent certificate revocation list:
UNIX: /usr/openv/netbackup/bin/nbcertcmd -getCRL [-server master_server_name]
Windows: install_path\NetBackup\bin\nbcertcmd -getCRL [-server master_server_name]
To get a CRL from a NetBackup domain other than the default, specify the -server master_server_name option and argument.
- On the NetBackup host, run the following command as an administrator:
UNIX: /usr/openv/netbackup/bin/nbcertcmd -hostSelfCheck [-cluster] [-server master_server_name]
Windows: install_path\NetBackup\bin\nbcertcmd -hostSelfCheck [-cluster] [-server master_server_name]
Use one or both of the following options if necessary:
-cluster
Use this option on the active node of a NetBackup master server cluster to verify the certificate of the virtual host.
-server
Use this option with the master_server_name argument to verify a certificate from a master server other than the default.
- Examine the command output. The output indicates that either the certificate is or is not revoked.
To verify from a NetBackup server if a different host's certificate is revoked
- As an administrator on the NetBackup master server or a NetBackup media server, run the following command:
UNIX: /usr/openv/netbackup/bin/admincmd/bptestbpcd - host hostname -verbose
Windows: install_path\NetBackup\bin\bptestbpcd - host hostname -verbose
For - host hostname, specify the host for which you want to verify the certificate.
- Examine the command output. If the certificate on the specified host is revoked, the command output includes the string The Peer Certificate is revoked. If the command output does not include that string, the certificate is valid.
To verify a host's certificate using the NetBackup Administration Console
- In NetBackup Administration Console, expand Security Management > Certificate Management.
- For the host of interest, examine the Certificate State column for state of the certificate.
You can determine the state of an external CA-signed host certificate: Active or Revoked. Doing so may help troubleshoot connection and communication problems.
Two methods exist to determine a certificate state, as follows:
Verify a host certificate from the host itself | |
Verify a host certificate from a NetBackup server | See “To verify from a NetBackup server if a different host's certificate is revoked”. |
To verify a host certificate from the host itself
- Refresh the CRLs in the NetBackup CRL cache.
See Troubleshooting issues with external CA-signed certificate revocation.
- On the NetBackup host, run the following command as an administrator:
UNIX: /usr/openv/netbackup/bin/nbcertcmd -hostSelfCheck [-cluster]
Windows: install_path\NetBackup\bin\nbcertcmd -hostSelfCheck [-cluster]
Use the -cluster option on the active node of a clustered master server to verify the certificate of the virtual name.
- Examine the command output. The output indicates whether the certificate is revoked or not.
To verify from a NetBackup server if a different host's certificate is revoked
- As an administrator on the NetBackup master server or a NetBackup media server, run the following command:
UNIX: /usr/openv/netbackup/bin/admincmd/bptestbpcd -host hostname -verbose
Windows: install_path\NetBackup\bin\bptestbpcd -host hostname -verbose
For -host hostname, specify the host for which you want to verify the certificate.
- Examine the command output. If the certificate on the specified host is revoked, the command output includes the string 'The Peer Certificate is revoked'. If the command output does not include that string, the certificate is valid.