Veritas NetBackup™ Troubleshooting Guide
- Introduction
- Troubleshooting procedures
- About troubleshooting procedures
- Troubleshooting NetBackup problems
- Troubleshooting installation problems
- Troubleshooting configuration problems
- Device configuration problem resolution
- Testing the master server and clients
- Testing the media server and clients
- Resolving network communication problems with UNIX clients
- Resolving network communication problems with Windows clients
- Troubleshooting vnetd proxy connections
- vnetd proxy connection requirements
- Where to begin to troubleshoot vnetd proxy connections
- Verify that the vnetd process and proxies are active
- Verify that the host connections are proxied
- Test the vnetd proxy connections
- Examine the log files of the connecting and accepting processes
- Viewing the vnetd proxy log files
- Troubleshooting security certificate revocation
- Troubleshooting cloud provider's revoked SSL certificate issues
- Troubleshooting cloud provider's CRL download issues
- How a host's CRL affects certificate revocation troubleshooting
- NetBackup job fails because of revoked certificate or unavailability of CRLs
- NetBackup job fails because of apparent network error
- NetBackup job fails because of unavailable resource
- Master server security certificate is revoked
- Determining a NetBackup host's certificate state
- Troubleshooting issues with external CA-signed certificate revocation
- About troubleshooting networks and host names
- Verifying host name and service entries in NetBackup
- Example of host name and service entries on UNIX master server and client
- Example of host name and service entries on UNIX master server and media server
- Example of host name and service entries on UNIX PC clients
- Example of host name and service entries on UNIX server that connects to multiple networks
- About the bpclntcmd utility
- Using the Host Properties window to access configuration settings
- Resolving full disk problems
- Frozen media troubleshooting considerations
- Troubleshooting problems with the NetBackup web services
- Troubleshooting problems with the NetBackup web server certificate
- Resolving PBX problems
- Troubleshooting problems with validation of the remote host
- About troubleshooting Auto Image Replication
- Troubleshooting network interface card performance
- About SERVER entries in the bp.conf file
- About unavailable storage unit problems
- Resolving a NetBackup Administration operations failure on Windows
- Resolving garbled text displayed in NetBackup Administration Console on a UNIX computer
- Unable to logon to the NetBackup Administration Console after external CA configuration
- Troubleshooting file-based external certificate issues
- Troubleshooting Windows certificate store issues
- Troubleshooting backup failures
- Troubleshooting backup failure issues with NAT clients
- Troubleshooting issues with the NetBackup Messaging Broker (or nbmqbroker) service
- Using NetBackup utilities
- About NetBackup troubleshooting utilities
- About the analysis utilities for NetBackup debug logs
- About the Logging Assistant
- About network troubleshooting utilities
- About the NetBackup support utility (nbsu)
- About the NetBackup consistency check utility (NBCC)
- About the NetBackup consistency check repair (NBCCR) utility
- About the nbcplogs utility
- About the robotic test utilities
- Disaster recovery
- About disaster recovery
- About disaster recovery requirements
- Disaster recovery packages
- About disaster recovery settings
- Recommended backup practices
- About disk recovery procedures for UNIX and Linux
- About clustered NetBackup server recovery for UNIX and Linux
- About disk recovery procedures for Windows
- About clustered NetBackup server recovery for Windows
- Generating a certificate on a clustered master server after disaster recovery installation
- About restoring disaster recovery package
- About the DR_PKG_MARKER_FILE environment variable
- Restoring disaster recovery package on Windows
- Restoring disaster recovery package on UNIX
- About recovering the NetBackup catalog
- About NetBackup catalog recovery on Windows computers
- About NetBackup catalog recovery from disk devices
- About NetBackup catalog recovery and symbolic links
- About NetBackup catalog recovery and OpsCenter
- NetBackup disaster recovery email example
- About recovering the entire NetBackup catalog
- About recovering the NetBackup catalog image files
- About recovering the NetBackup relational database
- Recovering the NetBackup catalog when NetBackup Access Control is configured
- Recovering the NetBackup catalog from a nonprimary copy of a catalog backup
- Recovering the NetBackup catalog without the disaster recovery file
- Recovering a NetBackup user-directed online catalog backup from the command line
- Restoring files from a NetBackup online catalog backup
- Unfreezing the NetBackup online catalog recovery media
- Steps to carry out when you see exit status 5988 during catalog recovery
Troubleshooting web service issues after external CA configuration
The web service does not start or respond after external certificate (ECA) configuration.
Check the web server logs at the following location:
install_path/wmc/webserver/logs/catalina.log
Check if the logs contain any of the following strings:
SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [C:\Program Files\Veritas\NetBackup\var\global\wsl\credentials\tpcredentials\nbwebservice.jks] due to [Illegal character in opaque part at index 2: C:\Program Files\Veritas\NetBackup\var\global\wsl\credentials\tpcredentials\nbwebservice.jks]
Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
The root cause can be: The keystore of the external CA used by the NetBackup web service is tampered or deleted.
Verify that NetBackup Web Management Console service is running.
Run the following command:
On UNIX: /usr/openv/netbackup/bin/bpps -x
On Windows: Use the NetBackup Activity Monitor or the services application of the Windows Control Panel.
If the status is FAIL, reconfigure the external certificate by executing the following command:
On Windows:Install path\netbackup\wmc\bin\configureWebServerCerts -addExternalCert -nbHost -certPath file_path -privateKeyPath file_path -trustStorePath file_path
On Unix:/usr/openv/netbackup/bin/configureWebServerCerts -addExternalCert -nbHost -certPath file_path -privateKeyPath file_path -trustStorePath file_path
Try to start the NetBackup web service.
For windows:Install path\netbackup\wmc\bin\nbwmc.exe -start -srvname "NetBackup Web Management Console"
For Unix:/usr/openv/netbackup/bin/nbwmc start
External certificate is not configured.
The issue can occur because of the following:
Invalid certificate, private key, or trust store.
Error message : The certificate could not be added. Please check the configureWebServerCerts logs.
Certificate does not contain server name in the subject alternative name (SAN) of the certificate.
Open web server configuration logs
Location: <install dir>/NetBackup/wmc/webserver/logs/configureWebServerCerts.log
Review the log messages:
If the logs have the following message:
unable to load private key 22308:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: ANY PRIVATE KEY Could not export certificates in PKCS#12 format, 1.
The private key does not t match the private key of the certificate that is provided.
Provide the appropriate private key.
If the logs have following message:
Error occurred while adding certificate to keystore. Exception: java.security.cert.CertificateParsingException: signed overrun, bytes = 918 Exiting.. Could not import CA certificates in JAVA keystore, -1.
The file path that is provided for the -trustStorePath option is not a valid file path or a valid trust store CA certificate is not present at the given file path.
Provide the trust store bundle path for the -trustStorePath option.
The following error message is displayed:
The server name server_name was not found in the web service certificate.
The certificate could not be added. Please check configureWebServerCerts logs.
For successful configuration, ensure the following:
Common name of the subject name and the SAN names should not be empty at the same time.
If the SAN is not empty, host name must be present in the SAN entry.
If SAN is empty, common name of the subject name must be host name.
Only PEM formatted certificates are allowed.
Note:
The host name is the name provided for the master server at the time of installation. Host name can be found in the setenv file with the NB_HOSTNAME property.
Location of the file:
On UNIX : /usr/openv/wmc/bin/setenv
On Windows: install_path\Veritas\NetBackup\wmc\bin\setenv
Communication can be successful in the following scenarios:
The certificate contains all host names that the master server is known by (host names that are listed in the SERVER entries of other hosts in the domain) in the SAN field of the certificate.
Server authentication attributes are set in the certificate.
Check the logs for the missing entry.
Add the missing host name in the SAN of the certificate.