Veritas NetBackup™ Commands Reference Guide
- Introduction
- Appendix A. NetBackup Commands
- acsd
- add_media_server_on_clients
- backupdbtrace
- backuptrace
- bmrc
- bmrconfig
- bmrepadm
- bmrprep
- bmrs
- bmrsrtadm
- bp
- bparchive
- bpbackup
- bpbackupdb
- bpcatarc
- bpcatlist
- bpcatres
- bpcatrm
- bpcd
- bpchangeprimary
- bpclient
- bpclimagelist
- bpclntcmd
- bpclusterutil
- bpcompatd
- bpconfig
- bpdbjobs
- bpdbm
- bpdgclone
- bpdown
- bpduplicate
- bperror
- bpexpdate
- bpfis
- bpflist
- bpgetconfig
- bpgetdebuglog
- bpimage
- bpimagelist
- bpimmedia
- bpimport
- bpinst
- bpkeyfile
- bpkeyutil
- bplabel
- bplist
- bpmedia
- bpmedialist
- bpminlicense
- bpnbat
- bpnbaz
- bppficorr
- bpplcatdrinfo
- bpplclients
- bppldelete
- bpplinclude
- bpplinfo
- bppllist
- bpplsched
- bpplschedrep
- bpplschedwin
- bppolicynew
- bpps
- bprd
- bprecover
- bprestore
- bpretlevel
- bpschedule
- bpschedulerep
- bpsetconfig
- bpstsinfo
- bpstuadd
- bpstudel
- bpstulist
- bpsturep
- bptestbpcd
- bptestnetconn
- bptpcinfo
- bpup
- bpverify
- cat_convert
- cat_export
- cat_import
- configurePorts
- configureTPCerts
- create_nbdb
- csconfig cldinstance
- csconfig cldprovider
- csconfig meter
- csconfig throttle
- duplicatetrace
- importtrace
- jbpSA
- jnbSA
- ltid
- manageClientCerts
- mklogdir
- nbauditreport
- nbcatsync
- NBCC
- NBCCR
- nbcertcmd
- nbcertupdater
- nbcldutil
- nbcloudrestore
- nbcomponentupdate
- nbcplogs
- nbdb_admin
- nbdb_backup
- nbdb_move
- nbdb_ping
- nbdb_restore
- nbdb_unload
- nbdbms_start_server
- nbdbms_start_stop
- nbdc
- nbdecommission
- nbdelete
- nbdeployutil
- nbdevconfig
- nbdevquery
- nbdiscover
- nbdna
- nbemm
- nbemmcmd
- nbfindfile
- nbfirescan
- nbftadm
- nbftconfig
- nbgetconfig
- nbhba
- nbholdutil
- nbhostidentity
- nbhostmgmt
- nbhypervtool
- nbinstallcmd
- nbjm
- nbkmsutil
- nboraadm
- nborair
- nbpem
- nbpemreq
- nbperfchk
- nbplupgrade
- nbrb
- nbrbutil
- nbregopsc
- nbreplicate
- nbrepo
- nbrestorevm
- nbseccmd
- nbsetconfig
- nbsnapimport
- nbsnapreplicate
- nbsqladm
- nbstl
- nbstlutil
- nbstop
- nbsu
- nbsvrgrp
- resilient_clients
- restoretrace
- stopltid
- tl4d
- tl8d
- tl8cd
- tldd
- tldcd
- tlhd
- tlhcd
- tlmd
- tpautoconf
- tpclean
- tpconfig
- tpext
- tpreq
- tpunmount
- verifytrace
- vltadm
- vltcontainers
- vlteject
- vltinject
- vltoffsitemedia
- vltopmenu
- vltrun
- vmadd
- vmchange
- vmcheckxxx
- vmd
- vmdelete
- vmoprcmd
- vmphyinv
- vmpool
- vmquery
- vmrule
- vmupdate
- vnetd
- vssat
- vwcp_manage
- vxlogcfg
- vxlogmgr
- vxlogview
- W2KOption
Name
nbcertcmd — request and manage the host ID-based security certificates and tokens that are used to authorize certificate requests.
SYNOPSIS
-cleanupToken [-server master_server_name]
-createCertRequest -requestFile request_file_name [-servermaster_server_name]
-createToken -name token_name [-reissue -host host_name | -hostId host_id] [-maxUses number] [-validFor numDnumHnumM] [-reason description_for_auditing] [-server master_server_name]
-checkClockSkew [-server master_server_name]
-deleteAllCertificates
-deleteCertificate -hostId host_id [-cluster]
-deleteToken -name token_name [-reason description_for_auditing] [-server master_server_name]
-deployCertificate -certificateFile certificate_file_name
-displayCACertDetail [-server master_server_name] [-json | -json_compact]
-displayToken -name token_name [-json | -json_compact] [-server master_server_name]
-getCACertificate [-file hash_file_name] [-cluster] [-server master_server_name]
-getCertificate [-token | -envtoken environment_variable | -file authorization_token_file] [-force] [-cluster] [-server master_server_name] [-json | -json_compact]
-getCRL [-server master_server_name] [-cluster]
-getSecConfig -certDeployLevel [-server master_server_name]
-hostSelfCheck [-cluster] [-server master_server_name]
-listAllCertificates [-jks]
-listAllDomainCertificates [-json | -json_compact] [-server master_server_name]
-listCACertDetails [-json | -json_compact] [-cluster]
-listCertDetails [-json | -json_compact] [-cluster]
-listToken [-all] [-json | -json_compact] [-server master_server_name]
-removeCACertificate -fingerPrint certificate_fingerprint [-cluster]
-renewCertificate [-host host_name] [-cluster] [-server master_server_name]
-revokeCertificate -host host_name | -hostId host_id [-reasonCode value] [-server master_server_name]
-setSecConfig -certDeployLevel level [-server master_server_name]
-signCertificate -token | -file authorization_token_file-requestFile request_file_name -certificateFile certificate_file_name
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\
DESCRIPTION
The nbcertcmd command is used to request and manage host ID-based security certificates on each NetBackup host. A NetBackup host can be a master server, media server, or client.
This command is also used to create and manage the authorization tokens that may be required to request certificates for NetBackup hosts.
Additionally the command is used to set and retrieve the security configuration attributes.
The Privilege details table lists the operations that require administrator privileges and also the operations that do not require special privileges.
Table: Privilege details
|
Commands that require NetBackup administrator privileges |
-cleanupToken, -createToken, -deleteToken, -displayToken, -hostSelfCheck, -listAllDomainCertificates, -listToken, -revokeCertificate, and -setSecConfig Note: These operations require a bpnbat web log-on (bpnbat -login -logintype WEB) using an account that has NetBackup administrator privileges. |
|
Commands that require host administrator privileges |
-createCertRequest, -deleteAllCertificates, -deleteCertificate, -deployCertificate, -displayCACertDetail, -getCACertificate, -getCertificate, -getCRL, -listAllCertificates, -listCertDetails, -removeCACertificate, and -renewCertificate |
|
Commands that do not require special privileges |
-checkClockSkew, -getSecConfig, -listCACertDetails, and -signCertificate. |
For more information about host ID-based security certificates and authorization tokens, see the NetBackup Security and Encryption Guide.
The nbcertcmd supports the following operations:
|
-cleanupToken |
Deletes the tokens that have reached their maximum usage count or have expired. |
|
-createCertRequest |
Generates a host ID-based security certificate signing request on the NetBackup host and saves it into the specified file. The command should be used on the NetBackup host when there is no connectivity with the master server. The command must be executed on the NetBackup host for which you want to request the certificate. Use the - server option to specify the master server name in the certificate signing request. This name is the master server from which the NetBackup host expects the certificate. |
|
-createToken |
Creates a token for authorizing certificate requests. |
|
-checkClockSkew |
Displays the time difference (in seconds) between the current host and the master server. |
|
-deleteAllCertificates |
Deletes all security certificates and keys that are available on the NetBackup host. This option is only applicable on media servers and clients. |
|
-deleteCertificate |
Deletes the security certificate of the NetBackup host that is associated with the specified host ID and removes the specified host ID entries from the |
|
-deleteToken |
Deletes the specified token. |
|
-deployCertificate |
Reads the host security certificate from the specified certificate file and deploys it on the NetBackup host. The command must be executed on the NetBackup host on which the certificate signing request was generated. |
|
-displayCACertDetail |
Displays the CA certificate details from the specified master server. |
|
-displayToken |
Displays the attributes and the value of a specified token. |
|
-getCACertificate |
Connects to the master server and gets the certificate of the Certificate Authority (CA). It then displays the fingerprint of the certificate and adds it to the local trust store after confirmation from the user. |
|
-getCertificate |
This option performs the following actions:
|
|
-getCRL |
Fetches the latest certificate revocation list from the master server. You can use the - server option to specify an alternate master server. Use the -cluster option to fetch the latest CRL from the global certificate store. |
|
-getSecConfig |
Retrieves the specified security configuration attribute. |
|
-hostSelfCheck |
Indicates if the host's certificate is revoked or not revoked in the local certificate revocation list (CRL). To ensure that you have the latest CRL information, first run nbcertcmd -getCRL. |
|
-listAllCertificates |
Lists the details of all security certificates that are available on the NetBackup host. |
|
-listAllDomainCertificates |
Requests all of the security certificates for the domain from a NetBackup master server. By default, this operation uses the first server entry in the NetBackup configuration ( |
|
-listCACertDetails |
Lists the details of trusted CA certificates that are stored in the local trust store of the NetBackup host. |
|
-listCertDetails |
Lists the certificate details for each security certificate that is deployed on the NetBackup host. |
|
-listToken |
Lists the tokens. The option does not display the token value. |
|
-removeCACertificate |
Removes the CA certificate from the trust store whose fingerprint matches the input fingerprint. Use the -listCACertDetails option to view fingerprint of existing CA certificates. |
|
-renewCertificate |
Renews an existing NetBackup host ID-based security certificate. Use the -host option to change primary name of host. |
|
-revokeCertificate |
Revokes a host ID-based security certificate. The NetBackup host can no longer use the certificate to communicate with the master server. |
|
-setSecConfig |
Sets the specified security configuration attribute. |
|
-signCertificate |
Reads the certificate signing request from the specified request file and sends it to the master server that is listed in the signing request. The signed certificate is stored in the specified certificate file. The command must be executed on the NetBackup host which has connectivity with the master server. |
Note:
Clustered NetBackup hosts have two certificate stores, a local certificate store and a global certificate store. The command operates on the local certificate store by default, unless the -cluster option is specified.
Note:
Please be aware the nbcertcmd command does not support non-US ASCII (non-7 bit ASCII) characters for user-defined strings.
OPTIONS
- -all
Displays all tokens, including the tokens that have reached their maximum usage count or have expired.
- -certDeployLevel level
Specifies the certificate's deployment level. The option is applicable for both the -getSecConfig and -setSecConfig commands. The -setSecConfig command requires that you specify a level. Certificate deployment levels for the -setSecConfig parameter are:
0 - Very High: Automatic certificate deployment is disabled.
1 - High: Certificates are automatically deployed to known hosts.
2 - Medium: Certificates are automatically deployed to all requesting hosts.
- -certificateFile certificate_file_name
Specifies the path of the certificate file.
- -cluster
Performs the operation on the global certificate store.
- -envtoken environment_variable
Indicates the name of an environment variable that contains the authorization token to be used for the request.
- -file file_name
Specifies the path of the file containing either the authorization token (on the first line) or the CA certificate hash.
- -fingerPrint certificate_fingerprint
Specify the CA certificate fingerprint.
- -force
Overwrites the certificate if it exists.
- -host host_name
Specifies the host name.
- -hostId host_id
Specifies the NetBackup host ID.
- -jks
Displays the Tomcat certificate information from Java keystore. This option is available only on the NetBackup master server.
- -json
Generates output data in
jsonformat that spans multiple lines.- -json_compact
Generates output data in
jsonformat on a single line.- -maxUses number
Specifies the maximum usage count of the token. If this option is not specified, the default value is 1. The maximum value for maxUses is 99999.
- -name token_name
Specifies the token name.
- -reason description_for_auditing
Specifies the reason that is stored in the audit record for this operation.
- -reasonCode value
Specifies a reason code for revocation of a certificate. The values that are shown are the only valid numbers for the -reasonCode value:
0 - Unspecified, 1 - Key Compromise, 2 - CA Compromise, 3 - Affiliation Changed, 4 - Superseded, 5 - Cessation of Operation
- -reissue
Creates a token that can be used to reissue a certificate. Use this option with either the -host option or the -hostID option.
- -requestFile file_name
Specifies the path of the certificate request file.
- -server master_server_name
Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration.
- -token
Indicates that an authorization token is used for the request. Prompts the user to securely specify a token.
- -validFor numDnumHnumM
Specifies the validity of the token. Input format for this value should be for number of days, hours, and minutes. For example, 12D6H30M, would have a validity of 12 days, 6 hours, and 30 minutes. You can choose to specify one or more values. If this option is not specified, the default value is 24 hours. Please note that if you want to set the validity of the token to 12 hours, you don't need to specify values for days or minutes. You can specify 12H. The maximum validity period that you can specify is 999 days.
EXAMPLES
Example 1: Create a token to request a certificate re-issue.
# nbcertcmd -createToken -name acme01_HR05 -reissue -validFor 10D -host HRfileserver.acme.com -reason "issued token on request of Alice through email dated 12/08/2016"
Token XXXXXXXXXXXXXXXX created successfully.
Example 2: Obtain a certificate from a specified master using a token
# nbcertcmd -getCertificate -token -server nbmaster01.acme.com
Authorization Token: Host certificate received successfully from server nbmaster01.acme.com.
Example 3: Request and deploy a certificate on a NetBackup host that has no connectivity with the master server.
Run the command that is shown on the NetBackup host that has no connectivity with the master server:
# nbcertcmd -createCertRequest -requestFile /tmp/request_file_name -server master.servername
Host certificate request generated successfully.
Copy the /tmp/request_file_name to a NetBackup host that has connectivity with the master server and run the command that is shown on that NetBackup host:
# nbcertcmd -signCertificate -file authorization_token_file -requestFile /tmp/request_file_name -certificateFile /tmp/signed_certificate
Sending certificate request to server: master.servername Host certificate request signed successfully.
Copy the
/tmp/signed_certificateto the original NetBackup host where the request file (/tmp/request_file_name) was generated and run the command shown:# nbcertcmd -deployCertificate -certificateFile /tmp/signed_certificate Deploying certificate from master server: master.servername Host certificate deployed successfully
SEE ALSO
See bpnbat.