Veritas NetBackup™ Commands Reference Guide
- Introduction
- Appendix A. NetBackup Commands
- acsd
- add_media_server_on_clients
- backupdbtrace
- backuptrace
- bmrc
- bmrconfig
- bmrepadm
- bmrprep
- bmrs
- bmrsrtadm
- bp
- bparchive
- bpbackup
- bpbackupdb
- bpcatarc
- bpcatlist
- bpcatres
- bpcatrm
- bpcd
- bpchangeprimary
- bpclient
- bpclimagelist
- bpclntcmd
- bpclusterutil
- bpcompatd
- bpconfig
- bpdbjobs
- bpdbm
- bpdgclone
- bpdown
- bpduplicate
- bperror
- bpexpdate
- bpfis
- bpflist
- bpgetconfig
- bpgetdebuglog
- bpimage
- bpimagelist
- bpimmedia
- bpimport
- bpinst
- bpkeyfile
- bpkeyutil
- bplabel
- bplist
- bpmedia
- bpmedialist
- bpminlicense
- bpnbat
- bpnbaz
- bppficorr
- bpplcatdrinfo
- bpplclients
- bppldelete
- bpplinclude
- bpplinfo
- bppllist
- bpplsched
- bpplschedrep
- bpplschedwin
- bppolicynew
- bpps
- bprd
- bprecover
- bprestore
- bpretlevel
- bpschedule
- bpschedulerep
- bpsetconfig
- bpstsinfo
- bpstuadd
- bpstudel
- bpstulist
- bpsturep
- bptestbpcd
- bptestnetconn
- bptpcinfo
- bpup
- bpverify
- cat_convert
- cat_export
- cat_import
- configureCerts
- configureCertsForPlugins
- configureMQ
- configurePorts
- configureWebServerCerts
- create_nbdb
- csconfig cldinstance
- csconfig cldprovider
- csconfig meter
- csconfig reinitialize
- csconfig throttle
- duplicatetrace
- importtrace
- jbpSA
- jnbSA
- ltid
- manageClientCerts
- mklogdir
- nbauditreport
- nbcatsync
- NBCC
- NBCCR
- nbcertcmd
- nbcertupdater
- nbcldutil
- nbcloudrestore
- nbcomponentupdate
- nbcplogs
- nbcredkeyutil
- nbdb_admin
- nbdb_backup
- nbdb_move
- nbdb_ping
- nbdb_restore
- nbdb_unload
- nbdb2adutl
- nbdbms_start_server
- nbdbms_start_stop
- nbdc
- nbdecommission
- nbdelete
- nbdeployutil
- nbdevconfig
- nbdevquery
- nbdiscover
- nbdna
- nbemm
- nbemmcmd
- nbfindfile
- nbfirescan
- nbftadm
- nbftconfig
- nbgetconfig
- nbhba
- nbholdutil
- nbhostidentity
- nbhostmgmt
- nbhypervtool
- nbidpcmd
- nbimageshare
- nbinstallcmd
- nbjm
- nbkmiputil
- nbkmscmd
- nbkmsutil
- nboraadm
- nborair
- nbpem
- nbpemreq
- nbmlb
- nbperfchk
- nbplupgrade
- nbrb
- nbrbutil
- nbregopsc
- nbreplicate
- nbrepo
- nbrestorevm
- nbseccmd
- nbsetconfig
- nbsnapimport
- nbsnapreplicate
- nbsqladm
- nbstl
- nbstlutil
- nbstop
- nbsu
- nbsvrgrp
- resilient_clients
- restoretrace
- stopltid
- tldd
- tldcd
- tpautoconf
- tpclean
- tpconfig
- tpext
- tpreq
- tpunmount
- verifytrace
- vltadm
- vltcontainers
- vlteject
- vltinject
- vltoffsitemedia
- vltopmenu
- vltrun
- vmadd
- vmchange
- vmcheckxxx
- vmd
- vmdelete
- vmoprcmd
- vmphyinv
- vmpool
- vmquery
- vmrule
- vmupdate
- vnetd
- vssat
- vwcp_manage
- vxlogcfg
- vxlogmgr
- vxlogview
- W2KOption
- Index
Name
nbcertcmd — request and manage the host ID-based security certificates and tokens that are used to authorize certificate requests. Enroll an external certificate with a NetBackup host.
SYNOPSIS
-checkClockSkew [-server master_server_name]
-cleanupCRLCache -expired | -issuerHash SHA-1_hash_of_CRL_issuer_name
-cleanupToken [-server master_server_name]
-createCertRequest -requestFile request_file_name [-servermaster_server_name]
-createECACertEntry -host host_name | -hostId host_ID -subject subject_name_of_the_certificate [-server master_server_name]
-createToken -name token_name [-reissue -host host_name | -hostId host_id] [-maxUses number] [-validFor numDnumHnumM] [-reason description_for_auditing] [-server master_server_name]
-deleteAllCertificates
-deleteCertificate -hostId host_id [-cluster]
-deleteECACertEntry -subject subject_name [-server master_server_name]
-deleteToken -name token_name [-reason description_for_auditing] [-server master_server_name]
-deployCertificate -certificateFile certificate_file_name
-displayCACertDetail [-server master_server_name] [-json | -json_compact]
-displayToken -name token_name [-json | -json_compact] [-server master_server_name]
-ecaHealthCheck [-trustStorePath path_to_CA_certificate_file] [-certPath path_to_certificate_file] [-privateKeyPath path_to_certificate_key_file] [-passphraseFile path_to_passphrase_file] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-crlPath path_to_CRLs] [-cluster] [-web] [-fmt details | failures_only] [-json | -json_compact]
-enrollCertificate [-force] [-preCheck] [-cluster] [-server master_server_name] [-remoteHost remote_host_name]
-getCACertificate [-file hash_file_name] [-cluster] [-server master_server_name] [-updateTrustVersion]
-getCertificate [-token | -envtoken environment_variable | -file authorization_token_file] [-force] [-cluster] [-server master_server_name] [-json | -json_compact]
-getCRL [-server master_server_name] [-cluster]
-getExternalCertDetails -certPath path_to_certificate_file [-json | -json_compact]
-getNBKeysize [-server master_server_name] [-json]
-getSecConfig [-certDeployLevel] [-caUsage] [-server master_server_name]
-hostSelfCheck [-cluster] [-server master_server_name]
-listAllCertificates [-jks]
-listAllDomainCertificates [-json | -json_compact] [-server master_server_name]
-listCACertDetails [-json | -json_compact] [-cluster]
-listCertDetails [-ECA | -NBCA] [-json | -json_compact] [-cluster]
-listEnrollmentStatus [-remoteHost remote_client_name] [-cluster] [-json | -json_compact]
-listToken [-all] [-json | -json_compact] [-server master_server_name]
-reissueCertificates [-cluster] [-server master_server_name]
-removeCACertificate -fingerPrint certificate_fingerprint [-cluster]
-removeEnrollment [-cluster] [-server master_server_name] [-remoteHost remote_client_name]
-renewCertificate [-hostnameCerts] [-host host_name] [-cluster] [-server master_server_name]
-revokeCertificate -host host_name | -hostId host_id [-reasonCode value] [-server master_server_name]
-setSecConfig -certDeployLevel level [-server master_server_name]
-signCertificate -token | -file authorization_token_file-requestFile request_file_name -certificateFile certificate_file_name
-updateConf
-updateCRLCache
On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/
On Windows systems, the directory path to this command is install_path\NetBackup\bin\
DESCRIPTION
The nbcertcmd command is used to request and manage host ID-based security certificates on each NetBackup host. A NetBackup host can be a master server, media server, or client. Use the command to enroll an external CA signed certificate with a NetBackup host.
This command is also used to create and manage the authorization tokens that may be required to request certificates for NetBackup hosts.
Additionally the command is used to set and retrieve the security configuration attributes.
The Privilege details table lists the operations that require administrator privileges and also the operations that do not require special privileges.
Table: Privilege details
|
Commands that require NetBackup administrator privileges |
-cleanupToken, -createECACertEntry, -createToken, -deleteToken, -deleteECACertEntry, -displayToken, -listAllDomainCertificates, -listToken, -reissueCertificates, -revokeCertificate, and -setSecConfig Note: These operations require a bpnbat web log-on (bpnbat -login -logintype WEB) using an account that has NetBackup administrator privileges. |
|
Commands that require host administrator privileges |
-cleanupCRLCache, -createCertRequest, -deleteAllCertificates, -deleteCertificate, -deployCertificate, -displayCACertDetail, -ecaHealthCheck, -enrollCertificate, -getCACertificate, -getCertificate, -getCRL, -hostSelfCheck, -listAllCertificates, -listCertDetails, -listEnrollmentStatus, -removeCACertificate, -removeEnrollment, -updateCRLCache, -renewCertificate, and -updateConf |
|
Commands that do not require special privileges |
-checkClockSkew, -getExternalCertDetails,-getNBKeysize, -getSecConfig, -listCACertDetails, and -signCertificate. |
For more information about host ID-based security certificates and authorization tokens, see the NetBackup Security and Encryption Guide.
The nbcertcmd supports the following operations:
|
-cleanupCRLCache |
Cleans up the NetBackup Certificate Revocation List (CRL) cache. This command option is only applicable for external CA-signed certificates. |
|
-cleanupToken |
Deletes the tokens that have reached their maximum usage count or have expired. This command option is only applicable for NetBackup CA-signed certificates. |
|
-createCertRequest |
Generates a NetBackup security certificate signing request on the NetBackup host and saves it into the specified file. The command should be used on the NetBackup host when there is no connectivity with the master server. The command must be executed on the NetBackup host for which you want to request the certificate. Use the - server option to specify the master server name in the certificate signing request. This name is the master server from which the NetBackup host expects the certificate. |
|
-createECACertEntry |
Adds an entry for the host and the associated subject name of the certificate in the NetBackup database for secure communication with the master server. If you want to provide the subject name using the OpenSSL API, ensure that it is in the RFC 2253 format. This command option is only applicable for external CA-signed certificates. |
|
-createToken |
Creates a token for authorizing certificate requests. This command option is only applicable for NetBackup CA-signed certificates. |
|
-checkClockSkew |
Displays the time difference (in seconds) between the current host and the master server. |
|
-deleteAllCertificates |
Deletes all NetBackup certificates and keys that are available on the NetBackup host. This option is only applicable on media servers and clients. This command option is only applicable for NetBackup CA-signed certificates. |
|
-deleteCertificate |
Deletes the NetBackup certificate of the NetBackup host that is associated with the specified host ID and removes the specified host ID entries from the This command option is only applicable for NetBackup CA-signed certificates. |
|
-deleteECACertEntry |
Removes the association of the external certificate with the host. The certificate entry is deleted from the database. This command option is only applicable for external CA-signed certificates. |
|
-deleteToken |
Deletes the specified token. This command option is only applicable for NetBackup CA-signed certificates. |
|
-deployCertificate |
Reads the host security certificate from the specified certificate file and deploys it on the NetBackup host. The command must be executed on the NetBackup host on which the certificate signing request was generated. This command option is only applicable for NetBackup CA-signed certificates. |
|
-displayCACertDetail |
Displays the NetBackup CA certificate details from the specified master server. This command option is only applicable for NetBackup CA-signed certificates. |
|
-displayToken |
Displays the attributes and the value of a specified token. This command option is only applicable for NetBackup CA-signed certificates. |
|
-ecaHealthCheck |
Checks whether the details that you have provided for the external CA-signed certificate are valid. This command option is applicable only for external CA-signed certificates |
|
-enrollCertificate |
Enrolls an external CA signed certificate with the NetBackup domain. This certificate is used during host communication. This command option is only applicable for external CA-signed certificates. |
|
-getCACertificate |
Connects to the master server and gets the certificate of the NetBackup Certificate Authority (CA). It then displays the fingerprint of the certificate and adds it to the NetBackup trust store after confirmation from the user. This command option is only applicable for NetBackup CA-signed certificates. |
|
-getCertificate |
This option performs the following actions:
This command option is only applicable for NetBackup CA-signed certificates. |
|
-getCRL |
Fetches the latest certificate revocation list from the NetBackup CA on the master server. You can use the - server option to specify an alternate master server. Use the -cluster option to fetch the latest CRL from the global certificate store. This command option is only applicable for NetBackup CA-signed certificates. |
|
-getExternalCertDetails |
Lists the details of the specified external CA-signed certificate. This command option is only applicable for external CA-signed certificates. |
|
-getNBKeysize |
Displays the key size for the new certificate key pair that NetBackup generates. |
|
-getSecConfig |
Retrieves the specified security configuration attribute. |
|
-hostSelfCheck |
Indicates if the host's certificate is revoked or not revoked. In case of NetBackup CA-signed certificates, to ensure that you have the latest CRL information, first run nbcertcmd -getCRL. In case of external CA-signed certificates, to ensure that you have the latest CRL information, first run nbcertcmd -updateCRLCache. Before running the nbcertcmd - updateCRLCache, ensure that the latest CRLs are available at the location that is defined in the ECA_CRL_PATH configuration option. |
|
-listAllCertificates |
Lists the details of all security certificates that are available on the NetBackup host. |
|
-listAllDomainCertificates |
Requests all of the NetBackup certificates for the domain from a NetBackup master server. By default, this operation uses the first server entry in the NetBackup configuration ( This command option is only applicable for NetBackup CA-signed certificates. |
|
-listCACertDetails |
Lists the details of trusted CA certificates that are stored in the NetBackup trust store of the NetBackup host. |
|
-listCertDetails |
Lists the certificate details for each security certificate that is deployed on the NetBackup host. |
|
-listEnrollmentStatus |
Retrieves the enrollment status for the associated master servers from the local certificate store. The enrollment status of a master server can be one of the following:
|
|
-listToken |
Lists the tokens. The option does not display the token value. This command option is only applicable for NetBackup CA-signed certificates. |
|
-reissueCertificates |
Generates a new key pair and reissues the host ID-based and host name-based certificates to the host. In a cluster, do the following to reissue certificates:
|
|
-removeCACertificate |
Removes the NetBackup CA certificate from the NetBackup trust store that is used for secure communications, whose fingerprint matches with the input fingerprint. Use the -listCACertDetails option to view fingerprint of existing CA certificates. This command option is only applicable for NetBackup CA-signed certificates. |
|
-removeEnrollment |
Removes the external certificate details with respect to the specified master server from the local certificate store. The certificate is neither deleted from the system nor from the NetBackup database. |
|
-renewCertificate |
Renews an existing host ID-based certificate. Use the -hostnameCerts option to renew host name-based certificates. Use the -host option to change the primary name of the host. This command option is only applicable for NetBackup CA-signed certificates. |
|
-revokeCertificate |
Revokes a NetBackup certificate. The NetBackup host can no longer use the certificate to communicate with the master server. This command option is only applicable for NetBackup CA-signed certificates. |
|
-setSecConfig |
Sets the specified security configuration attribute. |
|
-signCertificate |
Reads the certificate signing request from the specified request file and sends it to the NetBackupCA on the master server that is listed in the signing request. The signed certificate is stored in the specified certificate file. The command must be executed on the NetBackup host which has connectivity with the master server. This command option is only applicable for NetBackup CA-signed certificates. Note: Be sure to use the -signCertificate option on a host with the same or higher NetBackup version where the certificate signing request (CSR) was generated. |
|
-updateConf |
Updates the external certificate-specific configuration options once the ecaHealthCheck command is successfully run. |
|
-updateCRLCache |
Updates the NetBackup CRL cache with the CRL files that are present at ECA_CRL_PATH. The ECA_CRL_PATH setting is specified in the NetBackup configuration file. The CRL file present at ECA_CRL_PATH is used if it is valid and more current then the cached CRL copy. This command option is only applicable for external CA-signed certificates. |
Note:
Clustered NetBackup hosts have two certificate stores, a local certificate store and a global certificate store. The command operates on the local certificate store by default, unless the -cluster option is specified.
Note:
Please be aware the nbcertcmd command does not support non-US ASCII (non-7 bit ASCII) characters for user-defined strings.
OPTIONS
- -all
Displays all tokens, including the tokens that have reached their maximum usage count or have expired.
- -caUsage
Specifies the certificate authorities (CA) - NetBackup CA, external CA, or both - that the NetBackup domain supports. The output of the command can be one of the following:
NBCA:ON ECA:OFF - Indicates that the web server uses only the NetBackup certificate authority signed certificates.
NBCA:OFF ECA:ON - Indicates that the web server uses only the external certificate authority signed certificates.
NBCA:ON ECA:ON - Indicates that the web server uses both the NetBackup certificate authority-signed certificates as well as the external certificate authority signed certificates.
- -certDeployLevel level
Specifies the NetBackup certificate's deployment level. The option is applicable for both the -getSecConfig and -setSecConfig commands. The -setSecConfig command requires that you specify a level. Certificate deployment levels for the -setSecConfig parameter are:
0 - Very High: Automatic certificate deployment is disabled.
1 - High: Certificates are automatically deployed to known hosts.
2 - Medium: Certificates are automatically deployed to all requesting hosts.
- -certPath
Specifies the path to the certificate file.
- -crlCheck
Specifies the revocation check level for external certificates of the host. You can specify the following values:
DISABLE or 0: Revocation check is disabled. Revocation status of the certificate is not validated against the CRL during host communication.
LEAF or 1: The revocation status of the leaf certificate is validated against the CRL. LEAF is the default value for this option.
CHAIN or 2: The revocation status of all certificates in the certificate chain are validated against the CRL.
- -crlPath
Specifies the path to the directory where the certificate revocation lists (CRL) of the external CA are located.
- -ECA
Lists the certificate details for each external certificate authority signed certificate that is deployed on the NetBackup host. If this option is not specified, the NetBackup certificate details are retrieved.
- -envtoken environment_variable
Indicates the name of an environment variable that contains the authorization token to be used for the request.
- -file file_name
Specifies the path of the file containing either the authorization token (on the first line) or the CA certificate hash.
- -fingerPrint certificate_fingerprint
Specify the CA certificate fingerprint.
- -fmt details | failures_only
Provides details of the validation checks that are run for the external certificate-specific configuration options. The details option provides a report of all successful and all failed validation checks. The failures_only option provides a report of only the failed checks.
- -force
If the option is used with the -getCertificate option, the certificate is overwritten, if it exists. If the option is used with the -enrollCertificate option, the given certificate is enrolled irrespective of the existing enrollment status.
- -host host_name
Specifies the host name.
- -hostId host_id
Specifies the NetBackup host ID.
- -hostnameCerts
Specifies that you want to renew host name-based certificates.
- -jks
Displays the web server certificate information from Java keystore. This option is available only on the NetBackup master server.
- -json
Generates output data in
jsonformat that spans multiple lines.- -json_compact
Generates output data in
jsonformat on a single line.- -maxUses number
Specifies the maximum usage count of the token. If this option is not specified, the default value is 1. The maximum value for maxUses is 99999.
- -name token_name
Specifies the token name.
- -NBCA
Lists the certificate details for each NetBackup certificate that is deployed on the NetBackup host.
- -passphrasePath
Specifies the path to the passphrase file that stores the passphrase, which is used to decrypt the private key.
- -privateKeyPath
Specifies the path to the private key file of the certificate.
- -preCheck
Examines the external certificate and determines if it can be enrolled.
- -reason description_for_auditing
Specifies the reason that is stored in the audit record for this operation.
- -reasonCode value
Specifies a reason code for revocation of a certificate. The values that are shown are the only valid numbers for the -reasonCode value:
0 - Unspecified, 1 - Key Compromise, 2 - CA Compromise, 3 - Affiliation Changed, 4 - Superseded, 5 - Cessation of Operation
- -reissue
Creates a token that can be used to reissue a certificate. Use this option with either the -host option or the -hostID option.
- -remoteHost
When you use -remoteHost with the -removeEnrollment option, an external certificate is enrolled for the specified remote host with the master server that you provide with the -server option.
When you use -remoteHost with the -listEnrollmentStatus option, the -remoteHost option lists the enrollment status for the master servers that are associated with the specified remote host.
When you use -remoteHost with the -removeEnrollment option, the -remoteHost option removes the enrollment of the specified remote host that exists with the specified master server.
Ensure that the name of the server from where you run the -remoteHost option is listed in the SERVER configuration option of the remote host.
For example: If you want to enroll a certificate for remoteHost1 from Server1, ensure the following in the configuration file on the remoteHost1: SERVER = Server1
- -requestFile file_name
Specifies the path of the certificate request file.
- -server master_server_name
Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration.
- -subject
Specifies the subject name of the external certificate. If you want to provide the subject name using the OpenSSL API, ensure that it is in the RFC 2253 format.
- -token
Indicates that an authorization token is used for the request. Prompts the user to securely specify a token.
- -trustStorePath
Specifies the path to the certificate authority bundle file.
- -updateTrustVersion
Updates the NetBackup database with the host's trust version. For successful activation of the NetBackup CA migration, the host's trust version should match the master server's trust version. A trust version of a host is an automatically-generated alphanumeric value and it defines the host's CA setup. Each time the CA setup is changed, for example a CA is removed from the host's trust store, the trust version is updated.
A host's trust version can be different than the master server's trust version in the following scenarios:
One or more CA certificates from the master server's trust store are not present in the host's trust store
The host's trust version is not updated in the NetBackup database
- -validFor numDnumHnumM
Specifies the validity of the token. Input format for this value should be for number of days, hours, and minutes. For example, 12D6H30M, would have a validity of 12 days, 6 hours, and 30 minutes. You can choose to specify one or more values. If this option is not specified, the default value is 24 hours. Please note that if you want to set the validity of the token to 12 hours, you don't need to specify values for days or minutes. You can specify 12H. The maximum validity period that you can specify is 999 days.
- -web
Configures an external certificate for communication with the NetBackup web user interface.
EXAMPLES
Example 1: Create a token to request a certificate re-issue.
# nbcertcmd -createToken -name acme01_HR05 -reissue -validFor 10D -host HRfileserver.acme.com -reason "issued token on request of Alice through email dated 12/08/2016"
Token XXXXXXXXXXXXXXXX created successfully.
Example 2: Obtain a certificate from a specified master using a token
# nbcertcmd -getCertificate -token -server nbmaster01.acme.com
Authorization Token: Host certificate received successfully from server nbmaster01.acme.com.
Example 3: Request and deploy a certificate on a NetBackup host that has no connectivity with the master server.
Run the command that is shown on the NetBackup host that has no connectivity with the master server:
# nbcertcmd -createCertRequest -requestFile /tmp/request_file_name -server master.servername
Host certificate request generated successfully.
Copy the /tmp/request_file_name to a NetBackup host that has connectivity with the master server and run the command that is shown on that NetBackup host:
Be sure to use the -signCertificate option on a host with the same or higher NetBackup version where the certificate signing request (CSR) was generated.
# nbcertcmd -signCertificate -file authorization_token_file -requestFile /tmp/request_file_name -certificateFile /tmp/signed_certificate
Sending certificate request to server: master.servername Host certificate request signed successfully.
Copy the
/tmp/signed_certificateto the original NetBackup host where the request file (/tmp/request_file_name) was generated and run the command shown:# nbcertcmd -deployCertificate -certificateFile /tmp/signed_certificate Deploying certificate from master server: master.servername Host certificate deployed successfully
SEE ALSO
See bpnbat.