NBCERTCMD

Section: NetBackup Commands (1M)
Updated: 2019-05-01
Index
 

NAME

nbcertcmd - request and manage the host ID-based security certificates and tokens that are used to authorize certificate requests. Enroll an external certificate with a NetBackup host.  

SYNOPSIS

nbcertcmd -checkClockSkew [-server master_server_name]

nbcertcmd -cleanupCRLCache -expired | -issuerHash SHA-1_hash_of_CRL_issuer_name

nbcertcmd -cleanupToken [-server master_server_name]

nbcertcmd -createCertRequest -requestFile request_file_name [-servermaster_server_name]

nbcertcmd -createECACertEntry -host host_name | -hostId host_ID -subject subject_name_of_the_certificate [-server master_server_name]

nbcertcmd -createToken -name token_name [-reissue -host host_name | -hostId host_id] [-maxUses number] [-validFor numDnumHnumM] [-reason description_for_auditing] [-server master_server_name]

nbcertcmd -deleteAllCertificates

nbcertcmd -deleteCertificate -hostId host_id [-cluster]

nbcertcmd -deleteECACertEntry -subject subject_name [-server master_server_name]

nbcertcmd -deleteToken -name token_name [-reason description_for_auditing]     [-server master_server_name]

nbcertcmd -deployCertificate -certificateFile certificate_file_name

nbcertcmd -displayCACertDetail [-server master_server_name] [-json | -json_compact]

nbcertcmd -displayToken -name token_name [-json | -json_compact] [-server master_server_name]

nbcertcmd-ecaHealthCheck [-trustStorePath path_to_CA_certificate_file] [-certPath path_to_certificate_file] [-privateKeyPath path_to_certificate_key_file] [-passphraseFile path_to_passphrase_file] [-crlCheckLevel LEAF | CHAIN | DISABLE] [-crlPath path_to_CRLs] [-cluster] [-web] [-fmt details | failures_only] [-json | -json_compact]

nbcertcmd -enrollCertificate [-force] [-preCheck] [-cluster] [-server master_server_name] [-remoteHost remote_host_name]

nbcertcmd -getCACertificate [-file hash_file_name] [-cluster] [-server master_server_name]

nbcertcmd -getCertificate [-token | -envtoken environment_variable | -file authorization_token_file] [-force] [-cluster] [-server master_server_name] [-json | -json_compact]

nbcertcmd -getCRL [-server master_server_name] [-cluster]

nbcertcmd -getExternalCertDetails -certPath path_to_certificate_file [-json | -json_compact]

nbcertcmd -getSecConfig [-certDeployLevel] [-caUsage] [-server master_server_name]

nbcertcmd -hostSelfCheck [-cluster] [-server master_server_name]

nbcertcmd -listAllCertificates [-jks]

nbcertcmd -listAllDomainCertificates [-json | -json_compact] [-server master_server_name]

nbcertcmd -listCACertDetails [-json | -json_compact] [-cluster]

nbcertcmd -listCertDetails [-ECA | -NBCA] [-json | -json_compact] [-cluster]

nbcertcmd -listEnrollmentStatus [-remoteHost remote_client_name] [-cluster] [-json | -json_compact]

nbcertcmd -listToken [-all] [-json | -json_compact] [-server master_server_name]

nbcertcmd -removeCACertificate -fingerPrint certificate_fingerprint\fB [-cluster]

nbcertcmd -removeEnrollment [-cluster] [-server master_server_name] [-remoteHost remote_client_name]

nbcertcmd -renewCertificate [-host host_name] [-cluster] [-server master_server_name]

nbcertcmd -revokeCertificate -host host_name | -hostId host_id [-reasonCode value] [-server master_server_name]

nbcertcmd -setSecConfig -certDeployLevel level [-server master_server_name]

nbcertcmd -signCertificate -token | -file authorization_token_file-requestFile request_file_name -certificateFile certificate_file_name

nbcertcmd -updateConf

nbcertcmd -updateCRLCache

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\  

DESCRIPTION

The nbcertcmd command is used to request and manage host ID-based security certificates on each NetBackup host. A NetBackup host can be a master server, media server, or client. Use the command to enroll an external CA signed certificate with a NetBackup host.

This command is also used to create and manage the authorization tokens that may be required to request certificates for NetBackup hosts.

Additionally the command is used to set and retrieve the security configuration attributes.

The Privilege details table lists the operations that require administrator privileges and also the operations that do not require special privileges. Table A.1. Privilege details.PP Commands that require NetBackup administrator privileges

-cleanupToken, -createECACertEntry, -createToken, -deleteToken, -deleteECACertEntry, -displayToken, -listAllDomainCertificates\fR, -listToken, -revokeCertificate, and -setSecConfig

Note: These operations require a bpnbat web log-on (bpnbat -login -logintype WEB) using an account that has NetBackup administrator privileges.

Commands that require host administrator privileges

-cleanupCRLCache, -createCertRequest, -deleteAllCertificates, -deleteCertificate, -deployCertificate, -displayCACertDetail, -ecaHealthCheck, -enrollCertificate, -getCACertificate, -getCertificate, -getCRL, -hostSelfCheck, -listAllCertificates, -listCertDetails, -listEnrollmentStatus, -removeCACertificate, -removeEnrollment, -updateCRLCache, -renewCertificate, and -updateConf

Commands that do not require special privileges

-checkClockSkew, -getExternalCertDetails,-getSecConfig, -listCACertDetails, and -signCertificate.

For more information about host ID-based security certificates and authorization tokens, see the [1]NetBackup Security and Encryption Guide.

The nbcertcmd supports the following operations:

-cleanupCRLCache

Cleans up the NetBackup Certificate Revocation List (CRL) cache.

This command option is only applicable for external CA-signed certificates.

-cleanupToken

Deletes the tokens that have reached their maximum usage count or have expired.

This command option is only applicable for NetBackup CA-signed certificates.

-createCertRequest

Generates a NetBackup security certificate signing request on the NetBackup host and saves it into the specified file. The command should be used on the NetBackup host when there is no connectivity with the master server. The command must be executed on the NetBackup host for which you want to request the certificate.

Use the -server option to specify the master server name in the certificate signing request. This name is the master server from which the NetBackup host expects the certificate.

-createECACertEntry

Adds an entry for the host and the associated subject name of the certificate in the NetBackup database for secure communication with the master server.

This command option is only applicable for external CA-signed certificates.

-createToken

Creates a token for authorizing certificate requests.

This command option is only applicable for NetBackup CA-signed certificates.

-checkClockSkew

Displays the time difference (in seconds) between the current host and the master server.

-deleteAllCertificates

Deletes all NetBackup certificates and keys that are available on the NetBackup host. This option is only applicable on media servers and clients.

This command option is only applicable for NetBackup CA-signed certificates.

-deleteCertificate

Deletes the NetBackup certificate of the NetBackup host that is associated with the specified host ID and removes the specified host ID entries from the CertMapInfo.json file. This option is available on all NetBackup hosts.

This command option is only applicable for NetBackup CA-signed certificates.

-deleteECACertEntry

Removes the association of the external certificate with the host. The certificate entry is deleted from the database.

This command option is only applicable for external CA-signed certificates.

-deleteToken

Deletes the specified token.

This command option is only applicable for NetBackup CA-signed certificates.

-deployCertificate

Reads the host security certificate from the specified certificate file and deploys it on the NetBackup host. The command must be executed on the NetBackup host on which the certificate signing request was generated.

This command option is only applicable for NetBackup CA-signed certificates.

-displayCACertDetail

Displays the NetBackup CA certificate details from the specified master server.

This command option is only applicable for NetBackup CA-signed certificates.

-displayToken

Displays the attributes and the value of a specified token.

This command option is only applicable for NetBackup CA-signed certificates.

-ecaHealthCheck

Checks whether the details that you have provided for the external CA-signed certificate are valid.

This command option is applicable only for external CA-signed certificates

-enrollCertificate

Enrolls an external CA signed certificate with the NetBackup domain. This certificate is used during host communication.

This command option is only applicable for external CA-signed certificates.

-getCACertificate

Connects to the master server and gets the certificate of the NetBackup Certificate Authority (CA). It then displays the fingerprint of the certificate and adds it to the NetBackup trust store after confirmation from the user.

This command option is only applicable for NetBackup CA-signed certificates.

-getCertificate

This option performs the following actions:

*
Requests a NetBackup certificate for the NetBackup host from the master server.
*
Adds the certificate to the NetBackup trust store.
*
Fetches the latest NetBackup certificate revocation list (CRL) and security level from the master server.

This command option is only applicable for NetBackup CA-signed certificates.

-getCRL

Fetches the latest certificate revocation list from the NetBackup CA on the master server. You can use the -server option to specify an alternate master server. Use the -cluster option to fetch the latest CRL from the global certificate store.

This command option is only applicable for NetBackup CA-signed certificates.

-getExternalCertDetails

Lists the details of the specified external CA-signed certificate.

This command option is only applicable for external CA-signed certificates.

-getSecConfig

Retrieves the specified security configuration attribute.

-hostSelfCheck

Indicates if the host's certificate is revoked or not revoked. In case of NetBackup CA-signed certificates, to ensure that you have the latest CRL information, first run nbcertcmd -getCRL. In case of external CA-signed certificates, to ensure that you have the latest CRL information, first run nbcertcmd -updateCRLCache. Before running the nbcertcmd -updateCRLCache, ensure that the latest CRLs are available at the location that is defined in the ECA_CRL_PATH configuration option.

-listAllCertificates

Lists the details of all security certificates that are available on the NetBackup host.

-listAllDomainCertificates

Requests all of the NetBackup certificates for the domain from a NetBackup master server. By default, this operation uses the first server entry in the NetBackup configuration (bp.conf). You can use the -server option to specify an alternate master server.

This command option is only applicable for NetBackup CA-signed certificates.

-listCACertDetails

Lists the details of trusted CA certificates that are stored in the NetBackup trust store of the NetBackup host.

-listCertDetails

Lists the certificate details for each security certificate that is deployed on the NetBackup host.

-listEnrollmentStatus

Retrieves the enrollment status for the associated master servers from the local certificate store. The enrollment status of a master server can be one of the following:

*
Enrolled
*
Not enrolled
*
To be updated

-listToken

Lists the tokens. The option does not display the token value.

This command option is only applicable for NetBackup CA-signed certificates.

-removeCACertificate

Removes the NetBackup CA certificate from the NetBackup trust store that is used for secure communications, whose fingerprint matches with the input fingerprint. Use the -listCACertDetails option to view fingerprint of existing CA certificates.

This command option is only applicable for NetBackup CA-signed certificates.

-removeEnrollment

Removes the external certificate details with respect to the specified master server from the local certificate store. The certificate is neither deleted from the system nor from the NetBackup database.

-renewCertificate

Renews an existing NetBackup certificate. Use the -host option to change primary name of host.

This command option is only applicable for NetBackup CA-signed certificates.

-revokeCertificate

Revokes a NetBackup certificate. The NetBackup host can no longer use the certificate to communicate with the master server.

This command option is only applicable for NetBackup CA-signed certificates.

-setSecConfig

Sets the specified security configuration attribute.

-signCertificate

Reads the certificate signing request from the specified request file and sends it to the NetBackupCA on the master server that is listed in the signing request. The signed certificate is stored in the specified certificate file. The command must be executed on the NetBackup host which has connectivity with the master server.

This command option is only applicable for NetBackup CA-signed certificates.

-updateConf

Updates the external certificate-specific configuration options once the ecaHealthCheck command is successfully run.

-updateCRLCache

Updates the NetBackup CRL cache with the CRL files that are present at ECA_CRL_PATH. The ECA_CRL_PATH setting is specified in the NetBackup configuration file.

The CRL file present at ECA_CRL_PATH is used if it is valid and more current then the cached CRL copy.

This command option is only applicable for external CA-signed certificates.

Note: Clustered NetBackup hosts have two certificate stores, a local certificate store and a global certificate store. The command operates on the local certificate store by default, unless the -cluster option is specified.
Note: Please be aware the nbcertcmd command does not support non-US ASCII (non-7 bit ASCII) characters for user-defined strings.
 

OPTIONS

-all
Displays all tokens, including the tokens that have reached their maximum usage count or have expired.
-caUsage
Specifies the certificate authorities (CA) - NetBackup CA, external CA, or both - that the NetBackup domain supports. The output of the command can be one of the following:
*
NBCA:ON ECA:OFF - Indicates that the web server uses only the NetBackup certificate authority signed certificates.
*
NBCA:OFF ECA:ON - Indicates that the web server uses only the external certificate authority signed certificates.
*
NBCA:ON ECA:ON - Indicates that the web server uses both the NetBackup certificate authority-signed certificates as well as the external certificate authority signed certificates.
-certDeployLevel level
Specifies the NetBackup certificate's deployment level. The option is applicable for both the -getSecConfig and -setSecConfig commands. The -setSecConfig command requires that you specify a level. Certificate deployment levels for the -setSecConfig parameter are:

0 - Very High: Automatic certificate deployment is disabled.

1 - High: Certificates are automatically deployed to known hosts.

2 - Medium: Certificates are automatically deployed to all requesting hosts.

-certPath
Specifies the path to the certificate file.
-crlCheck
Specifies the revocation check level for external certificates of the host. You can specify the following values:
*
DISABLE or 0: Revocation check is disabled. Revocation status of the certificate is not validated against the CRL during host communication.
*
LEAF or 1: The revocation status of the leaf certificate is validated against the CRL. LEAF is the default value for this option.
*
CHAIN or 2: The revocation status of all certificates in the certificate chain are validated against the CRL.
-crlPath
Specifies the path to the directory where the certificate revocation lists (CRL) of the external CA are located.
-ECA
Lists the certificate details for each external certificate authority signed certificate that is deployed on the NetBackup host. If this option is not specified, the NetBackup certificate details are retrieved.
-envtoken environment_variable
Indicates the name of an environment variable that contains the authorization token to be used for the request.
-file file_name
Specifies the path of the file containing either the authorization token (on the first line) or the CA certificate hash.
-fingerPrint certificate_fingerprint
Specify the CA certificate fingerprint.
-fmt details | failures_only
Provides details of the validation checks that are run for the external certificate-specific configuration options. The details option provides a report of all successful and all failed validation checks. The failures_only option provides a report of only the failed checks.
-force
If the option is used with the -getCertificate option, the certificate is overwritten, if it exists. If the option is used with the -enrollCertificate option, the given certificate is enrolled irrespective of the existing enrollment status.
-host host_name
Specifies the host name.
-hostId host_id
Specifies the NetBackup host ID.
-jks
Displays the web server certificate information from Java keystore. This option is available only on the NetBackup master server.
-json
Generates output data in json format that spans multiple lines.
-json_compact
Generates output data in json format on a single line.
-maxUses number
Specifies the maximum usage count of the token. If this option is not specified, the default value is 1. The maximum value for maxUses is 99999.
-name token_name
Specifies the token name.
-NBCA
Lists the certificate details for each NetBackup certificate that is deployed on the NetBackup host.
-passphrasePath
Specifies the path to the passphrase file that stores the passphrase, which is used to decrypt the private key.
-privateKeyPath
Specifies the path to the private key file of the certificate.
-preCheck
Examines the external certificate and determines if it can be enrolled.
-reason description_for_auditing
Specifies the reason that is stored in the audit record for this operation.
-reasonCode value
Specifies a reason code for revocation of a certificate. The values that are shown are the only valid numbers for the -reasonCode value:

0 - Unspecified, 1 - Key Compromise, 2 - CA Compromise, 3 - Affiliation Changed, 4 - Superseded, 5 - Cessation of Operation

-reissue
Creates a token that can be used to reissue a certificate. Use this option with either the -host option or the -hostID option.
-remoteHost
When you use -remoteHost with the -removeEnrollment option, an external certificate is enrolled for the specified remote host with the master server that you provide with the -server option.

When you use -remoteHost with the -listEnrollmentStatus option, the -remoteHost option lists the enrollment status for the master servers that are associated with the specified remote host.

When you use -remoteHost with the -removeEnrollment option, the -remoteHost option removes the enrollment of the specified remote host that exists with the specified master server.

Ensure that the name of the server from where you run the -remoteHost option is listed in the SERVER configuration option of the remote host.

For example: If you want to enroll a certificate for remoteHost1 from Server1, ensure the following in the configuration file on the remoteHost1: SERVER = Server1

-requestFile file_name
Specifies the path of the certificate request file.
-server master_server_name
Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration.
-token
Indicates that an authorization token is used for the request. Prompts the user to securely specify a token.
-trustStorePath
Specifies the path to the certificate authority bundle file.
-validFor numDnumHnumM
Specifies the validity of the token. Input format for this value should be for number of days, hours, and minutes. For example, 12D6H30M, would have a validity of 12 days, 6 hours, and 30 minutes. You can choose to specify one or more values. If this option is not specified, the default value is 24 hours. Please note that if you want to set the validity of the token to 12 hours, you don't need to specify values for days or minutes. You can specify 12H. The maximum validity period that you can specify is 999 days.
-web
Configures an external certificate for communication with the NetBackup web user interface.
 

EXAMPLES

Example 1: Create a token to request a certificate re-issue.

# nbcertcmd -createToken -name acme01_HR05 -reissue -validFor 10D -host HRfileserver.acme.com -reason "issued token on request of Alice through email dated 12/08/2016"

Token XXXXXXXXXXXXXXXX created successfully.

Example 2: Obtain a certificate from a specified master using a token

# nbcertcmd -getCertificate -token -server nbmaster01.acme.com 

Authorization Token: 
Host certificate received successfully from server nbmaster01.acme.com.

Example 3: Request and deploy a certificate on a NetBackup host that has no connectivity with the master server.

*
Run the command that is shown on the NetBackup host that has no connectivity with the master server:

# nbcertcmd -createCertRequest -requestFile /tmp/request_file_name -server master.servername

Host certificate request generated successfully.

*
Copy the /tmp/request_file_name to a NetBackup host that has connectivity with the master server and run the command that is shown on that NetBackup host:

# nbcertcmd -signCertificate -file authorization_token_file -requestFile /tmp/request_file_name -certificateFile /tmp/signed_certificate 

Sending certificate request to server: master.servername

Host certificate request signed successfully.
*
Copy the /tmp/signed_certificate to the original NetBackup host where the request file (/tmp/request_file_name) was generated and run the command shown: 

# nbcertcmd -deployCertificate -certificateFile /tmp/signed_certificate
Deploying certificate from master server: master.servername

Host certificate deployed successfully
 

SEE ALSO

bpnbat  

REFERENCES

1. NetBackup Security and Encryption Guide
http://www.veritas.com/docs/DOC5332

 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
EXAMPLES
SEE ALSO
REFERENCES
This document was created by man2html, using the manual pages.
Time: 14:51:33 GMT, September 20, 2022