NetBackup 8.0 Certificates for port 8443

So we ran into an issue with our PCI compliance scan in our NetBackup 8.0 environments. This happened on both the appliance and the standard Unix system install. The issue was that the service on port 8443 presented a certificate whose subject common name (CN) didn't match the name of the box, usually because the box is addressed by its FQDN while the CN holds only the short hostname.

The appliances started off with the subject "CN = nb-appliance, OU = NetBackup, O = nb-appliance". This I assume is a factory default setting. The standard install actually had "CN = servera, OU = NetBackup, O = servera", where "servera" is the short name of the system (I obviously replaced our system name with this for confidentiality reasons).

The process to correct this problem was surprisingly easy, although not well documented publicly. It ONLY replaces the port 8443 certificate, nothing else. It is as follows (Please only do this while under the supervision of a Veritas Support Engineer):


  1. Log into the appliance via SSH with a privileged account
  2. Go to the "Support" menu
  3. Go to the "Maintenance" menu
  4. Type in the password requested
  5. Temporarily disable security on the appliance by running the following command: "/opt/Symantec/sdcssagent/IPS/sisipsoverride.sh"
  6. Select option "2" then an appropriate time
  7. Type the command "elevate" and hit enter. This will place you at a command prompt.
  8. Stop the NetBackup services with the "service netbackup stop" command, or "/usr/openv/netbackup/bin/goodies/netbackup stop"
  9. Change to the "/usr/openv/wmc/bin" directory
  10. Edit the setenv file with your preferred text editor (vi or vim usually)
  11. Find the line that says "NB_HOSTNAME servera" (I'm not sure if it has an = in between or not, will try to check again later)
  12. Change it to "NB_HOSTNAME servera.fqdn.domain" (replace it with the appropriate FQDN for your server)
  13. Back up your old keystore with a move or copy command, e.g. "mv /usr/openv/var/global/credentials/keystore /usr/openv/var/global/credentials/keystore.bak"
  14. Change to the "install" subdirectory (/usr/openv/wmc/bin/install)
  15. Run the "createSslStore" command. This regenerates the keystore with a new self-signed certificate for port 8443.
  16. Start NetBackup using "service netbackup start" or "/usr/openv/netbackup/bin/goodies/netbackup start"
  17. Verify that the certificate now presented on port 8443 carries the FQDN as its CN.
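
As an added example (not part of the original post and not Veritas tooling), the following bash helpers cover the two points in the procedure above that are easiest to get wrong: the setenv edit in steps 11-13, where the exact separator on the NB_HOSTNAME line is uncertain, and the check in step 17. It assumes the NB_HOSTNAME line takes one of the forms "NB_HOSTNAME servera", "NB_HOSTNAME=servera", "export NB_HOSTNAME=servera" or "setenv NB_HOSTNAME servera" (quoted or not), and that openssl is installed on the host you run the check from; the function names and the sample subject strings are my own.

```bash
#!/bin/bash
# Added example, not from the original post or from Veritas.
# Helpers for two steps of the procedure above:
#   - set_nb_hostname: the setenv edit (steps 11-13), keeping a .bak copy
#   - check_port_8443: the verification (step 17) via openssl s_client
# Assumption: the NB_HOSTNAME line is one of
#   NB_HOSTNAME servera          NB_HOSTNAME=servera
#   export NB_HOSTNAME=servera   setenv NB_HOSTNAME servera
# (with or without double quotes around the value).

# Rewrite the NB_HOSTNAME value in a setenv file to the given FQDN.
# Whatever separator and quoting the line uses is preserved; the original
# file is kept as "<file>.bak". Fails if no NB_HOSTNAME line was updated.
set_nb_hostname() {
  local file="$1" fqdn="$2"
  cp -p "$file" "$file.bak" || return 1
  sed -E "s/^([[:space:]]*(export |setenv )?NB_HOSTNAME[[:space:]]*=?[[:space:]]*)(\"?)[^[:space:]\"]+(\"?)/\1\3${fqdn}\4/" \
      "$file.bak" > "$file" || return 1
  grep -Eq "NB_HOSTNAME[[:space:]]*=?[[:space:]]*\"?${fqdn}" "$file"
}

# Pull the CN out of an "openssl x509 -noout -subject" line. Both the
# current format (subject=CN = x, OU = y) and the older slash-separated
# format (subject= /CN=x/OU=y) are handled. Prints nothing if there is no CN.
subject_cn() {
  printf '%s\n' "$1" \
    | sed -nE 's#.*(subject=|[,/])[[:space:]]*CN[[:space:]]*=[[:space:]]*([^,/]*).*#\2#p' \
    | sed -E 's/[[:space:]]+$//'
}

# True when the subject's CN equals the expected FQDN (case-insensitive),
# which is the comparison the compliance scanner makes.
cn_matches() {
  local cn fqdn
  cn=$(subject_cn "$1" | tr '[:upper:]' '[:lower:]')
  fqdn=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ -n "$cn" ] && [ "$cn" = "$fqdn" ]
}

# Step 17: fetch the certificate presented on port 8443 and compare its
# CN with the FQDN used to reach the host. Exit 0 on match, 1 on mismatch,
# 2 if the certificate could not be fetched.
check_port_8443() {
  local host="$1" subject
  subject=$(openssl s_client -connect "$host:8443" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -noout -subject) || return 2
  if cn_matches "$subject" "$host"; then
    echo "OK: port 8443 presents $subject"
  else
    echo "MISMATCH: expected CN=$host but port 8443 presents: $subject" >&2
    return 1
  fi
}

# Usage: ./check8443.sh servera.fqdn.domain
if [ "$#" -ge 1 ]; then
  check_port_8443 "$1"
fi
```

Run set_nb_hostname against a copy of /usr/openv/wmc/bin/setenv first and diff it against the .bak before touching the live file; the verification grep at the end of the function is what tells you the line was actually found and rewritten rather than silently left alone.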

Hopefully your PCI scans go much smoother than mine do. The steps listed above only generate a self-signed certificate, so if your company requires a company-issued cert then obviously your process will be different. For Unix systems the process should be identical, except that you skip steps 2-7, which are appliance-specific.

Information used in this document came from support cases we opened. Additional information on the intrusion prevention mechanism referenced in step 5 can be viewed at:

For additional information on NetBackup certificates, please begin at the following page:

Have a nice day and I hope this helps!

Charles
@whitehattechs

Comments

  1. Hi Charles, experiencing the same issues on a Linux master server. When running bpnbat -login -loginType WEB, were you getting HTTP connection ok, but the SSL cert error "Self signed certificate in certificate chain"?

