Creating a reissue token
A host ID-based certificate can be reissued if the non-primary host is already registered with the primary server but its host ID-based certificate is no longer valid. For example, a certificate is not valid when it has expired, is revoked, or is lost.
A reissue token is a type of token that can be used to reissue a certificate. It is a special type of token because it retains the same host ID as the original certificate. Since a reissue token is bound to a specific host, the token cannot be used to request certificates for additional hosts.
To create a reissue token
- Open the NetBackup web UI.
- On the left, select Security > Certificates.
- Select the host that requires a reissue token.
- Click Generate Reissue Token.
- Enter the name for the token.
- Select a date for token validity from the Valid for option.
- In the Reason field, enter a reason for the reissue token. The reason appears in the log as an audit event.
- Click Generate.
- Click Copy to clipboard to copy the token value.
- Convey the token value to the administrator of the non-primary host. How the token is conveyed depends on various security factors in the environment. The token may be transmitted by email, by file, or verbally.
The administrator of the non-primary host deploys the token to obtain another host ID-based certificate. See the following topic for instructions:
To create a reissue token using the nbcertcmd command
- The primary server administrator must be logged in to the NetBackup Web Management Service to perform this task. Use the following command to log in:
bpnbat -login -logintype WEB
- Run one of the following commands on the primary server:
Use the host name for which the certificate needs to be reissued:
nbcertcmd -createToken -name token_name -reissue -host host_name
Note:
You must provide the primary name of the host for which you want to reissue the certificate. If you provide any of the host ID-to-host name mappings that are added for the host, the certificate cannot be reissued.
Use the host ID for which the certificate needs to be reissued:
nbcertcmd -createToken -name token_name -reissue -hostId host_id
Additional parameters can be used to indicate validity duration and the reason for creation.
For information about the nbcertcmd command, see the NetBackup Commands Reference Guide.
In addition to reissuing a token, the following steps are required to request a certificate for a renamed NetBackup host.
To request a certificate for a host after a host name change
- The NetBackup administrator of the primary server generates a reissue token for the renamed NetBackup host.
- Add the new host name as one of the approved host ID-to-host name mappings by using the NetBackup web UI.
See Adding host ID to host name mappings.
Alternatively, you can use the nbhostmgmt -add command-line interface option.
For more information about the command, see the NetBackup Commands Reference Guide.
- The NetBackup administrator must revoke the host ID-based certificate for the renamed host.
See Revoking a host ID-based certificate.
Note:
After the certificate is revoked, the host is unable to communicate with the NetBackup Web Management Console service (nbwmc). When the host obtains a new certificate using the reissue token, the host can communicate with nbwmc again.
- After the certificate is revoked, the administrator of the non-primary host must use the reissue token to get a certificate for the renamed host.