Creating authorization tokens
Depending on the certificate deployment security setting, NetBackup hosts may require an authorization token to obtain a host ID-based certificate from the Certificate Authority (primary server).
If the security setting is Very High, all certificate requests require a token. Perform the procedure that is described in this topic.
If the security setting is High, certificates are automatically deployed to hosts that are known to the primary server. If the host is not known to the primary server, the certificate must be deployed using an authorization token. In that case, perform the procedure that is described in this topic.
To understand what it means to be known to the primary server, see the following topic:
If the security setting is Medium, this procedure is less likely to be needed because certificates are automatically deployed to all hosts that request one. However, the primary server must be able to cross verify the IP address and host name of the host that is requesting a certificate.
Note:
A token is required to request a certificate on behalf of a host that has no connectivity with the primary server.
See Deploying certificates on a client that has no connectivity with the primary server.
Note:
Do not use this procedure to create an authorization token for a NetBackup host whose current certificate is not in a valid state because it is lost, corrupt, or expired. In these cases, a reissue token must be used.
The NetBackup administrator of the primary server can use the NetBackup web UI or the command line to create the token.
To create a token using the NetBackup web UI
- On the left, select Security > Tokens.
- Select Add.
- Enter a unique and meaningful name for the token. The field cannot be left blank.
  For example, to create a token to request certificates for multiple hosts that belong to primary_server_1, name the token Token1_MS1. A good practice is to write a useful description in the Reason field for the token.
- Enter a number for the Maximum uses allowed option for the number of times the token can be used. The default is 1, which indicates that one host can use the token one time.
  To use the same token for multiple hosts, enter any value between 1 and 99999. For example, to use the token for 8 hosts, enter 8. The ninth host that attempts to use the token will not succeed.
- Use the Valid for option to indicate how long the token remains valid. After the Valid for period ends, the token cannot be used and the primary server must generate another token.
  Select a period between 1 and 999 hours or days.
- Optionally, enter the reason for creating the token. The reason appears in the audit logs, along with the other entries in the dialog.
- Select Create.
- Select the Copy to clipboard button to save the token value to the clipboard.
- Convey the token value to the administrator of the non-primary host. How the token is conveyed depends on various security factors in the environment. The token may be transmitted by email, by file, or verbally.
- The administrator of the non-primary host uses the token to obtain a host ID-based certificate from the Certificate Authority. See the following procedure for instructions:
To create a token using the nbcertcmd command
- Run the following command on the host:
  nbcertcmd -createToken -name token_name
  For example:
  nbcertcmd -createToken -name testtoken
  Token FCBVYUTDUIELUDOE created successfully.
Additional parameters can be used to indicate maximum uses, validity duration, and the reason for creation.
For information about the nbcertcmd command, see the NetBackup Commands Reference Guide.
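The following shell wrapper is an added example; it is not part of the NetBackup documentation or product. It runs only the documented `nbcertcmd -createToken -name token_name` invocation, refuses a blank name (the rule the web UI enforces), extracts the token value from the success line shown above, and masks the value so that the token itself never has to appear in a shared log or ticket. The `NBCERTCMD` variable, the function names and the masking format are assumptions of this example; the additional nbcertcmd parameters for maximum uses, validity and reason are deliberately not used here because their names are documented in the Commands Reference Guide rather than on this page.

```shell
#!/bin/sh
# Added example (not NetBackup's own code): wrapper around the documented
# "nbcertcmd -createToken -name <token_name>" invocation.

# Command to invoke. Overridable so the functions can be exercised offline
# with a stand-in; the variable name is an assumption of this example.
NBCERTCMD="${NBCERTCMD:-nbcertcmd}"

# Extract the token value from output of the documented form
#   Token <VALUE> created successfully.
# Prints the value on stdout; returns 1 if no such line is present.
parse_token_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^Token \([A-Za-z0-9]\{1,\}\) created successfully\.$/\1/p' \
        | head -n 1 \
        | grep .
}

# Mask a token for logging: keep the first two characters so an operator can
# correlate it with the audit entry, replace the rest with '*'.
mask_token() {
    tok="$1"
    prefix=$(printf '%s' "$tok" | cut -c1-2)
    rest_len=$(( ${#tok} - 2 ))
    stars=""
    i=0
    while [ "$i" -lt "$rest_len" ]; do
        stars="${stars}*"
        i=$((i + 1))
    done
    printf '%s%s\n' "$prefix" "$stars"
}

# Create a token with the documented invocation and print only the token value.
# A blank (or whitespace-only) name is rejected before anything is run.
create_token() {
    name="$1"
    case "$name" in
        *[![:space:]]*) ;;
        *) echo "create_token: token name must not be blank" >&2; return 2 ;;
    esac
    out=$("$NBCERTCMD" -createToken -name "$name") \
        || { echo "create_token: $NBCERTCMD failed" >&2; return 1; }
    parse_token_output "$out" \
        || { echo "create_token: unexpected output: $out" >&2; return 1; }
}

# Usage when run directly:  ./mktoken.sh <token_name>
# Prints the masked value to stderr (safe for a shift log) and the full value
# to stdout, so it can be piped to the tool that conveys it to the host's admin.
if [ "$#" -gt 0 ]; then
    token=$(create_token "$1") || exit $?
    echo "created token $(mask_token "$token")" >&2
    printf '%s\n' "$token"
fi
```

Because the masked form goes to stderr and the full value to stdout, redirecting stdout to the secure channel used to convey the token keeps the audit trail readable without copying the secret into it.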