Setting up trust with the primary server (Certificate Authority)
Each NetBackup host must first trust the NetBackup primary server, which acts as the Certificate Authority (CA). Trust is essential so that the host can request a host ID-based certificate. The CA certificate can be used to authenticate other hosts in the domain, and is stored in the trust store of each host. Setting up trust involves requesting a certificate from the primary server.
See Automatic host ID-based certificate deployment.
Run the nbcertcmd -listCACertDetails command to see the list of CA certificates that are in the host's trust store. The output displays all of the primary servers that the host already trusts.
To establish trust with the primary server (CA)
- The host administrator must have the Root Certificate Fingerprint that was communicated to them through an authentic source. The source was most likely the primary server administrator, who communicated the fingerprint by email, by file, or on an internal website. The following topic describes that process:
See Finding and communicating the fingerprint of the certificate authority.
- From the NetBackup host, run the following command:
nbcertcmd -getCACertificate -server master_server_name
- In the confirmation output, enter y to proceed.
For example:
nbcertcmd -getCACertificate -server master1 Authenticity of root certificate cannot be established. The SHA1 fingerprint of root certificate is B8:2B:91:E1:4E:78:D2: 25:86:4C:29:C5:92:16:00:8D:E8:2F:33:DD.
Note:
Are you sure you want to continue using this certificate ? (y/n): y The validation of root certificate fingerprint is successful. CA certificate stored successfully.
- Next, the administrator performs the following task:
For information about this command, see the NetBackup Commands Reference Guide.
The NetBackup Administration Console and the Backup, Archive, and Restore user interfaces communicate with NetBackup hosts (primary server, media server, or client) over a secure channel. NetBackup secures this channel using a NetBackup host ID-based or a host name-based security certificate that the NetBackup Certificate Authority (CA) issues.
Figure: Message inquiring whether to add a Certificate Authority (CA) to the trust store displays in the NetBackup Administration Console in the following situation: A user is running the NetBackup Administration Console on a NetBackup host. The user tries to connect to another NetBackup host (a target host) using the NetBackup Administration Console. However, the CA that issued the security certificate to the target host is not in the trust store of the host where the user launched the console.
To verify the CA fingerprint that the dialog displays, see the following topic:
See Finding and communicating the fingerprint of the certificate authority.
If the user selects Yes in this message, the CA is added to the trust store of the host where the console is running. This host will then trust all hosts that have a certificate signed by the CA that is listed in the message.