Changing the key pair for a host
Consider changing a key pair only if a key is compromised or leaked. Changing a key pair results in both a new host ID-based certificate and a new host name-based certificate.
The following procedure describes changing a key pair for a host, and then getting a new certificate using the new key pair.
Perform this procedure only on a non-primary server host, never on a primary server.
To change a key pair for a host
1. The NetBackup host administrator backs up the following directories:
   On Windows: Install_path\NetBackup\var\VxSS\at\systemprofile
   On UNIX: /usr/openv/var/vxss/at/root
2. The NetBackup host administrator removes the directory from the host.
3. Restart the NetBackup services on the host.
4. The primary server administrator performs the following steps:
   - Log in to the NetBackup Web Management Service:
     bpnbat -login -logintype WEB
   - Revoke the host ID-based certificate:
     nbcertcmd -revokeCertificate -host host_name
   - Generate a reissue token for the NetBackup host where the key pair is to be changed.
   - Deploy a new host name-based certificate:
     bpnbaz -ProvisionCert host_name
5. The NetBackup host administrator uses the reissue token to deploy a new host ID-based certificate with an updated key pair.
   Use the following command to enter the token directly:
     nbcertcmd -getCertificate -force -token
   Use the following command if the token is in a file:
     nbcertcmd -getCertificate -force -file /directory/token_file
6. If the host has more than one primary server, repeat the process beginning at step 4 for each primary server.
7. Restart the NetBackup services on the NetBackup host where the key was changed.
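The backup and removal steps that open the procedure can be scripted on a UNIX host so that the key directory is removed only after a readable, owner-only backup exists. This is an added example, not Veritas code: the function name, the archive naming and the default backup location `/root/nbu-key-backup` are assumptions, and only the key directory path comes from the procedure.

```shell
#!/bin/sh
# Added example (not Veritas code): back up, verify, then remove the key directory.
# KEY_DIR is the UNIX path from the procedure; the backup location is an assumption.
KEY_DIR=/usr/openv/var/vxss/at/root

# backup_and_remove_keydir SRC_DIR BACKUP_ROOT
# Prints the archive path on success. On any failure it returns non-zero
# and leaves SRC_DIR in place.
backup_and_remove_keydir() {
    src=$1
    dest_root=$2

    # Refuse empty or "/" arguments so the final rm can never run on them.
    if [ -z "$src" ] || [ -z "$dest_root" ] || [ "$src" = "/" ]; then
        echo "usage: backup_and_remove_keydir SRC_DIR BACKUP_ROOT" >&2
        return 2
    fi
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }

    # The directory holds private key material: keep the backup owner-only.
    old_umask=$(umask)
    umask 077
    archive="$dest_root/at-keys-$(date +%Y%m%d%H%M%S).tar"
    if ! mkdir -p "$dest_root" ||
       ! tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")"; then
        umask "$old_umask"
        rm -f "$archive"
        return 1
    fi
    umask "$old_umask"

    # Remove the original only after the archive lists at least one entry.
    entries=$(tar -tf "$archive" | wc -l | tr -d ' ')
    [ "$entries" -gt 0 ] || { echo "backup unreadable: $archive" >&2; return 1; }

    rm -rf -- "$src" || return 1
    echo "$archive"
}

# Run only when asked explicitly: sh script.sh --run [BACKUP_ROOT]
if [ "${1:-}" = "--run" ]; then
    backup_and_remove_keydir "$KEY_DIR" "${2:-/root/nbu-key-backup}"
fi
```

The script covers only the backup and removal; the service restarts and the certificate commands are still run by the respective administrators as listed in the procedure.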