Migrating NetBackup CA when the entire NetBackup domain is upgraded
With the NetBackup 8.3 upgrade, a new root CA with a key strength of 2048 bits is deployed by default and the CA migration process is initiated automatically. You can also set the NB_KEYSIZE environment variable to a value larger than 2048 bits before installation or upgrade.
Note:
If you have media servers earlier than NetBackup 8.2 that are configured as cloud storage servers, the CA migration process is not initiated. Ensure that all NetBackup hosts are upgraded to 8.3 or later for successful host communication.
When all hosts in your NetBackup domain are upgraded to NetBackup 8.3 or later, use the following procedure to complete the CA migration process:
To migrate NetBackup CA when all hosts are upgraded to NetBackup 8.3
- Run the following command to ensure that all hosts have the new CA certificates in their trust stores.
nbseccmd -nbcaMigrate -hostsPendingTrustPropagation
Ensure that the command returns zero (0) hosts as the output.
For information about commands, see the NetBackup Commands Reference Guide.
- Run the following command to activate the new CA so that it starts issuing NetBackup certificates:
Warning:
If one or more NetBackup hosts are at 8.2 or earlier versions, backups of such hosts fail after activation. Therefore, you must ensure that all NetBackup hosts in the domain are upgraded to 8.3 before activating the new CA.
nbseccmd -nbcaMigrate -activateNewCA
- Run the following command to ensure that all hosts have certificates that the new CA has renewed:
nbseccmd -nbcaMigrate -hostsPendingRenewal
Ensure that the command returns zero (0) hosts as the output.
- Restart the NetBackup Messaging Broker (nbmqbroker) service on this host.
- Run the following command to complete the CA migration process:
nbseccmd -nbcaMigrate -completeMigration
- After completing the NetBackup CA migration process and ensuring that the hosts use certificates that the new CA has issued, you can safely decommission the old NetBackup CA.
This clean-up task is optional.
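The two zero-host checks in the procedure above can be enforced by a wrapper so that activation and completion cannot run early; the following is an added example, not Veritas code. It assumes the pending-host queries print one host per line and nothing when no host is pending, and the function names and the NBSECCMD and NBMQBROKER_RESTARTED variables are hypothetical.

```shell
#!/bin/sh
# Added example (not Veritas code): refuse the state-changing CA migration steps
# unless the pending-host checks from the procedure pass.
NBSECCMD="${NBSECCMD:-nbseccmd}"   # hypothetical override for the binary path

# ASSUMPTION: a pending-host query prints one host per line and nothing when no
# host is pending. Any other non-blank output counts as pending (fails closed).
pending_count() {
    out=$("$NBSECCMD" -nbcaMigrate "$1") || return 2   # the query itself failed
    printf '%s\n' "$out" | awk 'NF { c++ } END { print c + 0 }'
}

# $1 = query option from the procedure, $2 = what the hosts are waiting for
require_zero() {
    n=$(pending_count "$1") || { echo "query $1 failed; stopping" >&2; return 1; }
    [ "$n" -eq 0 ] && return 0
    echo "$n host(s) still pending $2; stopping" >&2
    return 1
}

activate_new_ca() {
    require_zero -hostsPendingTrustPropagation "trust propagation" || return 1
    "$NBSECCMD" -nbcaMigrate -activateNewCA
}

complete_migration() {
    require_zero -hostsPendingRenewal "certificate renewal" || return 1
    # The nbmqbroker restart is platform-specific, so the operator performs it
    # and confirms it through this (hypothetical) variable.
    if [ "${NBMQBROKER_RESTARTED:-no}" != yes ]; then
        echo "restart nbmqbroker on this host, then set NBMQBROKER_RESTARTED=yes" >&2
        return 1
    fi
    "$NBSECCMD" -nbcaMigrate -completeMigration
}

# Entry point: "activate" or "complete"; with no argument nothing is executed.
case "${1:-}" in
    activate) activate_new_ca ;;
    complete) complete_migration ;;
esac
```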