Generating a certificate on a clustered primary server after disaster recovery installation
After you complete the disaster recovery of a clustered primary server, you must generate a certificate on the active node as well as all inactive nodes. Additionally, failover to the secondary node is expected behavior in a cluster environment. This procedure is required for successful backups and restores of the cluster.
For additional information on deploying certificates on primary server nodes see the NetBackup Security and Encryption Guide.
Generating the local certificate on each cluster node after disaster recovery installation
- Add all inactive nodes to the cluster.
If all the nodes of the cluster are not currently part of the cluster, start by adding them to the cluster. Consult with your operating system cluster instructions for assistance with this process.
More information about supported cluster technologies is available. See the NetBackup Clustered Primary Server Administrator's Guide.
- Run the nbcertcmd command to store the Certificate Authority certificate.
UNIX: /usr/openv/netbackup/bin/nbcertcmd -getCACertificate
Windows: install_path\NetBackup\bin\nbcertcmd -getCACertificate
- Use the bpnbat command as shown to authorize the necessary changes. When you are prompted for the authentication broker, enter the virtual server name, not the local node name.
bpnbat -login -loginType WEB
- Use the nbcertcmd command to create a reissue token. The hostname is the local node name. When the command runs, it displays the token string value. A unique reissue token is needed for each cluster node.
nbcertcmd -createtoken -name token_name -reissue -host hostname
- Use the reissue token with the nbcertcmd command to store the host certificate. This command prompts you for the token string value. Enter the token string from the nbcertcmd -createToken command.
nbcertcmd -getCertificate -token