nbcertcmd — NetBackup 8.1.2 | Cohesity Documentation

Name

nbcertcmd — request and manage the host ID-based security certificates and tokens that are used to authorize certificate requests.

SYNOPSIS

nbcertcmd
-cleanupToken [-server master_server_name]

nbcertcmd -createCertRequest -requestFile request_file_name [-servermaster_server_name]

nbcertcmd
-createToken -name token_name [-reissue -host host_name | -hostId host_id] [-maxUses number] [-validFor numDnumHnumM] [-reason description_for_auditing] [-server master_server_name]

nbcertcmd -checkClockSkew [-server master_server_name]

nbcertcmd -deleteAllCertificates

nbcertcmd -deleteCertificate -hostId host_id [-cluster]

nbcertcmd
-deleteToken -name token_name [-reason description_for_auditing] [-server master_server_name]

nbcertcmd -deployCertificate -certificateFile certificate_file_name

nbcertcmd -displayCACertDetail [-server master_server_name] [-json | -json_compact]

nbcertcmd -displayToken -name token_name [-json | -json_compact] [-server master_server_name]

nbcertcmd -getCACertificate [-file hash_file_name] [-cluster] [-server master_server_name]

nbcertcmd -getCertificate [-token | -envtoken environment_variable | -file authorization_token_file] [-force] [-cluster] [-server master_server_name] [-json | -json_compact]

nbcertcmd -getCRL [-server master_server_name] [-cluster]

nbcertcmd -getSecConfig -certDeployLevel [-server master_server_name]

nbcertcmd -hostSelfCheck [-cluster] [-server master_server_name]

nbcertcmd -listAllCertificates [-jks]

nbcertcmd -listAllDomainCertificates [-json | -json_compact] [-server master_server_name]

nbcertcmd -listCACertDetails [-json | -json_compact] [-cluster]

nbcertcmd -listCertDetails [-json | -json_compact] [-cluster]

nbcertcmd -listToken [-all] [-json | -json_compact] [-server master_server_name]

nbcertcmd -removeCACertificate -fingerPrint certificate_fingerprint [-cluster]

nbcertcmd -renewCertificate [-host host_name] [-cluster] [-server master_server_name]

nbcertcmd
-revokeCertificate -host host_name | -hostId host_id [-reasonCode value] [-server master_server_name]

nbcertcmd -setSecConfig -certDeployLevel level [-server master_server_name]

nbcertcmd -signCertificate -token | -file authorization_token_file-requestFile request_file_name -certificateFile certificate_file_name

On UNIX systems, the directory path to this command is /usr/openv/netbackup/bin/

On Windows systems, the directory path to this command is install_path\NetBackup\bin\

DESCRIPTION

The nbcertcmd command is used to request and manage host ID-based security certificates on each NetBackup host. A NetBackup host can be a master server, media server, or client.

This command is also used to create and manage the authorization tokens that may be required to request certificates for NetBackup hosts.

Additionally the command is used to set and retrieve the security configuration attributes.

The Privilege details table lists the operations that require administrator privileges and also the operations that do not require special privileges.

Table: Privilege details

Commands that require NetBackup administrator privileges	-cleanupToken, -createToken, -deleteToken, -displayToken, -hostSelfCheck, -listAllDomainCertificates, -listToken, -revokeCertificate, and -setSecConfig Note: These operations require a bpnbat web log-on (bpnbat -login -logintype WEB) using an account that has NetBackup administrator privileges.
Commands that require host administrator privileges	-createCertRequest, -deleteAllCertificates, -deleteCertificate, -deployCertificate, -displayCACertDetail, -getCACertificate, -getCertificate, -getCRL, -listAllCertificates, -listCertDetails, -removeCACertificate, and -renewCertificate
Commands that do not require special privileges	-checkClockSkew, -getSecConfig, -listCACertDetails, and -signCertificate.

For more information about host ID-based security certificates and authorization tokens, see the NetBackup Security and Encryption Guide.

The nbcertcmd supports the following operations:

-cleanupToken	Deletes the tokens that have reached their maximum usage count or have expired.
-createCertRequest	Generates a host ID-based security certificate signing request on the NetBackup host and saves it into the specified file. The command should be used on the NetBackup host when there is no connectivity with the master server. The command must be executed on the NetBackup host for which you want to request the certificate. Use the - server option to specify the master server name in the certificate signing request. This name is the master server from which the NetBackup host expects the certificate.
-createToken	Creates a token for authorizing certificate requests.
-checkClockSkew	Displays the time difference (in seconds) between the current host and the master server.
-deleteAllCertificates	Deletes all security certificates and keys that are available on the NetBackup host. This option is only applicable on media servers and clients.
-deleteCertificate	Deletes the security certificate of the NetBackup host that is associated with the specified host ID and removes the specified host ID entries from the `CertMapInfo.json` file. This option is available on all NetBackup hosts.
-deleteToken	Deletes the specified token.
-deployCertificate	Reads the host security certificate from the specified certificate file and deploys it on the NetBackup host. The command must be executed on the NetBackup host on which the certificate signing request was generated.
-displayCACertDetail	Displays the CA certificate details from the specified master server.
-displayToken	Displays the attributes and the value of a specified token.
-getCACertificate	Connects to the master server and gets the certificate of the Certificate Authority (CA). It then displays the fingerprint of the certificate and adds it to the local trust store after confirmation from the user.
-getCertificate	This option performs the following actions: Requests a host ID-based security certificate for the NetBackup host from the master server. Adds the certificate to the local certificate store. Fetches the latest certificate revocation list (CRL) and security level from the master server.
-getCRL	Fetches the latest certificate revocation list from the master server. You can use the - server option to specify an alternate master server. Use the -cluster option to fetch the latest CRL from the global certificate store.
-getSecConfig	Retrieves the specified security configuration attribute.
-hostSelfCheck	Indicates if the host's certificate is revoked or not revoked in the local certificate revocation list (CRL). To ensure that you have the latest CRL information, first run nbcertcmd -getCRL.
-listAllCertificates	Lists the details of all security certificates that are available on the NetBackup host.
-listAllDomainCertificates	Requests all of the security certificates for the domain from a NetBackup master server. By default, this operation uses the first server entry in the NetBackup configuration (`bp.conf`). You can use the - server option to specify an alternate master server.
-listCACertDetails	Lists the details of trusted CA certificates that are stored in the local trust store of the NetBackup host.
-listCertDetails	Lists the certificate details for each security certificate that is deployed on the NetBackup host.
-listToken	Lists the tokens. The option does not display the token value.
-removeCACertificate	Removes the CA certificate from the trust store whose fingerprint matches the input fingerprint. Use the -listCACertDetails option to view fingerprint of existing CA certificates.
-renewCertificate	Renews an existing NetBackup host ID-based security certificate. Use the -host option to change primary name of host.
-revokeCertificate	Revokes a host ID-based security certificate. The NetBackup host can no longer use the certificate to communicate with the master server.
-setSecConfig	Sets the specified security configuration attribute.
-signCertificate	Reads the certificate signing request from the specified request file and sends it to the master server that is listed in the signing request. The signed certificate is stored in the specified certificate file. The command must be executed on the NetBackup host which has connectivity with the master server.

Note:

Clustered NetBackup hosts have two certificate stores, a local certificate store and a global certificate store. The command operates on the local certificate store by default, unless the -cluster option is specified.

Note:

Please be aware the nbcertcmd command does not support non-US ASCII (non-7 bit ASCII) characters for user-defined strings.

OPTIONS

-all

Displays all tokens, including the tokens that have reached their maximum usage count or have expired.

-certDeployLevel level

Specifies the certificate's deployment level. The option is applicable for both the -getSecConfig and -setSecConfig commands. The -setSecConfig command requires that you specify a level. Certificate deployment levels for the -setSecConfig parameter are:

0 - Very High: Automatic certificate deployment is disabled.

1 - High: Certificates are automatically deployed to known hosts.

2 - Medium: Certificates are automatically deployed to all requesting hosts.

-certificateFile certificate_file_name

Specifies the path of the certificate file.

-cluster

Performs the operation on the global certificate store.

-envtoken environment_variable

Indicates the name of an environment variable that contains the authorization token to be used for the request.

-file file_name

Specifies the path of the file containing either the authorization token (on the first line) or the CA certificate hash.

-fingerPrint certificate_fingerprint

Specify the CA certificate fingerprint.

-force

Overwrites the certificate if it exists.

-host host_name

Specifies the host name.

-hostId host_id

Specifies the NetBackup host ID.

-jks

Displays the Tomcat certificate information from Java keystore. This option is available only on the NetBackup master server.

-json

Generates output data in json format that spans multiple lines.

-json_compact

Generates output data in json format on a single line.

-maxUses number

Specifies the maximum usage count of the token. If this option is not specified, the default value is 1. The maximum value for maxUses is 99999.

-name token_name

Specifies the token name.

-reason description_for_auditing

Specifies the reason that is stored in the audit record for this operation.

-reasonCode value

Specifies a reason code for revocation of a certificate. The values that are shown are the only valid numbers for the -reasonCode value:

0 - Unspecified, 1 - Key Compromise, 2 - CA Compromise, 3 - Affiliation Changed, 4 - Superseded, 5 - Cessation of Operation

-reissue

Creates a token that can be used to reissue a certificate. Use this option with either the -host option or the -hostID option.

-requestFile file_name

Specifies the path of the certificate request file.

-server master_server_name

Specifies an alternate master server. By default, this command uses the first server entry in the NetBackup configuration.

-token

Indicates that an authorization token is used for the request. Prompts the user to securely specify a token.

-validFor numDnumHnumM

Specifies the validity of the token. Input format for this value should be for number of days, hours, and minutes. For example, 12D6H30M, would have a validity of 12 days, 6 hours, and 30 minutes. You can choose to specify one or more values. If this option is not specified, the default value is 24 hours. Please note that if you want to set the validity of the token to 12 hours, you don't need to specify values for days or minutes. You can specify 12H. The maximum validity period that you can specify is 999 days.

EXAMPLES

Example 1: Create a token to request a certificate re-issue.

# nbcertcmd -createToken -name acme01_HR05 -reissue -validFor 10D -host HRfileserver.acme.com -reason "issued token on request of Alice through email dated 12/08/2016"

Token XXXXXXXXXXXXXXXX created successfully.

Example 2: Obtain a certificate from a specified master using a token

# nbcertcmd -getCertificate -token -server nbmaster01.acme.com

Authorization Token: 
Host certificate received successfully from server nbmaster01.acme.com.

Example 3: Request and deploy a certificate on a NetBackup host that has no connectivity with the master server.

Run the command that is shown on the NetBackup host that has no connectivity with the master server:
# nbcertcmd -createCertRequest -requestFile /tmp/request_file_name -server master.servername
Host certificate request generated successfully.
Copy the /tmp/request_file_name to a NetBackup host that has connectivity with the master server and run the command that is shown on that NetBackup host:
# nbcertcmd -signCertificate -file authorization_token_file -requestFile /tmp/request_file_name -certificateFile /tmp/signed_certificate
```
Sending certificate request to server: master.servername

Host certificate request signed successfully.
```

Copy the /tmp/signed_certificate to the original NetBackup host where the request file (/tmp/request_file_name) was generated and run the command shown:

# nbcertcmd -deployCertificate -certificateFile /tmp/signed_certificate
Deploying certificate from master server: master.servername

Host certificate deployed successfully