NBU ADVISORY: If a self-signed certificate for NBAC (NetBackup Access Control) generated by the root broker is not updated before its expiry date - potentially 8 years from its generation - any credentials issued from its associated authentication brokers may become untrustworthy and unusable because the root signing authority is no longer valid.

Article:TECH126122  |  Created: 2010-01-07  |  Updated: 2010-01-07  |  Article URL http://www.symantec.com/docs/TECH126122
Article Type
Technical Solution

Problem

NBU ADVISORY: If a self-signed certificate for NBAC (NetBackup Access Control) generated by the root broker is not updated before its expiry date - potentially 8 years from its generation - any credentials issued from its associated authentication brokers may become untrustworthy and unusable because the root signing authority is no longer valid.

Solution

Overview:
An authentication hierarchy has two certificate (credential) issuing authorities: one Root Broker (RB) and one or more Authentication Brokers (AB). The RB operates with a self-issued certificate and the AB(s) operate with a certificate issued by the RB. These certificates are created when the brokers are installed and originally have a maximum validity period of eight (8) years. All certificates issued by a broker cease to be valid after the expiry of the broker's certificate.

All authentication clients store a copy of the Root certificate in their trusted certificate store and use it to validate the user and service certificates issued by the authentication brokers in the Root hierarchy. If the Root certificate in the trusted store of an authentication client expires, the client will reject all secure connection attempts from peers holding certificates issued by that Root hierarchy.

In the case of NetBackup hosts configured to use NetBackup Access Control (NBAC), expiration of the Root certificate will result in the failure of all connections to these hosts.

To avoid any interruption in service, all broker certificates need to be renewed before they expire. Once the broker certificates have been renewed, the authentication clients on all NetBackup hosts need to re-establish trust with any broker to fetch and add the new Root certificate to their trusted store.

The update of the authentication clients does not need to be performed immediately after the broker certificate renewal as the authentication client will continue to function while the old Root certificate in its trusted certificate store is valid.

Determining the expiry date of broker certificates
Brokers in Root+AB mode
The expiry date of the Root certificate can be determined by executing vssat showalltrustedcreds. The Root certificate has a User Name of root and Domain Name of root@<RootBrokerHost>. The expiry date of the AB certificate can be determined by executing vssat showcred. The AB certificate has User Name of broker and Domain Name of root@<RootBrokerHost>.

Brokers in Root only mode
The expiry date of the Root certificate can be determined by executing vssat showalltrustedcreds. The Root certificate has a User Name of root and Domain Name of root@<RootBrokerHost>.

Brokers in AB only mode
The expiry date of the AB certificate can be determined by executing vssat showcred. The User Name of the AB certificate will be the name that was specified during installation and Domain Name will be root@<RootBrokerHost>.

Example command output:
# vssat showalltrustedcreds

showalltrustedcreds
----------------------
----------------------


*************************************
User Name:      root
Domain Name:    root@my.example.box
Domain Type:    vx
Issued By:      /CN=root/OU=root@my.example.box/O=vx
Issued To:      /CN=root/OU=root@my.example.box/O=vx
Friendly Name:
Serial Number:  00000015
Root Credential:        1
Trusted Credential:     0
Expiry Interval Sep 17 19:11:05 2029 GMT
Group Information:
Group Count:    0
Certificate Hash        6724d27bfd3a02e2998a468bcb5ef7b1f6e1b12c

----------------------

# vssat showcred

showcred
----------------------
----------------------

Found:  50

...

*************************************
User Name:      broker
Domain Name:    root@my.example.box
Domain Type:    vx
Issued By:      /CN=root/OU=root@my.example.box/O=vx
Issued To:      /CN=broker/OU=root@my.example.box/O=vx
Friendly Name:
Serial Number:  00000016
Root Credential:        0
Trusted Credential:     0
Expiry Interval Sep 17 19:11:05 2029 GMT
Group Information:
Group Count:    0
Certificate Hash        09e9862f8306156549b0ec1f624cd11907fe0cdc

...
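To turn listings like the two above into an expiry check, the following script is an added example (it is not part of the Symantec article and is not a vssat feature): it parses credential blocks in the vssat showcred / showalltrustedcreds layout and flags any certificate that has already expired or lies inside the one-year window in which an enhanced broker would attempt auto-renewal. The embedded sample output is constructed, not captured from a real broker.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of vssat showalltrustedcreds (not captured from a real broker).
SAMPLE_OUTPUT = """\
showalltrustedcreds
----------------------
*************************************
User Name:      root
Domain Name:    root@my.example.box
Root Credential:        1
Expiry Interval Sep 17 19:11:05 2029 GMT
*************************************
User Name:      broker
Domain Name:    root@my.example.box
Root Credential:        0
Expiry Interval Jan 05 08:00:00 2011 GMT
*************************************
User Name:      old-ab
Domain Name:    root@legacy.example.box
Root Credential:        0
Expiry Interval Dec 31 23:59:59 2009 GMT
"""

# Each credential is printed after a line of asterisks; only these four fields are needed here.
RECORD_SEP = re.compile(r"^\*{5,}\s*$", re.MULTILINE)
FIELD = re.compile(r"^(User Name|Domain Name|Root Credential|Expiry Interval):?\s+(.+?)\s*$",
                   re.MULTILINE)


def parse_vssat_creds(text):
    """Return one dict per credential block; text before the first '****' line is the banner."""
    creds = []
    for chunk in RECORD_SEP.split(text)[1:]:
        fields = dict(FIELD.findall(chunk))
        if "Expiry Interval" not in fields:
            continue  # not a credential block (e.g. the 'Found:' summary)
        fields["expires"] = datetime.strptime(fields["Expiry Interval"], "%b %d %H:%M:%S %Y GMT")
        creds.append(fields)
    return creds


def expiry_report(text, now_iso, warn_days=365):
    """Map (user, domain) -> 'expired' | 'renew' | 'ok' relative to now_iso (YYYY-MM-DD).
    The default window matches the one-year lead time of the broker's automatic renewal."""
    now = datetime.fromisoformat(now_iso)
    report = {}
    for c in parse_vssat_creds(text):
        remaining = c["expires"] - now
        status = ("expired" if remaining <= timedelta(0)
                  else "renew" if remaining <= timedelta(days=warn_days) else "ok")
        report[(c["User Name"], c["Domain Name"])] = status
    return report
```

Pipe the real command output into expiry_report (e.g. via sys.stdin.read()) and act on any credential reported as "renew" before it turns "expired".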

Renewing broker certificates

The capability to renew broker certificates is included in the following NetBackup releases:

  • NetBackup 6.0 Maintenance Pack 7 Special Update 2 (MP7 S02)
  • NetBackup 6.5 Release Update 4 (6.5.4)
  • NetBackup 7.0

The enhanced authentication brokers keep track of the validity period of their own certificates and automatically attempt to renew their certificates one year before the expiry of the existing certificates. Broker certificate renewal can also be triggered manually. The validity period of the renewed certificates is increased to 20 years from the time of renewal.

Note: The following instructions specify usage of the vssat and vxatd (broker) commands. If these commands aren't found in the path, navigate to the following locations to find them:
UNIX/Linux: /opt/VRTSat/bin
Windows: <install_path>\VERITAS\Security\Authentication\bin (<install_path> is commonly C:\Program Files but may vary depending on your installation)

First, ensure that the broker supports the certificate renewal feature.

Execute vssat showversion to determine the version of the authentication service.  The minimum required versions are:
  • 4.2.2.47
  • 4.3.42.0
  • 5.0.31.0
Upgrade the broker if required.

Note: If a version 4.4.x.x of the authentication service has been installed from another product, it is not supported for certificate renewal at this time.  Please contact Symantec technical support for assistance.

To manually trigger broker certificate renewal on the Root broker:

Note: The Root broker certificate should be renewed first; then, the AB(s).  If there is a single authentication broker running in Root+AB mode, both certificates will be renewed at the same time and only this procedure will need to be followed.

1. Shut down the broker service:

UNIX/Linux:
Execute /etc/rc2.d/K99vxatd stop or use bpps -x to find the process ID of vxatd and send a SIGTERM signal to it by executing kill -s SIGTERM <pid>

Windows:
Stop the Symantec Product Authentication Service (Note: Some older versions will have the service name Veritas Authentication Service) or, from a command prompt, issue a net stop vrtsat command.

2. Find out the broker mode:

Execute vssat showbrokermode and examine the output.

Example command output:
# vssat showbrokermode

showbrokermode
----------------------
----------------------

Broker mode is :        3

A value of 0 means the broker is unconfigured.  (This value shouldn't be returned.)
A value of 1 means the broker is running in AB only mode.
A value of 2 means the broker is running in Root only mode.
A value of 3 means the broker is running in Root+AB mode.

3. For a broker in Root+AB mode, execute vxatd -o -a -r -w.
For a broker in Root only mode, execute vxatd -o -r -w.

4. Start the broker service:
UNIX/Linux: execute vxatd or /etc/rc2.d/S70vxatd start.
Windows: Start the Symantec Product Authentication Service or from a command line prompt, run net start vrtsat.


To manually trigger broker certificate renewal on a standalone AB:

Note: This procedure will need to be followed on each AB in the environment.  Do not perform this procedure until the Root Broker certificate renewal is complete!

1. Re-establish trust with the Root broker by executing vssat setuptrust --broker <RootBrokerHost> --securitylevel high.

The Authentication Service Administrator's Guide (linked below) may be consulted for more details about this command.

2. Shut down the broker service:
UNIX/Linux:
Execute /etc/rc2.d/K99vxatd stop or use bpps -x to find the process ID of vxatd and send a SIGTERM signal to it by executing kill -s SIGTERM <pid>.

Windows:
Stop the Symantec Product Authentication Service (Note: Some older versions will have the service name Veritas Authentication Service) or, from a command prompt, issue a net stop vrtsat command.

3. Execute vxatd -o -a -w.

4. Start the broker service:
UNIX/Linux: execute vxatd or /etc/rc2.d/S70vxatd start.
Windows: Start the Symantec Product Authentication Service or from a command line prompt, run net start vrtsat.

Updating the trusted certificate store on NetBackup hosts
Once the broker certificates have been renewed (manually or automatically), all NetBackup hosts configured to use NBAC must re-establish trust with a broker before the Root certificate in their trusted certificate store expires.

Details of the trusted broker certificates on a NetBackup host can be viewed by executing bpnbat -ShowBrokerCerts.

To re-establish trust with a broker on a NetBackup host, perform either of these two alternatives:

1. Manually log in to the host and execute bpnbat -GetBrokerCert <broker_host> <broker_port>. (If the broker_port is 0, bpnbat will attempt to contact the broker on port 2821, the default port.)

Note: bpnbat can be found in /opt/openv/netbackup/bin (UNIX/Linux) or <install_path>\VERITAS\NetBackup\bin (Windows).

OR

2. Run the NetBackup certificate update utility (nbcertupdater) on the NetBackup master server and specify the NetBackup hosts to be updated. This utility can remotely update the trusted Root certificate on a specified set of NetBackup hosts.

Note: nbcertupdater can be found in /opt/openv/netbackup/bin/admincmd (UNIX/Linux) or <install_path>\VERITAS\NetBackup\bin\admincmd (Windows).

More information on the usage and syntax of nbcertupdater can be found in the related documentation linked below.

Legacy ID

345042