NetWorker: How to Resolve the Authentication Issue

Client side:

1. To manually delete peer information, run the following from an admin or root command prompt on the system:

   nsradmin -p nsrexec
   nsradmin> p type: nsr peer information
   nsradmin> delete
   then Yes

Backup Server side:

2. To manually delete peer information, run the following from an admin or root command prompt on the Server:

   nsradmin -p nsrexec
   nsradmin> p type: nsr peer information; name: client_name
   nsradmin> delete
   then Yes

3. nsradmin -p nsrexecd -s <server_name> (if this test passes then we are good to initiate backup else again flow above action then perform these two tasks at backup server end).

4. Run a Client initiated Backup from the client side to be more sure after the connection is getting established.
   Command: save -s server_name saveset_id -b pool_name (path of saveset)

   NOTE: If Backup still failing then follow the end Further Troubleshooting steps at the End.
   NOTE: We have observed that some issues do not resolve after following the action plan. In those scenarios, we can follow the below alternative action plan.

Workaround:
The action plan below is for scenarios where the backup server and client/server are updated from an older version of NetWorker. The clients nsladb must be updated so it is only using nsrauth. We have observed that few clients are not supported.

From the command line on the NetWorker server run:

C:\>nsradmin -p nsrexec
NetWorker administration program.
Use the "help" command for help.
nsradmin> . type:nsrla
Current query set
nsradmin> show auth methods
nsradmin> print auth methods: "0.0.0.0/0,nsrauth/oldauth";
nsradmin> update auth methods: "0.0.0.0/0,oldauth"
Update? y
updated resource id2.0.88.1.53.127.23.68.24.141.134.206(32)
nsradmin> print authmethods: "0.0.0.0/0,oldauth";
nsradmin> quit

Stop and Restart the NetWorker services/daemons on the NetWorker server.

nsrauth: The nsrauth authentication mechanism is enabled by default. It is strong authentication that is based on the Secure Sockets Layer (SSL) protocol. This is provided by the OpenSSL library. NetWorker hosts and NetWorker user permissions are authenticated by using nsrauth.

oldauth: For compatibility with earlier NetWorker releases, oldauth authentication is supported.
If two hosts cannot authenticate by using strong authentication (nsrauth), you can enable authentication by using oldauth.
You can specify the minimum authentication strength that is allowed for any host relationship.

For compatibility with earlier NetWorker releases, NetWorker supports oldauth authentication.
It is recommended that you use nsrauth authentication and only enable oldauth authentication when two hosts cannot authenticate by using nsrauth.
The oldauth authentication method is not secure.

When you specify more than one authentication method, NetWorker attempts to communicate with the first method in the list.

If the first method fails, then NetWorker attempts to communicate by using the second method in the list.

When NSRLA corruption occurs:
The nsrexecd program creates new local host credentials on a host. The nsrauth process rejects all connection attempts between the host and other hosts in the datazone that have communicated with the host before the corruption.

The nsrauth process rejects the connection because information in the NSR Peer Information resource for the host differs from the new local host credentials that the host provides when it tries to establish a connection.

To resolve this issue, import a copy of the local host credentials for the host into the local NSRLA resource.

This workaround ensures that the local host credentials for the host match the information that is stored in the NSR Peer Information resource on all other hosts in the datazone.

Deleting the NSR Peer Information resource by using NMC:

Use NMC to connect to the NetWorker server and delete the NSR Peer Information resource for a NetWorker host.

The account that you use to connect to the NetWorker server must have permission to access the NSRLA database on the target host.

You cannot use NMC to delete the NSR Peer Information resource for a NetWorker host that does not have an existing client resource that is configured on the NetWorker server.

Procedure:

1. On the Administration window, select Hosts. The Hosts Management window appears.

2. Right-click the NetWorker host with the NSR Peer Information resource that you want to delete, and then select Host Details.

   Note: The NetWorker host does not appear in the Local Hosts section when a client resource does not exist on the NetWorker server. The Certificate window displays a list of NSR Peer Information resources stored in the nsrexec database on the host.

3. In the Certificate pane, right-click the certificate that you want to delete, and then select Delete.

4. When prompted to confirm the delete operation, select Yes. If you receive the error, User username on machine hostname is not on the administrator list, you cannot modify the resource until you configure the NSRLA access privileges on the target host. The section "Configuring NSRLA access privileges" provides more information.

Results:
The target host creates a new NSR Peer Information resource for the initiating host the next time that the initiating host attempts to establish a connection with the target host.
Deleting the NSR Peer Information resource by using nsradmin
To delete the NSR Peer Information resource for the initiating host, use the nsradmin command on the target host.