Unable to decrypt: BAD_DATA error message in NMC UI after a NetWorker server migration

• The NetWorker server was migrated to a new hardware
• nsrdr was performed to bring back the NetWorker configuration: NetWorker: NetWorker Server Disaster Recovery (NSRDR)
• Password was assigned to fields of some NetWorker resources
• In the NetWorker Management Console (NMC), the following error appears when clicking some of the NetWorker resources.

The "BAD_DATA" error can occur due to lockbox issues, such as corruption or when the NetWorker server is migrated, moved, or reinstalled without restoring the lockbox. The current lockbox does not have the passwords stored that match the user or password in the NetWorker Server Resource Database (nsrdb), hence the BAD_DATA error.

To resolve the BAD_DATA error message, replace the current lockbox with the original lockbox from the NetWorker server prior to an nsrdr or migration. On a Linux NetWorker server, export the original lockbox using the nsr_prep_lb command. See the NetWorker Security Configuration Guide for instructions on how to export the lockbox. NetWorker documentation is available through: Support for NetWorker | Manuals & Documents.

You can also view this video on YouTube.

How to reset the passwords in the NetWorker Server Resource Database (nsrdb).

1. Create an input file with the names of passwords that must be cleared in nsrdb.  Create a file called "pass.txt" that contains the following lines:

update password: ;
y
update management password: ;
y
update NAS management password: ;
y
update NAS file access password: ;
y
update Authentication Key: ;
y
update VMWS user password: ;
y
update EBR Password: ;
y
update REST Services Password: ;
y
update vCenter Password: ;
y
update Privacy Key: ;
y
update datazone pass phrase: ;
y

2. Stop NetWorker services.

Linux: systemctl stop networker or nsr_shutdown
Windows:  net stop nsrexecd /y

3. Make a copy of nsrdb. Call this nsrdb.beforepassclean.

Linux: cp -R /nsr/res/nsrdb /nsr/res/nsrdb.beforepassclean
Windows (Assuming default install path): C:\Program Files\EMC NetWorker\nsr\res\nsrdb. Use Windows File Explorer to create a copy of this folder.

4. Run nsradmin command with the input file pass.txt.

Linux: nsradmin -i pass.txt -d /nsr/res/nsrdb
Windows: nsradmin -i pass.txt -d "C:\Program Files\EMC Networker\nsr\res\nsrdb"

5. Make another copy of the modified nsrdb. Call this  nsrdb_passwordblank. Rename the dbg folder under nsrdb if there is any.

6. Start the NetWorker service.

Linux: systemctl start networker
Windows: net start nsrd
Windows (if NMC is installed on the same host): net start gstd

7. Launch NMC and reenter the password that was assigned to the NetWorker resource.

Change the ownership of nsrdb

On a Windows NetWorker server, the ownership of the modified nsrdb files is changed from Administrators (the group) to the user account that renamed the folder. This can corrupt NetWorker databases if services are started with incorrect file ownership. The result is that corrupted files are moved to the ..\nsr\res\nsrdb\dbg folder. Before starting NetWorker services on Windows, set all file permissions under nsrdb to be owned by the Administrators group, not the user.

Open "C:\Program Files\EMC Networker\nsr\res\nsrdb" from the File Explorer and set the ownership for all files and child objects to Administrators.

1. From Windows File Explorer, right click the C:\Program Files\EMC NetWorker\nsr\res\nsrdb folder
2. Select Properties.
3. Click the "Security" tab.
4. Click "Advanced"
5. In Owner, click "Change"

 

6. In the "Enter the object name to select" box, type: Administrators, then click "Check Names." (Sometimes you must use the computer name, like AMER\Administrators.)
7. Click OK

 

8. Put a checkmark in the "Replace all child object permission entries…"  and "Replace owner on subcontainers and objects" box.
9. Click "Apply," then click "Yes" for "Do you wish to continue?" box.
10. Click "OK"

 

11. Return to step 6 in the Resolution field.