EMC Avamar 4.1 Product Security Manual
EMC AVAMAR 4.1
PRODUCT SECURITY MANUAL
P/N 300-007-039
REV A01
EMC CORPORATION
CORPORATE HEADQUARTERS: HOPKINTON, MA 01748-9103
1-508-435-1000
WWW.EMC.COM
Copyright and Trademark Notices
This document contains information proprietary to EMC. Due to continuing product development, product specifications and capabilities are subject to change without notice. You may not disclose or use any proprietary information or reproduce or transmit any part of this document in any form or by any means, electronic or mechanical, for any purpose, without written permission from EMC.
EMC has made every effort to keep the information in this document current and accurate as of the date of publication or revision. However, EMC does not guarantee or imply that this document is error free or accurate with regard to any particular specification. In no event will EMC be liable for direct, indirect, incidental or consequential damages resulting from any defect in the documentation, even if advised of the possibility of such damages. No EMC agent or employee is authorized to make any modification, extension or addition to the above statements.
EMC may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. The furnishing of this document does not provide any license to these patents, trademarks, copyrights or other intellectual property.
The Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes no liability for any claim that may arise regarding this incorporation. In addition, EMC disclaims all warranties, both express and implied, arising from the use of Open Transaction Manager. Copyright 1999-2002 Columbia Data Products, Inc. Altamonte Springs. All rights reserved.
Avamar, RAIN and AvaSphere are trademarks or registered trademarks of EMC in the US and/or other countries.
All other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies. All information presented here is subject to change and intended for general information.
Copyright 2002-2008 EMC. All rights reserved.
Protected by US Patents No. 6,704,730, 6,810,398 and patents pending.
Printed in the USA.
TABLE OF CONTENTS
Foreword ... 5
    Scope and Intended Audience ... 5
    Typeface Conventions ... 5
    Notes, Tips and Warnings ... 6
User Accounts ... 7
    Default User Accounts ... 7
    Secure Shell (SSH) Authentication ... 9
        admin User Account ... 9
        dpn User Account ... 10
        root User Account ... 12
    Changing Passwords and Creating SSH Keys ... 13
        Run the change-passwords Utility ... 13
        Update Avamar Enterprise Manager Server ... 21
        Manually Update Avamar Administrator CLI ... 22
Avamar Product Security Policy ... 24
Networking and Related Services ... 25
    Subnet and Gateway Assignments ... 25
    Domain Name Server (DNS) ... 25
    Security ... 25
    SNMP Configuration ... 26
    Client-Server Data Port Usage and Firewall Requirements ... 27
Log Files ... 32
    Log Management and Retrieval ... 32
    Single-Node Server ... 33
    Utility Node ... 35
    Storage Node ... 36
    Spare Node ... 36
    Avamar NDMP Accelerator Node ... 37
    Access Node ... 37
    Avamar Administrator Client Network Host ... 37
    Backup Client Network Host ... 37
Appendix A — Client-Server Encryption Functional Matrix ... 39
AVAMAR 4.1 • PRODUCT SECURITY MANUAL 3
Appendix B — Signing Avamar Enterprise Manager SSL Certificates ... 42
    Overview ... 42
    Getting a Signed Certificate ... 43
    Tomcat Application Server Certificate ... 45
Appendix C — Installing an SSL Certificate on an Avamar Server ... 48
Appendix D — Transport Layer Security Certification ... 49
    Overview ... 49
        Important Terms and Concepts ... 49
        Self-Signing Certificates ... 50
        Root Certificates ... 50
    Implementing TLS Authentication ... 50
        Implement TLS Server Authentication ... 50
        Implement TLS Client Authentication ... 51
    Requesting TLS Encryption ... 52
    Generating Authentication Certificates and CSRs ... 53
        Generate an Avamar Server Node Authentication Certificate and CSR ... 53
        Generate an Avamar Client Authentication Certificate and CSR ... 55
    Generating a Root Certificate and Key ... 57
        Download and Install OpenSSL and CA.pl ... 57
        Create a Root Certificate and Key ... 57
    Generating Self-Signed x509 Certificates ... 59
        Prerequisite ... 60
        Generate a Signed x509 Certificate ... 60
    Installing a Client Authentication Certificate ... 62
    Installing a Trusted Root Certificate ... 63
Appendix E — Configuring Avamar Authentication and Encryption on Unix ... 65
    Configuring Encryption and Server to Client Authentication ... 66
        Configure the Avamar Server ... 66
        Configure the Management Console Server ... 66
        Configure the Avamar Client ... 67
    Configuring Client to Server Authentication ... 67
        Configure the Avamar Client ... 67
        Configure the Avamar Server ... 67
    Verifying Avamar Authentication ... 68
        Using the avtar command ... 68
        Using the Avamar Administrator ... 68
FOREWORD
Scope and Intended Audience
Scope. This publication discusses various aspects of Avamar product security.
Intended Audience. This publication is primarily intended for EMC Field Engineers, contracted representatives and business partners who are responsible for configuring, troubleshooting and upgrading Avamar systems at customer sites, as well as system administrators or application integrators who are responsible for installing software and maintaining servers and clients on a network.
Product Information
For current documentation, release notes, software updates, as well as information about EMC products, licensing and service, go to the EMC Powerlink web site at http://Powerlink.EMC.com.
Typeface Conventions
The following table provides examples of standard typeface styles used in this publication to convey various kinds of information.

EXAMPLE: Click OK.  - or -  Choose File > Close.
DESCRIPTION: Bold text denotes actual Graphical User Interface (GUI) buttons, commands, menus and options (any GUI element that initiates action). Also note in the second example that sequential commands are separated by a greater-than (>) character. In this example, you are being instructed to choose the Close command from the File menu.

EXAMPLE: Enter: cd /temp
DESCRIPTION: Bold fixed-width text denotes shell commands that must be entered exactly as they appear in this publication.

EXAMPLE: --logfile=FILE
DESCRIPTION: All caps text often denotes a placeholder (token) for an actual value that must be supplied by the user. In this example, FILE would be an actual filename.

EXAMPLE: Installation Complete.
DESCRIPTION: Regular (not bold) fixed-width text denotes command shell messages. It is also used to list code and file contents.

Notes, Tips and Warnings
The following kinds of notes, tips and warnings appear in this publication:
IMPORTANT: This is a warning. Warnings always contain information that, if not heeded, could result in unpredictable system behavior or loss of data.
TIP: This is a tip. Tips present optional information intended to improve your productivity or otherwise enhance your experience with our product. Tips never contain information that will cause a failure if ignored.
NOTE: This is a general note. Notes contain ancillary information intended to clarify a topic or procedure. Notes never contain information that will cause a failure if ignored.
AVAMAR 4.1 • PRODUCT SECURITY MANUAL 6
USER ACCOUNTS
This chapter provides information on default user accounts for the Avamar system, SSH login access and the change-passwords interactive utility.

Default User Accounts
The Avamar system uses the following default user accounts and passwords:

USER ACCOUNT     DEFAULT PASSWORD   DESCRIPTION/REMARKS

Linux OS
root             changeme           Linux OS root account on all Avamar nodes.
admin            changeme           Linux OS account for Avamar server data owner.
dpn              changeme           Linux OS account for Avamar maintenance user.

Avamar Administrator
MCUser           MCUser1            Default Avamar Administrator administrative user account.
backuponly       backuponly1        Account for internal use by Avamar Administrator server.
restoreonly      restoreonly1       Account for internal use by Avamar Administrator server.
backuprestore    backuprestore1     Account for internal use by Avamar Administrator server.
root             8RttoTriz          Account for internal use by Avamar Administrator server.

Administrator PostgreSQL Database
admin            (none)             No password; logged in on local node only.
viewuser         viewuser1          Administrator server database view account.

Avamar Enterprise Manager PostgreSQL Database
admin            (none)             No password; logged in on local node only.
Secure Shell (SSH) Authentication
Access to the admin, dpn and root operating system user accounts is available through SSH login. SSH uses public/private key pairs to authenticate users logging into those accounts. SSH login access can be obtained by supplying operating system account passwords or by using either of two pre-authorized private keys, as described in the following table:

PRIVATE KEY FILE NAME   MATCHING PUBLIC KEY FILE NAME   DEFAULT PASSPHRASE   AUTHORIZES ACCESS TO                        WHERE KEYS CAN BE FOUND
admin_key               admin_key.pub                   P3t3rPan             Operating system admin account              ~admin/.ssh/
dpnid                   dpn_key.pub                     (none)               Operating system admin and root accounts    ~admin/.ssh/ and ~dpn/.ssh/

On an Avamar server, use the change-passwords program to coordinate changes to private keys and corresponding authorizations across all nodes.

admin User Account
The admin user account SSH v2 key configuration is controlled by the following files and directories in admin's home directory:

~admin/.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
    drwx------ 2 admin admin

~admin/.ssh/config
    SSH configuration file. This file must contain the following entry:
    StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
    -r-------- 1 admin admin

~admin/.ssh/admin_key
    Private RSA OpenSSH key file. This file must be fully protected and owned as follows:
    -r-------- 1 admin admin

~admin/.ssh/admin_key.pub
    Public RSA OpenSSH key file. This file is public and does not need to be protected.
    -r--r--r-- 1 admin admin

~admin/.ssh/dpnid
    Private DSA OpenSSH key file. This file must be fully protected and owned as follows:
    -r-------- 1 admin admin

~admin/.ssh/id_rsa
    Symbolic link to ~admin/.ssh/admin_key.

~admin/.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the admin user account.
    This file must be fully protected and owned as follows:
    -r-------- 1 admin admin
    This file must contain public key entries for the admin and dpn user accounts:
    As currently shipped, the admin public key entry is an RSA key, prefixed with "ssh-rsa" and appended with the comment "dpn_admin_key."
    As currently shipped, the dpn public key entry is a DSA key, prefixed with "ssh-dss" and appended with the comment "dpn@dpn41s."

The admin user account SSH private and public keys must be named admin_key and admin_key.pub, respectively.
Any files not listed in the previous table can be ignored.
Use of the admin key requires a passphrase. The only method of changing or removing a passphrase is to generate a new private/public key pair and modify the appropriate authorized_keys2 files accordingly. To ensure proper operation of the Avamar server, the admin user must authorize SSH access by way of the dpnid private key. This is accomplished by including the matching public key (dpn_key.pub) in the admin user's authorized_keys2 file. The dpnid private key must not require a passphrase.

dpn User Account
The dpn user account SSH v2 key configuration is controlled by the following files and directories:
~dpn/.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
    drwx------ 2 dpn admin
    - or -
    drwx------ 2 dpn dpn

~dpn/.ssh/config
    SSH configuration file. This file must contain the following entry:
    StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
    -r-------- 1 dpn admin
    - or -
    -r-------- 1 dpn dpn

~dpn/.ssh/dpnid
    Private DSA OpenSSH key file. This file must be fully protected and owned as follows:
    -r-------- 1 dpn admin
    - or -
    -r-------- 1 dpn dpn

~dpn/.ssh/dpn_key.pub
    Public DSA OpenSSH key file. This file is public and does not need to be protected.
    -r--r--r-- 1 dpn admin
    - or -
    -r--r--r-- 1 dpn dpn

~dpn/.ssh/id_rsa
    Symbolic link to ~dpn/.ssh/dpnid.

~dpn/.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the admin user account.
    This file must be fully protected and owned as follows:
    -r-------- 1 dpn admin
    - or -
    -r-------- 1 dpn dpn
    This file is deliberately left empty to ensure that no one can log in as user dpn using SSH keys.

The dpn user account SSH private and public keys must be named dpnid and dpn_key.pub, respectively.
Any other files can be ignored.
The only way to log in as user dpn is to know the operating system dpn password. To ensure proper operation of the Avamar server, dpn's public key must be in both the root's and admin's .ssh/authorized_keys2 file.
root User Account
The root user account SSH v2 key configuration is controlled by the following files and directories:

.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
    drwx------ 2 root root

.ssh/config
    SSH configuration file. This file must contain the following entry:
    StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
    -r-------- 1 root root

.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the root user account.
    This file must be fully protected and owned as follows:
    -r-------- 1 root root
    This file must contain a public key entry for the dpn user account. As currently shipped, the dpn public key entry is a DSA key, prefixed with "ssh-dss" and appended with the comment "dpn@dpn41s."

Any files not listed in the previous table can be ignored.
To log in as the root user requires the password for the root account or use of the pre-authorized dpnid private key. To ensure proper operation of the Avamar server, the root user must authorize SSH access by way of the dpnid private key. This is accomplished by including the matching public key (dpn_key.pub) in the root user's authorized_keys2 file. The dpnid private key must not require a passphrase.
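As an added example (not part of the manual or the Avamar product), the following POSIX shell script audits an admin, dpn or root home directory against the layout the three tables above require: directory and key-file modes and ownership, the StrictHostKeyChecking=no entry, and the authorized_keys2 entries each account must carry (or, for dpn, must not carry). The function names are this example's own, and the key material in the constructed demo tree is a placeholder.

```shell
#!/bin/sh
# Audit an Avamar OS account's ~/.ssh layout against the requirements in
# this manual. Added example, not part of the Avamar product or the manual.

# check_mode PATH OCTAL OWNER: true when PATH exists with exactly the given
# permission bits and owner (e.g. 700 admin for ~admin/.ssh).
check_mode() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm "$2" -user "$3" -print)" ]
}

# has_strict_host_key_off CONFIG: true when the ssh config holds the
# StrictHostKeyChecking=no line the manual requires.
has_strict_host_key_off() {
    grep -q '^StrictHostKeyChecking=no$' "$1" 2>/dev/null
}

# has_key_entry FILE TYPE COMMENT: true when FILE has a key line of the given
# type (ssh-rsa or ssh-dss) whose trailing comment is COMMENT. Lines carrying
# an options prefix before the key type are not matched.
has_key_entry() {
    grep -q "^$2 [^ ]* $3\$" "$1" 2>/dev/null
}

# audit_account HOME OWNER ROLE: apply the manual's checks for ROLE (admin,
# dpn or root); print one line per failed check and return the failure count.
audit_account() {
    home=$1; owner=$2; role=$3; fails=0
    ssh="$home/.ssh"; ak="$ssh/authorized_keys2"
    fail() { echo "$role: $1"; fails=$((fails + 1)); }

    check_mode "$ssh" 700 "$owner"          || fail ".ssh is not drwx------ $owner"
    check_mode "$ssh/config" 400 "$owner"   || fail "config is not -r-------- $owner"
    has_strict_host_key_off "$ssh/config"   || fail "config lacks StrictHostKeyChecking=no"
    check_mode "$ak" 400 "$owner"           || fail "authorized_keys2 is not -r-------- $owner"
    case $role in
    admin)
        check_mode "$ssh/admin_key" 400 "$owner"  || fail "admin_key is not -r-------- $owner"
        check_mode "$ssh/dpnid" 400 "$owner"      || fail "dpnid is not -r-------- $owner"
        has_key_entry "$ak" ssh-rsa dpn_admin_key || fail "authorized_keys2 lacks the admin key"
        has_key_entry "$ak" ssh-dss dpn@dpn41s    || fail "authorized_keys2 lacks dpn_key.pub"
        ;;
    dpn)
        check_mode "$ssh/dpnid" 400 "$owner"      || fail "dpnid is not -r-------- $owner"
        # The manual leaves dpn's authorized_keys2 empty: no key-based login as dpn.
        [ ! -s "$ak" ]                            || fail "authorized_keys2 must be empty"
        ;;
    root)
        has_key_entry "$ak" ssh-dss dpn@dpn41s    || fail "authorized_keys2 lacks dpn_key.pub"
        ;;
    esac
    return "$fails"
}

# build_demo_admin_home DIR: constructed ~admin/.ssh matching the manual's
# admin table, with placeholder key blobs (not real keys), owned by the caller.
build_demo_admin_home() {
    ssh="$1/.ssh"
    mkdir -p "$ssh"
    printf 'StrictHostKeyChecking=no\n' > "$ssh/config"
    : > "$ssh/admin_key"
    : > "$ssh/dpnid"
    printf 'ssh-rsa AAAAB3PLACEHOLDER dpn_admin_key\nssh-dss AAAAB3PLACEHOLDER dpn@dpn41s\n' \
        > "$ssh/authorized_keys2"
    chmod 700 "$ssh"
    chmod 400 "$ssh/config" "$ssh/admin_key" "$ssh/dpnid" "$ssh/authorized_keys2"
}

# Demo: audit the constructed admin home, then loosen authorized_keys2 to
# show how a drift from the required mode is reported.
demo_root=$(mktemp -d)
build_demo_admin_home "$demo_root/admin"
audit_account "$demo_root/admin" "$(id -un)" admin && echo "admin layout OK"
chmod 644 "$demo_root/admin/.ssh/authorized_keys2"
audit_account "$demo_root/admin" "$(id -un)" admin || echo "findings: $?"
rm -rf "$demo_root"
```

On a real node, run it as root against /home/admin, /home/dpn and /root with the matching owner name; the group column ("admin" or "dpn" for the dpn account) is not checked.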
Changing Passwords and Creating SSH Keys
This section explains how to use the change-passwords utility. This utility changes passwords for various operating system user accounts and Avamar server user accounts. The change-passwords utility also creates new OpenSSH keys.
The change-passwords utility provides interactive prompts for the following operations:
• Changing operating system login passwords for the admin, dpn and root accounts
• Creating new admin and dpnid OpenSSH keys
• Changing internal Avamar server passwords for the root and MCUser accounts

Run the change-passwords Utility
To change operating system user account passwords, Avamar server user account passwords or to create new OpenSSH keys, perform the following as user dpn:
1. Open a command shell.
2. Do one of the following:
   IF administering a single-node server: Log into the server as user dpn.
   IF administering a multi-node server: Log into the utility node as user dpn.
3. Enter:
   change-passwords
   If you run change-passwords on a multi-node server, the following information appears in your command shell:
   Do you wish to change passwords and/or passphrases on all nodes?
   Answering y(es) changes this set of nodes:
   #.s -- all utility/services nodes
   #.# -- all data nodes.
   Answering n(o) will afford you the opportunity to install
   existing SSH keys onto other nodes.
   y(es), n(o), h(elp), q(uit/exit):
   NOTE: The previous information does not appear if you run change-passwords on a single-node server.
4. Do one of the following:
   IF you want to change passwords on all nodes: Enter y and press ENTER.
   IF you want to change passwords on selected nodes: Enter n and press ENTER.
   The following information appears in your command shell:
   Identity added: /home/dpn/.ssh/dpnid (/home/dpn/.ssh/dpnid)
   Identity added: /home/dpn/.ssh/dpnid.prev (/home/dpn/.ssh/dpnid.prev)
   Identity added: /home/dpn/.ssh/dpnid.orig (/home/dpn/.ssh/dpnid.orig)
   Do you wish to specify one or more additional SSH passphrase-less
   private keys that are authorized for root operations?
   Answer n(o) here unless there are known inconsistencies in
   ~root/.ssh/authorized_keys2 files among the various nodes (as might
   be evident if you had been prompted for a root password in a previous
   run of this program).
   Note that the following keys will be used automatically (there is
   no need to re-specify them here):
   /home/dpn/.ssh/dpnid
   y(es), n(o), h(elp), q(uit/exit):
   --------------------------------------------------------
5. Enter n and press ENTER.
   The following information appears in your command shell:
   The following is a test of OS root authorization with the currently
   loaded SSH key(s).
   If during this test you are prompted for an OS root password,
   then you might be missing an appropriate "dpnid" key for one
   or more nodes.
   -> In that event, re-run this program and, when prompted,
   specify as many SSH private key files as are necessary
   in order to complete root operations on all nodes.
   Starting root authorization test with 600 second timeout...
   End of root authorization test.
   --------------------------------------------------------
   Change OS (login) passwords?
   y(es), n(o), q(uit/exit):
Change Operating System User Account Passwords?
6. Do one of the following:
   IF you want to change the admin, dpn or root operating system user account passwords: Enter y and press ENTER.
   IF you do not want to change the admin, dpn or root operating system user account passwords: Enter n and press ENTER. Proceed to step 16.
   The following information appears in your command shell:
   --------------------------------------------------------
   Change OS password for "admin"?
   y(es), n(o), q(uit/exit):
Change admin Login Password?
7. Do one of the following:
   IF you want to change the admin operating system user account password: Enter y and press ENTER.
   IF you do not want to change the admin operating system user account password: Enter n and press ENTER. Proceed to step 10.
   The following information appears in your command shell:
   Please enter a new OS (login) password for user "admin".
   (Entering an empty (blank) line twice quits/exits.)
8. Enter the new admin operating system user account password and press ENTER.
   The following information appears in your command shell:
   Please enter the same OS password again.
   (Entering an empty (blank) line twice quits/exits.)
9. Re-enter the new admin operating system user account password and press ENTER.
   The following information appears in your command shell:
   Accepted OS password for "admin".
   --------------------------------------------------------
   Change OS password for "dpn"?
   y(es), n(o), q(uit/exit):
Change dpn Login Password?
10. Do one of the following:
   IF you want to change the dpn operating system user account password: Enter y and press ENTER.
   IF you do not want to change the dpn operating system user account password: Enter n and press ENTER. Proceed to step 13.
   The following information appears in your command shell:
   Please enter a new OS (login) password for user "dpn".
   (Entering an empty (blank) line twice quits/exits.)
11. Enter the new dpn operating system user account password and press ENTER.
   The following information appears in your command shell:
   Please enter the same OS password again.
   (Entering an empty (blank) line twice quits/exits.)
12. Re-enter the new dpn operating system user account password and press ENTER.
   The following information appears in your command shell:
   Accepted OS password for "dpn".
   --------------------------------------------------------
   Change OS password for "root"?
   y(es), n(o), q(uit/exit): y
Change root Login Password?
13. Do one of the following:
   IF you want to change the root operating system user account password: Enter y and press ENTER.
   IF you do not want to change the root operating system user account password: Enter n and press ENTER. Proceed to step 16.
   The following information appears in your command shell:
   Please enter a new OS (login) password for user "root".
   (Entering an empty (blank) line twice quits/exits.)
14. Enter the new root operating system user account password and press ENTER.
   The following information appears in your command shell:
   Please enter the same OS password again.
   (Entering an empty (blank) line twice quits/exits.)
15. Re-enter the new root operating system user account password and press ENTER.
   The following information appears in your command shell:
   Accepted OS password for "root".
   ========================================================
   Change SSH keys?
   y(es), n(o), q(uit/exit): y
Create New OpenSSH Keys?
16. Do one of the following:
   IF you want to create new admin or dpnid OpenSSH keys: Enter y and press ENTER.
   IF you do not want to create new admin or dpnid OpenSSH keys: Enter n and press ENTER. Proceed to step 21.
   The following information appears in your command shell:
   --------------------------------------------------------
   Change SSH key for "admin"?
   y(es), n(o), q(uit/exit):
Create New admin OpenSSH Key?
17. Do one of the following:
   IF you want to create a new admin OpenSSH key: Enter y and press ENTER.
   IF you do not want to create a new admin OpenSSH key: Enter n and press ENTER. Proceed to step 20.
   The following information appears in your command shell:
   Please enter a new SSH key passphrase for user "admin".
   (Entering an empty (blank) line twice quits/exits.)
18. Enter the new admin OpenSSH passphrase and press ENTER.
   The following information appears in your command shell:
   Please enter the same SSH key again.
   (Entering an empty (blank) line twice quits/exits.)
19. Re-enter the new admin OpenSSH passphrase and press ENTER.
   The following information appears in your command shell:
   Accepted SSH key for "admin".
   --------------------------------------------------------
   Redo passphrase-less elevated-privilege SSH key "dpnid"?
   y(es), n(o), h(elp), q(uit/exit):
Create New dpnid OpenSSH Key?
20. Do one of the following:
   IF you want to create a new dpnid OpenSSH key: Enter y and press ENTER.
   IF you do not want to create a new dpnid OpenSSH key: Enter n and press ENTER.
   The following information appears in your command shell:
   ========================================================
   Change Avamar Server passwords?
   y(es), n(o), q(uit/exit):
Change Internal Avamar Server User Account Passwords?
IMPORTANT: The remainder of this procedure requires knowledge of the internal Avamar server root user account password.
21. Do one of the following:
   IF you want to change the MCUser or root internal Avamar server user account passwords: Enter y and press ENTER.
   IF you do not want to change the MCUser or root internal Avamar server user account passwords: Enter n and press ENTER. Proceed to step 26.
   The following information appears in your command shell:
   Please enter the CURRENT Avamar Server password for "root"
   (Entering an empty (blank) line twice quits/exits.)
22. Enter the current internal Avamar server root user account password (not the operating system root password) and press ENTER.
   The following information appears in your command shell:
   Checking Avamar Server root password (300 second timeout)...
   Avamar Server current root password accepted.
   --------------------------------------------------------
   Change Avamar Server password for "MCUser"?
   y(es), n(o), q(uit/exit): y
Change Internal Avamar Server MCUser Password?
23. Do one of the following:
   IF you want to change the internal Avamar server MCUser password: Enter y and press ENTER.
   IF you do not want to change the internal Avamar server MCUser password: Enter n and press ENTER. Proceed to step 26.
   The following information appears in your command shell:
   Please enter a new Avamar Server password for user "MCUser".
   (Entering an empty (blank) line twice quits/exits.)
24. Enter the new internal Avamar server MCUser password and press ENTER.
   The following information appears in your command shell:
   Please enter the same Avamar Server password again.
   (Entering an empty (blank) line twice quits/exits.)
25. Re-enter the new internal Avamar server MCUser password and press ENTER.
   The following information appears in your command shell:
   Accepted Avamar Server password for "MCUser".
   --------------------------------------------------------
   Change Avamar Server password for "root"?
   y(es), n(o), q(uit/exit):
   IMPORTANT: Use of change-passwords to change the internal Avamar server MCUser password disables the Avamar Administrator CLI feature. After running change-passwords you must manually update the MCUser password for the Avamar Administrator CLI. Refer to Manually Update Avamar Administrator CLI (page 22).
Change Internal Avamar Server root Password?
26. Do one of the following:
   IF you want to change the internal Avamar server root password: Enter y and press ENTER.
   IF you do not want to change the internal Avamar server root password: Enter n and press ENTER. Proceed to step 29.
   The following information appears in your command shell:
   Please enter a new Avamar Server password for user "root".
   (Entering an empty (blank) line twice quits/exits.)
27. Enter the new internal Avamar server root password and press ENTER.
   The following information appears in your command shell:
   Please enter the same Avamar Server password again.
   (Entering an empty (blank) line twice quits/exits.)
Changing Passwords and Creating SSH KeysUSER ACCOUNTS
28.Re-enter the new internal Avamar server root password and press ENTER.
The following information appears in your command shell:
Accepted Avamar Server password for "root".--------------------------------------------------------Do you wish to proceed with your password changes on the selected node?
Answering y(es) will proceed with password updates.Answering n(o) or q(uit) will not proceed.
y(es), n(o), q(uit/exit): y
Accept Changes?29.Do one of the following:
The following information appears in your command shell:
Changing OS passwords...[Logging to /usr/local/avamar/var/change-passwords.log...]Done changing OS passwords...Changing Avamar Server passwords...Checking Administrator Server Status...Stopping Administrator Server...Starting process of updating Administrator configuration...Running script to update Administrator configuration on node 0.s...[Logging to /usr/local/avamar/var/change-passwords.log...]Done with updating Administrator configuration on node 0.s...Starting process of updating client configurations...Running script to update client configuration on 0.s...[Logging to /usr/local/avamar/var/change-passwords.log...]Updating client configuration on node 0.0...Done updating client configuration on 0.0...Checking Administrator Server Status...Starting Administrator Server...Starting process of changing SSH keys...Running script to update SSH keys on node 0.s...[Logging to /usr/local/avamar/var/change-passwords.log...]Done with updating SSH keys on node 0.s...--------------------------------------------------------Done.NOTES:- If you had custom public keys present in the
authorized_keys2 files of any Avamar OS users(admin, dpn, root) be aware that you may need to re-add your custom keys.
- Please be sure to resume schedules via theAdministrator GUI.
IF DO THIS
You want to accept changes made to passwords or OpenSSH keys during this utility session.
Enter y and press ENTER.
You want to exit this utility session without making changes to passwords or OpenSSH keys.
Enter n and press ENTER.
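The NOTES above warn that the regenerated SSH keys can drop custom public keys from the authorized_keys2 files of admin, dpn and root. The following shell functions are an added example, not part of the EMC manual: one snapshots those files before change-passwords runs, the other lists the keys that are missing afterwards. The home-directory layout (/home/<user> for admin and dpn, /root for root) and the snapshot directory are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the EMC manual: snapshot the authorized_keys2
# files of the Avamar OS users before change-passwords runs, then report
# any custom keys that are no longer present afterwards.
# Usage:  ak2_snapshot HOMEROOT SNAPDIR      (before change-passwords)
#         ak2_missing  HOMEROOT SNAPDIR      (after change-passwords)
# HOMEROOT is "/" on a real node, or a scratch directory with the same
# layout (home/admin, home/dpn, root) when trying the functions out.

AVAMAR_OS_USERS="admin dpn root"

# authorized_keys2 path of user $2 under HOMEROOT $1 (layout is an
# assumption: admin and dpn under home/, root under root/).
ak2_path() {
    case $2 in
        root) printf '%s\n' "$1/root/.ssh/authorized_keys2" ;;
        *)    printf '%s\n' "$1/home/$2/.ssh/authorized_keys2" ;;
    esac
}

# Copy every authorized_keys2 that exists into SNAPDIR/<user>.ak2.
ak2_snapshot() {
    homeroot=$1; snapdir=$2
    mkdir -p "$snapdir" || return 1
    for u in $AVAMAR_OS_USERS; do
        f=$(ak2_path "$homeroot" "$u")
        [ -f "$f" ] && cp "$f" "$snapdir/$u.ak2"
    done
    return 0
}

# Print "<user><TAB><key line>" for each key in the snapshot that is
# absent from the live file (or whose live file is gone). Blank lines and
# comments in the snapshot are ignored; keys are compared as whole lines.
ak2_missing() {
    homeroot=$1; snapdir=$2
    for u in $AVAMAR_OS_USERS; do
        snap="$snapdir/$u.ak2"
        [ -f "$snap" ] || continue
        live=$(ak2_path "$homeroot" "$u")
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$snap" |
        while IFS= read -r key; do
            if [ ! -f "$live" ] || ! grep -q -x -F -e "$key" "$live"; then
                printf '%s\t%s\n' "$u" "$key"
            fi
        done
    done
}
```

Each line printed by ak2_missing is a key to re-add by hand to that user's authorized_keys2, as the utility's NOTES ask.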
Update Avamar Enterprise Manager Server

After the change-passwords utility finishes modifying various passwords, you must update the Avamar Enterprise Manager server by performing the following:

1. Open your web browser and log into Avamar Enterprise Manager.
The Dashboard page appears.
2. Choose Configure.
The Configure page appears.
3. Click the server name you want to edit.
An Edit block appears below the systems list.
4. Enter the new MCUser password in the Password field and click Save.
5. (User=admin) Open a command shell.
6. Do one of the following:

IF: Administering a single-node server.
DO THIS: Log into the server as user admin.

IF: Administering a multi-node server.
DO THIS: Log into the utility node as user admin.

7. Load the admin OpenSSH key by entering:
ssh-agent bash
ssh-add ~admin/.ssh/admin_key
You are prompted to enter a passphrase.
8. Enter the admin user account passphrase and press ENTER.
9. Enter:
dpnctl stop ems
emserver.sh --renameserver --uselocalmcs
dpnctl start
Manually Update Avamar Administrator CLI

The change-passwords utility does not change the internal Avamar server MCUser password for the Avamar Administrator CLI. After running change-passwords, you must therefore manually update the MCUser password for the Avamar Administrator CLI. (The Avamar Administrator CLI generates events whenever cron maintenance activities run.)

IMPORTANT: Use of change-passwords to change the internal Avamar server MCUser password disables the Avamar Administrator CLI.

Edit the following files to manually update the MCUser password:
• ~admin/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml
• ~dpn/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml
• ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml

From the command shell:

1. (User=admin) Do one of the following:

IF: Administering a single-node server.
DO THIS: Log into the server as user admin.

IF: Administering a multi-node server.
DO THIS: Log into the utility node as user admin.

2. Open ~admin/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.
3. Locate the following entries:

<MCSConfig>
  <MCS
    mcsprofile="local"
    mcsaddr="AVAMARSERVER"
    mcsport="7778"
    mcsuserid="MCUser"
    mcspasswd="PASSWORD"
  />
  <!-- add more profiles if needed here and set default to select default -->
</MCSConfig>

NOTE: This example has been simplified for clarity.

4. Change the mcspasswd="PASSWORD" entry to agree with the new internal Avamar server MCUser password that you previously set using the change-passwords utility (page 19).
5. Save your changes.
6. (User=dpn) Switch user to the dpn user account by entering:
su - dpn
When prompted for a password, enter the dpn password and press ENTER.
7. Load the dpn OpenSSH key by entering:
ssh-agent bash
ssh-add ~dpn/.ssh/dpnid
8. Open ~dpn/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.
9. Repeat steps 3 through 5.
10. (User=admin) Switch back to the admin user account by entering:
exit
exit
11. (User=root) Switch user to root by entering:
su -
When prompted for a password, enter the root password and press ENTER.
12. Open ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.

IMPORTANT: The ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml file might not be present on all servers. In that case, skip step 14.

13. Repeat steps 3 through 5.
14. (User=admin) Switch back to the admin user account by entering:
exit
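As an added example (not EMC's code), the following shell function applies steps 3 through 5 to one mcclimcs.xml file: it rewrites only the mcspasswd attribute, keeps a .bak copy, and reports an absent file as a skip rather than an error, which is the ~root case the IMPORTANT note describes. The file path and the set of characters it refuses in a password are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the EMC manual: update mcspasswd="..." in an
# Avamar Administrator CLI preferences file (mcclimcs.xml).
# Usage: mccli_set_password FILE NEWPASSWORD
# Exit status: 0 updated, 2 file absent (skip it, as for ~root),
#              1 on any other error.
# Run it as the owning user (admin, dpn, root in turn), as the manual's
# procedure does, so the file's ownership is preserved.

mccli_set_password() {
    file=$1; newpw=$2
    [ -f "$file" ] || return 2
    # Characters that would break the XML attribute value or the sed
    # expression are rejected (an assumption of this example).
    if printf '%s' "$newpw" | grep -q '[&"|/\\<>]'; then
        echo "mccli_set_password: unsupported character in password" >&2
        return 1
    fi
    cp -p "$file" "$file.bak" || return 1
    # Only the mcspasswd attribute is rewritten; mcsuserid, mcsaddr and
    # the rest of the <MCS ... /> profile stay exactly as they were.
    # Writing through the redirection keeps the file's owner and mode.
    sed "s|mcspasswd=\"[^\"]*\"|mcspasswd=\"$newpw\"|" "$file.bak" > "$file" || return 1
    grep -q "mcspasswd=\"$newpw\"" "$file"
}

# Print the current mcspasswd value of FILE (used to verify the edit).
mccli_get_password() {
    sed -n 's/.*mcspasswd="\([^"]*\)".*/\1/p' "$1"
}
```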
AVAMAR PRODUCT SECURITY POLICY

Each Avamar release ships with a set of up-to-date security patches. If you install any other security patches or security applications incompatible with Avamar, you must remove them and restore the Avamar system to its previous working configuration. Then file a support case with EMC Technical Support and include the specific security updates you applied.

IMPORTANT: It is the customer's responsibility to ensure that the Avamar system is configured to protect against unauthorized access. Back up all important files before applying new security patches, applications or updates.
NETWORKING AND RELATED SERVICES

The following networking and related services are required to successfully deploy an Avamar system.

Subnet and Gateway Assignments

Clients must be able to contact every node in the Avamar module directly, and vice versa.
The switch must have a default gateway assigned to it.

Domain Name Server (DNS)

There must be a DNS server in the facility. DNS configuration is important.
A single-node Avamar server or the utility node of a multi-node Avamar server must be assigned a forward mapping and optionally a reverse mapping.
An example of a forward-mapping entry for a single-node Avamar server or the utility node of a multi-node Avamar server might be as follows in a BIND environment:
avamar-1 A 10.0.5.5
A corresponding optional reverse mapping for a zone serving the 5.0.10.in-addr.arpa subnet in a BIND environment might be as follows:
5 PTR avamar-1.example.com.
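Because the forward and reverse mappings are maintained in two different zones, they can drift apart. The following shell check is an added example, not part of the EMC manual: given the A record, its domain, the in-addr.arpa zone and the PTR record in the form shown above, it confirms that the PTR sits at the owner name the address implies and points back at the same host name. The record strings used in its usage comment are the manual's own sample values.

```shell
#!/bin/sh
# Added example, not from the EMC manual: check that a BIND forward (A)
# record for the Avamar server and the PTR record in the in-addr.arpa
# zone describe the same host.
# Usage: dns_forward_reverse_consistent 'avamar-1 A 10.0.5.5' example.com \
#            5.0.10.in-addr.arpa '5 PTR avamar-1.example.com.'

# Reverse the octets of a dotted IPv4 address: 10.0.5.5 -> 5.5.0.10
reverse_octets() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Owner name the PTR record for IP must have, e.g. 5.5.0.10.in-addr.arpa
reverse_name() {
    printf '%s.in-addr.arpa\n' "$(reverse_octets "$1")"
}

# $1 forward record "NAME A IP" from zone $2 (DOMAIN);
# $3 reverse zone name (REVZONE); $4 reverse record "LABEL PTR FQDN.".
# Returns 0 when LABEL.REVZONE equals the reverse name of IP and FQDN.
# equals NAME.DOMAIN.; otherwise prints what differs and returns 1.
dns_forward_reverse_consistent() {
    fwd=$1; domain=$2; revzone=$3; ptr=$4
    set -- $fwd; name=$1; rtype=$2; ip=$3
    if [ "$rtype" != "A" ]; then
        echo "forward record is not an A record: $fwd" >&2; return 1
    fi
    set -- $ptr; label=$1; ptype=$2; target=$3
    if [ "$ptype" != "PTR" ]; then
        echo "reverse record is not a PTR record: $ptr" >&2; return 1
    fi
    expect_owner=$(reverse_name "$ip")
    owner="$label.$revzone"
    expect_target="$name.$domain."
    status=0
    if [ "$owner" != "$expect_owner" ]; then
        echo "PTR owner $owner does not match $expect_owner for $ip" >&2
        status=1
    fi
    if [ "$target" != "$expect_target" ]; then
        echo "PTR target $target does not match $expect_target" >&2
        status=1
    fi
    return $status
}
```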
Security

All nodes and the switch in the Avamar server must be protected against unauthorized access. A VPN system must be employed if remote access to the Avamar server is required.
SNMP Configuration

All Avamar nodes use Simple Network Management Protocol (SNMP). The snmpd.conf file, the configuration file used by SNMP, defines how SNMP operates. Before Avamar release 4.1, the default snmpd.conf file contains the public community string shown in the following example:

####
# First, map the community name "public" into a "security name"
# sec.name source community
com2sec notConfigUser default public

The public community string in the previous example grants read-only access to everything, which presents a medium-level security vulnerability.

To enable a higher level of security for Avamar releases before 4.1, change the community name:

1. Open the /etc/snmp/snmpd.conf file in a Unix editor (vi or emacs).
2. Go to the line "com2sec notConfigUser default public".
3. Change the community name from public to AvCom:
com2sec notConfigUser default AvCom
4. Save the /etc/snmp/snmpd.conf file.
5. Restart the snmpd agent.
6. Repeat steps 1–5 for all nodes that comprise the Avamar system.

NOTE: Dell omreport actively uses SNMP. According to Dell, changing the public community string to a different value does not affect functionality.

For new Avamar installations beginning with release 4.1, the community name in the snmpd.conf file is already set to AvCom (Avamar Community).
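The following shell functions are an added example, not part of the EMC manual: one audits an snmpd.conf for an active com2sec line that still maps the public community name, the other applies the change from step 3, so both can be repeated on every node of the system (step 6). The file path is a parameter, so they can be tried on a copy before touching /etc/snmp/snmpd.conf; the .bak copy they leave behind is this example's convention.

```shell
#!/bin/sh
# Added example, not from the EMC manual: audit and harden the SNMP
# community name in an snmpd.conf file (steps 1 to 4 of the procedure).

# Return 0 (and print the offending lines) when FILE still has an active
# com2sec line whose community column is "public". Comment lines such as
# the "# sec.name source community" template are not com2sec directives,
# so they are ignored; the match is on the fourth field only.
snmp_public_community_present() {
    awk '$1 == "com2sec" && $4 == "public" { print; found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Rewrite the community column of every active com2sec line that maps
# "public" to NEWNAME (default AvCom, as in the manual). A .bak copy keeps
# the original; the security name (notConfigUser) and source (default)
# columns are left as they are. Returns 0 when no public mapping remains.
snmp_set_community() {
    file=$1; newname=${2:-AvCom}
    cp -p "$file" "$file.bak" || return 1
    awk -v n="$newname" \
        '$1 == "com2sec" && $4 == "public" { $4 = n } { print }' \
        "$file.bak" > "$file" || return 1
    ! snmp_public_community_present "$file" > /dev/null
}
```

snmp_set_community edits the file only; restarting the snmpd agent (step 5) is still a separate action on each node.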
Client-Server Data Port Usage and Firewall Requirements

Configure unobstructed client-server communication over the following data ports for all applicable firewalls. Each entry gives the PORT/PROTOCOL, PURPOSE, SOURCE, DESTINATION and REMARKS.

22/TCP
  PURPOSE: SSH
  SOURCE: Utility node and trusted administrator hosts
  DESTINATION: All nodes
  REMARKS: Required.

53/UDP
  PURPOSE: DNS name resolution
  SOURCE: DNS resolving name servers
  DESTINATION: All nodes
  REMARKS: Optional, but recommended. Might restrict sources to specific name servers.

53/UDP
  PURPOSE: DNS name resolution
  SOURCE: All nodes
  DESTINATION: DNS resolving name servers
  REMARKS: Optional, but recommended. Might restrict destinations to specific name servers.

53/TCP
  PURPOSE: DNS zone transfer
  SOURCE: DNS zone masters
  DESTINATION: Utility node
  REMARKS: Optional, but recommended. Might restrict sources to specific name servers.

80/TCP
  PURPOSE: HTTP
  SOURCE: User-defined web client hosts or reverse proxy web server
  DESTINATION: Utility node
  REMARKS: Required. Permit access from all Avamar clients or only from reverse proxy web server (recommended).

123/UDP
  PURPOSE: NTP
  SOURCE: NTP time servers
  DESTINATION: All nodes
  REMARKS: Required. Might restrict sources to specific time servers.

123/UDP
  PURPOSE: NTP
  SOURCE: All nodes if external time servers are used
  DESTINATION: NTP time servers
  REMARKS: Required. Might restrict destinations to specific time servers.

443/TCP
  PURPOSE: HTTPS (implements web restore, docs and downloads features)
  SOURCE: User-defined web client hosts
  DESTINATION: Utility node
  REMARKS: Required. Permit access from all Avamar clients or only from reverse proxy web server (recommended).

514/TCP
  PURPOSE: Syslog
  SOURCE: Utility node
  DESTINATION: Utility node
  REMARKS: Optional. Logs Avamar server events to syslog.
1080/TCP
  PURPOSE: 3ware RAID management
  SOURCE: User-defined web client hosts
  DESTINATION: All nodes for Avamar M and Avamar E
  REMARKS: Only required for legacy Avamar M and Avamar E hardware. Recommend only permitting access from trusted administrative hosts.

1234/TCP
  PURPOSE: HTTPS for avw_install utility
  SOURCE: Trusted web client hosts
  DESTINATION: Utility node
  REMARKS: Port 1234 must be open during the initial installation of Avamar software. After a successful installation, no Avamar service should be listening on port 1234. Permit access only to trusted hosts which are used for the initial installation of Avamar software.

5555/TCP
  PURPOSE: Connection to administrator server PostgreSQL database
  SOURCE: User-defined PostgreSQL client hosts
  DESTINATION: Utility node
  REMARKS: Optional for connecting to PostgreSQL database from outside the module. Recommend only permitting access from hosts requiring access to administrator server database.

5556/TCP
  PURPOSE: Avamar Enterprise Manager server PostgreSQL database (emdb)
  SOURCE: User-defined PostgreSQL client hosts
  DESTINATION: Avamar Enterprise Manager server node
  REMARKS: Optional for connecting to PostgreSQL database from outside the module. Recommend only permitting access from hosts requiring access to administrator server database.

5557/TCP
  PURPOSE: Metadata search PostgreSQL database
  SOURCE: Avamar Enterprise Manager
  DESTINATION: Access node (where metadata search database is installed)
  REMARKS: Optional. Only required if metadata search feature is installed.

7778/TCP
  PURPOSE: RMI - Avamar Administrator server
  SOURCE: Avamar Administrator management console
  DESTINATION: Utility node
  REMARKS: Required. Recommend only permitting access from trusted administrative hosts.

7779/TCP
  PURPOSE: RMI - Avamar Administrator server
  SOURCE: Avamar Administrator management console
  DESTINATION: Utility node
  REMARKS: Required. Recommend only permitting access from trusted administrative hosts.
7780/TCP
  PURPOSE: RMI - Avamar Administrator server
  SOURCE: Avamar Administrator management console
  DESTINATION: Utility node
  REMARKS: Required. Recommend only permitting access from trusted administrative hosts.

7781/TCP
  PURPOSE: RMI - Avamar Administrator server
  SOURCE: Avamar Administrator management console
  DESTINATION: Utility node
  REMARKS: Required. Recommend only permitting access from trusted administrative hosts.

8005/TCP
  PURPOSE: Tomcat server shutdown port
  SOURCE: Local host
  DESTINATION: Utility node
  REMARKS: Required. The /usr/local/jakarta-tomcat-5.5.9/bin/shutdown.sh script makes a connection on port 8005, and sends a shutdown command to the running instance of tomcat. This connection can only be made from the local host. The server.xml file contains the definition for port 8005:
    <Server port="8005" shutdown="SHUTDOWN">
  Do not modify this definition.

8009/TCP
  PURPOSE: Tomcat connector port
  SOURCE: Utility node
  DESTINATION: Utility node
  REMARKS: Optional, but recommended. The Apache JServ Protocol (AJP) uses port 8009 to balance the workload for multiple instances of Tomcat. AJP can be turned off by removing the following element from the server.xml file:
    <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

8443/TCP
  PURPOSE: HTTPS for Tomcat
  SOURCE: Any network host running web browser
  DESTINATION: Utility node
  REMARKS: Optional, but recommended in order to use Avamar Enterprise Manager.
8778/TCP
  PURPOSE: RMI - Avamar Enterprise Manager
  SOURCE: Utility node
  DESTINATION: Utility node (where Avamar Enterprise Manager is installed)
  REMARKS: Required. Recommend only permitting access from the local host.

8779/TCP
  PURPOSE: RMI - Avamar Enterprise Manager login_server
  SOURCE: Utility node
  DESTINATION: Utility node (where Avamar Enterprise Manager is installed)
  REMARKS: Required. Recommend only permitting access from the local host.

8780/TCP
  PURPOSE: RMI - Avamar Enterprise Manager service_context
  SOURCE: Utility node
  DESTINATION: Utility node (where Avamar Enterprise Manager is installed)
  REMARKS: Required. Recommend only permitting access from the local host.

8781/TCP
  PURPOSE: RMI - Avamar Enterprise Manager node_context
  SOURCE: Utility node
  DESTINATION: Utility node (where Avamar Enterprise Manager is installed)
  REMARKS: Required. Recommend only permitting access from the local host.

27000/TCP
  PURPOSE: Avamar client communications with Avamar server
  SOURCE: Avamar client network hosts
  DESTINATION: All nodes
  REMARKS: Required.

27000/TCP
  PURPOSE: Avamar server communications with Replicator target server (Avamar proprietary communication)
  SOURCE: All nodes
  DESTINATION: Replicator target server
  REMARKS: Required if server is used as Replicator source.

28001/TCP
  PURPOSE: Avamar client communications with administrator server
  SOURCE: Avamar clients
  DESTINATION: Utility node
  REMARKS: Required.

28002/TCP
  PURPOSE: Administrator server communications with Avamar client
  SOURCE: Utility node
  DESTINATION: Avamar clients
  REMARKS: Optional for browsing clients and cancelling backups from Avamar Administrator management console.
29000/TCP
  PURPOSE: Avamar client Secure Sockets Layer (SSL) communications with Avamar server
  SOURCE: Avamar clients
  DESTINATION: All nodes
  REMARKS: Required.

29000/TCP
  PURPOSE: Avamar server SSL communications with Replicator target server
  SOURCE: All nodes
  DESTINATION: All Replicator target server nodes
  REMARKS: Required if server is Replicator source.
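As an added example (not from the EMC manual), the following shell function turns the REMARKS column into an iptables INPUT rule set for the utility node: a default-deny policy, SSH and the Administrator RMI ports limited to trusted administrative hosts, the Enterprise Manager RMI and Tomcat shutdown ports reachable only through the loopback interface, web ports limited to the reverse proxy when one is given, and 1234/TCP closed after installation. The network ranges are parameters; scoping 8443/TCP to the administrative hosts, and leaving the optional database ports 5555 to 5557 closed, are this example's choices rather than the table's.

```shell
#!/bin/sh
# Added example, not from the EMC manual: print an iptables INPUT rule set
# for the utility node that follows the REMARKS of the port table.
# Usage: avamar_utility_node_rules ADMIN_HOSTS CLIENT_NET [PROXY_HOST]
#   ADMIN_HOSTS  trusted administrative hosts or subnet, e.g. 10.0.9.0/24
#   CLIENT_NET   Avamar client network, e.g. 10.0.0.0/16
#   PROXY_HOST   reverse proxy web server; when given, 80/443 are limited
#                to it (the table's recommended setting)
# The rules are printed, not applied: review them, then run them on the node.

avamar_utility_node_rules() {
    admin=$1; clients=$2; proxy=$3
    # Default deny; loopback and reply traffic first. With the DROP policy
    # the loopback rule is what implements "local host only" for the
    # Enterprise Manager RMI ports 8778-8781 and the Tomcat shutdown port
    # 8005, so no other rule mentions them.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 22/TCP: utility node and trusted administrator hosts.
    echo "iptables -A INPUT -p tcp --dport 22 -s $admin -j ACCEPT"
    # 7778-7781/TCP: RMI from the Administrator management console;
    # recommended only from trusted administrative hosts.
    for p in 7778 7779 7780 7781; do
        echo "iptables -A INPUT -p tcp --dport $p -s $admin -j ACCEPT"
    done
    # 80/443/TCP: all Avamar clients, or only the reverse proxy (recommended).
    websrc=${proxy:-$clients}
    for p in 80 443; do
        echo "iptables -A INPUT -p tcp --dport $p -s $websrc -j ACCEPT"
    done
    # 8443/TCP: HTTPS for Tomcat (Enterprise Manager). The table allows any
    # browser host; limiting it to ADMIN_HOSTS is this example's assumption.
    echo "iptables -A INPUT -p tcp --dport 8443 -s $admin -j ACCEPT"
    # 27000/28001/29000/TCP: Avamar clients to the server and administrator
    # server (proprietary, administrator and SSL channels).
    for p in 27000 28001 29000; do
        echo "iptables -A INPUT -p tcp --dport $p -s $clients -j ACCEPT"
    done
    # 53/UDP and 123/UDP answers arrive as ESTABLISHED traffic (rule above).
    # 1234/TCP is needed only during installation and must not be listening
    # afterwards; it is blocked explicitly so the intent is visible.
    echo "iptables -A INPUT -p tcp --dport 1234 -j DROP"
}

# Read a rule set on stdin and print the number of ACCEPT rules that are
# not tied to a source address, the loopback interface or connection
# state. The table's REMARKS recommend none, so the expected value is 0.
avamar_rules_unscoped_accepts() {
    grep -e '-j ACCEPT' | grep -v -e ' -s ' -e ' -i lo ' -e '--state' \
        | wc -l | tr -d ' '
}
```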
LOG FILES

A log is a chronological record of system activities. Avamar software includes log files for server and client components, maintenance tasks, various utilities and backup clients. These log files enable you to examine various aspects of the Avamar system.

Log Management and Retrieval

The following sections include log file information organized in tables for each Avamar component. For additional information on log files, refer to the Avamar manual for the specific component.
Single-Node Server

FEATURE/FUNCTION (with LOCATION of its log files):

Avamar Administrator server
    /usr/local/avamar/var/mc/server_log/flush.log
    /usr/local/avamar/var/mc/server_log/restore.log
    /usr/local/avamar/var/mc/server_log/mcserver.log.#
    /usr/local/avamar/var/mc/server_log/mcserver.out
    /usr/local/avamar/var/mc/server_log/pgsql.log
    /usr/local/avamar/var/mc/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/mc/server_data/mcs_data_dump.sql

Avamar Enterprise Manager - Tomcat
    /usr/local/avamar/var/em/webapp_log/admin.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.out
    /usr/local/avamar/var/em/webapp_log/host-manager.DATE.log
    /usr/local/avamar/var/em/webapp_log/localhost.DATE.log
    /usr/local/avamar/var/em/webapp_log/manager.DATE.log

Avamar Enterprise Manager - Server
    /usr/local/avamar/var/em/server_log/flush.log
    /usr/local/avamar/var/em/server_log/restore.log
    /usr/local/avamar/var/em/server_log/emserver.log.#
    /usr/local/avamar/var/em/server_log/emserver.out
    /usr/local/avamar/var/em/server_log/pgsql.log
    /usr/local/avamar/var/em/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/em/server_data/ems_data_dump.sql

Maintenance tasks
    /usr/local/avamar/var/cron/clean_emdb.log
    /usr/local/avamar/var/cron/dpn_crontab.log
    /usr/local/avamar/var/cron/cp.log
    /usr/local/avamar/var/cron/gc.log
    /usr/local/avamar/var/cron/hfscheck.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log.#
    /usr/local/avamar/var/cron/suspend.log

avw_install utility
    /usr/local/avamar/var/avw_cleanup.log
    /usr/local/avamar/var/avw_install.log
    /usr/local/avamar/var/avw-time.log
    /usr/local/avamar/var/log/dpnavwinstall-VERSION.log

axion_install utility
    /usr/local/avamar/var/axion_install_DATE_TIME.log

Avamar File System (AvFS)
    /usr/local/avamar/var/axionfs.log

change-passwords utility
    /usr/local/avamar/var/change-passwords.log

dpnctl utility
    /usr/local/avamar/var/log/dpnctl.log

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutil-version.log
    /usr/local/avamar/var/log/dpnnetutil.log*
    /usr/local/avamar/var/log/dpnnetutilbgaux.log
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log

permctl utility
    /usr/local/avamar/var/log/permctl.log

resite utility
    /usr/local/avamar/var/dpnresite-version.log
    /usr/local/avamar/var/mcspref.log
    /usr/local/avamar/var/nataddr.log
    /usr/local/avamar/var/smtphost.log

timedist utility
    /usr/local/avamar/var/timedist.log

timesyncmon program
    /usr/local/avamar/var/timesysncmon.log

Avamar Replicator
    /usr/local/avamar/var/cron/replicate.log

Avamar license server
    /usr/local/avamar/var/ascd-PORT.log

Storage server log
    /data01/cur/err.log
    /data01/cur/gsan.log
Utility Node

FEATURE/FUNCTION (with LOCATION of its log files):

Avamar Administrator server
    /usr/local/avamar/var/mc/server_log/flush.log
    /usr/local/avamar/var/mc/server_log/restore.log
    /usr/local/avamar/var/mc/server_log/mcserver.log.#
    /usr/local/avamar/var/mc/server_log/mcserver.out
    /usr/local/avamar/var/mc/server_log/pgsql.log
    /usr/local/avamar/var/mc/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/mc/server_data/mcs_data_dump.sql

Avamar Enterprise Manager - Tomcat
    /usr/local/avamar/var/em/webapp_log/admin.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.out
    /usr/local/avamar/var/em/webapp_log/host-manager.DATE.log
    /usr/local/avamar/var/em/webapp_log/localhost.DATE.log
    /usr/local/avamar/var/em/webapp_log/manager.DATE.log

Avamar Enterprise Manager - Server
    /usr/local/avamar/var/em/server_log/flush.log
    /usr/local/avamar/var/em/server_log/restore.log
    /usr/local/avamar/var/em/server_log/emserver.log.#
    /usr/local/avamar/var/em/server_log/emserver.out
    /usr/local/avamar/var/em/server_log/pgsql.log
    /usr/local/avamar/var/em/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/em/server_data/ems_data_dump.sql

Maintenance tasks
    /usr/local/avamar/var/cron/clean_emdb.log
    /usr/local/avamar/var/cron/dpn_crontab.log
    /usr/local/avamar/var/cron/cp.log
    /usr/local/avamar/var/cron/gc.log
    /usr/local/avamar/var/cron/hfscheck.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log.#
    /usr/local/avamar/var/cron/suspend.log

avw_install utility
    /usr/local/avamar/var/avw_cleanup.log
    /usr/local/avamar/var/avw_install.log
    /usr/local/avamar/var/avw-time.log
    /usr/local/avamar/var/log/dpnavwinstall-VERSION.log

axion_install utility
    /usr/local/avamar/var/axion_install_DATE_TIME.log

Avamar File System (AvFS)
    /usr/local/avamar/var/axionfs.log

change-passwords utility
    /usr/local/avamar/var/change-passwords.log

dpnctl utility
    /usr/local/avamar/var/log/dpnctl.log

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutil-version.log
    /usr/local/avamar/var/log/dpnnetutil.log*
    /usr/local/avamar/var/log/dpnnetutilbgaux.log
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log

permctl utility
    /usr/local/avamar/var/log/permctl.log

timedist utility
    /usr/local/avamar/var/timedist.log

timesyncmon program
    /usr/local/avamar/var/timesysncmon.log

Avamar Replicator
    /usr/local/avamar/var/cron/replicate.log

Avamar license server
    /usr/local/avamar/var/ascd-PORT.log

Storage Node

FEATURE/FUNCTION (with LOCATION of its log files):

Storage server log
    /data01/cur/err.log
    /data01/cur/gsan.log

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log
    /usr/local/avamar/var/log/dpnnetutilbgaux.log

Maintenance tasks
    /usr/local/avamar/var/ntpd_keepalive_cron.log*

timesyncmon program
    /usr/local/avamar/var/timesyncmon.log*

Spare Node

FEATURE/FUNCTION (with LOCATION of its log files):

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log
    /usr/local/avamar/var/log/dpnnetutilbgaux.log
Avamar NDMP Accelerator Node

FEATURE/FUNCTION (with LOCATION of its log files):

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log
    /usr/local/avamar/var/log/dpnnetutilbgaux.log

Access Node

FEATURE/FUNCTION (with LOCATION of its log files):

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log
    /usr/local/avamar/var/log/dpnnetutilbgaux.log

Avamar Administrator Client Network Host

FEATURE/FUNCTION (with LOCATION of its log files):

Avamar Administrator management console
    Windows: C:\Program Files\avs\administrator\var\mc\gui_log\mcclient.log.0
    Unix: $HOME/.avamardata/var/mc/gui_log/mcclient.log.0

Avamar Administrator management console command line interface
    Unix: $HOME/.avamardata/var/mc/gui_log/mccli.log.0

Backup Client Network Host

FEATURE/FUNCTION (with LOCATION of its log files):

Client avagent process (all clients)
    C:\Program Files\avs\var\avagent.log

Client avtar process (all clients)
    C:\Program Files\avs\var\{WORKORDER-ID}.alg
    C:\Program Files\avs\var\{WORKORDER-ID}.log

Avamar Windows Client tray applet
    C:\Program Files\avs\var\avscc.log

Avamar DB2 Client
    /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar Exchange Client
    /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar NDMP Accelerator
    /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar NetWare Client
    /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar Oracle Client
    /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar SQL Server Client
    /usr/local/avamar/var/{WORKORDER-ID}.log
APPENDIX A — CLIENT-SERVER ENCRYPTION FUNCTIONAL MATRIX
Client-server encryption functional behavior in any given circumstance is dependent on a number of factors, including Avamar server version, client version, the mcserver.xml encrypt_server_authenticate preference setting and the avtar --encrypt option used during that activity. The following table documents various encryption behaviors and strengths that can be expected in various circumstances. Each group is headed by the AVAMAR SERVER VERSION, the AVAMAR ADMINISTRATOR/MCCLI VALUE and the MCSERVER.XML ENCRYPT_SERVER_AUTHENTICATE SETTING; each entry under it gives the CLIENT VERSION, the AVTAR SETTING and the resulting BEHAVIOR/DESCRIPTION.

Server Pre-4.1 | Administrator/MCCLI value: Axion | encrypt_server_authenticate: Not Implemented
  Client Pre-4.1, avtar --encrypt=proprietary
    Avamar proprietary encryption.
  Client 4.1 and later, avtar --encrypt=proprietary
    Avamar proprietary encryption.

Server Pre-4.1 | Administrator/MCCLI value: AES-128 | encrypt_server_authenticate: Not Implemented
  Client Pre-4.1, avtar --encrypt=ssl
    Linux: negotiated to highest available setting. Windows: negotiated algorithm.
  Client 4.1 and later, avtar --encrypt=ssl
    Linux: negotiated to highest available setting. Windows: negotiated algorithm.
    NOTE: 4.1 and later avtar will maintain backward compatibility by supporting the --encrypt=ssl option indefinitely.
Server 4.1 and later | Administrator/MCCLI value: None | encrypt_server_authenticate: FALSE
  Client Pre-4.1, avtar --encrypt=proprietary
    Avamar proprietary encryption.
    NOTE: Older Avamar clients cannot support unencrypted "clear" text.
  Client 4.1 and later, avtar --encrypt=proprietary --encrypt-strength=cleartext
    Unencrypted "clear" text.

Server 4.1 and later | Administrator/MCCLI value: None | encrypt_server_authenticate: TRUE
  Client Pre-4.1, avtar setting: Not supported.
    Error Event - job failed due to options incompatibility.
  Client 4.1 and later, avtar setting: Not supported.
    Error Event - job failed due to options incompatibility.

Server 4.1 and later | Administrator/MCCLI value: Medium | encrypt_server_authenticate: FALSE
  Client Pre-4.1, avtar --encrypt=ssl
    Linux: negotiated to highest available setting. Windows: negotiated to preferred setting.
  Client 4.1 and later, avtar --encrypt=tls --encrypt-strength=medium
    Linux: AES-128. Windows: negotiated algorithm, restricted to exactly 128-bit strength.

Server 4.1 and later | Administrator/MCCLI value: Medium | encrypt_server_authenticate: TRUE
  Client Pre-4.1, avtar setting: Not supported.
    Error Event - job failed due to options incompatibility.
  Client 4.1 and later, avtar --encrypt=tls-sa --encrypt-strength=medium
    Linux: AES-128 with server authentication. Windows: negotiated algorithm, restricted to exactly 128-bit strength.
Server 4.1 and later | Administrator/MCCLI value: High | encrypt_server_authenticate: FALSE
  Client Pre-4.1, avtar setting: Not supported.
    Error Event - job failed due to options incompatibility.
  Client 4.1 and later, avtar --encrypt=tls --encrypt-strength=high
    Linux: AES-256. Windows: negotiated algorithm, restricted to exactly 168-bit or higher strength.

Server 4.1 and later | Administrator/MCCLI value: High | encrypt_server_authenticate: TRUE
  Client Pre-4.1, avtar setting: Not supported.
    Error Event - job failed due to options incompatibility.
  Client 4.1 and later, avtar --encrypt=tls-sa --encrypt-strength=high
    Linux: AES-256 with server authentication. Windows: negotiated algorithm, restricted to exactly 168-bit or higher strength.
APPENDIX B — SIGNING AVAMAR ENTERPRISE MANAGER SSL CERTIFICATES
This appendix describes how to use the public and private key pair for the Avamar Enterprise Manager web server and how to get the certificate signed.
Overview

Avamar Enterprise Manager uses HTTP over SSL to communicate with the client browser. This requires an SSL certificate that is used by the Avamar Enterprise Manager web server to prove it is really the server that it says it is. An SSL certificate is created when avsetup_ems runs. The certificate must be signed by a recognized Certificate Authority (CA); if it is not, the web browser displays an error when loading the Avamar Enterprise Manager web page.
Getting a Signed Certificate (page 43) describes how to use the public and private key pair for the Avamar Enterprise Manager web server and how to get the certificate signed.
To use a single signed certificate for both the Avamar Enterprise Manager web server and Tomcat, you must also complete additional steps in Tomcat Application Server Certificate (page 45).
NOTE: This appendix applies to all versions of Avamar Enterprise Manager.
Getting a Signed Certificate

The procedure uses the java keytool command, a utility which manages certificate keys. The keytool command is located in the bin directory of the Java install directory (/usr/java/jre1.5.0_12/bin). If this directory is not in your path, you can either add it to the path, or specify the complete path when using keytool. All keytool commands require a password. The password set by avsetup_ems is changeit. For more information on avsetup_ems refer to the Avamar Technical Addendum.
To get the certificate signed:
1. Log into the root account on a utility node or single-node server.
2. Stop the Avamar Enterprise Manager by entering:
dpnctl stop ems
3. Change the password for all certificates in the keystore to match the keystore's password.
For Tomcat, the passwords of certificates in the keystore must match the password of the keystore itself.
NOTE: It is a good practice to change the keystore password; however, to retain the default password, skip to step 6.
(a) Delete the mcssl certificate from the keystore by entering:
keytool -delete -alias mcssl
(b) Change the keystore password by entering:
keytool -storepasswd
When prompted, enter the old password and then the new password twice.
(c) Export the mcssl certificate to a file by entering the following on a single command line:
keytool -export -keystore /usr/local/avamar/lib/rmi_ssl_keystore -alias mcssl -file /tmp/mcssl.crt
The default password for rmi_ssl_keystore is changeme. Use this password if it has not been changed.
IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Your command must be entered on a single command line (no line feeds or returns allowed).
(d) Import the file to the root's keystore by entering:
keytool -import -alias mcssl -file /tmp/mcssl.crt
4. Set the new password by editing /usr/local/jakarta-tomcat-VERSION/conf/server.xml.
Where VERSION is the version of Tomcat.
(a) Find the Connector element for port=“443”
(b) Set the keystorePass attribute to the new password.
NOTE: For additional information on this procedure, go tothe Apache Tomcat 5.5 Servlet/JSP Container website(http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html).
5. Set the trust_keystore_ap preference to the new password by editing the Enterprise Manager Server (EMS) preferences file, /usr/local/avamar/var/em/server_data/prefs/emserver.xml.
6. Delete the existing certificate (with alias tomcat) by entering:
keytool -delete -alias tomcat
7. Enter the following keytool command:
keytool -genkey -alias tomcat -keyalg RSA -dname "CN=hostname.domain.com, OU=Organization Name, O=Company Name, L=City Name, ST=CA, C=US"
Use information specific to your site for CN, OU, O, L, ST and C. The CN must be the hostname that users enter in the browser, or the browser will warn about a name mismatch. Add -keysize 2048 to the command: keytool in this Java version otherwise generates a 1024-bit RSA key, which is no longer considered adequate.
When prompted for the key password use the same one you chose for the keystore.
8. Enter the following command to create a Certificate Signing Request (CSR):
keytool -certreq -alias tomcat
The command screen displays the CSR. To store the CSR to a user-defined filename (CSRFILENAME), add -file CSRFILENAME to the keytool command.
9. Provide the CSR to a signing authority to generate a signed certificate.
Request the signed certificate in PKCS#7 format, which bundles the server certificate with the CA chain so that keytool can import the whole chain in one step.
10. Import the signed certificate into the keystore by entering:
keytool -import -alias tomcat -file CERTFILENAME
Where CERTFILENAME is the name of the file you received from the signing authority.
11. Restart the Avamar Enterprise Manager by entering:
dpnctl start ems
12. Continue with Tomcat Application Server Certificate (page 45) to use the same certificate for both the Tomcat application server and the Avamar Enterprise Manager web server.
Tomcat Application Server Certificate
The Avamar Enterprise Manager web server (the Apache httpd instance whose key and certificate live under /etc/httpd/conf) can use the same signed certificate you created for the Tomcat application server in the previous procedure. This procedure exports the private key and certificate chain from the Tomcat keystore with KeyTool IUI, an open source utility, and installs them as the httpd server key and certificate. KeyTool IUI requires Java version 6 or later to run.
IMPORTANT: Run the KeyTool IUI from a desktop workstation.
To use the signed certificate:
1. Download the KeyTool IUI from:
http://www.icewalkers.com/download/KeyTool-IUI/3073/dls/
2. After installing Java 6, extract the KeyTool IUI tarball or zip file.
3. Follow the instructions in readme_first.txt to run KeyTool IUI.
4. Download the /root/.keystore file from the Avamar utility node to your desktop machine. This file contains the server's private key, so copy it over an authenticated, encrypted channel (for example scp) and delete the desktop copy when you have finished.
In the process of downloading, rename the file with a .jks extension (keystore.jks).
5. From KeyTool IUI, select Export > Keystore’s entry > Private key in the left pane.
The right pane of the KeyTool IUI window shows the options for the source and target.
AVAMAR 4.1 • PRODUCT SECURITY MANUAL 45
Tomcat Application Server CertificateAPPENDIX B — SIGNING AVAMAR ENTERPRISE MANAGER SSL CERTIFICATES
6. Configure private key data according to the following table:
FOR THIS OPTION / TAKE THIS ACTION
Keystore file: Click the folder icon and browse for the .jks file you saved in step 4.
Keystore password: Click the mask icon and enter the password.
Private key file: Select PEM format and enter a filename of your choosing.
Certificates chain file: Select PEM format and enter a filename of your choosing.
7. Click OK.
The export dialog box appears.
8. Select the tomcat certificate.
9. For Enter respective password, enter the same password as the keystore password.
10. Click OK.
A message appears stating that keys were successfully exported. You also have the option of viewing each one.
11. Upload the private key and certificate chain files from your desktop workstation to the Avamar utility node.
(a) Copy the private key to /etc/httpd/conf/ssl.key/server.key.
(b) Copy the certificate chain file to /etc/httpd/conf/ssl.crt/server.crt.
12.Ensure these files are owned by root.root with permissions of 600 by entering the following commands, each one on a single command line:
chown root.root /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt
chmod 600 /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt
13.Restart the httpd process by entering:
website restart
APPENDIX C — INSTALLING AN SSL CERTIFICATE ON AN AVAMAR SERVER
The following information applies to Apache only and not Tomcat (used in Avamar Enterprise Manager).
Currently, the Avamar web restore application uses the certificate that is generated during Avamar software installation. This certificate is self-signed, contains the hostname localhost.localdomain, and expires after one year.
Use the gen-ssl-cert utility to create a new self-signed certificate. Run these steps as user root:
1. Do one of the following:
IF / DO THIS
Preparing a single-node server: Log into the server as root. When prompted for a password, enter the root password and press ENTER.
Preparing a multi-node server: Log into the utility node as root. When prompted for a password, enter the root password and press ENTER.
2. Enter:
/usr/local/avamar/bin/gen-ssl-cert
For more information on the gen-ssl-cert utility, refer to the Avamar Technical Addendum.
APPENDIX D — TRANSPORT LAYER SECURITY CERTIFICATION
This appendix describes how to implement client/server authentication using Transport Layer Security (TLS) certificates.
Overview
This appendix lists the individual tasks for implementing TLS server and client authentication. It also explains how to apply encryption constraints to TLS.
Important Terms and Concepts
Become familiar with the following terms and concepts before performing any of the procedures in this appendix.
Transport Layer Security and Secure Sockets Layer. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for activities such as web browsing, email, Internet faxing, instant messaging and other data transfers. Although essentially the same, there are minor differences between SSL and TLS.
X.509 v3. A standard for formatting digital certificates that can be used to authenticate identities of computers, applications, people and so forth.
Root Certificate. In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate. A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a CA.
Self-Signing Certificates
If you self-sign your server and client certificates (that is, you do not intend to use a commercial CA such as Verisign), you must first create your own root certificate and key (page 57), then sign them using the self-signing procedure in this appendix (page 59).
If you use a commercial CA to sign your server certificates, the CA will sign your certificates and return them to you.
Root Certificates
Root certificates can be used with Windows and stunnel. All other certificates can be signed by this root certificate. If you are not a commercial certificate authority, some software might not accept your certificates. However, you can configure the stunnel nodes to use the CA certificate and load it into the Local Computer Certificate Store on your Windows clients; your certificates are then accepted just as commercially purchased ones are.
When creating and signing certificates, EMC recommends:
• Properly secure the private key associated with the root certificate.
• In a high-risk environment, use an air-gapped network for signing operations and for creating keys, CSRs and other security-related artifacts. (An air-gapped network is completely physically, electrically and electromagnetically isolated.)
• Use a hardware random-number generator (RNG) to efficiently and quickly generate random numbers with adequate characteristics for cryptographic use.
• For maximum security, use the OpenBSD operating system as the host for the OpenSSL key and certificate utilities.
Implementing TLS Authentication
This section explains how to implement TLS server and client authentication.
Implement TLS Server Authentication
To properly implement Avamar server authentication, the CSR must contain the Avamar server node's IP address in the Subject Alternative Name (subjectAltName) extension. If nodes use multiple IP addresses (multihomed servers, servers behind network address translation (NAT), and so forth), ensure that each IP address is added to the Subject Alternative Name extension: a client that connects to an address not listed there rejects the certificate.
If the openssl req command is used to generate the CSR, see Generate a Signed x509 Certificate (page 60) for an example of the content for the openssl.cnf file. This example contains the [alt_names] section, which includes the server node IP addresses.
To implement server authentication using TLS:
1. Generate a unique server authentication certificate for each Avamar server node by performing Generate an Avamar Server Node Authentication Certificate and CSR (page 53) once for each Avamar server node.
IMPORTANT: Ensure that the CSR that you create contains the Avamar server node's IP address in the Subject Alternative Name extension.
2. Do one of the following:
IF / DO THIS
You are using a commercial CA, such as Verisign, to sign your server certificates: Submit your CSRs to your commercial CA.
You are self-signing your server certificates with your own root certificate and key: (1) Ensure that the root certificate and key have been generated (page 57). (2) Self-sign your server certificates with your own root certificate and key by performing Generating Self-Signed x509 Certificates (page 59) once for each server certificate.
3. Install the signed server certificates on all Avamar server nodes.
4. Configure stunnel on all Avamar server nodes to use your server certificate.
5. Restart stunnel on all the Avamar server nodes.
6. Restart the ascd service, if necessary.
7. Include the encrypt=sslverify option (--encrypt=tls-sa in the Avamar 4.1 option syntax; see Requesting TLS Encryption, page 52) for all future client communications.
Implement TLS Client Authentication
IMPORTANT: Ensure that TLS authentication has been properly implemented on your Avamar server (page 50) before proceeding any further with these client tasks.
To implement client authentication using TLS:
1. Generate a single generic client certificate for use on all clients by performing Generate an Avamar Client Authentication Certificate and CSR (page 55).
2. Do one of the following:
IF / DO THIS
You are using a commercial CA, such as Verisign, to sign your client certificate: Submit your CSR to your commercial CA.
You are self-signing your client certificate with your own root certificate and key: (1) Ensure that the root certificate and key have been created (page 57). (2) Self-sign your client certificate with your own root certificate and key by performing Generating Self-Signed x509 Certificates (page 59).
3. Install the client certificate and its private key (the .p12 file) in each client's Local Computer Certificate Store by performing Installing a Client Authentication Certificate (page 62).
4. If you are using a self-signed client certificate, perform Installing a Trusted Root Certificate (page 63) on each client.
5. Configure stunnel on all Avamar server nodes to enforce a requirement for client certificates.
6. Restart stunnel on all the Avamar server nodes.
7. Restart the ascd service, if necessary.
Requesting TLS Encryption
Requests for 256-bit or 128-bit encryption strength and SHA digests in Avamar releases before 4.1 were notated by option flags. The following list contains examples of option flags for encryption:
• ssl:AES256-SHA
• ssl:AES128-SHA
• sslverify:AES256-SHA
• sslverify:AES128-SHA
Avamar supports other types of encryption besides the ones listed. Avamar 4.1 and later deprecate this notation for option flags. Deprecated option flags that still exist on clients running Avamar 4.1 or later are ignored, which means a configuration that still relies on them no longer requests encryption or server authentication; migrate it to the flags below.
Avamar 4.1 and later replace the colon-separated option flags with an option flag pair: encrypt and encrypt-strength. The encrypt-strength option takes one of three values: None, Medium or High. Each encrypt-strength option value has a corresponding cipher:
OPTION VALUE / CIPHER
None: Cleartext (no cipher)
Medium: 128-bit strength
High: 168-bit strength or higher on Windows; 256-bit strength on Linux
A pre-4.1 option flag such as ssl:AES256-SHA translates into an encrypt and encrypt-strength option flag pair for Avamar 4.1 and later. For example, if server authentication is not requested, the option flag pair for ssl:AES256-SHA is specified as follows:
--encrypt=tls
--encrypt-strength=high
If server authentication is requested, the option flag pair for sslverify:AES256-SHA is specified as follows:
--encrypt=tls-sa
--encrypt-strength=high
Refer to Appendix A — Client-Server Encryption Functional Matrix (page 39) for more information.
Generating Authentication Certificates and CSRs
This section explains how to generate authentication certificates and CSRs for the Avamar server and client nodes.
NOTE: The following procedures use "Example, Inc. (example)," "example.com," "Dept 55," "avamar-1," and "192.0.2.4" as an example company name, Internet domain, department name, Avamar server name and IP address, respectively. Use your actual information instead.
The following procedures create RSA public/private key pairs and CSRs. The commands are shown with rsa:1024 as published in this manual; 1024-bit RSA keys and SHA-1 signatures are no longer considered adequate, so use rsa:2048 or larger (and a SHA-256 signature, where the installed OpenSSL supports it) in practice.
Generate an Avamar Server Node Authentication Certificate and CSR
IMPORTANT: Generate a unique certificate for each Avamar server node and repeat this procedure on every Avamar server node.
To generate a request for a new Avamar server node authentication certificate with a new key:
1. Open a command shell and enter the following on a single command line:
openssl req -new -newkey rsa:1024 -keyform PEM -keyout avamar-1key.pem -nodes -outform PEM -out avamar-1req.pem
The following information appears in your command shell:
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++++++
...++++++
writing new private key to 'avamar-1key.pem'
-----
2. When prompted, enter the following information and press ENTER after each entry:
NAME FIELD / DESCRIPTION
Distinguished Name (DN): Unique name for this particular server node. For example: avamar-1.node-1
Country Name: The two-letter ISO abbreviation for your country. For example: US
State or Province Name: The state or province where your organization is located. For example: California
IMPORTANT: This entry cannot be abbreviated.
Locality Name: City where your organization is located. For example: Los Angeles
Organization Name: The exact legal name of your company. For example: Example, Inc.
IMPORTANT: This entry cannot be abbreviated.
Organizational Unit Name: Optional entry for additional organization information. For example: Dept. 55
Common Name: The fully qualified hostname of this server node, which is the name that appears as the subject CN of the signed certificate later in this appendix. For example: avamar-1.example.com
Email Address: Primary email address for this server. For example: [email protected]
The information you enter is incorporated into your certificate request.
TIP: Entering a period (.) and pressing ENTER leaves that entry blank.
The output from avamar-1req.pem is similar to the following:
-----BEGIN CERTIFICATE REQUEST-----
ABCDEF......XYZ=
-----END CERTIFICATE REQUEST-----
avamar-1key.pem content is similar to this:
-----BEGIN RSA PRIVATE KEY-----
ABCDEF......XYZ=
-----END RSA PRIVATE KEY-----
Because the -nodes option writes this private key unencrypted, restrict the file to its owner (chmod 600) and keep it only on the node it belongs to.
3. Repeat steps 1 and 2 for every Avamar server node.
Generate an Avamar Client Authentication Certificate and CSR
To generate a request for a new Avamar client authentication certificate with a new key:
1. Open a command shell and enter the following on a single command line:
openssl req -new -newkey rsa:1024 -keyform PEM -keyout avamarclientkey.pem -nodes -outform PEM -out avamarclientreq.pem
The following information appears in your command shell:
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++++++
...++++++
writing new private key to 'avamarclientkey.pem'
-----
2. When prompted, enter the following information and press ENTER after each entry:
NAME FIELD / DESCRIPTION
Country Name: The two-letter ISO abbreviation for your country. For example: US
State or Province Name: The state or province where your organization is located. For example: California
IMPORTANT: This entry cannot be abbreviated.
Locality Name: City where your organization is located. For example: Los Angeles
Organization Name: The exact legal name of your company. For example: Example, Inc.
IMPORTANT: This entry cannot be abbreviated.
Organizational Unit Name: Optional entry for additional organization information. For example: Dept. 55
Common Name: Because this certificate will be used by every Avamar client, name it something meaningful. For example: Generic Avamar Backup Client
Email Address: Contact email address for all CA-related issues. For example: [email protected]
Challenge Password: An optional password embedded in the CSR for the CA's own enrollment or revocation checks. It is not used during TLS authentication; leave it blank unless your CA requires it.
Optional Company Name: Optional entry.
The information you enter is incorporated into your certificate request.
TIP: Entering a period (.) and pressing ENTER leaves that entry blank.
The output from avamarclientreq.pem is similar to the following:
-----BEGIN CERTIFICATE REQUEST-----
ABCDEF..XYZ=
-----END CERTIFICATE REQUEST-----
The content of avamarclientkey.pem looks similar to this:
-----BEGIN RSA PRIVATE KEY-----
ABCDEF..XYZ=
-----END RSA PRIVATE KEY-----
Generating a Root Certificate and Key
NOTE: Skip this section if you are using a commercial CA,such as Verisign to sign your server certificates.
This topic explains how to create a root certificate and key by using OpenSSL tools. The recommended method is to use CA.pl, a Perl script "wrapper" for OpenSSL commands. As an alternative, you can use the openssl req command.
The following web sites provide more information for CA.pl and openssl req, respectively:
• www.openssl.org/docs/apps/CA.pl.html
• www.openssl.org/docs/apps/req.html
Download and Install OpenSSL and CA.pl
Download and install OpenSSL and a Perl interpreter on the system which generates the certificate. CA.pl is distributed with OpenSSL (in its apps directory); install it alongside the openssl binary if your package does not already do so.
NOTE: OpenSSL and Perl interpreters are available for Linux, Windows, OpenBSD and other operating systems.
Create a Root Certificate and Key
Use one of the following procedures to create a root certificate and key:
• Using CA.pl to Create a Root Certificate and Key (page 58)
• Using openssl req to Create a Root Certificate and Key (page 59)
Each procedure creates two files: exampleca.pem and examplekey.pem.
• Provide the exampleca.pem file to others for importation into their certificate stores and browsers.
• Use examplekey.pem, which is secured in a private directory, for signing operations.
Using CA.pl to Create a Root Certificate and Key
NOTE: This procedure uses "Example, Inc. (example)" and "example.com" as an example company name and Internet domain, respectively. Use your actual company name instead.
The following procedure prompts you for various information including a password. When prompted for a password, specify a secure password.
1. Open a command shell.
2. From the openssl directory, enter:
CA.pl -newca
NOTE: This command creates all relevant files and directories in ./demoCA: the new CA certificate is written to demoCA/cacert.pem and its private key to demoCA/private/cakey.pem. The rest of this appendix refers to these two files as exampleca.pem and examplekey.pem.
3. When prompted for a CA certificate filename, press ENTER to create a new CA. (Entering a filename instead reuses an existing CA certificate file, which must also contain the private key.) You are then prompted for the CA details.
4. When prompted for a password, enter a secure password. This passphrase protects the CA private key and is required for every signing operation.
5. When prompted, enter the following information and press ENTER after each entry:
NAME FIELD / DESCRIPTION
Country Name: The two-letter ISO abbreviation for your country. For example: US
State or Province Name: The state or province where your organization is located. For example: California
IMPORTANT: This entry cannot be abbreviated.
Locality Name: City where your organization is located. For example: Los Angeles
Organization Name: The exact legal name of your company. For example: Example, Inc.
IMPORTANT: This entry cannot be abbreviated.
Organizational Unit Name: Optional entry for additional organization information. For example: Dept. 55
Common Name: Because this is your root certificate, name it something meaningful. For example: example.com Certificate Authority
Email Address: Contact email address for all CA-related issues. For example: [email protected]
TIP: Entering a period (.) and pressing ENTER leaves that entry blank.
6. Back up exampleca.pem and examplekey.pem.
Using openssl req to Create a Root Certificate and Key
1. Open a command shell and enter the following on a single command line:
openssl req -new -x509 -newkey rsa:1024 -keyform PEM -keyout private/examplekey.pem -extensions v3_ca -outform PEM -out exampleca.pem -days 3650
Where the -days 3650 option certifies the certificate for 3650 days (10 years). You can set the -days option to any period of time for your specific site requirements. The -extensions v3_ca option applies the v3_ca section of the openssl.cnf that ships with OpenSSL, which marks the certificate as a CA (basicConstraints = CA:true). The private directory must already exist and should be readable only by the signing user; you are prompted for a passphrase that protects examplekey.pem.
2. Back up exampleca.pem and examplekey.pem.
Generating Self-Signed x509 Certificates
NOTE: Skip this section if you are using a commercial CA, such as Verisign, to sign your server certificates.
This section explains how to sign server and client certificates with your own root certificate and key.
AVAMAR 4.1 • PRODUCT SECURITY MANUAL 59
Generating Self-Signed x509 CertificatesAPPENDIX D — TRANSPORT LAYER SECURITY CERTIFICATION
Prerequisite
Before you can sign certificates with your own root, you must:
1. Generate a root certificate and key as described in Generating a Root Certificate and Key (page 57).
2. Install the root certificate as a trusted root in each client's Local Computer Certificate Store (see Installing a Trusted Root Certificate, page 63), so that clients accept the certificates you sign with it.
Generate a Signed x509 Certificate
This procedure assumes the following:
• CA certificate is in exampleca.pem.
• Key for CA certificate is in examplekey.pem.
• example.srl serial number seed file does not already exist.
• The following entries have been appended to the end of the openssl.cnf file that ships with OpenSSL:
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
nsComment = "OpenSSL-generated server certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_names
[ alt_names ]
IP.0 = 192.0.2.4
# additional ip might be useful for server behind nat or multi-homed
#IP.1 = 1.2.3.4
DNS.0 = avamar-1.example.com
# additional hostname might be useful for server behind nat or multihomed
#DNS.1 = natavds.example.com
Note the customized hostname and IP address in the alt_names section referenced by the subjectAltName line; list every address and name that clients use to reach the node. When signing the client certificate, use a separate extension section with extendedKeyUsage = clientAuth and nsCertType = client in place of the server values.
To generate a signed x509 certificate:
1. Enter the following command on a single line:
openssl x509 -CA exampleca.pem -CAkey examplekey.pem -req -in avamar-1req.pem -extensions server_ext -extfile openssl.cnf -outform PEM -out avamar-1cert.pem -days 365 -CAserial example.srl -CAcreateserial
The following information appears in your command shell:
Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=Example, Inc./OU=Dept55/CN=avamar-1.example.com/[email protected]
Getting CA Private Key
Enter pass phrase for examplekey.pem:
2. Enter the passphrase for this key and press ENTER.
Content of signed certificate looks similar to the following output:
-----BEGIN CERTIFICATE-----
ABCDEF......XYZ=
-----END CERTIFICATE-----
3. Display the certificate content in text by entering:
openssl x509 -in avamar-1cert.pem -noout -text
The following information appears in your command shell:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9f:3a:d1:2d:93:2d:3d:92
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=Example, Inc., OU=Dept55, CN=example.com Certificate Authority/emailAddress=avamar-1.example.com
        Validity
            Not Before: May 16 20:21:12 2008 GMT
            Not After : May 16 20:21:12 2009 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=Example, Inc., OU=Dept55, CN=avamar-1.example.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c2:e2:f9:b8:77:9a:06:fe:6d:1d:c8:9d:04:3a:
                    7d:75:aa:1e:8d:4a:57:34:f7:a6:4e:30:73:80:ca:
                    c0:38:be:e9:e5:04:1b:05:42:79:b1:07:40:59:b7:
                    3f:7f:79:21:2d:95:74:96:6f:25:ce:16:b8:ae:72:
                    b1:b4:76:e7:fd:45:28:87:50:fd:76:b2:fe:c3:c2:
                    cd:20:ee:54:40:2a:56:55:ca:d4:f4:df:ae:29:6b:
                    4b:84:18:98:b7:ff:be:04:4e:bf:b5:9a:a7:39:ba:
                    2e:87:3e:ea:d0:ae:8a:ec:d4:6a:7c:f3:cb:79:0b:
                    b9:a9:83:28:67:80:e2:e1:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            Netscape Cert Type:
                SSL Client
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            Netscape Comment:
                OpenSSL-generated server certificate
            X509v3 Subject Key Identifier:
                A5:29:93:8E:98:E1:FB:4E:7A:2A:5A:A0:AB:76:A6:C5:18:F1:78:0A
            X509v3 Authority Key Identifier:
                keyid:DA:27:CF:99:D1:EB:C2:2C:93:50:9D:09:B7:20:E0:31:7E:D6:84:09
                DirName:/C=US/ST=California/O=example.com/OU=Dept55/CN=example.com Certificate Authority/[email protected]
                serial:DA:2D:59:E2:4F:E2:91:F8
    Signature Algorithm: sha1WithRSAEncryption
        9e:10:07:a7:1a:e8:7e:5c:b1:87:0d:81:5a:70:49:2c:86:e6:
        4c:36:93:31:4e:bf:f6:bf:de:02:52:66:25:c0:67:e9:a5:dc:
        5d:bf:9c:10:b6:77:c4:ce:a8:18:8d:6f:1d:e2:32:e5:01:56:
        20:86:f8:c3:9d:01:e6:dc:f4:0d:56:fc:22:dc:f7:be:64:42:
        cf:1e:ca:cb:7d:18:7b:8e:c0:ca:64:33:a1:aa:e5:1a:b6:1b:
        9f:f0:c8:19:55:c4:88:c1:77:bb:16:da:58:63:22:7d:ba:ff:
        9e:bc:c8:11:3f:37:cb:5e:a9:8d:dd:3b:f3:e6:cd:56:2f:2a:
        47:e9:f3:f8
Check the X509v3 extensions in this output before installing the certificate. The sample above was evidently signed with client-certificate extensions (Key Usage: Digital Signature; Netscape Cert Type: SSL Client; Extended Key Usage: TLS Web Client Authentication) and carries no Subject Alternative Name. A server node certificate signed with the server_ext section shown earlier instead reads Key Usage: Digital Signature, Key Encipherment; Netscape Cert Type: SSL Server; Extended Key Usage: TLS Web Server Authentication; and an X509v3 Subject Alternative Name line listing IP Address:192.0.2.4, DNS:avamar-1.example.com. If the extensions do not match the certificate's intended role, re-sign the CSR with the correct -extensions section.
4. For the client certificate (signed from avamarclientreq.pem in the same way, producing avamarclientcert.pem), combine the key and signed certificate into a PKCS#12 format file suitable for importing into a Microsoft Certificate Store by entering the following on a single command line:
openssl pkcs12 -in avamarclientcert.pem -inkey avamarclientkey.pem -export -out avamarclientcert.p12 -name "Avamar Trusted Client"
The following information appears in your command shell:
Loading 'screen' into random state - done
Enter Export Password: mypassword
Verifying - Enter Export Password: mypassword
The export password protects the private key inside the .p12 file. Choose a strong one, because the file is copied to every Windows client and the password is required again at import time.
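The following script is an added illustration and is not part of this manual or of the Avamar product. It runs the same OpenSSL flow as this appendix end to end on one machine (root certificate and key, server-node key and CSR, signing with the server_ext and alt_names sections) and then performs the checks a practitioner should run before copying a certificate to a node: the certificate chains to the root, the Subject Alternative Name contains the node IP, and the extensions are server ones rather than the client profile shown in the sample output above. It assumes an openssl binary (1.1.1 or later) in PATH, uses 2048-bit keys and SHA-256 signatures instead of the rsa:1024/SHA-1 values printed in the manual, and writes everything into a temporary directory; avamar-1.example.com and 192.0.2.4 are the example values from the NOTE on page 53.

```shell
#!/bin/sh
# Added example (not from the Avamar manual): build a root CA and a server-node
# certificate with the same openssl flow as Appendix D, then check the result
# before it would be installed. Assumes openssl 1.1.1+ in PATH; file names and
# the example values avamar-1.example.com / 192.0.2.4 follow the manual.

# Create a root certificate (exampleca.pem) and key (private/examplekey.pem) in $1.
make_root_ca() {
    dir="$1"
    mkdir -p "$dir/private" && chmod 700 "$dir/private"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
C  = US
O  = Example, Inc.
CN = example.com Certificate Authority
[ v3_ca ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes leaves the CA key unencrypted so this runs unattended; a real root
    # key should be passphrase-protected and kept on an offline signing host.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/private/examplekey.pem" \
        -out "$dir/exampleca.pem" 2>/dev/null
}

# Generate an unencrypted 2048-bit key and a CSR for node hostname $2 in $1.
make_server_csr() {
    dir="$1"; host="$2"
    printf '[ req ]\ndistinguished_name = req_dn\nprompt = no\n[ req_dn ]\nC = US\nO = Example, Inc.\nCN = %s\n' \
        "$host" > "$dir/$host.req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/$host.req.cnf" \
        -keyout "$dir/$host.key.pem" -out "$dir/$host.req.pem" 2>/dev/null \
        && chmod 600 "$dir/$host.key.pem"
}

# Sign the CSR for $2 with the CA in $1. $3 is the extension section to apply
# ("server_ext" as in the manual, or "none" to reproduce a certificate signed
# without extensions); $4 is the node IP that must appear in subjectAltName.
sign_server_cert() {
    dir="$1"; host="$2"; ext="$3"; ip="$4"
    cat > "$dir/ext.cnf" <<EOF
[ server_ext ]
basicConstraints       = CA:false
keyUsage               = critical, digitalSignature, keyEncipherment
nsCertType             = server
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName         = @alt_names
[ alt_names ]
IP.0  = $ip
DNS.0 = $host
EOF
    extargs=""
    [ "$ext" = "none" ] || extargs="-extfile $dir/ext.cnf -extensions $ext"
    # $extargs is deliberately unquoted so that it splits into separate arguments.
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.req.pem" \
        -CA "$dir/exampleca.pem" -CAkey "$dir/private/examplekey.pem" \
        -CAserial "$dir/example.srl" -CAcreateserial \
        $extargs -out "$dir/$host.cert.pem" 2>/dev/null
}

# Pre-installation check of node certificate $2 against root $1 and node IP $3.
# Returns 0 only if the chain verifies, the SAN lists the IP, and the extensions
# are the server profile (the manual's sample output shows the client profile).
check_server_cert() {
    cafile="$1"; cert="$2"; ip="$3"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "$cert: does not chain to $cafile"; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    # dots in $ip act as regex wildcards here; good enough for a pre-flight check
    printf '%s\n' "$text" | grep -qE "IP Address:${ip}(,|\$)" \
        || { echo "$cert: subjectAltName lacks IP $ip"; return 1; }
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" \
        || { echo "$cert: extendedKeyUsage is not serverAuth"; return 1; }
    printf '%s\n' "$text" | grep -q "Digital Signature, Key Encipherment" \
        || { echo "$cert: keyUsage is not digitalSignature, keyEncipherment"; return 1; }
    echo "$cert: OK"
}

# Stand-alone run: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_root_ca "$d"
    make_server_csr "$d" avamar-1.example.com
    sign_server_cert "$d" avamar-1.example.com server_ext 192.0.2.4
    check_server_cert "$d/exampleca.pem" "$d/avamar-1.example.com.cert.pem" 192.0.2.4
fi
```

The check deliberately fails closed: a certificate that chains correctly but was signed without the server_ext section (no SAN, no serverAuth), or one whose SAN lacks the address the clients actually connect to, is reported as unfit before it reaches stunnel on a node.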
Installing a Client Authentication Certificate
The following procedure explains how to import a certificate (in PKCS#12 format) into each client's Microsoft Windows certificate store.
1. Log into the Windows client computer by using an account with local administrator privileges.
2. Open the Microsoft Management Console:
(a) Choose Start > Run.
The Run dialog box appears.
(b) Enter mmc and press ENTER.
The Microsoft Management Console appears.
3. Press CTRL+M.
The Add/Remove Snap-In dialog box appears.
4. Press ALT+D.
If installing on Windows Vista, do the following:
(a) Click Add.
(b) Select Computer Account and press ENTER twice.
(c) Click OK.
The Add Standalone Snap-in dialog box appears.
5. From the Add Standalone Snap-in dialog box:
(a) Choose Certificates from the list and click Add.
The Certificates Snap-in dialog box appears.
(b) Set Computer Account.
(c) Press ENTER twice.
The Certificates Snap-in dialog box closes, and the Snap-in for Certificates/Computer Account/Local Computer is added.
(d) Press ESC, then ENTER.
The Certificates (Local Computer) Management console is visible in the tree.
6. Expand the tree, then select Certificates (Local Computer) > Personal > Certificates.
7. Right-click Certificates and choose All Tasks > Import...
The Certificate Import Wizard appears.
8. Click Next, and then click Browse.
9. Navigate to the location of the .p12 file holding your client authentication certificate and private key (avamarclientcert.p12) and click Open.
Installing a Trusted Root Certificate
This section explains how to install a trusted root certificate, which enables Windows Avamar backup clients to authenticate server nodes. Import the root certificate only (exampleca.pem); never copy the root private key to a client.
1. Log into the Windows client computer by using an account with local administrator privileges.
2. Open the Microsoft Management Console:
(a) Choose Start > Run.
The Run dialog box appears.
(b) Enter mmc and press ENTER.
The Microsoft Management Console appears.
3. Press CTRL+M.
The Add/Remove Snap-In dialog box appears.
4. Press ALT+D.
If installing on Windows Vista, do the following:
(a) Click Add.
(b) Select Computer Account and press ENTER twice.
(c) Click OK.
The Add Standalone Snap-in dialog box appears.
5. From the Add Standalone Snap-in dialog box:
(a) Choose Certificates from the list and click Add.
The Certificates Snap-in dialog box appears.
(b) Set Computer Account.
(c) Press ENTER twice.
The Certificates Snap-in dialog box closes, and the Snap-in for Certificates/Computer Account/Local Computer is added.
(d) Press ESC, then ENTER.
The Certificates (Local Computer) Management console is visible in the tree.
6. Expand the tree, then select Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
7. Right-click Certificates and choose All Tasks > Import...
The Certificate Import Wizard appears.
8. Click Next, and then click Browse.
9. Navigate to the location of the file holding your root certificate (exampleca.pem) and click Open.
APPENDIX E — CONFIGURING AVAMAR AUTHENTICATION AND ENCRYPTION ON UNIX
This appendix describes how to configure server and client authentication for Avamar AIX, FreeBSD, HP-UX, Linux and Solaris backup clients.
Avamar clients and servers use X.509 certificates for authentication. Typically, one-way authentication provides sufficiently strong security. The Avamar client requests authentication from the Avamar server, and the server sends the appropriate certificate to the client. The client then validates the certificate. Refer to Configuring Encryption and Server to Client Authentication (page 66) to set up one-way authentication.
For stronger security, Avamar clients and servers can use two-way authentication. To set up two-way authentication first complete the instructions in Configuring Encryption and Server to Client Authentication (page 66), and then complete Configuring Client to Server Authentication (page 67).
In both configurations, all network data can be encrypted.
Configuring Encryption and Server to Client Authentication
The Avamar server uses stunnel for authentication and TLS encryption. This section describes how to set up one-way authentication and data encryption. The tasks include:
• Obtaining a unique server certificate and private key pair.
• Installing the unique server certificate and private key pair on the utility node and data nodes.
• Configuring stunnel to load the certificate and keys.
• Configuring the Avamar client to accept the certificate when authentication or encryption is requested.
Configure the Avamar Server
Perform the following steps on the utility node and data nodes:
1. Generate a unique private key and obtain a TLS server certificate by using one of the methods described in Appendix D — Transport Layer Security Certification (page 49).
2. On the utility node, open the stunnel.conf file in a Unix editor (vi or emacs) and add the following lines:
cert = /usr/local/avamar/etc/stunnel/servercert.pem
key = /usr/local/avamar/etc/stunnel/serverkey.pem
3. Save stunnel.conf and exit the editor.
4. Restart stunnel on the utility node by entering:
stunctl restart
NOTE: The stunctl program must be run as user admin.
The stunctl program propagates the changes made to stunnel.conf on all data nodes and restarts stunnel on all the data nodes.
Configure the Management Console Server
Configure the Management Console Server (MCS):
1. Set the encrypt_server_authenticate value in the /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml file by entering:
encrypt_server_authenticate=true
2. Restart the MCS by entering:
dpnctl stop mcs
dpnctl start
Configure the Avamar Client
Configure the Avamar client to accept server certificates:
1. Append the certificate (from the server’s certificate signer) to the chain.pem file on the Avamar client.
NOTE: The chain.pem file is located in SYSDIR (/usr/local/avamar/etc) on the Avamar client.
2. If chain.pem does not exist, copy the certificate (from the server’s certificate signer) to chain.pem. Otherwise, skip this step.
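The two steps above, and the matching chain.pem steps for the server's SYSDIR/stunnel/chain.pem in Configuring Client to Server Authentication, as an added Python example that is not part of Avamar or its documentation. It creates chain.pem when the file is missing, appends otherwise, and skips a certificate that is already present so the step can be re-run safely; paths are parameters and the certificate bodies in demo() are constructed, not real.

```python
"""Idempotently add a signer certificate to an Avamar chain.pem.
Added example, not Avamar tooling: it performs steps 1 and 2 of "Configure
the Avamar Client" (create chain.pem when missing, otherwise append) and also
skips certificates already present. Works the same for SYSDIR/stunnel/chain.pem
on the server. Paths are parameters; the certificate bodies in demo() are
constructed, not real."""
import re
import tempfile
from pathlib import Path
from typing import List

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text: str) -> List[str]:
    """Base64 bodies (whitespace removed) of every certificate block in text."""
    return [re.sub(r"\s+", "", body) for body in PEM_CERT.findall(text)]

def add_to_chain(chain_path: Path, signer_pem: str) -> int:
    """Append the certificates from signer_pem that chain_path lacks, creating
    the file if it does not exist. Returns the number of certificates added."""
    new_bodies = pem_certs(signer_pem)
    if not new_bodies:
        raise ValueError("no PEM certificate block found in signer input")
    existing, prefix = set(), ""
    if chain_path.exists():
        old = chain_path.read_text()
        existing = set(pem_certs(old))  # compare bodies, not line wrapping
        prefix = "" if not old or old.endswith("\n") else "\n"  # keep blocks apart
    added = 0
    with chain_path.open("a") as fh:  # "a" creates a missing chain.pem (step 2)
        for body in new_bodies:
            if body in existing:
                continue
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            fh.write(f"{prefix}-----BEGIN CERTIFICATE-----\n{wrapped}\n"
                     "-----END CERTIFICATE-----\n")
            prefix, added = "", added + 1
            existing.add(body)
    return added

def demo() -> tuple:
    """Missing-file, duplicate and second-signer cases in a scratch directory."""
    chain = Path(tempfile.mkdtemp()) / "chain.pem"
    ca1 = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURURf\nQ0FfMQ==\n-----END CERTIFICATE-----\n"
    ca2 = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURURfQ0FfMg==\n-----END CERTIFICATE-----"
    first = add_to_chain(chain, ca1)   # file missing: created, 1 added
    again = add_to_chain(chain, ca1)   # same signer, different line wrapping: 0 added
    second = add_to_chain(chain, ca2)  # second signer: appended, 1 added
    return first, again, second, len(pem_certs(chain.read_text()))
```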
Configuring Client to Server Authentication
This section describes how to set up client to server authentication. Complete this section after completing Configuring Encryption and Server to Client Authentication (page 66) to configure two-way authentication for Avamar.
Configure the Avamar Client
1. Generate a unique private key (key.pem) and obtain a TLS client certificate (cert.pem) by using one of the methods in Appendix D — Transport Layer Security Certification (page 49).
2. Copy key.pem and cert.pem to SYSDIR (/usr/local/avamar/etc) on the Avamar client.
Configure the Avamar Server
IMPORTANT: The following procedure requires you to restart stunnel. If restarting stunnel is not feasible, use the CApath option instead of CAfile in step 3 and skip step 5. For more information on stunnel options, see the stunnel man page.
1. Append the certificate (from the server’s certificate signer) to the chain.pem file located in SYSDIR/stunnel.
2. If chain.pem does not exist, copy the certificate (from the server’s certificate signer) to chain.pem. Otherwise, continue to step 3.
3. On the utility node, open the stunnel.conf file in a Unix editor (vi or emacs) and add the following lines:
CAfile=/usr/local/avamar/etc/stunnel/chain.pem
verify=2
The verify=2 option forces stunnel to authenticate clients.
4. Save stunnel.conf and exit the editor.
5. Log in as admin and restart stunnel on the utility node by entering:
stunctl restart
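An added check, not Avamar's own tooling, for confirming that stunnel.conf actually carries the settings from steps 2 and 3 of the two server procedures (cert and key, CAfile or CApath, verify=2) before stunnel is restarted, so that a service left at verify=0 does not silently accept unauthenticated clients. The service names and values in the constructed sample are placeholders, not Avamar's real ones.

```python
"""Audit an Avamar stunnel.conf for the Appendix E settings. Added example, not
Avamar software: parses the ini-style stunnel.conf (global options, then
[service] sections, ";"/"#" comments) and reports whether a server certificate is
set and, for two-way authentication, whether verify=2 has a CAfile or CApath."""
from typing import Dict, List, Tuple
Config = Dict[str, Dict[str, str]]  # section ("" = global) -> option -> value

def parse_stunnel_conf(text: str) -> Config:
    """Options before the first [section] belong to the global section ""."""
    cfg: Config = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            cfg.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            cfg[current][key.strip()] = value.strip()
    return cfg

def audit(cfg: Config, require_client_auth: bool) -> List[Tuple[str, str]]:
    """(service, problem) pairs; empty means the file matches the requested mode."""
    findings: List[Tuple[str, str]] = []
    for svc in [s for s in cfg if s] or [""]:
        opts = {**cfg[""], **cfg.get(svc, {})}  # globals are per-service defaults
        name = svc or "<global>"
        if "cert" not in opts:  # "key" defaults to the cert file in stunnel
            findings.append((name, "no cert: server cannot present a certificate"))
        verify = int(opts["verify"]) if opts.get("verify", "").isdigit() else 0
        if require_client_auth and verify < 2:
            findings.append((name, f"verify={verify}: client certificates not required"))
        if verify >= 1 and "CAfile" not in opts and "CApath" not in opts:
            findings.append((name, "verify set without CAfile or CApath: no trust anchor"))
    return findings

def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """One service hardened as in step 3, one left at one-way defaults (placeholders)."""
    sample = """; global options as added in step 2 of Configure the Avamar Server
    cert = /usr/local/avamar/etc/stunnel/servercert.pem
    key = /usr/local/avamar/etc/stunnel/serverkey.pem
    [mutual-auth]
    CAfile=/usr/local/avamar/etc/stunnel/chain.pem
    verify=2
    [server-auth-only]
    """
    cfg = parse_stunnel_conf(sample)
    return audit(cfg, require_client_auth=False), audit(cfg, require_client_auth=True)
```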
Verifying Avamar Authentication
To verify authentication, run a test backup. Use either the avtar command from the command line or the Avamar Administrator.
Using the avtar command
To use the avtar command with an encryption option:
• For Avamar clients running 4.1 or later, use the --encrypt=tls-sa option.
• For Avamar clients running 4.0 or before, use the --encrypt=sslverify option.
The --encrypt=tls-sa and --encrypt=sslverify options verify the identity of the Avamar server to the Avamar client.
For more information about the avtar command, refer to the Avamar Technical Addendum.
Using the Avamar Administrator
To use the Avamar Administrator 4.1 or later:
1. Ensure that the MCS is configured to enable server to client authentication as described in Configure the Management Console Server (page 66).
2. Select medium or high from the Encryption method list.
NOTE: The Encryption method list appears on both the OnDemand Backup Options dialog box and the Restore Options dialog box.
For more information about the Avamar Administrator, refer to the Avamar System Administration Manual.
NOTE: If you block non-TLS (port 27000) traffic to Avamar with a firewall, only authenticated clients can connect to the server. To connect to the server, Avamar 4.1 clients must use the --encrypt=tls option and clients running an earlier release must use the --encrypt=ssl option. All clients must also use properly signed certificates to authenticate themselves to the server.