EMC Avamar 4.1 Product Security Manual

PRODUCT SECURITY MANUAL
P/N 300-007-039
REV A01

EMC CORPORATION
CORPORATE HEADQUARTERS: HOPKINTON, MA 01748-9103
1-508-435-1000
WWW.EMC.COM

EMC AVAMAR 4.1


Copyright and Trademark Notices

This document contains information proprietary to EMC. Due to continuing product development, product specifications and capabilities are subject to change without notice. You may not disclose or use any proprietary information or reproduce or transmit any part of this document in any form or by any means, electronic or mechanical, for any purpose, without written permission from EMC.

EMC has made every effort to keep the information in this document current and accurate as of the date of publication or revision. However, EMC does not guarantee or imply that this document is error free or accurate with regard to any particular specification. In no event will EMC be liable for direct, indirect, incidental or consequential damages resulting from any defect in the documentation, even if advised of the possibility of such damages. No EMC agent or employee is authorized to make any modification, extension or addition to the above statements.

EMC may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. The furnishing of this document does not provide any license to these patents, trademarks, copyrights or other intellectual property.

The Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes no liability for any claim that may arise regarding this incorporation. In addition, EMC disclaims all warranties, both express and implied, arising from the use of Open Transaction Manager. Copyright 1999-2002 Columbia Data Products, Inc. Altamonte Springs. All rights reserved.

Avamar, RAIN and AvaSphere are trademarks or registered trademarks of EMC in the US and/or other countries.

All other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies. All information presented here is subject to change and intended for general information.

Copyright 2002-2008 EMC. All rights reserved.

Protected by US Patents No. 6,704,730, 6,810,398 and patents pending.

Printed in the USA.


TABLE OF CONTENTS

Foreword . . . 5
    Scope and Intended Audience . . . 5
    Typeface Conventions . . . 5
    Notes, Tips and Warnings . . . 6

User Accounts . . . 7
    Default User Accounts . . . 7
    Secure Shell (SSH) Authentication . . . 9
        admin User Account . . . 9
        dpn User Account . . . 10
        root User Account . . . 12
    Changing Passwords and Creating SSH Keys . . . 13
        Run the change-passwords Utility . . . 13
        Update Avamar Enterprise Manager Server . . . 21
        Manually Update Avamar Administrator CLI . . . 22

Avamar Product Security Policy . . . 24

Networking and Related Services . . . 25
    Subnet and Gateway Assignments . . . 25
    Domain Name Server (DNS) . . . 25
    Security . . . 25
    SNMP Configuration . . . 26
    Client-Server Data Port Usage and Firewall Requirements . . . 27

Log Files . . . 32
    Log Management and Retrieval . . . 32
    Single-Node Server . . . 33
    Utility Node . . . 35
    Storage Node . . . 36
    Spare Node . . . 36
    Avamar NDMP Accelerator Node . . . 37
    Access Node . . . 37
    Avamar Administrator Client Network Host . . . 37
    Backup Client Network Host . . . 37

Appendix A — Client-Server Encryption Functional Matrix . . . 39

AVAMAR 4.1 • PRODUCT SECURITY MANUAL 3


Appendix B — Signing Avamar Enterprise Manager SSL Certificates . . . 42
    Overview . . . 42
    Getting a Signed Certificate . . . 43
    Tomcat Application Server Certificate . . . 45

Appendix C — Installing an SSL Certificate on an Avamar Server . . . 48

Appendix D — Transport Layer Security Certification . . . 49
    Overview . . . 49
        Important Terms and Concepts . . . 49
        Self-Signing Certificates . . . 50
        Root Certificates . . . 50
    Implementing TLS Authentication . . . 50
        Implement TLS Server Authentication . . . 50
        Implement TLS Client Authentication . . . 51
    Requesting TLS Encryption . . . 52
    Generating Authentication Certificates and CSRs . . . 53
        Generate an Avamar Server Node Authentication Certificate and CSR . . . 53
        Generate an Avamar Client Authentication Certificate and CSR . . . 55
    Generating a Root Certificate and Key . . . 57
        Download and Install OpenSSL and CA.pl . . . 57
        Create a Root Certificate and Key . . . 57
    Generating Self-Signed x509 Certificates . . . 59
        Prerequisite . . . 60
        Generate a Signed x509 Certificate . . . 60
    Installing a Client Authentication Certificate . . . 62
    Installing a Trusted Root Certificate . . . 63

Appendix E — Configuring Avamar Authentication and Encryption on Unix . . . 65
    Configuring Encryption and Server to Client Authentication . . . 66
        Configure the Avamar Server . . . 66
        Configure the Management Console Server . . . 66
        Configure the Avamar Client . . . 67
    Configuring Client to Server Authentication . . . 67
        Configure the Avamar Client . . . 67
        Configure the Avamar Server . . . 67
    Verifying Avamar Authentication . . . 68
        Using the avtar command . . . 68
        Using the Avamar Administrator . . . 68


FOREWORD

Scope and Intended Audience

Scope. This publication discusses various aspects of Avamar product security.

Intended Audience. This publication is primarily intended for EMC Field Engineers, contracted representatives and business partners who are responsible for configuring, troubleshooting and upgrading Avamar systems at customer sites, as well as system administrators or application integrators who are responsible for installing software and maintaining servers and clients on a network.

Product Information

For current documentation, release notes, software updates, as well as information about EMC products, licensing and service, go to the EMC Powerlink web site at http://Powerlink.EMC.com.

Typeface Conventions

The following table provides examples of standard typeface styles used in this publication to convey various kinds of information.

EXAMPLE: Click OK. - or - Choose File > Close.
DESCRIPTION: Bold text denotes actual Graphical User Interface (GUI) buttons, commands, menus and options (any GUI element that initiates action). Also note in the second example that sequential commands are separated by a greater-than (>) character. In this example, you are being instructed to choose the Close command from the File menu.

EXAMPLE: Enter: cd /temp
DESCRIPTION: Bold fixed-width text denotes shell commands that must be entered exactly as they appear in this publication.

EXAMPLE: --logfile=FILE
DESCRIPTION: All caps text often denotes a placeholder (token) for an actual value that must be supplied by the user. In this example, FILE would be an actual filename.

EXAMPLE: Installation Complete.
DESCRIPTION: Regular (not bold) fixed-width text denotes command shell messages. It is also used to list code and file contents.

Notes, Tips and Warnings

The following kinds of notes, tips and warnings appear in this publication:

IMPORTANT: This is a warning. Warnings always contain information that if not heeded could result in unpredictable system behavior or loss of data.

TIP: This is a tip. Tips present optional information intended to improve your productivity or otherwise enhance your experience with our product. Tips never contain information that will cause a failure if ignored.

NOTE: This is a general note. Notes contain ancillary information intended to clarify a topic or procedure. Notes never contain information that will cause a failure if ignored.


USER ACCOUNTS

This chapter provides information on default user accounts for the Avamar system, SSH login access and the change-passwords interactive utility.

Default User Accounts

The Avamar system uses the following default user accounts and passwords. These are published defaults, not secrets: change the operating system and internal Avamar server passwords with the change-passwords utility (see Changing Passwords and Creating SSH Keys) before the server is placed on a production network.

USER ACCOUNT     DEFAULT PASSWORD   DESCRIPTION/REMARKS

Linux OS
  root           changeme           Linux OS root account on all Avamar nodes.
  admin          changeme           Linux OS account for Avamar server data owner.
  dpn            changeme           Linux OS account for Avamar maintenance user.

Avamar Administrator
  MCUser         MCUser1            Default Avamar Administrator administrative user account.
  backuponly     backuponly1        Account for internal use by Avamar Administrator server.
  restoreonly    restoreonly1       Account for internal use by Avamar Administrator server.
  backuprestore  backuprestore1     Account for internal use by Avamar Administrator server.
  root           8RttoTriz          Account for internal use by Avamar Administrator server.

Administrator PostgreSQL database
  admin          (none)             No password, logged in on local node only.
  viewuser       viewuser1          Administrator server database view account.

Avamar Enterprise Manager PostgreSQL database
  admin          (none)             No password, logged in on local node only.

Secure Shell (SSH) Authentication

Access to the admin, dpn and root operating system user accounts is available through SSH login. SSH authenticates key-based logins to those accounts with public/private key pairs. SSH login access can be obtained by supplying operating system account passwords or by using either of two pre-authorized private keys, as described in the following table:

PRIVATE KEY FILE NAME   MATCHING PUBLIC KEY FILE NAME   DEFAULT PASSPHRASE   AUTHORIZES ACCESS TO                        WHERE KEYS CAN BE FOUND
admin_key               admin_key.pub                   P3t3rPan             Operating system admin account              ~admin/.ssh/
dpnid                   dpn_key.pub                     (none)               Operating system admin and root accounts    ~admin/.ssh/ and ~dpn/.ssh/

The default admin_key passphrase is printed in this manual and therefore protects nothing until it is changed. The dpnid key has no passphrase and is accepted for root on every node, so the dpnid file itself is a root credential for the whole grid: anyone who can read a copy of it has root on all nodes.

On an Avamar server, use the change-passwords program to coordinate changes to private keys and corresponding authorizations across all nodes.

admin User Account

The admin user account SSH v2 key configuration is controlled by the following files and directories in admin's home directory:

FILE/DIRECTORY   DESCRIPTION

~admin/.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
    drwx------ 2 admin admin

~admin/.ssh/config
    SSH configuration file. This file must contain the following entry:
    StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
    -r-------- 1 admin admin
    Note that StrictHostKeyChecking=no makes the SSH client accept an unknown or changed host key without prompting, so node-to-node SSH on the grid relies on the isolation of the grid network rather than on host key verification. Do not copy this setting to hosts outside the grid.

~admin/.ssh/admin_key
    Private RSA OpenSSH key file. This file must be fully protected and owned as follows:
    -r-------- 1 admin admin

~admin/.ssh/admin_key.pub
    Public RSA OpenSSH key file. This file is public and does not need to be protected.
    -r--r--r-- 1 admin admin

~admin/.ssh/dpnid
    Private DSA OpenSSH key file. This file must be fully protected and owned as follows:
    -r-------- 1 admin admin

~admin/.ssh/id_rsa
    Symbolic link to ~admin/.ssh/admin_key.

~admin/.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the admin user account. This file must be fully protected and owned as follows:
    -r-------- 1 admin admin
    This file must contain public key entries for the admin and dpn user accounts. As currently shipped, the admin public key entry is an RSA key, prefixed with "ssh-rsa" and appended with the comment "dpn_admin_key." As currently shipped, the dpn public key entry is a DSA key, prefixed with "ssh-dss" and appended with the comment "dpn@dpn41s."

The admin user account SSH private and public keys must be named admin_key and admin_key.pub, respectively. Any files not listed in the previous table can be ignored.

Use of the admin key requires a passphrase. The supported way to change or remove that passphrase on an Avamar server is to generate a new private/public key pair (change-passwords does this) and modify the appropriate authorized_keys2 files accordingly. To ensure proper operation of the Avamar server, the admin user must authorize SSH access by way of the dpnid private key. This is accomplished by including the matching public key (dpn_key.pub) in the admin user's authorized_keys2 file. The dpnid private key must not require a passphrase.

dpn User Account

The dpn user account SSH v2 key configuration is controlled by the following files and directories:

FILE/DIRECTORY   DESCRIPTION

~dpn/.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
    drwx------ 2 dpn admin
    - or -
    drwx------ 2 dpn dpn

~dpn/.ssh/config
    SSH configuration file. This file must contain the following entry:
    StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
    -r-------- 1 dpn admin
    - or -
    -r-------- 1 dpn dpn

~dpn/.ssh/dpnid
    Private DSA OpenSSH key file. This file must be fully protected and owned as follows:
    -r-------- 1 dpn admin
    - or -
    -r-------- 1 dpn dpn

~dpn/.ssh/dpn_key.pub
    Public DSA OpenSSH key file. This file is public and does not need to be protected.
    -r--r--r-- 1 dpn admin
    - or -
    -r--r--r-- 1 dpn dpn

~dpn/.ssh/id_rsa
    Symbolic link to ~dpn/.ssh/dpnid.

~dpn/.ssh/authorized_keys2
    Would contain the list of public keys for users allowed to log into the dpn user account. This file must be fully protected and owned as follows:
    -r-------- 1 dpn admin
    - or -
    -r-------- 1 dpn dpn
    This file is deliberately left empty to ensure that no one can log in as user dpn using SSH keys.

The dpn user account SSH private and public keys must be named dpnid and dpn_key.pub, respectively. Any other files can be ignored.

The only way to log in as user dpn is to know the operating system dpn password. To ensure proper operation of the Avamar server, dpn's public key must be in both root's and admin's .ssh/authorized_keys2 file.

root User Account

The root user account SSH v2 key configuration is controlled by the following files and directories in root's home directory:

FILE/DIRECTORY   DESCRIPTION

.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
    drwx------ 2 root root

.ssh/config
    SSH configuration file. This file must contain the following entry:
    StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
    -r-------- 1 root root

.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the root user account. This file must be fully protected and owned as follows:
    -r-------- 1 root root
    This file must contain a public key entry for the dpn user account. As currently shipped, the dpn public key entry is a DSA key, prefixed with "ssh-dss" and appended with the comment "dpn@dpn41s."

Any files not listed in the previous table can be ignored.

To log in as the root user requires the password for the root account or use of the pre-authorized dpnid private key. To ensure proper operation of the Avamar server, the root user must authorize SSH access by way of the dpnid private key. This is accomplished by including the matching public key (dpn_key.pub) in the root user's authorized_keys2 file. The dpnid private key must not require a passphrase.

Because dpnid carries no passphrase and is accepted for root on every node, keep it at the permissions shown, do not copy it off the server, and regenerate it with change-passwords (the "Redo passphrase-less elevated-privilege SSH key" prompt) after installation and whenever it may have been exposed.
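The three tables above spell out ownership, mode and content rules for the admin, dpn and root .ssh directories but give no way to confirm a node still meets them. The script below is an added example, not part of the Avamar manual or product: it encodes those rules as checks and exercises them on constructed fixtures so it runs without an Avamar node. It assumes a Linux host with GNU coreutils (stat -c); the key bodies in make_fixture are placeholders, not real keys. On a real node, call the check functions against /home/admin/.ssh, /home/dpn/.ssh and /root/.ssh with the owner and group from the tables.

```shell
#!/bin/sh
# Added example, not part of the Avamar manual: audit the ~/.ssh layout of the
# admin, dpn and root OS accounts against the ownership, mode and content rules
# in the three tables above. Assumes a Linux node with GNU coreutils (stat -c).
# The key material written by make_fixture is a constructed placeholder.

FAILS=0
fail() { echo "FAIL: $*"; FAILS=$((FAILS + 1)); }

# expect_mode PATH MODE OWNER GROUP: PATH exists with exactly these attributes.
expect_mode() {
  [ -e "$1" ] || { fail "$1 is missing"; return 0; }
  m=$(stat -c %a "$1"); u=$(stat -c %U "$1"); g=$(stat -c %G "$1")
  [ "$m" = "$2" ] || fail "$1 has mode $m, want $2"
  [ "$u:$g" = "$3:$4" ] || fail "$1 owned by $u:$g, want $3:$4"
}

# expect_key_line FILE TYPE COMMENT: one "TYPE <base64> COMMENT" line is present.
expect_key_line() {
  grep -Eq "^$2 [A-Za-z0-9+/=]+ $3\$" "$1" || fail "$1 lacks an $2 entry with comment $3"
}

# check_ssh_layout DIR OWNER GROUP [PRIVKEY]: rules common to all three accounts.
check_ssh_layout() {
  FAILS=0
  expect_mode "$1" 700 "$2" "$3"
  expect_mode "$1/config" 400 "$2" "$3"
  expect_mode "$1/authorized_keys2" 400 "$2" "$3"
  [ -z "$4" ] || expect_mode "$1/$4" 400 "$2" "$3"
  grep -qx 'StrictHostKeyChecking=no' "$1/config" 2>/dev/null \
    || fail "$1/config lacks StrictHostKeyChecking=no"
}

# admin: admin_key and dpnid private keys, plus both pre-authorized public keys.
check_admin_ssh() {
  check_ssh_layout "$1" "$2" "$3" admin_key
  expect_mode "$1/dpnid" 400 "$2" "$3"
  expect_key_line "$1/authorized_keys2" ssh-rsa dpn_admin_key
  expect_key_line "$1/authorized_keys2" ssh-dss 'dpn@dpn41s'
  return $FAILS
}

# dpn: dpnid private key; authorized_keys2 must be empty (password login only).
check_dpn_ssh() {
  check_ssh_layout "$1" "$2" "$3" dpnid
  [ ! -s "$1/authorized_keys2" ] || fail "$1/authorized_keys2 must be empty"
  return $FAILS
}

# root: no private key of its own; only the dpn DSA key is pre-authorized.
check_root_ssh() {
  check_ssh_layout "$1" "$2" "$3"
  expect_key_line "$1/authorized_keys2" ssh-dss 'dpn@dpn41s'
  return $FAILS
}

# make_fixture DIR ACCOUNT: build a compliant layout for admin, dpn or root under
# DIR, owned by the current user, with placeholder key bodies (constructed data).
make_fixture() {
  mkdir -p "$1" && chmod 700 "$1"
  printf 'StrictHostKeyChecking=no\n' > "$1/config"
  : > "$1/authorized_keys2"
  case $2 in
    admin)
      printf 'PLACEHOLDER PRIVATE KEY\n' > "$1/admin_key"
      printf 'PLACEHOLDER PRIVATE KEY\n' > "$1/dpnid"
      printf 'ssh-rsa AAAAB3Placeholder== dpn_admin_key\n' > "$1/admin_key.pub"
      printf 'ssh-rsa AAAAB3Placeholder== dpn_admin_key\nssh-dss AAAAB3Placeholder== dpn@dpn41s\n' \
        > "$1/authorized_keys2" ;;
    dpn)
      printf 'PLACEHOLDER PRIVATE KEY\n' > "$1/dpnid"
      printf 'ssh-dss AAAAB3Placeholder== dpn@dpn41s\n' > "$1/dpn_key.pub" ;;
    root)
      printf 'ssh-dss AAAAB3Placeholder== dpn@dpn41s\n' > "$1/authorized_keys2" ;;
  esac
  find "$1" -type f ! -name '*.pub' -exec chmod 400 {} +
  find "$1" -type f -name '*.pub' -exec chmod 444 {} +
}

# Stand-alone demo on constructed fixtures; nothing under /home is touched.
DEMO=$(mktemp -d); ME=$(id -un); MYGRP=$(id -gn)
for acct in admin dpn root; do make_fixture "$DEMO/$acct/.ssh" "$acct"; done
check_admin_ssh "$DEMO/admin/.ssh" "$ME" "$MYGRP" && echo "admin layout OK"
check_dpn_ssh   "$DEMO/dpn/.ssh"   "$ME" "$MYGRP" && echo "dpn layout OK"
check_root_ssh  "$DEMO/root/.ssh"  "$ME" "$MYGRP" && echo "root layout OK"
chmod 644 "$DEMO/admin/.ssh/dpnid"   # simulate an exposed root-equivalent key
check_admin_ssh "$DEMO/admin/.ssh" "$ME" "$MYGRP" || echo "admin layout: $? problem(s)"
rm -rf "$DEMO"
```

Each check function returns the number of rule violations it found, so it can be used directly in a cron job or a post-installation test. The dpn check treats a non-empty authorized_keys2 as a failure because the manual relies on that file being empty to keep dpn reachable by password only; the admin check deliberately flags a readable dpnid, since that file is root on every node.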

Changing Passwords and Creating SSH Keys

This section explains how to use the change-passwords utility. This utility changes passwords for various operating system user accounts and Avamar server user accounts. The change-passwords utility also creates new OpenSSH keys.

The change-passwords utility provides interactive prompts for the following operations:

• Changing operating system login passwords for the admin, dpn and root accounts
• Creating new admin and dpnid OpenSSH keys
• Changing internal Avamar server passwords for the root and MCUser accounts

Run the change-passwords Utility

To change operating system user account passwords, Avamar server user account passwords or to create new OpenSSH keys, perform the following (the whole procedure is run as user dpn):

1. Open a command shell.

2. Do one of the following:

   • Administering a single-node server: log into the server as user dpn.
   • Administering a multi-node server: log into the utility node as user dpn.

3. Enter:

   change-passwords

   If you run change-passwords on a multi-node server, the following information appears in your command shell:

   Do you wish to change passwords and/or passphrases on all nodes?

   Answering y(es) changes this set of nodes:
     #.s -- all utility/services nodes
     #.# -- all data nodes.

   Answering n(o) will afford you the opportunity to install
   existing SSH keys onto other nodes.

   y(es), n(o), h(elp), q(uit/exit):

   NOTE: The previous information does not appear if you run change-passwords on a single-node server.

4. Do one of the following:

   • You want to change passwords on all nodes: enter y and press ENTER.
   • You want to change passwords on selected nodes: enter n and press ENTER.

   The following information appears in your command shell:

   Identity added: /home/dpn/.ssh/dpnid (/home/dpn/.ssh/dpnid)
   Identity added: /home/dpn/.ssh/dpnid.prev (/home/dpn/.ssh/dpnid.prev)
   Identity added: /home/dpn/.ssh/dpnid.orig (/home/dpn/.ssh/dpnid.orig)

   Do you wish to specify one or more additional SSH passphrase-less
   private keys that are authorized for root operations?

   Answer n(o) here unless there are known inconsistencies in
   ~root/.ssh/authorized_keys2 files among the various nodes (as might
   be evident if you had been prompted for a root password in a previous
   run of this program).

   Note that the following keys will be used automatically (there is
   no need to re-specify them here):

   /home/dpn/.ssh/dpnid

   y(es), n(o), h(elp), q(uit/exit):
   --------------------------------------------------------

   NOTE: dpnid.prev and dpnid.orig are earlier generations of the passphrase-less dpnid key that the utility loads alongside the current one. While any node still lists one of them in ~root/.ssh/authorized_keys2, those files are root credentials too and need the same -r-------- protection as dpnid.

5. Enter n and press ENTER.

   The following information appears in your command shell:

   The following is a test of OS root authorization with the currently
   loaded SSH key(s).

   If during this test you are prompted for an OS root password,
   then you might be missing an appropriate "dpnid" key for one
   or more nodes.

   -> In that event, re-run this program and, when prompted,
   specify as many SSH private key files as are necessary
   in order to complete root operations on all nodes.

   Starting root authorization test with 600 second timeout...
   End of root authorization test.
   --------------------------------------------------------

   Change OS (login) passwords?
   y(es), n(o), q(uit/exit):

Change Operating System User Account Passwords?

6. Do one of the following:

   • You want to change the admin, dpn or root operating system user account passwords: enter y and press ENTER.
   • You do not want to change the admin, dpn or root operating system user account passwords: enter n and press ENTER, then proceed to step 16.

   The following information appears in your command shell:

   --------------------------------------------------------
   Change OS password for "admin"?
   y(es), n(o), q(uit/exit):

Change admin Login Password?

7. Do one of the following:

   • You want to change the admin operating system user account password: enter y and press ENTER.
   • You do not want to change the admin operating system user account password: enter n and press ENTER, then proceed to step 10.

   The following information appears in your command shell:

   Please enter a new OS (login) password for user "admin".
   (Entering an empty (blank) line twice quits/exits.)

8. Enter the new admin operating system user account password and press ENTER.

   The following information appears in your command shell:

   Please enter the same OS password again.
   (Entering an empty (blank) line twice quits/exits.)

9. Re-enter the new admin operating system user account password and press ENTER.

   The following information appears in your command shell:

   Accepted OS password for "admin".
   --------------------------------------------------------
   Change OS password for "dpn"?
   y(es), n(o), q(uit/exit):

Change dpn Login Password?

10. Do one of the following:

   • You want to change the dpn operating system user account password: enter y and press ENTER.
   • You do not want to change the dpn operating system user account password: enter n and press ENTER, then proceed to step 13.

   The following information appears in your command shell:

   Please enter a new OS (login) password for user "dpn".
   (Entering an empty (blank) line twice quits/exits.)

11. Enter the new dpn operating system user account password and press ENTER.

   The following information appears in your command shell:

   Please enter the same OS password again.
   (Entering an empty (blank) line twice quits/exits.)

12. Re-enter the new dpn operating system user account password and press ENTER.

   The following information appears in your command shell:

   Accepted OS password for "dpn".
   --------------------------------------------------------
   Change OS password for "root"?
   y(es), n(o), q(uit/exit): y

Change root Login Password?

13. Do one of the following:

   • You want to change the root operating system user account password: enter y and press ENTER.
   • You do not want to change the root operating system user account password: enter n and press ENTER, then proceed to step 16.

   The following information appears in your command shell:

   Please enter a new OS (login) password for user "root".
   (Entering an empty (blank) line twice quits/exits.)

14. Enter the new root operating system user account password and press ENTER.

   The following information appears in your command shell:

   Please enter the same OS password again.
   (Entering an empty (blank) line twice quits/exits.)

15. Re-enter the new root operating system user account password and press ENTER.

   The following information appears in your command shell:

   Accepted OS password for "root".
   ========================================================
   Change SSH keys?
   y(es), n(o), q(uit/exit): y

Create New OpenSSH Keys?

16. Do one of the following:

   • You want to create new admin or dpnid OpenSSH keys: enter y and press ENTER.
   • You do not want to create new admin or dpnid OpenSSH keys: enter n and press ENTER, then proceed to step 21.

   The following information appears in your command shell:

   --------------------------------------------------------
   Change SSH key for "admin"?
   y(es), n(o), q(uit/exit):

Create New admin OpenSSH Key?

17. Do one of the following:

   • You want to create a new admin OpenSSH key: enter y and press ENTER.
   • You do not want to create a new admin OpenSSH key: enter n and press ENTER, then proceed to step 20.

   The following information appears in your command shell:

   Please enter a new SSH key passphrase for user "admin".
   (Entering an empty (blank) line twice quits/exits.)

18. Enter the new admin OpenSSH passphrase and press ENTER.

   The following information appears in your command shell:

   Please enter the same SSH key again.
   (Entering an empty (blank) line twice quits/exits.)

19. Re-enter the new admin OpenSSH passphrase and press ENTER.

   The following information appears in your command shell:

   Accepted SSH key for "admin".
   --------------------------------------------------------
   Redo passphrase-less elevated-privilege SSH key "dpnid"?
   y(es), n(o), h(elp), q(uit/exit):

Page 18: EMC Avamar 4.1 Product Security ManualThe Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes

Changing Passwords and Creating SSH KeysUSER ACCOUNTS

Create New dpnidOpenSSH Key?

20.Do one of the following:

The following information appears in your command shell:========================================================Change Avamar Server passwords?y(es), n(o), q(uit/exit):

Change Internal Avamar Server User Account Passwords?

IMPORTANT: The remainder of this procedure requiresknowledge of the internal Avamar server root user accountpassword.

21.Do one of the following:

The following information appears in your command shell:

Please enter the CURRENT Avamar Server password for "root"(Entering an empty (blank) line twice quits/exits.)

22.Enter the current internal Avamar server root user account password (not the operating system root password) and press ENTER.

The following information appears in your command shell:

Checking Avamar Server root password (300 second timeout)...Avamar Server current root password accepted.--------------------------------------------------------Change Avamar Server password for "MCUser"?y(es), n(o), q(uit/exit): y

IF DO THIS

You want to create a new dpnid OpenSSH key.

Enter y and press ENTER.

You do not want to create a new dpnid OpenSSH key.

Enter n and press ENTER.

IF DO THIS

You want to change the MCUser or root internal Avamar server user account passwords.

Enter y and press ENTER.

You do not want to change the MCUser or root internal Avamar server user account passwords.

Enter n and press ENTER.Proceed to step 26.

AVAMAR 4.1 • PRODUCT SECURITY MANUAL 18

Page 19: EMC Avamar 4.1 Product Security ManualThe Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes

Changing Passwords and Creating SSH KeysUSER ACCOUNTS

Change InternalAvamar Server

MCUserPassword?

23.Do one of the following:

The following information appears in your command shell:Please enter a new Avamar Server password for user "MCUser".(Entering an empty (blank) line twice quits/exits.)

24.Enter the new internal Avamar server MCUser password and press ENTER.

The following information appears in your command shell:

Please enter the same Avamar Server password again.(Entering an empty (blank) line twice quits/exits.)

25.Re-enter the new internal Avamar server MCUser password and press ENTER.

The following information appears in your command shell:Accepted Avamar Server password for "MCUser".--------------------------------------------------------Change Avamar Server password for "root"?y(es), n(o), q(uit/exit):

IMPORTANT: Use of change-passwords to change theinternal Avamar server MCUser password disables the Ava-mar Administrator CLI feature. After running change-pass-words you must manually update the MCUser password forthe Avamar Administrator CLI. Refer to Manually UpdateAvamar Administrator CLI (page 22).

Change InternalAvamar Server

root Password?

26.Do one of the following:

Please enter a new Avamar Server password for user "root".(Entering an empty (blank) line twice quits/exits.)

27.Enter the new internal Avamar server root password and press ENTER.

The following information appears in your command shell:

Please enter the same Avamar Server password again.(Entering an empty (blank) line twice quits/exits.)

IF DO THIS

You want to change the internal Avamar server MCUser password.

Enter y and press ENTER.

You do not want to change the internal Avamar server MCUser password.

Enter n and press ENTER.Proceed to step 26.

IF DO THIS

You want to change the internal Avamar server root password.

Enter y and press ENTER.

You do not want to change the internal Avamar server root password.

Enter n and press ENTER.Proceed to step 29.

AVAMAR 4.1 • PRODUCT SECURITY MANUAL 19

Page 20: EMC Avamar 4.1 Product Security ManualThe Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes

Changing Passwords and Creating SSH KeysUSER ACCOUNTS

28.Re-enter the new internal Avamar server root password and press ENTER.

The following information appears in your command shell:

Accepted Avamar Server password for "root".--------------------------------------------------------Do you wish to proceed with your password changes on the selected node?

Answering y(es) will proceed with password updates.Answering n(o) or q(uit) will not proceed.

y(es), n(o), q(uit/exit): y

Accept Changes?29.Do one of the following:

The following information appears in your command shell:

Changing OS passwords...[Logging to /usr/local/avamar/var/change-passwords.log...]Done changing OS passwords...Changing Avamar Server passwords...Checking Administrator Server Status...Stopping Administrator Server...Starting process of updating Administrator configuration...Running script to update Administrator configuration on node 0.s...[Logging to /usr/local/avamar/var/change-passwords.log...]Done with updating Administrator configuration on node 0.s...Starting process of updating client configurations...Running script to update client configuration on 0.s...[Logging to /usr/local/avamar/var/change-passwords.log...]Updating client configuration on node 0.0...Done updating client configuration on 0.0...Checking Administrator Server Status...Starting Administrator Server...Starting process of changing SSH keys...Running script to update SSH keys on node 0.s...[Logging to /usr/local/avamar/var/change-passwords.log...]Done with updating SSH keys on node 0.s...--------------------------------------------------------Done.NOTES:- If you had custom public keys present in the

authorized_keys2 files of any Avamar OS users(admin, dpn, root) be aware that you may need to re-add your custom keys.

- Please be sure to resume schedules via theAdministrator GUI.

IF DO THIS

You want to accept changes made to passwords or OpenSSH keys during this utility session.

Enter y and press ENTER.

You want to exit this utility session without making changes to passwords or OpenSSH keys.

Enter n and press ENTER.

AVAMAR 4.1 • PRODUCT SECURITY MANUAL 20
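The closing NOTES warn that custom public keys in the authorized_keys2 files of admin, dpn and root may need to be re-added, but the utility does not say which ones were lost. The following added script, which is not part of the Avamar product or this manual, diffs a snapshot of each file taken before the run against the file afterwards and lists the keys that disappeared. It assumes OpenSSH's authorized_keys line format and the user names and paths named in the NOTES; the key that change-passwords itself regenerates is expected to change, so its old body is passed in `ignore` (copy it from the old .pub file before the run). The BEFORE/AFTER contents are constructed sample data.

```python
"""Report custom public keys dropped from an Avamar OS user's
~/.ssh/authorized_keys2 by a change-passwords run.

Added example, not part of the Avamar product or this manual. Assumes the
OpenSSH authorized_keys line format and that each file was snapshotted
before running the utility.
"""
import os
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
AVAMAR_OS_USERS = ("admin", "dpn", "root")


def parse_authorized_keys(text):
    """Map (key_type, base64_body) -> comment for every key line in `text`.

    A line may start with an options field such as command="/path",no-pty
    whose quoted part can contain spaces, so the line is tokenised with
    shlex and the key is the first token that is a known key type.
    """
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:            # unbalanced quote in the options field
            tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                keys[(tok, tokens[i + 1])] = " ".join(tokens[i + 2:])
                break
    return keys


def dropped_keys(before, after, ignore=()):
    """Keys present in `before` but absent from `after`, as
    (type, body, comment) tuples in file order.

    `ignore` holds key bodies expected to vanish: the Avamar-managed key
    that change-passwords regenerates, so it is not reported as lost.
    """
    old, new = parse_authorized_keys(before), parse_authorized_keys(after)
    return [(t, body, c) for (t, body), c in old.items()
            if (t, body) not in new and body not in ignore]


def check_user(user, snapshot_text, ignore=()):
    """Diff the live ~user/.ssh/authorized_keys2 against a pre-run snapshot."""
    path = os.path.expanduser("~%s/.ssh/authorized_keys2" % user)
    with open(path) as fh:
        return dropped_keys(snapshot_text, fh.read(), ignore)


# Constructed sample: ~admin/.ssh/authorized_keys2 before and after a run that
# regenerated the admin key and dropped a custom, command-restricted key.
BEFORE = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7OLDKEY admin@avamar-1
# custom key added by the operations team
command="/usr/local/bin/backup shell",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD9CUSTOM ops@jumphost
"""
AFTER = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7NEWKEY admin@avamar-1
"""
OLD_MANAGED_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC7OLDKEY"

if __name__ == "__main__":
    for key_type, body, comment in dropped_keys(BEFORE, AFTER, ignore={OLD_MANAGED_KEY}):
        print("re-add:", key_type, body, comment)
```

Run `check_user("admin", snapshot_text, ignore={old_admin_pub_body})` as each of the three users after the utility finishes; anything it prints has to be appended to that user's authorized_keys2 again before the schedules are resumed.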


Update Avamar Enterprise Manager Server

After the change-passwords utility finishes modifying various passwords, you must update the Avamar Enterprise Manager server by performing the following:

1. Open your web browser and log into Avamar Enterprise Manager.

The Dashboard page appears.

2. Choose Configure.

The Configure page appears.

3. Click the server name you want to edit.

An Edit block appears below the systems list.

4. Enter the new MCUser password in the Password field and click Save.

User=admin

5. Open a command shell.

6. Do one of the following:

IF: Administering a single-node server.
DO THIS: Log into the server as user admin.

IF: Administering a multi-node server.
DO THIS: Log into the utility node as user admin.


7. Load the admin OpenSSH key by entering:

ssh-agent bash

ssh-add ~admin/.ssh/admin_key

You are prompted to enter a passphrase.

8. Enter the admin user account passphrase and press ENTER.

9. Enter:

dpnctl stop ems

emserver.sh --renameserver --uselocalmcs

dpnctl start

Manually Update Avamar Administrator CLI

The change-passwords utility does not change the internal Avamar server MCUser password for the Avamar Administrator CLI. After running change-passwords, you must therefore manually update the MCUser password for the Avamar Administrator CLI. (The Avamar Administrator CLI generates events whenever cron maintenance activities run.)

IMPORTANT: Use of change-passwords to change the internal Avamar server MCUser password disables the Avamar Administrator CLI.

Edit the following files to manually update the MCUser password:

• ~admin/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml
• ~dpn/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml
• ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml

From the command shell:

User=admin

1. Do one of the following:

IF: Administering a single-node server.
DO THIS: Log into the server as user admin.

IF: Administering a multi-node server.
DO THIS: Log into the utility node as user admin.

2. Open ~admin/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.


3. Locate the following entries:

<MCSConfig>
  <MCS
    mcsprofile="local"
    mcsaddr="AVAMARSERVER"
    mcsport="7778"
    mcsuserid="MCUser"
    mcspasswd="PASSWORD"
  />
  <!-- add more profiles if needed here and set default to select default -->
</MCSConfig>

NOTE: This example has been simplified for clarity.

4. Change the mcspasswd="PASSWORD" entry to agree with the new internal Avamar server MCUser password that you previously set using the change-passwords utility (page 19).

5. Save your changes.

User=dpn

6. Switch user to the dpn user account by entering:

su - dpn

When prompted for a password, enter the dpn password and press ENTER.

7. Load the dpn OpenSSH key by entering:

ssh-agent bash

ssh-add ~dpn/.ssh/dpnid

8. Open ~dpn/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.

9. Repeat steps 3 thru 5.

User=admin

10. Switch back to the admin user account by entering:

exit

exit

User=root

11. Switch user to root by entering:

su -

When prompted for a password, enter the root password and press ENTER.

12. Open ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.

IMPORTANT: The ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml file might not be present on all servers. In that case, skip step 13.

13. Repeat steps 3 thru 5.

User=admin

14. Switch back to the admin user account by entering:

exit
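The procedure above makes the same edit by hand in three copies of mcclimcs.xml, one per account, and notes that the root copy may be missing. The following added script, which is not part of the Avamar product or this manual, performs that edit programmatically. It assumes the element and attribute names shown in step 3 (MCSConfig, MCS, mcsuserid, mcspasswd) and the three file paths listed above; touching only profiles whose mcsuserid is MCUser, keeping the template's XML comment, and tightening the file mode to 0600 are choices made here, not behaviour the manual describes. The SAMPLE text is the simplified file from step 3.

```python
"""Update mcspasswd in the Avamar Administrator CLI preferences file
(mcclimcs.xml) for the admin, dpn and root accounts.

Added example, not part of the Avamar product or this manual. Element,
attribute and path names are the ones shown in the procedure; the MCUser
profile filter and the 0600 mode are this script's choices.
"""
import os
import stat
import xml.etree.ElementTree as ET

CLI_PREFS = "~%s/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml"
CLI_USERS = ("admin", "dpn", "root")


def update_mcs_password(xml_text, new_password, userid="MCUser"):
    """Return (new_xml_text, changed): `changed` counts the <MCS> profiles
    whose mcsuserid equals `userid` and whose mcspasswd was replaced.
    Other profiles, and the template's XML comment, are left as they are."""
    try:
        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    except TypeError:                      # Python < 3.8 cannot keep comments
        parser = None
    root = ET.fromstring(xml_text, parser=parser)
    if root.tag != "MCSConfig":
        raise ValueError("not an MCSConfig document: <%s>" % root.tag)
    changed = 0
    for mcs in root.iter("MCS"):
        if mcs.get("mcsuserid") == userid:
            mcs.set("mcspasswd", new_password)   # ET escapes quotes and '&'
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def update_cli_prefs(user, new_password):
    """Rewrite the user's mcclimcs.xml in place and return the number of
    profiles changed, or None when the file is absent (the manual notes the
    root copy is not present on every server). Writing in place keeps the
    file's owner; the mode is tightened because the password is stored in
    clear text."""
    path = os.path.expanduser(CLI_PREFS % user)
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        new_text, changed = update_mcs_password(fh.read(), new_password)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return changed


# The simplified preferences file from the procedure, used as sample input.
SAMPLE = """<MCSConfig>
<MCS mcsprofile="local" mcsaddr="AVAMARSERVER" mcsport="7778"
     mcsuserid="MCUser" mcspasswd="PASSWORD" />
<!-- add more profiles if needed here and set default to select default -->
</MCSConfig>"""

if __name__ == "__main__":
    import getpass
    password = getpass.getpass("New internal Avamar server MCUser password: ")
    for user in CLI_USERS:   # run as root, or once per user as that user
        print(user, update_cli_prefs(user, password))
```

Run it once as root to cover all three files, or once per account after `su - dpn` / `su -` as the procedure does; a result of None for root simply means the optional root copy is not present on that server.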


AVAMAR PRODUCT SECURITY POLICY

Each Avamar release ships with a set of up-to-date security patches. If you install any other security patches or security applications incompatible with Avamar, you must remove them and restore the Avamar system to its previous working configuration. Then file a support case with EMC Technical Support and include the specific security updates you applied.

IMPORTANT: It is the customer's responsibility to ensure that the Avamar system is configured to protect against unauthorized access. Back up all important files before applying new security patches, applications or updates.

Page 25: EMC Avamar 4.1 Product Security ManualThe Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes

NETWORKING AND RELATED SERVICES

The following networking and related services are required to successfully deploy an Avamar system.

Subnet and Gateway Assignments

Clients must be able to contact every node in the Avamar module directly, and vice-versa.

The switch must have a default gateway assigned to it.

Domain Name Server (DNS)

There must be a DNS server in the facility. DNS configuration is important.

A single-node Avamar server or the utility node of a multi-node Avamar server must be assigned a forward mapping and optionally a reverse-mapping.

An example of a forward-mapping entry for a single-node Avamar server or the utility node of a multi-node Avamar server might be as follows in a BIND environment:

avamar-1 A 10.0.5.5

A corresponding optional reverse mapping for a zone serving the 5.0.10.in-addr.arpa subnet in a BIND environment might be as follows:

5 PTR avamar-1.example.com.

Security

All nodes and the switch in the Avamar server must be protected against unauthorized access. A VPN system must be employed if remote access to the Avamar server is required.


SNMP Configuration

All Avamar nodes use Simple Network Management Protocol (SNMP). The snmpd.conf file, the configuration file used by SNMP, defines how SNMP operates. Before Avamar release 4.1, the default snmpd.conf file contains the public community string shown in the following example:

####
# First, map the community name "public" into a "security name"
#       sec.name       source    community
com2sec notConfigUser  default   public

The public community string in the previous example grants read-only access to everything, which presents a medium-level security vulnerability.

To enable a higher-level of security for Avamar releases before 4.1, change the community name:

1. Open the /etc/snmp/snmpd.conf file in a Unix editor (vi or emacs).

2. Go to the line "com2sec notConfigUser default public".

3. Change the community name from public to AvCom:

com2sec notConfigUser default AvCom

4. Save the /etc/snmp/snmpd.conf file.

5. Restart the snmpd agent.

6. Repeat steps 1–5 for all nodes that comprise the Avamar system.

NOTE: Dell omreport actively uses SNMP. According to Dell, changing the public community string to a different value does not affect functionality.

For new Avamar installations beginning with release 4.1, the community name in the snmpd.conf file is already set to AvCom (Avamar Community).
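The procedure above edits one com2sec line by hand on every node. The following added script, which is not part of the Avamar product or this manual, finds default community strings in an snmpd.conf and rewrites them; besides the com2sec form shown above it also handles the rocommunity/rwcommunity shorthand that net-snmp accepts, which the procedure does not mention. Two points a practitioner should weigh: AvCom, being printed in this manual, is itself a guessable default, so the community is a parameter and a site-specific value can be passed; and the com2sec source field is narrowed from default (any host) to a management subnet, so the string is not the only control. The subnet value and the sample configuration are constructed here.

```python
"""Find and replace default SNMP community strings in snmpd.conf.

Added example, not part of the Avamar product or this manual. Handles the
com2sec line from the procedure and net-snmp's rocommunity/rwcommunity
shorthand. Community name and management subnet are parameters; the values
below are illustrative.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
# com2sec <secname> <source> <community>
COM2SEC = re.compile(r"^(\s*com2sec\s+\S+\s+)(\S+)(\s+)(\S+)(.*)$")
# rocommunity|rwcommunity <community> [source [oid]]
RCOMMUNITY = re.compile(r"^(\s*r[ow]community\s+)(\S+)(.*)$")


def community_of(line):
    """Community string configured by a com2sec/rocommunity/rwcommunity
    line, or None for any other line (comments included)."""
    m = COM2SEC.match(line)
    if m:
        return m.group(4)
    m = RCOMMUNITY.match(line)
    return m.group(2) if m else None


def weak_communities(conf_text):
    """[(line_number, community)] for every default community still in use."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        community = community_of(line)
        if community in DEFAULT_COMMUNITIES:
            findings.append((n, community))
    return findings


def harden_snmpd_conf(conf_text, community, source="default"):
    """Replace default communities with `community`. On com2sec lines whose
    source is 'default' (any host) the source is narrowed to `source`, e.g.
    a management subnet. Layout and comments are preserved."""
    out = []
    for line in conf_text.splitlines():
        m = COM2SEC.match(line)
        if m and m.group(4) in DEFAULT_COMMUNITIES:
            src = source if m.group(2) == "default" else m.group(2)
            line = m.group(1) + src + m.group(3) + community + m.group(5)
        else:
            m = RCOMMUNITY.match(line)
            if m and m.group(2) in DEFAULT_COMMUNITIES:
                line = m.group(1) + community + m.group(3)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample reproducing the pre-4.1 default shown in the procedure.
SAMPLE_CONF = """\
####
# First, map the community name "public" into a "security name"
#       sec.name       source    community
com2sec notConfigUser  default   public
"""

if __name__ == "__main__":
    print("weak:", weak_communities(SAMPLE_CONF))
    print(harden_snmpd_conf(SAMPLE_CONF, "AvCom", source="10.0.5.0/24"))
```

To apply it, read /etc/snmp/snmpd.conf, write back the result of harden_snmpd_conf, and restart the snmpd agent on every node as in steps 5 and 6; running weak_communities over each node's file afterwards is the check that step 6 was actually completed everywhere.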


Client-Server Data Port Usage and Firewall Requirements

Configure unobstructed client-server communication over the following data ports for all applicable firewalls. Each entry lists the port/protocol, its purpose, the connection source, the destination, and remarks.

22/TCP
    Purpose: SSH
    Source: Utility node and trusted administrator hosts
    Destination: All nodes
    Remarks: Required.

53/UDP
    Purpose: DNS name resolution
    Source: DNS resolving name servers
    Destination: All nodes
    Remarks: Optional, but recommended. Might restrict sources to specific name servers.

53/UDP
    Purpose: DNS name resolution
    Source: All nodes
    Destination: DNS resolving name servers
    Remarks: Optional, but recommended. Might restrict destinations to specific name servers.

53/TCP
    Purpose: DNS zone transfer
    Source: DNS zone masters
    Destination: Utility node
    Remarks: Optional, but recommended. Might restrict sources to specific name servers.

80/TCP
    Purpose: HTTP
    Source: User-defined web client hosts or reverse proxy web server
    Destination: Utility node
    Remarks: Required. Permit access from all Avamar clients or only from reverse proxy web server (recommended).

123/UDP
    Purpose: NTP
    Source: NTP time servers
    Destination: All nodes
    Remarks: Required. Might restrict sources to specific time servers.

123/UDP
    Purpose: NTP
    Source: All nodes if external time servers are used
    Destination: NTP time servers
    Remarks: Required. Might restrict destinations to specific time servers.

443/TCP
    Purpose: HTTPS (implements web restore, docs and downloads features)
    Source: User-defined web client hosts
    Destination: Utility node
    Remarks: Required. Permit access from all Avamar clients or only from reverse proxy web server (recommended).

514/TCP
    Purpose: Syslog
    Source: Utility node
    Destination: Utility node
    Remarks: Optional. Logs Avamar server events to syslog.

1080/TCP
    Purpose: 3ware RAID management
    Source: User-defined web client hosts
    Destination: All nodes for Avamar M and Avamar E
    Remarks: Only required for legacy Avamar M and Avamar E hardware. Recommend only permitting access from trusted administrative hosts.

1234/TCP
    Purpose: HTTPS for avw_install utility
    Source: Trusted web client hosts
    Destination: Utility node
    Remarks: Port 1234 must be open during the initial installation of Avamar software. After a successful installation, no Avamar service should be listening on port 1234. Permit access only to trusted hosts which are used for the initial installation of Avamar software.

5555/TCP
    Purpose: Connection to administrator server PostgreSQL database
    Source: User-defined PostgreSQL client hosts
    Destination: Utility node
    Remarks: Optional for connecting to PostgreSQL database from outside the module. Recommend only permitting access from hosts requiring access to administrator server database.

5556/TCP
    Purpose: Avamar Enterprise Manager server PostgreSQL database (emdb)
    Source: User-defined PostgreSQL client hosts
    Destination: Avamar Enterprise Manager server node
    Remarks: Optional for connecting to PostgreSQL database from outside the module. Recommend only permitting access from hosts requiring access to administrator server database.

5557/TCP
    Purpose: Metadata search PostgreSQL database
    Source: Avamar Enterprise Manager
    Destination: Access node (where metadata search database is installed)
    Remarks: Optional. Only required if metadata search feature is installed.

7778/TCP
    Purpose: RMI - Avamar Administrator server
    Source: Avamar Administrator management console
    Destination: Utility node
    Remarks: Required. Recommend only permitting access from trusted administrative hosts.

7779/TCP
    Purpose: RMI - Avamar Administrator server
    Source: Avamar Administrator management console
    Destination: Utility node
    Remarks: Required. Recommend only permitting access from trusted administrative hosts.

7780/TCP
    Purpose: RMI - Avamar Administrator server
    Source: Avamar Administrator management console
    Destination: Utility node
    Remarks: Required. Recommend only permitting access from trusted administrative hosts.

7781/TCP
    Purpose: RMI - Avamar Administrator server
    Source: Avamar Administrator management console
    Destination: Utility node
    Remarks: Required. Recommend only permitting access from trusted administrative hosts.

8005/TCP
    Purpose: Tomcat server shutdown port
    Source: Local host
    Destination: Utility node
    Remarks: Required. The /usr/local/jakarta-tomcat-5.5.9/bin/shutdown.sh script makes a connection on port 8005, and sends a shutdown command to the running instance of tomcat. This connection can only be made from the local host. The server.xml file contains the definition for port 8005:
        <Server port="8005" shutdown="SHUTDOWN">
    Do not modify this definition.

8009/TCP
    Purpose: Tomcat connector port
    Source: Utility node
    Destination: Utility node
    Remarks: Optional, but recommended. The Apache JServ Protocol (AJP) uses port 8009 to balance the workload for multiple instances of Tomcat. AJP can be turned off by removing the following element from the server.xml file:
        <Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

8443/TCP
    Purpose: HTTPS for Tomcat
    Source: Any network host running web browser
    Destination: Utility node
    Remarks: Optional, but recommended in order to use Avamar Enterprise Manager.

8778/TCP
    Purpose: RMI - Avamar Enterprise Manager
    Source: Utility node
    Destination: Utility node (where Avamar Enterprise Manager is installed)
    Remarks: Required. Recommend only permitting access from the local host.

8779/TCP
    Purpose: RMI - Avamar Enterprise Manager login_server
    Source: Utility node
    Destination: Utility node (where Avamar Enterprise Manager is installed)
    Remarks: Required. Recommend only permitting access from the local host.

8780/TCP
    Purpose: RMI - Avamar Enterprise Manager service_context
    Source: Utility node
    Destination: Utility node (where Avamar Enterprise Manager is installed)
    Remarks: Required. Recommend only permitting access from the local host.

8781/TCP
    Purpose: RMI - Avamar Enterprise Manager node_context
    Source: Utility node
    Destination: Utility node (where Avamar Enterprise Manager is installed)
    Remarks: Required. Recommend only permitting access from the local host.

27000/TCP
    Purpose: Avamar client communications with Avamar server
    Source: Avamar client network hosts
    Destination: All nodes
    Remarks: Required.

27000/TCP
    Purpose: Avamar server communications with Replicator target server (Avamar proprietary communication)
    Source: All nodes
    Destination: Replicator target server
    Remarks: Required if server is used as Replicator source.

28001/TCP
    Purpose: Avamar client communications with administrator server
    Source: Avamar clients
    Destination: Utility node
    Remarks: Required.

28002/TCP
    Purpose: Administrator server communications with Avamar client
    Source: Utility node
    Destination: Avamar clients
    Remarks: Optional for browsing clients and cancelling backups from Avamar Administrator management console.

29000/TCP
    Purpose: Avamar client Secure Sockets Layer (SSL) communications with Avamar server
    Source: Avamar clients
    Destination: All nodes
    Remarks: Required.

29000/TCP
    Purpose: Avamar server SSL communications with Replicator target server
    Source: All nodes
    Destination: All Replicator target server nodes
    Remarks: Required if server is Replicator source.
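A firewall policy built from this table is only sound if each node actually listens on the documented ports and nothing else. The following added script, which is not part of the Avamar product or this manual, compares the output of `netstat -tln` on a node with the table's destination column and reports the conditions the remarks call out: a listener on 1234 after installation, a local-host-only port (8005, 8778 to 8781) bound to a non-loopback address, listeners the table does not document, and required ports that are not listening. The per-role port sets are transcribed from the table; the role names, the finding texts, the use of the Linux netstat column layout, and the netstat sample are this script's own constructions.

```python
"""Audit a node's TCP listeners against the Avamar port table.

Added example, not part of the Avamar product or this manual. Port sets are
transcribed from the table's destination column; the netstat sample is
constructed and the parser expects the Linux `netstat -tln` layout.
"""

# TCP listeners the table documents, by node role: port -> purpose.
UTILITY_NODE = {
    22: "SSH", 80: "HTTP", 443: "HTTPS", 514: "Syslog",
    5555: "MCS PostgreSQL", 5556: "EM PostgreSQL (emdb)",
    7778: "RMI MCS", 7779: "RMI MCS", 7780: "RMI MCS", 7781: "RMI MCS",
    8005: "Tomcat shutdown", 8009: "Tomcat AJP", 8443: "Tomcat HTTPS",
    8778: "RMI EM", 8779: "RMI EM login_server",
    8780: "RMI EM service_context", 8781: "RMI EM node_context",
    27000: "Avamar client/replication", 28001: "client to MCS",
    29000: "Avamar client/replication SSL",
}
STORAGE_NODE = {
    22: "SSH", 1080: "3ware RAID management (legacy)",
    27000: "Avamar client/replication", 29000: "Avamar client/replication SSL",
}
ROLES = {"utility": UTILITY_NODE, "storage": STORAGE_NODE}
# Table remarks: "permit access only from the local host".
LOCALHOST_ONLY = {8005, 8778, 8779, 8780, 8781}
# Table remarks: must not be listening after installation.
INSTALL_ONLY = {1234}
# Rows marked "Required." whose destination is this role.
REQUIRED = {"utility": {22, 27000, 28001, 29000}, "storage": {22, 27000, 29000}}


def parse_netstat_listeners(text):
    """Return {(local_address, port)} for the LISTEN lines of `netstat -tln`."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles ':::22' for IPv6
        listeners.add((addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def audit_listeners(netstat_text, role):
    """Return a list of finding strings for a node of the given role."""
    expected = ROLES[role]
    findings, seen = [], set()
    for addr, port in sorted(parse_netstat_listeners(netstat_text)):
        seen.add(port)
        if port in INSTALL_ONLY:
            findings.append("port %d: avw_install listener must not be present after installation" % port)
        elif port not in expected:
            findings.append("port %d: listener on %s is not in the %s node table" % (port, addr, role))
        elif port in LOCALHOST_ONLY and not is_loopback(addr):
            findings.append("port %d (%s): bound to %s but should be reachable from the local host only"
                            % (port, expected[port], addr))
    for port in sorted(REQUIRED[role] - seen):
        findings.append("port %d (%s): required service is not listening" % (port, expected[port]))
    return findings


# Constructed sample: a utility node that still has the installer listening,
# exposes the Tomcat shutdown port on all interfaces and runs an extra service.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8005            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8778          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:28001           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:29000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    import subprocess
    import sys
    role = "storage" if "storage" in sys.argv else "utility"
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-tln"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for finding in audit_listeners(text, role) or ["no findings"]:
        print(finding)
```

Run with `--live` on the utility node (and with `storage --live` on each storage node) after installation and after every firewall change; a clean run is the evidence that the table, rather than whatever happens to be listening, is what the firewall protects.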


LOG FILES

A log is a chronological record of system activities. Avamar software includes log files for server and client components, maintenance tasks, various utilities and backup clients. These log files enable you to examine various aspects of the Avamar system.

Log Management and Retrieval

The following sections include log file information organized in tables for each Avamar component. For additional information on log files, refer to the Avamar manual for the specific component.


Single-Node Server

FEATURE/FUNCTION                      LOCATION

Avamar Administrator server
    /usr/local/avamar/var/mc/server_log/flush.log
    /usr/local/avamar/var/mc/server_log/restore.log
    /usr/local/avamar/var/mc/server_log/mcserver.log.#
    /usr/local/avamar/var/mc/server_log/mcserver.out
    /usr/local/avamar/var/mc/server_log/pgsql.log
    /usr/local/avamar/var/mc/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/mc/server_data/mcs_data_dump.sql

Avamar Enterprise Manager - Tomcat
    /usr/local/avamar/var/em/webapp_log/admin.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.out
    /usr/local/avamar/var/em/webapp_log/host-manager.DATE.log
    /usr/local/avamar/var/em/webapp_log/localhost.DATE.log
    /usr/local/avamar/var/em/webapp_log/manager.DATE.log

Avamar Enterprise Manager - Server
    /usr/local/avamar/var/em/server_log/flush.log
    /usr/local/avamar/var/em/server_log/restore.log
    /usr/local/avamar/var/em/server_log/emserver.log.#
    /usr/local/avamar/var/em/server_log/emserver.out
    /usr/local/avamar/var/em/server_log/pgsql.log
    /usr/local/avamar/var/em/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/em/server_data/ems_data_dump.sql

Maintenance tasks
    /usr/local/avamar/var/cron/clean_emdb.log
    /usr/local/avamar/var/cron/dpn_crontab.log
    /usr/local/avamar/var/cron/cp.log
    /usr/local/avamar/var/cron/gc.log
    /usr/local/avamar/var/cron/hfscheck.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log.#
    /usr/local/avamar/var/cron/suspend.log

avw_install utility
    /usr/local/avamar/var/avw_cleanup.log
    /usr/local/avamar/var/avw_install.log
    /usr/local/avamar/var/avw-time.log
    /usr/local/avamar/var/log/dpnavwinstall-VERSION.log

axion_install utility
    /usr/local/avamar/var/axion_install_DATE_TIME.log

Avamar File System (AvFS)
    /usr/local/avamar/var/axionfs.log

change-passwords utility
    /usr/local/avamar/var/change-passwords.log

dpnctl utility
    /usr/local/avamar/var/log/dpnctl.log

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutil-version.log
    /usr/local/avamar/var/log/dpnnetutil.log*
    /usr/local/avamar/var/log/dpnnetutilbgaux.log
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log

permctl utility
    /usr/local/avamar/var/log/permctl.log

resite utility
    /usr/local/avamar/var/dpnresite-version.log
    /usr/local/avamar/var/mcspref.log
    /usr/local/avamar/var/nataddr.log
    /usr/local/avamar/var/smtphost.log

timedist utility
    /usr/local/avamar/var/timedist.log

timesyncmon program
    /usr/local/avamar/var/timesyncmon.log

Avamar Replicator
    /usr/local/avamar/var/cron/replicate.log

Avamar license server
    /usr/local/avamar/var/ascd-PORT.log

Storage server log
    /data01/cur/err.log
    /data01/cur/gsan.log


Utility Node

FEATURE/FUNCTION                      LOCATION

Avamar Administrator server
    /usr/local/avamar/var/mc/server_log/flush.log
    /usr/local/avamar/var/mc/server_log/restore.log
    /usr/local/avamar/var/mc/server_log/mcserver.log.#
    /usr/local/avamar/var/mc/server_log/mcserver.out
    /usr/local/avamar/var/mc/server_log/pgsql.log
    /usr/local/avamar/var/mc/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/mc/server_data/mcs_data_dump.sql

Avamar Enterprise Manager - Tomcat
    /usr/local/avamar/var/em/webapp_log/admin.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.DATE.log
    /usr/local/avamar/var/em/webapp_log/catalina.out
    /usr/local/avamar/var/em/webapp_log/host-manager.DATE.log
    /usr/local/avamar/var/em/webapp_log/localhost.DATE.log
    /usr/local/avamar/var/em/webapp_log/manager.DATE.log

Avamar Enterprise Manager - Server
    /usr/local/avamar/var/em/server_log/flush.log
    /usr/local/avamar/var/em/server_log/restore.log
    /usr/local/avamar/var/em/server_log/emserver.log.#
    /usr/local/avamar/var/em/server_log/emserver.out
    /usr/local/avamar/var/em/server_log/pgsql.log
    /usr/local/avamar/var/em/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log
    /usr/local/avamar/var/em/server_data/ems_data_dump.sql

Maintenance tasks
    /usr/local/avamar/var/cron/clean_emdb.log
    /usr/local/avamar/var/cron/dpn_crontab.log
    /usr/local/avamar/var/cron/cp.log
    /usr/local/avamar/var/cron/gc.log
    /usr/local/avamar/var/cron/hfscheck.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log
    /usr/local/avamar/var/cron/ntpd_keepalive_cron.log.#
    /usr/local/avamar/var/cron/suspend.log

avw_install utility
    /usr/local/avamar/var/avw_cleanup.log
    /usr/local/avamar/var/avw_install.log
    /usr/local/avamar/var/avw-time.log
    /usr/local/avamar/var/log/dpnavwinstall-VERSION.log

axion_install utility
    /usr/local/avamar/var/axion_install_DATE_TIME.log

Avamar File System (AvFS)
    /usr/local/avamar/var/axionfs.log

change-passwords utility
    /usr/local/avamar/var/change-passwords.log

dpnctl utility
    /usr/local/avamar/var/log/dpnctl.log

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutil-version.log
    /usr/local/avamar/var/log/dpnnetutil.log*
    /usr/local/avamar/var/log/dpnnetutilbgaux.log
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log

permctl utility
    /usr/local/avamar/var/log/permctl.log

timedist utility
    /usr/local/avamar/var/timedist.log

timesyncmon program
    /usr/local/avamar/var/timesyncmon.log

Avamar Replicator
    /usr/local/avamar/var/cron/replicate.log

Avamar license server
    /usr/local/avamar/var/ascd-PORT.log

Storage Node

FEATURE/FUNCTION                      LOCATION

Storage server log
    /data01/cur/err.log
    /data01/cur/gsan.log

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log
    /usr/local/avamar/var/log/dpnnetutilbgaux.log

Maintenance tasks
    /usr/local/avamar/var/ntpd_keepalive_cron.log*

timesyncmon program
    /usr/local/avamar/var/timesyncmon.log*

Spare Node

FEATURE/FUNCTION                      LOCATION

dpnnetutil utility
    /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log
    /usr/local/avamar/var/log/dpnnetutilbgaux.log

AVAMAR 4.1 • PRODUCT SECURITY MANUAL 36

Page 37: EMC Avamar 4.1 Product Security ManualThe Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes

Backup Client Network HostLOG FILES

Avamar NDMP Accelerator Node

Access Node

Avamar Administrator Client Network Host

Backup Client Network Host

FEATURE/FUNCTION LOCATION

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log/usr/local/avamar/var/log/dpnnetutilbgaux.log

FEATURE/FUNCTION LOCATION

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log/usr/local/avamar/var/log/dpnnetutilbgaux.log

FEATURE/FUNCTION LOCATION

Avamar Administrator management console.

Windows:C:\Program Files\avs\administrator\var\mc\gui_log\mcclient.log.0

Unix:$HOME/.avamardata/var/mc/gui_log/mcclient.log.0

Avamar Administrator management console command line interface

Unix: $HOME/.avamardata/var/mc/gui_log/mccli.log.0

FEATURE/FUNCTION LOCATION

Client avagent process (all clients) C:\Program Files\avs\var\avagent.log

Client avtar process (all clients) C:\Program Files\avs\var\{WORKORDER-ID}.algC:\Program Files\avs\var\{WORKORDER-ID}.log

Avamar Windows Client tray applet C:\Program Files\avs\var\avscc.log

Avamar DB2 Client /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar Exchange Client /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar NDMP Accelerator /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar NetWare Client /usr/local/avamar/var/{WORKORDER-ID}.log

AVAMAR 4.1 • PRODUCT SECURITY MANUAL 37

Page 38: EMC Avamar 4.1 Product Security ManualThe Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes

Backup Client Network HostLOG FILES

Avamar Oracle Client /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar SQL Server Client /usr/local/avamar/var/{WORKORDER-ID}.log

FEATURE/FUNCTION LOCATION


APPENDIX A — CLIENT-SERVER ENCRYPTION FUNCTIONAL MATRIX

Client-server encryption functional behavior in any given circumstance is dependent on a number of factors, including Avamar server version, client version, the mcserver.xml encrypt_server_authenticate preference setting and the avtar --encrypt option used during that activity. The following table documents various encryption behaviors and strengths that can be expected in various circumstances:

AVAMAR SERVER VERSION | AVAMAR ADMINISTRATOR/MCCLI VALUES | MCSERVER.XML ENCRYPT_SERVER_AUTHENTICATE SETTING | CLIENT VERSION | AVTAR SETTING | BEHAVIOR/DESCRIPTION

Pre-4.1 | Axion | Not Implemented | Pre-4.1 | --encrypt=proprietary | Avamar proprietary encryption.

Pre-4.1 | Axion | Not Implemented | 4.1 and later | --encrypt=proprietary | Avamar proprietary encryption.

Pre-4.1 | AES-128 | Not Implemented | Pre-4.1 | --encrypt=ssl | Linux: negotiated to highest available setting. Windows: negotiated algorithm.

Pre-4.1 | AES-128 | Not Implemented | 4.1 and later | --encrypt=ssl | Linux: negotiated to highest available setting. Windows: negotiated algorithm. NOTE: 4.1 and later avtar will maintain backward compatibility by supporting the --encrypt=ssl option indefinitely.

4.1 and later | None | FALSE | Pre-4.1 | --encrypt=proprietary | Avamar proprietary encryption. NOTE: Older Avamar clients cannot support unencrypted “clear” text.

4.1 and later | None | FALSE | 4.1 and later | --encrypt=proprietary --encrypt-strength=cleartext | Unencrypted “clear” text.

4.1 and later | None | TRUE | Pre-4.1 | n/a | Not supported. Error Event - job failed due to options incompatibility.

4.1 and later | None | TRUE | 4.1 and later | n/a | Not supported. Error Event - job failed due to options incompatibility.

4.1 and later | Medium | FALSE | Pre-4.1 | --encrypt=ssl | Linux: negotiated to highest available setting. Windows: negotiated to preferred setting.

4.1 and later | Medium | FALSE | 4.1 and later | --encrypt=tls --encrypt-strength=medium | Linux: AES-128. Windows: negotiated algorithm, restricted to exactly 128-bit strength.

4.1 and later | Medium | TRUE | Pre-4.1 | n/a | Not supported. Error Event - job failed due to options incompatibility.

4.1 and later | Medium | TRUE | 4.1 and later | --encrypt=tls-sa --encrypt-strength=medium | Linux: AES-128 with server authentication. Windows: negotiated algorithm, restricted to exactly 128-bit strength.

4.1 and later | High | FALSE | Pre-4.1 | n/a | Not supported. Error Event - job failed due to options incompatibility.

4.1 and later | High | FALSE | 4.1 and later | --encrypt=tls --encrypt-strength=high | Linux: AES-256. Windows: negotiated algorithm, restricted to exactly 168-bit or higher strength.

4.1 and later | High | TRUE | Pre-4.1 | n/a | Not supported. Error Event - job failed due to options incompatibility.

4.1 and later | High | TRUE | 4.1 and later | --encrypt=tls-sa --encrypt-strength=high | Linux: AES-256 with server authentication. Windows: negotiated algorithm, restricted to exactly 168-bit or higher strength.


APPENDIX B — SIGNING AVAMAR ENTERPRISE MANAGER SSL CERTIFICATES

This appendix describes how to use the public and private key pair for the Avamar Enterprise Manager web server and how to get the certificate signed.

Overview

Avamar Enterprise Manager uses HTTP over SSL to communicate with the client browser. This requires an SSL certificate that the Avamar Enterprise Manager web server uses to prove it is really the server it claims to be. An SSL certificate is created when avsetup_ems runs. The certificate must be signed by a recognized Certificate Authority (CA); otherwise, the web browser displays an error when loading the Avamar Enterprise Manager web page.

Getting a Signed Certificate (page 43) describes how to use the public and private key pair for the Avamar Enterprise Manager web server and how to get the certificate signed.

To use a single signed certificate for both the Avamar Enterprise Manager web server and Tomcat, you must also complete additional steps in Tomcat Application Server Certificate (page 45).

NOTE: This appendix applies to all versions of Avamar Enterprise Manager.


Getting a Signed Certificate

The procedure uses the java keytool command, a utility which manages certificate keys. The keytool command is located in the bin directory of the Java install directory (/usr/java/jre1.5.0_12/bin). If this directory is not in your path, you can either add it to the path or specify the complete path when using keytool. All keytool commands require a password. The password set by avsetup_ems is changeit. For more information on avsetup_ems, refer to the Avamar Technical Addendum.

To get the certificate signed:

1. Log into the root account on a utility node or single-node server.

2. Stop the Avamar Enterprise Manager by entering:

dpnctl stop ems

3. Change the password for all certificates in the keystore to match the keystore’s password.

For Tomcat, the passwords of certificates in the keystore must match the password of the keystore itself.

NOTE: It is good practice to change the keystore password; however, to retain the default password, skip to step 6.

(a) Delete the mcssl certificate from the keystore by entering:

keytool -delete -alias mcssl

(b) Change the keystore password by entering:

keytool -storepasswd

When prompted, enter the old password and then the new password twice.

(c) Export the mcssl certificate to a file by entering the following on a single command line:

keytool -export -keystore /usr/local/avamar/lib/rmi_ssl_keystore -alias mcssl -file /tmp/mcssl.crt

The default password for rmi_ssl_keystore is changeme. Use this password if it has not been changed.

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Your command must be entered on a single command line (no line feeds or returns allowed).

(d) Import the file to the root’s keystore by entering:

keytool -import -alias mcssl -file /tmp/mcssl.crt


4. Set the new password by editing /usr/local/jakarta-tomcat-VERSION/conf/server.xml.

Where VERSION is the version of Tomcat.

(a) Find the Connector element for port=“443”

(b) Set the keystorePass attribute to the new password.

NOTE: For additional information on this procedure, go to the Apache Tomcat 5.5 Servlet/JSP Container website (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html).

5. Set the trust_keystore_ap preference to the new password by editing the Enterprise Manager Server (EMS) preferences file, /usr/local/avamar/var/em/server_data/prefs/emserver.xml.

6. Delete the existing certificate (with alias Tomcat) by entering:

keytool -delete -alias tomcat

7. Enter the following keytool command:

keytool -genkey -alias tomcat -keyalg RSA -dname "CN=hostname.domain.com, OU=Organization Name, O=Company Name, L=City Name, ST=CA, C=US"

Use information specific to your site for CN, OU, O, L, ST and C.

When prompted for the key password use the same one you chose for the keystore.

8. Enter the following command to create a Certificate Signing Request (CSR):

keytool -certreq -alias tomcat

The command screen displays the CSR. To store the CSR to a user-defined filename (CSRFILENAME), add -file CSRFILENAME to the keytool command.

9. Provide the CSR to a signing authority to generate a signed certificate.

Specify the certificate by using the PKCS#7 format.

10. Import the signed certificate into the keystore by entering:

keytool -import -alias tomcat -file CERTFILENAME

Where CERTFILENAME is the name of the file you received from the signing authority.

11. Restart the Avamar Enterprise Manager by entering:

dpnctl start ems

12. Continue with Tomcat Application Server Certificate (page 45) to use the same certificate for both the Tomcat application server and the Avamar Enterprise Manager web server.


Tomcat Application Server Certificate

The Tomcat application server can use the signed certificate you created for the Avamar Enterprise Manager web server. This procedure requires KeyTool IUI, an open source utility. KeyTool IUI requires Java version 6 or later to run.

IMPORTANT: Run the KeyTool IUI from a desktop workstation.

To use the signed certificate:

1. Download the KeyTool IUI from:

http://www.icewalkers.com/download/KeyTool-IUI/3073/dls/

2. After installing Java 6, extract the KeyTool IUI tarball or zip file.

3. Follow the instructions in readme_first.txt to run KeyTool IUI.

4. Download the /root/.keystore file from the Avamar utility node to your desktop machine.

In the process of downloading, rename the file with a .jks extension (keystore.jks).

5. From KeyTool IUI, select Export > Keystore’s entry > Private key in the left pane.

The following image shows KeyTool IUI. The right pane shows the options for the source and target.


6. Configure private key data according to the following table:

FOR THIS OPTION TAKE THIS ACTION

Keystore file Click the folder icon and browse for the saved .jks file in step 3.

Keystore password Click the mask icon and enter the password.

Private key file Select PEM format and enter a filename of your choosing.

Certificates chain file Select PEM format and enter a filename of your choosing.

7. Click OK.

The dialog box as shown in the following image appears.

8. Select the tomcat certificate.

9. For Enter respective password, enter the same password as the keystore password.

10. Click OK.

A message appears stating that keys were successfully exported. You also have the option of viewing each one.

11. Upload the private key and certificate chain files from your desktop workstation to the Avamar utility node.

(a) Copy the private key to /etc/httpd/conf/ssl.key/server.key.

(b) Copy the certificate chain file to /etc/httpd/conf/ssl.crt/server.crt.


12. Ensure these files are owned by root.root with permissions of 600 by entering the following commands, each one on a single command line:

chown root.root /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt

chmod 600 /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt

IMPORTANT: Space limitations in this publication caused the previous commands to continue (wrap) to more than one line. Each of your commands must be entered on a single command line (no line feeds or returns allowed).

13. Restart the httpd process by entering:

website restart


APPENDIX C — INSTALLING AN SSL CERTIFICATE ON AN AVAMAR SERVER

The following information applies to Apache only and not Tomcat (used in Avamar Enterprise Manager).

Currently, the Avamar web restore application uses the certificate that is generated during Avamar software installation. This certificate is self-signed, contains the hostname localhost.localdomain, and expires after one year.

Use the gen-ssl-cert utility to create a new self-signed certificate:

User: root

1. Do one of the following:

IF DO THIS

Preparing a single-node server.

Log into the server as root. When prompted for a password, enter the root password and press ENTER.

Preparing a multi-node server.

Log into the utility node as root. When prompted for a password, enter the root password and press ENTER.

2. Enter:

/usr/local/avamar/bin/gen-ssl-cert

For more information on the gen-ssl-cert utility, refer to the Avamar Technical Addendum.
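Added example, not part of the EMC manual: a POSIX shell audit for the Apache TLS material that Appendix B step 12 and this appendix concern. It checks that server.key and server.crt are owned root.root with mode 600 and are PEM files, and it uses openssl to flag a certificate that still carries the installation-time subject localhost.localdomain or is close to expiry. Paths default to the manual's /etc/httpd/conf locations; GNU stat (Linux) and an installed openssl are assumed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the EMC manual: audit the Apache TLS key and
# certificate that Appendix B step 12 says must be root.root, mode 600,
# and flag the installation-time certificate Appendix C describes.
# Assumes GNU stat (Linux) and, for the certificate checks, openssl.

# check_tls_file FILE [OWNER] [GROUP] [MODE]
# Returns 0 when FILE exists, is owned by OWNER:GROUP (default root:root),
# has exactly the octal MODE (default 600) and is PEM-encoded.
# Prints one finding per failed check and returns 1 otherwise.
check_tls_file() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-root}
    want_mode=${4:-600}
    rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER $file is $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE $file is $mode, expected $want_mode"
        rc=1
    fi
    if ! grep -q -- '-----BEGIN ' "$file"; then
        echo "FORMAT $file does not look like PEM"
        rc=1
    fi
    return $rc
}

# check_cert_not_default CERT [DAYS]
# Returns 1 if the certificate still carries the installation CN
# localhost.localdomain or expires within DAYS days (default 30),
# 2 if openssl is not available, 0 otherwise.
check_cert_not_default() {
    cert=$1
    days=${2:-30}
    command -v openssl >/dev/null 2>&1 || { echo "SKIP openssl not found"; return 2; }
    subject=$(openssl x509 -in "$cert" -noout -subject) || return 1
    rc=0
    case $subject in
        *localhost.localdomain*)
            echo "DEFAULT $cert still has the installation CN localhost.localdomain"
            rc=1 ;;
    esac
    # -checkend exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING $cert expires within $days days"
        rc=1
    fi
    return $rc
}

# audit_apache_tls [KEY] [CERT]  -> 0 only if every check passes
audit_apache_tls() {
    key=${1:-/etc/httpd/conf/ssl.key/server.key}
    cert=${2:-/etc/httpd/conf/ssl.crt/server.crt}
    rc=0
    check_tls_file "$key" || rc=1
    check_tls_file "$cert" || rc=1
    check_cert_not_default "$cert" || rc=1
    return $rc
}
```

Run audit_apache_tls as root after the httpd restart; a non-zero exit means at least one finding was printed. The functions take explicit paths and owner names so the same checks can be run on copies held elsewhere.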


APPENDIX D — TRANSPORT LAYER SECURITY CERTIFICATION

This appendix describes how to implement client/server authentication using Transport Layer Security (TLS) certificates.

Overview

This appendix lists the individual tasks for implementing TLS server and client authentication. It also explains how to apply encryption constraints to TLS.

Important Terms and Concepts

Become familiar with the following terms and concepts before performing any of the procedures in this appendix.

Transport Layer Security and Secure Sockets Layer. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for activities such as web browsing, email, Internet faxing, instant messaging and other data transfers. Although essentially the same, there are minor differences between SSL and TLS.

X.509 v3. A standard for formatting digital certificates that can be used to authenticate identities of computers, applications, people and so forth.

Root Certificate. In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate. A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a CA.


Self-Signing Certificates

If you self-sign your server and client certificates (that is, you do not intend to use a commercial CA such as Verisign), you must first create your own root certificate and key (page 57), then sign them using the self-signing procedure in this appendix (page 59).

If you use a commercial CA to sign your server certificates, the CA will sign your certificates and return them to you.

Root Certificates

Root certificates can be used with Windows and stunnel. All other certificates can be signed by this root certificate. If you are not a commercial certificate authority, some software might not accept your certificates. However, you can configure stunnel nodes to use the CA certificate and load it into the Local Computer Certificate Store on your Windows clients. Your certificates are then accepted as commercially-purchased ones.

When creating and signing certificates, EMC recommends:

• Properly secure the private key associated with the root certificate.

• In a high-risk environment use an air-gapped network for signing operations and creating keys, CSRs and other security-related artifacts. (An air-gapped network is completely physically, electrically and electromagnetically isolated.)

• Use a hardware random-number generator (RNG) to efficiently and quickly generate random numbers with adequate characteristics for cryptographic use.

• For maximum security, use the OpenBSD operating system as the host for the OpenSSL key and certificate utilities.

Implementing TLS Authentication

This section explains how to implement TLS server and client authentication.

Implement TLS Server Authentication

Properly implementing Avamar server authentication requires that the CSR contain the Avamar server node’s IP address in the Alternative Subject Name field. If nodes use multiple IP addresses (multihomed servers, servers behind network address translation (NAT), and so forth), ensure that each IP address is added to the Alternative Subject Name field.

If the openssl req command is used to generate the CSR, see (page 60) for an example of the content for the openssl.conf file. This example contains the [alt_names] section, which includes the server node IP addresses.


To implement server authentication using TLS:

1. Generate a unique server authentication certificate for each Avamar server node by performing Generate an Avamar Server Node Authentication Certificate and CSR (page 53) once for each Avamar server node.

IMPORTANT: Ensure that the CSR that you create contains the Avamar server node’s IP address in the Alternative Subject Name field.

2. Do one of the following:

IF DO THIS

You are using a commercial CA, such as Verisign, to sign your server certificates.

Submit your CSRs to your commercial CA.

You are self-signing your server certificates with your own root certificate and key.

(a) Ensure that the root certificate and key have been generated (page 57).

(b) Self-sign your server certificates with your own root certificate and key by performing Generating Self-Signed x509 Certificates (page 59) once for each server certificate.

3. Install the signed server certificates on all Avamar server nodes.

4. Configure stunnel on all Avamar server nodes to use your server certificate.

5. Restart stunnel on all the Avamar server nodes.

6. Restart the ascd service, if necessary.

7. Include the encrypt=sslverify option for all future client communications.

Implement TLS Client Authentication

IMPORTANT: Ensure that TLS authentication has been properly implemented on your Avamar server (page 50) before proceeding any further with these client tasks.


To implement client authentication using TLS:

1. Generate a single generic client certificate for use on all clients by performing Generate an Avamar Client Authentication Certificate and CSR (page 55).

2. Do one of the following:

IF DO THIS

You are using a commercial CA, such as Verisign, to sign your client certificate.

Submit your CSR to your commercial CA.

You are self-signing your client certificate with your own root certificate and key.

(a) Ensure that the root certificate and key have been created (page 57).

(b) Self-sign your client certificate with your own root certificate and key by performing Generating Self-Signed x509 Certificates (page 59).

3. Install the client certificate as a Trusted Authority in the client Local Computer Certificate Store by performing Installing a Client Authentication Certificate (page 62).

4. If you are using a self-signed client certificate, perform Installing a Trusted Root Certificate (page 63) on each client.

5. Configure stunnel on all Avamar server nodes to enforce a requirement for client certificates.

6. Restart stunnel on all the Avamar server nodes.

7. Restart the ascd service, if necessary.

Requesting TLS Encryption

Requests for 256-bit or 128-bit encryption strength and SHA digests in Avamar releases before 4.1 were notated by option flags. The following list contains examples of option flags for encryption.

• ssl:AES256-SHA

• ssl:AES128-SHA

• sslverify:AES256-SHA

• sslverify:AES128-SHA

Avamar supports other types of encryption besides the ones listed. Avamar 4.1 and later deprecates this notation for option flags. Deprecated versions of option flags that still exist for clients running Avamar 4.1 or later are ignored.

Avamar 4.1 and later replace the colon-separated option flags with an option flag pair: encrypt and encrypt-strength. The encrypt-strength option takes one of three values: None, Medium or High. Each encrypt-strength option value has a corresponding cipher:

OPTION VALUE CIPHER

None Cleartext (no cipher)

Medium 128-bit strength

High 168-bit strength or higher on Windows; 256-bit strength on Linux

A pre-4.1 option flag such as ssl:AES256-SHA translates into an encrypt and encrypt-strength option flag pair for Avamar 4.1 and later. For example, if server authentication is not requested, the option flag pair for ssl:AES256-SHA is specified as follows:

--encrypt=tls
--encrypt-strength=high

If server authentication is requested, the option flag pair for ssl:AES256-SHA is specified as follows:

--encrypt=tls-sa
--encrypt-strength=high

Refer to Appendix A — Client-Server Encryption Functional Matrix (page 39) for more information.

Generating Authentication Certificates and CSRs

This section explains how to generate authentication certificates and CSRs for the Avamar server and client nodes.

NOTE: The following procedures use “Example, Inc. (example),” “example.com,” “Dept 55,” “avamar-1,” and “192.0.2.4” as an example company name, Internet domain, department name, Avamar server name and IP address, respectively. Use your actual information instead.

The following procedures create RSA public/private key pairs and CSRs.

Generate an Avamar Server Node Authentication Certificate and CSR

IMPORTANT: Generate a unique certificate for each Avamar server node and repeat this procedure on every Avamar server node.


To generate a request for a new Avamar server node authentication certificate with a new key:

1. Open a command shell and enter the following on a single command line:

openssl req -new -newkey rsa:1024 -keyform PEM -keyout avamar-1key.pem -nodes -outform PEM -out avamar-1req.pem

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Enter the command on a single line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key.
++++++
...++++++
writing new private key to 'avamar-1key.pem'
-----

2. When prompted, enter the following information and press ENTER after each entry:

NAME FIELD DESCRIPTION

Distinguished Name (DN) Unique name for this particular server node. For example: avamar-1.node-1

Country Name The two-letter ISO abbreviation for your country. For example: US

State or Province Name The state or province where your organization is located. For example: California

IMPORTANT: This entry cannot be abbreviated.

Locality Name City where your organization is located. For example: Los Angeles

Organization Name The exact legal name of your company. For example: Example, Inc.

IMPORTANT: This entry cannot be abbreviated.

Organizational Unit Name Optional entry for additional organization information. For example: Dept. 55

Common Name Because this is your root certificate, name it something meaningful. For example: example.com Certificate Authority

Email Address Primary email address for this server. For example: [email protected]

The information you enter is incorporated into your certificate request.

TIP: Entering a period (.) and pressing ENTER leaves that entry blank.

The output from avamar-1req.pem is similar to the following:

-----BEGIN CERTIFICATE REQUEST-----
ABCDEF......XYZ=
-----END CERTIFICATE REQUEST-----

avamar-1key.pem content is similar to this:

-----BEGIN RSA PRIVATE KEY-----
ABCDEF......XYZ=
-----END RSA PRIVATE KEY-----

3. Repeat steps 1 and 2 for every Avamar server node.

Generate an Avamar Client Authentication Certificate and CSR

To generate a request for a new Avamar client authentication certificate with a new key:

1. Open a command shell and enter the following on a single command line:

openssl req -new -newkey rsa:1024 -keyform PEM -keyout avamarclientkey.pem -nodes -outform PEM -out avamarclientreq.pem

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Enter the command on a single line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key.
++++++
...++++++
writing new private key to 'avamarclientkey.pem'
-----


2. When prompted, enter the following information and press ENTER after each entry:

NAME FIELD DESCRIPTION

Country Name The two-letter ISO abbreviation for your country. For example: US

State or Province Name The state or province where your organization is located. For example: California

IMPORTANT: This entry cannot be abbreviated.

Locality Name City where your organization is located. For example: Los Angeles

Organization Name The exact legal name of your company. For example: Example, Inc.

IMPORTANT: This entry cannot be abbreviated.

Organizational Unit Name Optional entry for additional organization information. For example: Dept. 55

Common Name Because this certificate will be used by every Avamar client, name it something meaningful. For example: Generic Avamar Backup Client

Email Address Contact email address for all CA-related issues. For example: [email protected]

Challenge Password Enter a password that all users of this certificate must know and enter in order to be authenticated.

Optional Company Name Optional entry.

The information you enter is incorporated into your certificate request.

TIP: Entering a period (.) and pressing ENTER leaves that entry blank.

The output from avamarclientreq.pem is similar to the following:

-----BEGIN CERTIFICATE REQUEST-----
ABCDEF..XYZ=
-----END CERTIFICATE REQUEST-----


The content of avamarclientkey.pem looks similar to this:

-----BEGIN RSA PRIVATE KEY-----
ABCDEF..XYZ=
-----END RSA PRIVATE KEY-----

Generating a Root Certificate and Key

NOTE: Skip this section if you are using a commercial CA, such as Verisign, to sign your server certificates.

This topic explains how to create a root certificate and key by using OpenSSL tools. The recommended method is to use CA.pl, a Perl script wrapper for OpenSSL commands. As an alternative, you can use the openssl req command.

The following web sites provide more information for CA.pl and openssl req, respectively:

• www.openssl.org/docs/apps/CA.pl.html
• www.openssl.org/docs/apps/req.html

Download and Install OpenSSL and CA.pl

Download and install OpenSSL and a Perl interpreter on the system that generates the certificate. For optimal results, also download and install CA.pl.

NOTE: OpenSSL and Perl interpreters are available for Linux, Windows, OpenBSD and other operating systems.

Create a Root Certificate and Key

Use one of the following procedures to create a root certificate and key:

• Using CA.pl to Create a Root Certificate and Key (page 58)
• Using openssl req to Create a Root Certificate and Key (page 59)

Either procedure creates two files: exampleca.pem and examplekey.pem.

• Provide the exampleca.pem file to others for import into their certificate stores and browsers.

• Keep examplekey.pem in a private directory and use it for signing operations.


Using CA.pl to Create a Root Certificate and Key

NOTE: This procedure uses “Example, Inc. (example)” and “example.com” as an example company name and Internet domain, respectively. Use your actual company name instead.

The following procedure prompts you for various information including a password. When prompted for a password, specify a secure password.

1. Open a command shell.

2. From the openssl directory, enter:

CA.pl -newca

NOTE: This command creates all relevant files and directories in ./demoCA.

TIP: Press ENTER to show CA details. You are prompted for this information later on.

3. When prompted for a password, enter a secure password.

4. When prompted for a filename, enter the filename of the CA certificates (which should also contain the private key).

5. When prompted, enter the following information and press ENTER after each entry:

Country Name: The two-letter ISO abbreviation for your country. For example: US

State or Province Name: The state or province where your organization is located. For example: California

IMPORTANT: This entry cannot be abbreviated.

Locality Name: City where your organization is located. For example: Los Angeles

Organization Name: The exact legal name of your company. For example: Example, Inc.

IMPORTANT: This entry cannot be abbreviated.

Organizational Unit Name: Optional entry for additional organization information. For example: Dept. 55

Common Name: Because this is your root certificate, name it something meaningful. For example: example.com Certificate Authority

Email Address: Contact email address for all CA-related issues. For example: [email protected]

TIP: Entering a period (.) and pressing ENTER leaves that entry blank.

6. Back up exampleca.pem and examplekey.pem.

Using openssl req to Create a Root Certificate and Key

1. Open a command shell and enter:

openssl req -new -x509 -newkey rsa:1024 -keyform PEM -keyout private/examplekey.pem -extensions v3_ca -outform PEM -out exampleca.pem -days 3650

The -days 3650 option makes the certificate valid for 3650 days (10 years). You can set the -days option to any period that suits your site requirements.

IMPORTANT: Space limitations in this publication caused the previous command example to continue (wrap) to more than one line. Enter the command on a single line (no line feeds or returns allowed).

2. Back up exampleca.pem and examplekey.pem.

Generating Self-Signed x509 Certificates

NOTE: Skip this section if you are using a commercial CA, such as Verisign, to sign your server certificates.

This section explains how to self-sign certificates.


Prerequisite

Before you can self-sign certificates, you must:

1. Generate a root certificate and key as described in Generating a Root Certificate and Key (page 57).

2. Establish your authority to self-sign certificates by installing the root certificate (as a Trusted Authority) in the client’s Local Computer Certificate Store.

Generate a Signed x509 Certificate

This procedure assumes the following:

• CA certificate is in exampleca.pem.
• Key for CA certificate is in examplekey.pem.
• example.srl serial number seed file does not already exist.
• The following entries have been appended to the end of the openssl.cnf file that ships with OpenSSL:

[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
nsComment = "OpenSSL-generated server certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_names

[alt_names]
IP.0 = 192.0.2.4
# additional ip might be useful for server behind nat or multi-homed
#IP.1 = 1.2.3.4
DNS.0 = avamar-1.example.com
#additional hostname might be useful for server behind nat or multihomed
#DNS.1 = natavds.example.com

Note the customized hostname and IP address on the subjectAltName line.

To generate a signed x509 certificate:

1. Enter the following command on a single line:

openssl x509 -CA exampleca.pem -CAkey examplekey.pem -req -in avamar-1req.pem -extensions server_ext -extfile openssl.cnf -outform PEM -out avamar-1cert.pem -days 365 -CAserial example.srl -CAcreateserial

IMPORTANT: Space limitations in this publication caused the previous command example to continue (wrap) to more than one line. Enter the command on a single command line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=Example, Inc./OU=Dept55/CN=avamar-1.example.com/[email protected]
Getting CA Private Key
Enter pass phrase for examplekey.pem:

2. Enter the passphrase for this key and press ENTER.

The content of the signed certificate looks similar to the following output:

-----BEGIN CERTIFICATE-----
ABCDEF......XYZ=
-----END CERTIFICATE-----

3. Display the certificate content in text by entering:

openssl x509 -in avamar-1cert.pem -noout -text

The following information appears in your command shell:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9f:3a:d1:2d:93:2d:3d:92
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=Example, Inc., OU=Dept55, CN=example.com Certificate Authority/emailAddress=avamar-1.example.com
        Validity
            Not Before: May 16 20:21:12 2008 GMT
            Not After : May 16 20:21:12 2009 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=Example, Inc., OU=Dept55, CN=avamar-1.example.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c2:e2:f9:b8:77:9a:06:fe:6d:1d:c8:9d:04:3a:7d:75:aa:1e:8d:4a:57:34:f7:a6:4e:30:73:80:ca:c0:38:be:e9:e5:04:1b:05:42:79:b1:07:40:59:b7:3f:7f:79:21:2d:95:74:96:6f:25:ce:16:b8:ae:72:b1:b4:76:e7:fd:45:28:87:50:fd:76:b2:fe:c3:c2:cd:20:ee:54:40:2a:56:55:ca:d4:f4:df:ae:29:6b:4b:84:18:98:b7:ff:be:04:4e:bf:b5:9a:a7:39:ba:2e:87:3e:ea:d0:ae:8a:ec:d4:6a:7c:f3:cb:79:0b:b9:a9:83:28:67:80:e2:e1:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            Netscape Cert Type:
                SSL Client
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            Netscape Comment:
                OpenSSL-generated server certificate
            X509v3 Subject Key Identifier:
                A5:29:93:8E:98:E1:FB:4E:7A:2A:5A:A0:AB:76:A6:C5:18:F1:78:0A
            X509v3 Authority Key Identifier:
                keyid:DA:27:CF:99:D1:EB:C2:2C:93:50:9D:09:B7:20:E0:31:7E:D6:84:09
                DirName:/C=US/ST=California/O=example.com/OU=Dept55/CN=example.com Certificate Authority/[email protected]
                serial:DA:2D:59:E2:4F:E2:91:F8
    Signature Algorithm: sha1WithRSAEncryption
        9e:10:07:a7:1a:e8:7e:5c:b1:87:0d:81:5a:70:49:2c:86:e6:4c:36:93:31:4e:bf:f6:bf:de:02:52:66:25:c0:67:e9:a5:dc:
        5d:bf:9c:10:b6:77:c4:ce:a8:18:8d:6f:1d:e2:32:e5:01:56:20:86:f8:c3:9d:01:e6:dc:f4:0d:56:fc:22:dc:f7:be:64:42:cf:1e:ca:cb:7d:18:7b:8e:c0:ca:64:33:a1:aa:e5:1a:b6:1b:9f:f0:c8:19:55:c4:88:c1:77:bb:16:da:58:63:22:7d:ba:ff:9e:bc:c8:11:3f:37:cb:5e:a9:8d:dd:3b:f3:e6:cd:56:2f:2a:47:e9
        f3:f8

4. Combine the key and signed certificate into a pkcs#12 format file suitable for importing into a Microsoft Certificate Store by entering:

openssl pkcs12 -in avamarclientcert.pem -inkey avamarclientkey.pem -export -out avamarclientcert.p12 -name "Avamar Trusted Client"

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Enter the command on a single command line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Enter Export Password: mypassword
Verifying - Enter Export Password: mypassword
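The CSR, root CA and signing steps in this appendix, followed by the verification an operator should run before installing the result, as an added shell example that is not code from the Avamar manual. It needs only the openssl binary; the pki.cnf file, the "Some Other CA" and the 2048-bit key size are assumptions made for the demonstration, while the file, host and IP names are the manual's own examples.

```shell
#!/bin/sh
# Added example (not from the Avamar manual): scratch root CA, server CSR and
# CA-signed server cert using the manual's server_ext/alt_names sections, then
# the checks worth running before installing it. File, host and IP names are
# the manual's examples; 2048-bit keys replace the manual's rsa:1024.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
# Self-contained config: minimal [req] so no system openssl.cnf is needed,
# a v3_ca section for the root, and the manual's server_ext/alt_names.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
nsComment = "OpenSSL-generated server certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_names
[ alt_names ]
IP.0 = 192.0.2.4
DNS.0 = avamar-1.example.com
EOF

# Self-signed root (openssl req -x509), CSR (openssl req -new) and CA-signed
# certificate (openssl x509 -req), as in the manual's procedures.
build_pki() {
  openssl req -new -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout examplekey.pem -out exampleca.pem -days 3650 \
    -subj "/C=US/O=Example, Inc./CN=example.com Certificate Authority" 2>/dev/null
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -keyout avamar-1key.pem \
    -out avamar-1req.pem -subj "/C=US/O=Example, Inc./CN=avamar-1.example.com" 2>/dev/null
  openssl x509 -req -in avamar-1req.pem -CA exampleca.pem -CAkey examplekey.pem \
    -extensions server_ext -extfile pki.cnf -out avamar-1cert.pem -days 365 \
    -CAserial example.srl -CAcreateserial 2>/dev/null
}
# Check 1: the cert chains to exampleca.pem, which is what a client holding the
# root in chain.pem or its trust store evaluates.
verify_chain() { openssl verify -CAfile exampleca.pem avamar-1cert.pem >/dev/null 2>&1; }

# Check 2: key and cert carry the same public key, so stunnel's cert=/key= pair works.
key_matches_cert() {
  [ "$(openssl x509 -in avamar-1cert.pem -noout -pubkey)" = \
    "$(openssl pkey -in avamar-1key.pem -pubout)" ]
}

# Check 3: the server_ext extensions actually landed in the certificate.
has_server_ext() {
  t="$(openssl x509 -in avamar-1cert.pem -noout -text)"
  printf '%s\n' "$t" | grep -q 'CA:FALSE' &&
    printf '%s\n' "$t" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$t" | grep -q 'DNS:avamar-1.example.com' &&
    printf '%s\n' "$t" | grep -q 'IP Address:192.0.2.4'
}

# Check 4 (negative case): the cert must fail verification against a different CA.
rejects_wrong_ca() {
  openssl req -new -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout otherkey.pem -out otherca.pem -days 3650 -subj "/CN=Some Other CA" 2>/dev/null
  ! openssl verify -CAfile otherca.pem avamar-1cert.pem >/dev/null 2>&1
}

build_pki
for check in verify_chain key_matches_cert has_server_ext rejects_wrong_ca; do
  if "$check"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
```

The same four checks apply unchanged to a certificate issued by a commercial CA, with that CA's certificate in place of exampleca.pem.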

Installing a Client Authentication Certificate

The following procedure explains how to import a certificate (in pkcs#12 format) into each client’s Microsoft Windows certificate store.

1. Log into the Windows client computer by using an account with local administrator privileges.

2. Open the Microsoft Management Console:

(a) Choose Start > Run.

The Run dialog box appears.

(b) Enter mmc and press ENTER.

The Microsoft Management Console appears.

3. Press CTRL+M.

The Add/Remove Snap-In dialog box appears.

4. Press ALT+D.

If installing on Windows Vista, do the following:

(a) Click Add.

(b) Select Computer Account and press ENTER twice.

(c) Click OK.

The Add Standalone Snap-in dialog box appears.

5. From the Add Standalone Snap-in dialog box:

(a) Choose Certificates from the list and click Add.


The Certificates Snap-in dialog box appears.

(b) Set Computer Account.

(c) Press ENTER twice.

The Certificates Snap-in dialog box closes, and the Snap-in for Certificates/Computer Account/Local Computer is added.

(d) Press ESC, then ENTER.

The Certificates (Local Computer) Management console is visible in the tree.

6. Expand the tree, then select Certificates (Local Computer) > Personal > Certificates.

7. Right-click and choose All tasks > Import...

The Certificate Import Wizard appears.

8. Click Next, and then click Browse.

9. Navigate to the location of the file holding your Client authentication certificate and click Open.

Installing a Trusted Root Certificate

This section explains how to install a trusted root certificate, which enables Windows Avamar backup clients to authenticate server nodes.

1. Log into the Windows client computer by using an account with local administrator privileges.

2. Open the Microsoft Management Console:

(a) Choose Start > Run.

The Run dialog box appears.

(b) Enter mmc and press ENTER.

The Microsoft Management Console appears.

3. Press CTRL+M.

The Add/Remove Snap-In dialog box appears.

4. Press ALT+D.

If installing on Windows Vista, do the following:

(a) Click Add.

(b) Select Computer Account and press ENTER twice.

(c) Click OK.

The Add Standalone Snap-in dialog box appears.

5. From the Add Standalone Snap-in dialog box:

(a) Choose Certificates from the list and click Add.

The Certificates Snap-in dialog box appears.

(b) Set Computer Account.


(c) Press ENTER twice.

The Certificates Snap-in dialog box closes, and the Snap-in for Certificates/Computer Account/Local Computer is added.

(d) Press ESC, then ENTER.

The Certificates (Local Computer) Management console is visible in the tree.

6. Expand the tree, then select Certificates (Local Computer) > Personal > Certificates.

7. Right-click and choose All tasks > Import...

The Certificate Import Wizard appears.

8. Click Next, and then click Browse.

9. Navigate to the location of the file holding your Client authentication certificate and click Open.


APPENDIX E — CONFIGURING AVAMAR AUTHENTICATION AND ENCRYPTION ON UNIX

This appendix describes how to configure server and client authentication for Avamar AIX, FreeBSD, HP-UX, Linux and Solaris backup clients.

Avamar clients and servers use X.509 certificates for authentication. Typically, one-way authentication provides sufficiently strong security. The Avamar client requests authentication from the Avamar server, and the server sends the appropriate certificate to the client. The client then validates the certificate. Refer to Configuring Encryption and Server to Client Authentication (page 66) to set up one-way authentication.

For stronger security, Avamar clients and servers can use two-way authentication. To set up two-way authentication, first complete the instructions in Configuring Encryption and Server to Client Authentication (page 66), and then complete Configuring Client to Server Authentication (page 67).

In both configurations, all network data can be encrypted.


Configuring Encryption and Server to Client Authentication

The Avamar server uses stunnel for authentication and TLS encryption. This section describes how to set up one-way authentication and data encryption. The tasks include:

• Obtaining a unique server certificate and private key pair.
• Installing the unique server certificate and private key pair on the utility node and data nodes.
• Configuring stunnel to load the certificate and keys.
• Configuring the Avamar client to accept the certificate when authentication or encryption is requested.

Configure the Avamar Server

Perform the following steps on the utility node and data nodes:

1. Generate a unique private key and obtain a TLS server certificate by using one of the methods described in Appendix D — Transport Layer Security Certification (page 49).

2. On the utility node open the stunnel.conf file in a Unix editor (vi or emacs) and add the following lines:

cert = /usr/local/avamar/etc/stunnel/servercert.pem

key = /usr/local/avamar/etc/stunnel/serverkey.pem

3. Save stunnel.conf and exit the editor.

4. Restart stunnel on the utility node by entering:

stunctl restart

NOTE: The stunctl program must be run as user admin.

The stunctl program propagates the changes made to stunnel.conf to all data nodes and restarts stunnel on each of them.

Configure the Management Console Server

Configure the Management Console Server (MCS):

1. Set the encrypt_server_authenticate value in the /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml file by entering:

encrypt_server_authenticate=true

2. Restart the MCS by entering:

dpnctl stop mcs

dpnctl start


Configure the Avamar Client

Configure the Avamar client to accept server certificates:

1. Append the certificate (from the server’s certificate signer) to the chain.pem file on the Avamar client.

NOTE: The chain.pem file is located in SYSDIR (/usr/local/avamar/etc) on the Avamar client.

2. If chain.pem does not exist, copy the certificate (from the server’s certificate signer) to chain.pem. Otherwise, skip this step.

Configuring Client to Server Authentication

This section describes how to set up client to server authentication. Complete this section after completing Configuring Encryption and Server to Client Authentication (page 66) to configure two-way authentication for Avamar.

Configure the Avamar Client

1. Generate a unique private key (key.pem) and obtain a TLS client certificate (cert.pem) by using one of the methods in Appendix D — Transport Layer Security Certification (page 49).

2. Copy key.pem and cert.pem to SYSDIR (/usr/local/avamar/etc) on the Avamar client.

Configure the Avamar Server

IMPORTANT: The following procedure requires you to restart stunnel. If restarting stunnel is not feasible, use the CApath option instead of CAfile in step 3 and skip step 5. For more information on stunnel options, see the stunnel man page.

1. Append the certificate (from the server’s certificate signer) to the chain.pem file located in SYSDIR/stunnel.

2. If chain.pem does not exist, copy the certificate (from the server’s certificate signer) to chain.pem. Otherwise, continue to step 3.

3. On the utility node open the stunnel.conf file in a Unix editor (vi or emacs) and add the following lines:

CAfile=/usr/local/avamar/etc/stunnel/chain.pem

verify=2

The verify=2 option forces stunnel to authenticate clients.


4. Save stunnel.conf and exit the editor.

5. Log in as admin and restart stunnel on the utility node by entering:

stunctl restart

Verifying Avamar Authentication

To verify authentication, run a test backup. Use either the avtar command from the command line or the Avamar Administrator.

Using the avtar command

To use the avtar command with an encryption option:

• For Avamar clients running 4.1 or later, use the --encrypt=tls-sa option.
• For Avamar clients running 4.0 or before, use the --encrypt=sslverify option.

The --encrypt=tls-sa and --encrypt=sslverify options verify the identity of the Avamar server to the Avamar client.

For more information about the avtar command, refer to the Avamar Technical Addendum.

Using the Avamar Administrator

To use the Avamar Administrator 4.1 or later:

1. Ensure that the MCS is configured to enable server to client authentication as described in Configure the Management Console Server (page 66).

2. Select medium or high from the Encryption method list.

NOTE: The Encryption method list appears on both the On Demand Backup Options dialog box and the Restore Options dialog box.

For more information about the Avamar Administrator, refer to the Avamar System Administration Manual.

NOTE: If you block non-TLS (port 27000) traffic to Avamar with a firewall, only authenticated clients can connect to the server. To connect to the server, Avamar 4.1 clients must use the --encrypt=tls option and clients running an earlier release must use the --encrypt=ssl option. All clients must also use properly signed certificates to authenticate themselves to the server.