EMC AVAMAR 4.1

PRODUCT SECURITY MANUAL P/N 300-007-039 REV A01

EMC CORPORATION CORPORATE HEADQUARTERS: HOPKINTON, MA 01748-9103 1-508-435-1000 WWW.EMC.COM

Copyright and Trademark Notices

This document contains information proprietary to EMC. Due to continuing product development, product specifications and capabilities are subject to change without notice. You may not disclose or use any proprietary information or reproduce or transmit any part of this document in any form or by any means, electronic or mechanical, for any purpose, without written permission from EMC. EMC has made every effort to keep the information in this document current and accurate as of the date of publication or revision. However, EMC does not guarantee or imply that this document is error free or accurate with regard to any particular specification. In no event will EMC be liable for direct, indirect, incidental or consequential damages resulting from any defect in the documentation, even if advised of the possibility of such damages. No EMC agent or employee is authorized to make any modification, extension or addition to the above statements. EMC may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. The furnishing of this document does not provide any license to these patents, trademarks, copyrights or other intellectual property. The Avamar Agent for Microsoft Windows incorporates Open Transaction Manager (OTM), a product of Columbia Data Products, Inc. (CDP). CDP assumes no liability for any claim that may arise regarding this incorporation. In addition, EMC disclaims all warranties, both express and implied, arising from the use of Open Transaction Manager. Copyright 1999-2002 Columbia Data Products, Inc. Altamonte Springs. All rights reserved. Avamar, RAIN and AvaSphere are trademarks or registered trademarks of EMC in the US and/or other countries. All other product names and/or slogans mentioned herein may be trademarks or registered trademarks of their respective companies. All information presented here is subject to change and intended for general information. 
Copyright 2002-2008 EMC. All rights reserved. Protected by US Patents No. 6,704,730, 6,810,398 and patents pending. Printed in the USA.

TABLE OF CONTENTS

Foreword ...... 5
    Scope and Intended Audience ...... 5
    Typeface Conventions ...... 5
    Notes, Tips and Warnings ...... 6
User Accounts ...... 7
    Default User Accounts ...... 7
    Secure Shell (SSH) ...... 9
        admin User Account ...... 9
        dpn User Account ...... 10
        root User Account ...... 12
    Changing Passwords and Creating SSH Keys ...... 13
        Run the change-passwords Utility ...... 13
        Update Avamar Enterprise Manager Server ...... 21
        Manually Update Avamar Administrator CLI ...... 22
Avamar Product Security Policy ...... 24
Networking and Related Services ...... 25
    Subnet and Gateway Assignments ...... 25
    Domain Name Server (DNS) ...... 25
    Security ...... 25
    SNMP Configuration ...... 26
    Client-Server Data Port Usage and Firewall Requirements ...... 27
Log Files ...... 32
    Log Management and Retrieval ...... 32
        Single-Node Server ...... 33
        Utility Node ...... 35
        Storage Node ...... 36
        Spare Node ...... 36
        Avamar NDMP Accelerator Node ...... 37
        Access Node ...... 37
        Avamar Administrator Client Network Host ...... 37
        Backup Client Network Host ...... 37
Appendix A — Client-Server Encryption Functional Matrix ...... 39

AVAMAR 4.1 • PRODUCT SECURITY MANUAL 3 TABLE OF CONTENTS

Appendix B — Signing Avamar Enterprise Manager SSL Certificates ...... 42
    Overview ...... 42
    Getting a Signed Certificate ...... 43
    Tomcat Application Server Certificate ...... 45
Appendix C — Installing an SSL Certificate on an Avamar Server ...... 48
Appendix D — Certification ...... 49
    Overview ...... 49
    Important Terms and Concepts ...... 49
        Self-Signing Certificates ...... 50
        Root Certificates ...... 50
    Implementing TLS Authentication ...... 50
        Implement TLS Server Authentication ...... 50
        Implement TLS Client Authentication ...... 51
    Requesting TLS Encryption ...... 52
    Generating Authentication Certificates and CSRs ...... 53
        Generate an Avamar Server Node Authentication Certificate and CSR ...... 53
        Generate an Avamar Client Authentication Certificate and CSR ...... 55
    Generating a and Key ...... 57
        Download and Install OpenSSL and CA.pl ...... 57
        Create a Root Certificate and Key ...... 57
    Generating Self-Signed x509 Certificates ...... 59
        Prerequisite ...... 60
        Generate a Signed x509 Certificate ...... 60
    Installing a Client Authentication Certificate ...... 62
    Installing a Trusted Root Certificate ...... 63
Appendix E — Configuring Avamar Authentication and Encryption on Unix ...... 65
    Configuring Encryption and Server to Client Authentication ...... 66
        Configure the Avamar Server ...... 66
        Configure the Management Console Server ...... 66
        Configure the Avamar Client ...... 67
    Configuring Client to Server Authentication ...... 67
        Configure the Avamar Client ...... 67
        Configure the Avamar Server ...... 67
    Verifying Avamar Authentication ...... 68
        Using the avtar command ...... 68
        Using the Avamar Administrator ...... 68

FOREWORD

Scope and Intended Audience

Scope. This publication discusses various aspects of Avamar product security.

Intended Audience. This publication is primarily intended for EMC Field Engineers, contracted representatives and business partners who are responsible for configuring, troubleshooting and upgrading Avamar systems at customer sites, as well as system administrators or application integrators who are responsible for installing software and maintaining servers and clients on a network.

Product Information. For current documentation, release notes, software updates, as well as information about EMC products, licensing and service, go to the EMC Powerlink web site at http://Powerlink.EMC.com.

Typeface Conventions

The following table provides examples of standard typeface styles used in this publication to convey various kinds of information.

EXAMPLE                    DESCRIPTION

Click OK.
- or -
Choose File > Close.
    Bold text denotes actual Graphical User Interface (GUI) buttons, commands, menus and options (any GUI element that initiates action). Also note in the second example that sequential commands are separated by a greater-than (>) character. In this example, you are being instructed to choose the Close command from the File menu.

Enter:
cd /temp
    Bold fixed-width text denotes shell commands that must be entered exactly as they appear in this publication.

--logfile=FILE
    All caps text often denotes a placeholder (token) for an actual value that must be supplied by the user. In this example, FILE would be an actual filename.

Installation Complete.
    Regular (not bold) fixed-width text denotes command shell messages. It is also used to list code and file contents.

Notes, Tips and Warnings

The following kinds of notes, tips and warnings appear in this publication:

IMPORTANT: This is a warning. Warnings always contain information that if not heeded could result in unpredictable system behavior or loss of data.

TIP: This is a tip. Tips present optional information intended to improve your productivity or otherwise enhance your experience with our product. Tips never contain information that will cause a failure if ignored.

NOTE: This is a general note. Notes contain ancillary information intended to clarify a topic or procedure. Notes never contain information that will cause a failure if ignored.

USER ACCOUNTS

This chapter provides information on default user accounts for the Avamar system, SSH login access and the change-passwords interactive utility.

Default User Accounts

The Avamar system uses the following default user accounts and passwords:

                USER ACCOUNT      DEFAULT PASSWORD   DESCRIPTION/REMARKS

LINUX OS
                root              changeme           Linux OS root account on all Avamar nodes.
                admin             changeme           Linux OS account for Avamar server data owner.
                dpn               changeme           Linux OS account for Avamar maintenance user.

AVAMAR ADMINISTRATOR
                MCUser            MCUser1            Default Avamar Administrator administrative user account.
                backuponly        backuponly1        Account for internal use by Avamar Administrator server.
                restoreonly       restoreonly1       Account for internal use by Avamar Administrator server.
                backuprestore     backuprestore1     Account for internal use by Avamar Administrator server.
                root              8RttoTriz          Account for internal use by Avamar Administrator server.

ADMINISTRATOR POSTGRESQL DATABASE
                admin             (none)             No password, logged in on local node only.
                viewuser          viewuser1          Administrator server database view account.

AVAMAR ENTERPRISE MANAGER POSTGRESQL DATABASE
                admin             (none)             No password, logged in on local node only.

Secure Shell (SSH) Authentication

Access to the admin, dpn and root operating system user accounts is available through SSH login. SSH uses public/private key pairs to authenticate users logging into those accounts. SSH login access can be obtained by supplying operating system account passwords or by using either of two pre-authorized private keys, as described in the following table:

PRIVATE KEY   MATCHING PUBLIC   DEFAULT      AUTHORIZES ACCESS TO                       WHERE KEYS CAN
FILE NAME     KEY FILE NAME     PASSPHRASE                                              BE FOUND

admin_key     admin_key.pub     P3t3rPan     Operating system admin account             ~admin/.ssh/

dpnid         dpn_key.pub       (none)       Operating system admin and root accounts   ~admin/.ssh/
                                                                                        ~dpn/.ssh/

On an Avamar server, use the change-passwords program to coordinate changes to private keys and corresponding authorizations across all nodes.

admin User Account

The admin user account SSH v2 key configuration is controlled by the following files and directories in admin's home directory:

FILE/DIRECTORY                DESCRIPTION

~admin/.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
        drwx------ 2 admin admin

~admin/.ssh/config
    SSH configuration file. This file must contain the following entry:
        StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
        -r-------- 1 admin admin

~admin/.ssh/admin_key
    Private RSA OpenSSH key file. This file must be fully protected and owned as follows:
        -r-------- 1 admin admin
    The admin user account SSH private and public keys must be named admin_key and admin_key.pub, respectively.

~admin/.ssh/admin_key.pub
    Public RSA OpenSSH key file. This file is public and does not need to be protected.
        -r--r--r-- 1 admin admin

~admin/.ssh/dpnid
    Private DSA OpenSSH key file. This file must be fully protected and owned as follows:
        -r-------- 1 admin admin

~admin/.ssh/id_rsa
    Symbolic link to ~admin/.ssh/admin_key.

~admin/.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the admin user account. This file must be fully protected and owned as follows:
        -r-------- 1 admin admin
    This file must contain public key entries for the admin and dpn user accounts:
    • As currently shipped, the admin public key entry is an RSA key, prefixed with "ssh-rsa" and appended with the comment "dpn_admin_key."
    • As currently shipped, the dpn public key entry is a DSA key, prefixed with "ssh-dss" and appended with the comment "dpn@dpn41s."

Any files not listed in the previous table can be ignored. Use of the admin key requires a passphrase. The only method of changing or removing a passphrase is to generate a new private/public key pair and modify the appropriate authorized_keys2 files accordingly. To ensure proper operation of the Avamar server, the admin user must authorize SSH access by way of the dpnid private key. This is accomplished by including the matching public key (dpn_key.pub) in the admin user's authorized_keys2 file. The dpnid private key must not require a passphrase.

dpn User Account

The dpn user account SSH v2 key configuration is controlled by the following files and directories:

FILE/DIRECTORY                DESCRIPTION

~dpn/.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
        drwx------ 2 dpn admin
    - or -
        drwx------ 2 dpn dpn

~dpn/.ssh/config
    SSH configuration file. This file must contain the following entry:
        StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
        -r-------- 1 dpn admin
    - or -
        -r-------- 1 dpn dpn

~dpn/.ssh/dpnid
    Private DSA OpenSSH key file. This file must be fully protected and owned as follows:
        -r-------- 1 dpn admin
    - or -
        -r-------- 1 dpn dpn
    The dpn user account SSH private and public keys must be named dpnid and dpn_key.pub, respectively.

~dpn/.ssh/dpn_key.pub
    Public DSA OpenSSH key file. This file is public and does not need to be protected.
        -r--r--r-- 1 dpn admin
    - or -
        -r--r--r-- 1 dpn dpn

~dpn/.ssh/id_rsa
    Symbolic link to ~dpn/.ssh/dpnid.

~dpn/.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the dpn user account. This file must be fully protected and owned as follows:
        -r-------- 1 dpn admin
    - or -
        -r-------- 1 dpn dpn
    This file is deliberately left empty to ensure that no one can log in as user dpn using SSH keys.

Any other files can be ignored. The only way to log in as user dpn is to know the operating system dpn password. To ensure proper operation of the Avamar server, dpn's public key must be in both root's and admin's .ssh/authorized_keys2 file.

root User Account

The root user account SSH v2 key configuration is controlled by the following files and directories:

FILE/DIRECTORY                DESCRIPTION

.ssh/
    Private SSH directory. This directory must be fully protected and owned as follows:
        drwx------ 2 root root

.ssh/config
    SSH configuration file. This file must contain the following entry:
        StrictHostKeyChecking=no
    This file must be fully protected and owned as follows:
        -r-------- 1 root root

.ssh/authorized_keys2
    Contains a list of public keys for users allowed to log into the root user account. This file must be fully protected and owned as follows:
        -r-------- 1 root root
    This file must contain a public key entry for the dpn user account. As currently shipped, the dpn public key entry is a DSA key, prefixed with "ssh-dss" and appended with the comment "dpn@dpn41s."

Any files not listed in the previous table can be ignored. Logging in as the root user requires either the password for the root account or use of the pre-authorized dpnid private key. To ensure proper operation of the Avamar server, the root user must authorize SSH access by way of the dpnid private key. This is accomplished by including the matching public key (dpn_key.pub) in the root user's authorized_keys2 file. The dpnid private key must not require a passphrase.
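The following is an added example, not part of the Avamar manual: a small audit that checks one account's ~/.ssh layout against the admin, dpn and root tables above (0700/0400 modes and owners, the mandated key file names, the StrictHostKeyChecking entry, and the required authorized_keys2 entries, including the "must be empty" rule for dpn). The function names, the constructed sample layout and the use of GNU stat/readlink (Linux) are assumptions; the paths, modes and key comments are the manual's.

```shell
#!/bin/sh
# Added example, not part of the Avamar manual: audit one account's ~/.ssh
# layout against the admin, dpn and root tables (modes, owners, key names,
# StrictHostKeyChecking entry, authorized_keys2 contents). Function names,
# the sample layout and GNU stat/readlink (Linux) are assumptions.

# check_mode PATH OCTAL OWNER GROUP: print a FAIL line and return 1 on mismatch.
check_mode() {
    local path=$1 mode=$2 owner=$3 group=$4 got
    [ -e "$path" ] || { echo "FAIL: $path is missing"; return 1; }
    got=$(stat -c '%a %U %G' "$path")
    [ "$got" = "$mode $owner $group" ] ||
        { echo "FAIL: $path is $got, want $mode $owner $group"; return 1; }
}

# authorized_key_entries FILE: print "<type> <comment>" for each key line.
authorized_key_entries() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, (NF >= 3 ? $3 : "(no comment)") }' "$1"
}

# audit_authorized_keys FILE ["<type> <comment>" ...]
# Every listed entry must be present. Unlisted keys are reported as WARN
# (custom keys that change-passwords may drop, or keys nobody authorized);
# with no listed entries the file must be empty, as the dpn table requires.
audit_authorized_keys() {
    local file=$1 rc=0 found entry want listed; shift
    found=$(authorized_key_entries "$file" 2>/dev/null)
    for want in "$@"; do
        printf '%s\n' "$found" | grep -qxF -e "$want" ||
            { echo "FAIL: $file lacks '$want'"; rc=1; }
    done
    while read -r entry; do
        [ -n "$entry" ] || continue
        listed=0
        for want in "$@"; do [ "$entry" = "$want" ] && listed=1; done
        [ $listed -eq 1 ] && continue
        if [ $# -eq 0 ]; then echo "FAIL: $file must be empty but has '$entry'"; rc=1
        else echo "WARN: $file has an unlisted key '$entry'"; fi
    done <<EOF
$found
EOF
    return $rc
}

# audit_ssh_dir HOME OWNER GROUP [PRIVKEY PUBKEY]
# PRIVKEY/PUBKEY are the names the manual mandates for the account
# (admin_key/admin_key.pub for admin, dpnid/dpn_key.pub for dpn; none for root).
audit_ssh_dir() {
    local home=$1 owner=$2 group=$3 priv=$4 pub=$5 ssh rc=0
    ssh="$home/.ssh"
    check_mode "$ssh" 700 "$owner" "$group" || rc=1
    check_mode "$ssh/config" 400 "$owner" "$group" || rc=1
    check_mode "$ssh/authorized_keys2" 400 "$owner" "$group" || rc=1
    grep -qs '^StrictHostKeyChecking=no' "$ssh/config" ||
        { echo "FAIL: $ssh/config lacks the required StrictHostKeyChecking=no"; rc=1; }
    if [ -n "$priv" ]; then
        check_mode "$ssh/$priv" 400 "$owner" "$group" || rc=1
        [ -f "$ssh/$pub" ] || { echo "FAIL: public key $ssh/$pub is missing"; rc=1; }
        # the manual makes id_rsa a symbolic link to the account's private key
        [ -L "$ssh/id_rsa" ] &&
            [ "$(readlink -f "$ssh/id_rsa")" = "$(readlink -f "$ssh/$priv")" ] ||
            { echo "FAIL: $ssh/id_rsa is not a symlink to $priv"; rc=1; }
    fi
    return $rc
}

# make_sample_admin_layout DIR: a constructed admin home, owned by the
# current user, that satisfies the admin table (for an offline dry run).
make_sample_admin_layout() {
    local ssh="$1/.ssh"
    mkdir -p "$ssh" && chmod 700 "$ssh"
    echo 'StrictHostKeyChecking=no' > "$ssh/config"
    echo 'CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER' > "$ssh/admin_key"
    echo 'ssh-rsa AAAAconstructed dpn_admin_key' > "$ssh/admin_key.pub"
    printf '%s\n' 'ssh-rsa AAAAconstructed dpn_admin_key' \
                  'ssh-dss AAAAconstructed dpn@dpn41s' > "$ssh/authorized_keys2"
    chmod 400 "$ssh/config" "$ssh/admin_key" "$ssh/authorized_keys2"
    chmod 444 "$ssh/admin_key.pub"
    ln -sf admin_key "$ssh/id_rsa"
}

# On a real node (as root), the three accounts would be audited as:
#   audit_ssh_dir ~admin admin admin admin_key admin_key.pub
#   audit_authorized_keys ~admin/.ssh/authorized_keys2 "ssh-rsa dpn_admin_key" "ssh-dss dpn@dpn41s"
#   audit_ssh_dir ~dpn dpn admin dpnid dpn_key.pub; audit_authorized_keys ~dpn/.ssh/authorized_keys2
#   audit_ssh_dir ~root root root; audit_authorized_keys ~root/.ssh/authorized_keys2 "ssh-dss dpn@dpn41s"
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_sample_admin_layout "$tmp/admin"
    audit_ssh_dir "$tmp/admin" "$(id -un)" "$(id -gn)" admin_key admin_key.pub &&
        audit_authorized_keys "$tmp/admin/.ssh/authorized_keys2" \
            "ssh-rsa dpn_admin_key" "ssh-dss dpn@dpn41s" && echo "admin layout OK"
    rm -rf "$tmp"
fi
```

Running the script with --demo builds the constructed layout in a temporary directory and audits it; a non-zero exit from either function means at least one FAIL line was printed.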

Changing Passwords and Creating SSH Keys

This section explains how to use the change-passwords utility. This utility changes passwords for various operating system user accounts and Avamar server user accounts. The change-passwords utility also creates new OpenSSH keys. The change-passwords utility provides interactive prompts for the following operations:

• Changing operating system login passwords for the admin, dpn and root accounts
• Creating new admin and dpnid OpenSSH keys
• Changing internal Avamar server passwords for the root and MCUser accounts

Run the change-passwords Utility

To change operating system user account passwords or Avamar server user account passwords, or to create new OpenSSH keys, perform the following:

User=dpn

1. Open a command shell.

2. Do one of the following:
   • If administering a single-node server, log into the server as user dpn.
   • If administering a multi-node server, log into the utility node as user dpn.

3. Enter:

       change-passwords

   If you run change-passwords on a multi-node server, the following information appears in your command shell:

       Do you wish to change passwords and/or passphrases on all nodes?
       Answering y(es) changes this set of nodes:
         #.s -- all utility/services nodes
         #.# -- all data nodes.
       Answering n(o) will afford you the opportunity to install existing SSH keys onto other nodes.

       y(es), n(o), h(elp), q(uit/exit):

NOTE: The previous information does not appear if you run change-passwords on a single-node server.


4. Do one of the following:
   • If you want to change passwords on all nodes, enter y and press ENTER.
   • If you want to change passwords on selected nodes, enter n and press ENTER.

   The following information appears in your command shell:

       Identity added: /home/dpn/.ssh/dpnid (/home/dpn/.ssh/dpnid)
       Identity added: /home/dpn/.ssh/dpnid.prev (/home/dpn/.ssh/dpnid.prev)
       Identity added: /home/dpn/.ssh/dpnid.orig (/home/dpn/.ssh/dpnid.orig)

       Do you wish to specify one or more additional SSH passphrase-less private keys that are authorized for root operations?
       Answer n(o) here unless there are known inconsistencies in ~root/.ssh/authorized_keys2 files among the various nodes (as might be evident if you had been prompted for a root password in a previous run of this program).
       Note that the following keys will be used automatically (there is no need to re-specify them here):
         /home/dpn/.ssh/dpnid

       y(es), n(o), h(elp), q(uit/exit):
       ------

5. Enter n and press ENTER. The following information appears in your command shell:

       The following is a test of OS root authorization with the currently loaded SSH key(s).

       If during this test you are prompted for an OS root password, then you might be missing an appropriate "dpnid" key for one or more nodes.
       -> In that event, re-run this program and, when prompted, specify as many SSH private key files as are necessary in order to complete root operations on all nodes.

       Starting root authorization test with 600 second timeout...
       End of root authorization test.
       ------

       Change OS (login) passwords? y(es), n(o), q(uit/exit):


Change Operating System User Account Passwords?

6. Do one of the following:
   • If you want to change the admin, dpn or root operating system user account passwords, enter y and press ENTER.
   • If you do not want to change the admin, dpn or root operating system user account passwords, enter n and press ENTER. Proceed to step 16.

   The following information appears in your command shell:

       ------
       Change OS password for "admin"? y(es), n(o), q(uit/exit):

Change admin Login Password?

7. Do one of the following:
   • If you want to change the admin operating system user account password, enter y and press ENTER.
   • If you do not want to change the admin operating system user account password, enter n and press ENTER. Proceed to step 10.

   The following information appears in your command shell:

       Please enter a new OS (login) password for user "admin".
       (Entering an empty (blank) line twice quits/exits.)

8. Enter the new admin operating system user account password and press ENTER. The following information appears in your command shell:

       Please enter the same OS password again.
       (Entering an empty (blank) line twice quits/exits.)

9. Re-enter the new admin operating system user account password and press ENTER. The following information appears in your command shell:

       Accepted OS password for "admin".
       ------
       Change OS password for "dpn"? y(es), n(o), q(uit/exit):


Change dpn Login Password?

10. Do one of the following:
   • If you want to change the dpn operating system user account password, enter y and press ENTER.
   • If you do not want to change the dpn operating system user account password, enter n and press ENTER. Proceed to step 13.

   The following information appears in your command shell:

       Please enter a new OS (login) password for user "dpn".
       (Entering an empty (blank) line twice quits/exits.)

11. Enter the new dpn operating system user account password and press ENTER. The following information appears in your command shell:

       Please enter the same OS password again.
       (Entering an empty (blank) line twice quits/exits.)

12. Re-enter the new dpn operating system user account password and press ENTER. The following information appears in your command shell:

       Accepted OS password for "dpn".
       ------
       Change OS password for "root"? y(es), n(o), q(uit/exit): y

Change root Login Password?

13. Do one of the following:
   • If you want to change the root operating system user account password, enter y and press ENTER.
   • If you do not want to change the root operating system user account password, enter n and press ENTER. Proceed to step 16.

   The following information appears in your command shell:

       Please enter a new OS (login) password for user "root".
       (Entering an empty (blank) line twice quits/exits.)

14. Enter the new root operating system user account password and press ENTER. The following information appears in your command shell:

       Please enter the same OS password again.
       (Entering an empty (blank) line twice quits/exits.)

15. Re-enter the new root operating system user account password and press ENTER. The following information appears in your command shell:

       Accepted OS password for "root".
       ======
       Change SSH keys? y(es), n(o), q(uit/exit): y


Create New OpenSSH Keys?

16. Do one of the following:
   • If you want to create new admin or dpnid OpenSSH keys, enter y and press ENTER.
   • If you do not want to create new admin or dpnid OpenSSH keys, enter n and press ENTER. Proceed to step 21.

   The following information appears in your command shell:

       ------
       Change SSH key for "admin"? y(es), n(o), q(uit/exit):

Create New admin OpenSSH Key?

17. Do one of the following:
   • If you want to create a new admin OpenSSH key, enter y and press ENTER.
   • If you do not want to create a new admin OpenSSH key, enter n and press ENTER. Proceed to step 20.

   The following information appears in your command shell:

       Please enter a new SSH key passphrase for user "admin".
       (Entering an empty (blank) line twice quits/exits.)

18. Enter the new admin OpenSSH passphrase and press ENTER. The following information appears in your command shell:

       Please enter the same SSH key again.
       (Entering an empty (blank) line twice quits/exits.)

19. Re-enter the new admin OpenSSH passphrase and press ENTER. The following information appears in your command shell:

       Accepted SSH key for "admin".
       ------
       Redo passphrase-less elevated-privilege SSH key "dpnid"? y(es), n(o), h(elp), q(uit/exit):


Create New dpnid OpenSSH Key?

20. Do one of the following:
   • If you want to create a new dpnid OpenSSH key, enter y and press ENTER.
   • If you do not want to create a new dpnid OpenSSH key, enter n and press ENTER.

   The following information appears in your command shell:

       ======
       Change Avamar Server passwords? y(es), n(o), q(uit/exit):

Change Internal Avamar Server User Account Passwords?

IMPORTANT: The remainder of this procedure requires knowledge of the internal Avamar server root user account password.

21. Do one of the following:
   • If you want to change the MCUser or root internal Avamar server user account passwords, enter y and press ENTER.
   • If you do not want to change the MCUser or root internal Avamar server user account passwords, enter n and press ENTER. Proceed to step 26.

   The following information appears in your command shell:

       Please enter the CURRENT Avamar Server password for "root"
       (Entering an empty (blank) line twice quits/exits.)

22. Enter the current internal Avamar server root user account password (not the operating system root password) and press ENTER. The following information appears in your command shell:

       Checking Avamar Server root password (300 second timeout)...
       Avamar Server current root password accepted.
       ------
       Change Avamar Server password for "MCUser"? y(es), n(o), q(uit/exit): y


Change Internal Avamar Server MCUser Password?

23. Do one of the following:
   • If you want to change the internal Avamar server MCUser password, enter y and press ENTER.
   • If you do not want to change the internal Avamar server MCUser password, enter n and press ENTER. Proceed to step 26.

   The following information appears in your command shell:

       Please enter a new Avamar Server password for user "MCUser".
       (Entering an empty (blank) line twice quits/exits.)

24. Enter the new internal Avamar server MCUser password and press ENTER. The following information appears in your command shell:

       Please enter the same Avamar Server password again.
       (Entering an empty (blank) line twice quits/exits.)

25. Re-enter the new internal Avamar server MCUser password and press ENTER. The following information appears in your command shell:

       Accepted Avamar Server password for "MCUser".
       ------
       Change Avamar Server password for "root"? y(es), n(o), q(uit/exit):

IMPORTANT: Use of change-passwords to change the internal Avamar server MCUser password disables the Avamar Administrator CLI feature. After running change-passwords you must manually update the MCUser password for the Avamar Administrator CLI. Refer to Manually Update Avamar Administrator CLI (page 22).

Change Internal Avamar Server root Password?

26. Do one of the following:
   • If you want to change the internal Avamar server root password, enter y and press ENTER.
   • If you do not want to change the internal Avamar server root password, enter n and press ENTER. Proceed to step 29.

   The following information appears in your command shell:

       Please enter a new Avamar Server password for user "root".
       (Entering an empty (blank) line twice quits/exits.)

27. Enter the new internal Avamar server root password and press ENTER. The following information appears in your command shell:

       Please enter the same Avamar Server password again.
       (Entering an empty (blank) line twice quits/exits.)


28. Re-enter the new internal Avamar server root password and press ENTER. The following information appears in your command shell:

       Accepted Avamar Server password for "root".
       ------
       Do you wish to proceed with your password changes on the selected node?
       Answering y(es) will proceed with password updates.
       Answering n(o) or q(uit) will not proceed.

       y(es), n(o), q(uit/exit): y

Accept Changes?

29. Do one of the following:
   • If you want to accept changes made to passwords or OpenSSH keys during this utility session, enter y and press ENTER.
   • If you want to exit this utility session without making changes to passwords or OpenSSH keys, enter n and press ENTER.

   The following information appears in your command shell:

       Changing OS passwords...
       [Logging to /usr/local/avamar/var/change-passwords.log...]
       Done changing OS passwords...
       Changing Avamar Server passwords...
       Checking Administrator Server Status...
       Stopping Administrator Server...
       Starting process of updating Administrator configuration...
       Running script to update Administrator configuration on node 0.s...
       [Logging to /usr/local/avamar/var/change-passwords.log...]
       Done with updating Administrator configuration on node 0.s...
       Starting process of updating client configurations...
       Running script to update client configuration on 0.s...
       [Logging to /usr/local/avamar/var/change-passwords.log...]
       Updating client configuration on node 0.0...
       Done updating client configuration on 0.0...
       Checking Administrator Server Status...
       Starting Administrator Server...
       Starting process of changing SSH keys...
       Running script to update SSH keys on node 0.s...
       [Logging to /usr/local/avamar/var/change-passwords.log...]
       Done with updating SSH keys on node 0.s...
       ------
       Done.
       NOTES:
       - If you had custom public keys present in the authorized_keys2 files of any Avamar OS users (admin, dpn, root) be aware that you may need to re-add your custom keys.
       - Please be sure to resume schedules via the Administrator GUI.

Update Avamar Enterprise Manager Server

After the change-passwords utility finishes modifying various passwords, you must update the Avamar Enterprise Manager server by performing the following:

1. Open your web browser and log into Avamar Enterprise Manager. The Dashboard page appears.
2. Choose Configure. The Configure page appears.
3. Click the server name you want to edit. An Edit block appears below the systems list.
4. Enter the new MCUser password in the Password field and click Save.

User=admin

5. Open a command shell.
6. Do one of the following:
   • If administering a single-node server, log into the server as user admin.
   • If administering a multi-node server, log into the utility node as user admin.
7. Load the admin OpenSSH key by entering:

       ssh-agent bash
       ssh-add ~admin/.ssh/admin_key

   You are prompted to enter a passphrase.
8. Enter the admin user account passphrase and press ENTER.
9. Enter:

       dpnctl stop ems
       emserver.sh --renameserver --uselocalmcs
       dpnctl start

Manually Update Avamar Administrator CLI

The change-passwords utility does not change the internal Avamar server MCUser password for the Avamar Administrator CLI. After running change-passwords, you must therefore manually update the MCUser password for the Avamar Administrator CLI. (The Avamar Administrator CLI generates events whenever cron maintenance activities run.)

IMPORTANT: Use of change-passwords to change the internal Avamar server MCUser password disables the Avamar Administrator CLI.

Edit the following files to manually update the MCUser password:

• ~admin/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml
• ~dpn/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml
• ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml

From the command shell:

User=admin

1. Do one of the following:
   • If administering a single-node server, log into the server as user admin.
   • If administering a multi-node server, log into the utility node as user admin.

2. Open ~admin/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.


3. Locate the following entries:

   NOTE: This example has been simplified for clarity.

4. Change the mcspasswd="PASSWORD" entry to agree with the new internal Avamar server MCUser password that you previously set using the change-passwords utility (page 19).
5. Save your changes.

User=dpn

6. Switch user to the dpn user account by entering:

       su - dpn

   When prompted for a password, enter the dpn password and press ENTER.
7. Load the dpn OpenSSH key by entering:

       ssh-agent bash
       ssh-add ~dpn/.ssh/dpnid

8. Open ~dpn/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.
9. Repeat steps 3 thru 5.

User=admin

10. Switch back to the admin user account by entering:

       exit
       exit

User=root

11. Switch user to root by entering:

       su -

   When prompted for a password, enter the root password and press ENTER.
12. Open ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml in a Unix text editor.

   IMPORTANT: The ~root/.avamardata/var/mc/cli_data/prefs/mcclimcs.xml file might not be present on all servers. In that case, skip step 14.

13. Repeat steps 3 thru 5.

User=admin

14. Switch back to the admin user account by entering:

       exit

AVAMAR PRODUCT SECURITY POLICY

Each Avamar release ships with a set of up-to-date security patches. If you install any other security patches or security applications incompatible with Avamar, you must remove them and restore the Avamar system to its previous working configuration. Then file a support case with EMC Technical Support and include the specific security updates you applied.

IMPORTANT: It is customer responsibility to ensure that the Avamar system is configured to protect against unau- thorized access. Back up all important files before applying new security patches, applications or updates.

NETWORKING AND RELATED SERVICES

The following networking and related services are required to successfully deploy an Avamar system.

Subnet and Gateway Assignments

Clients must be able to contact every node in the Avamar module directly, and vice-versa. The switch must have a default gateway assigned to it.

Domain Name Server (DNS)

There must be a DNS server in the facility. DNS configuration is important. A single-node Avamar server or the utility node of a multi-node Avamar server must be assigned a forward mapping and optionally a reverse mapping. An example of a forward-mapping entry for a single-node Avamar server or the utility node of a multi-node Avamar server might be as follows in a BIND environment:

avamar-1    A    10.0.5.5

A corresponding optional reverse mapping for a zone serving the 5.0.10.in-addr.arpa subnet in a BIND environment might be as follows:

5    PTR    avamar-1.example.com.

Security

All nodes and the switch in the Avamar server must be protected against unauthorized access. A VPN system must be employed if remote access to the Avamar server is required.

SNMP Configuration

All Avamar nodes use Simple Network Management Protocol (SNMP). The snmpd.conf file, the configuration file used by SNMP, defines how SNMP operates. Before Avamar release 4.1, the default snmpd.conf file contains the public community string shown in the following example:

####
# First, map the community name "public" into a "security name"
#       sec.name        source      community
com2sec notConfigUser   default     public

The public community string in the previous example grants read-only access to everything, which presents a medium-level security vulnerability. To enable a higher level of security for Avamar releases before 4.1, change the community name:

1. Open the /etc/snmp/snmpd.conf file in a Unix editor (vi or emacs).
2. Go to the line "com2sec notConfigUser default public".
3. Change the community name from public to AvCom:
   com2sec notConfigUser default AvCom
4. Save the /etc/snmp/snmpd.conf file.
5. Restart the snmpd agent.
6. Repeat steps 1–5 for all nodes that comprise the Avamar system.

NOTE: Dell omreport actively uses SNMP. According to Dell, changing the public community string to a different value does not affect functionality.

For new Avamar installations beginning with release 4.1, the community name in the snmpd.conf file is already set to AvCom (Avamar Community).
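Because step 6 must be repeated on every node, the check is worth automating: collect each node's snmpd.conf, report the ones that still map a source to the public community, and write a hardened copy. The following is an added example and not a script from the Avamar manual; the sample snmpd.conf content is constructed from the manual's excerpt, and the replacement community defaults to AvCom as shipped in 4.1 but can be any site value.

```shell
# Added example, not part of the Avamar manual: audit snmpd.conf copies for
# the pre-4.1 default "public" community and produce a hardened copy.

# Constructed sample of the pre-4.1 default (from the manual's excerpt).
SAMPLE_SNMPD_CONF='####
# First, map the community name "public" into a "security name"
#       sec.name        source      community
com2sec notConfigUser   default     public'

# snmp_public_communities FILE
# Prints every com2sec line (comments stripped) whose community is "public".
# Returns 0 when the file is clean, 1 when at least one such line exists.
snmp_public_communities() {
    _hits=$(sed 's/#.*//' "$1" | awk '$1 == "com2sec" && $4 == "public"')
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# snmp_harden_copy SRC DST [COMMUNITY]
# Writes DST as a copy of SRC in which every com2sec "public" community is
# replaced by COMMUNITY (default AvCom, the value Avamar 4.1 ships with).
# Comment lines pass through unchanged; restart snmpd after installing DST.
snmp_harden_copy() {
    awk -v c="${3:-AvCom}" '
        $1 == "com2sec" && $4 == "public" { $4 = c }
        { print }
    ' "$1" > "$2"
}

# audit_all_nodes FILE...
# Runs the audit over the snmpd.conf copies collected from every node
# (step 6 of the manual's procedure). Returns the number of files still
# using "public", so 0 means the whole system is clean.
audit_all_nodes() {
    _bad=0
    for _f in "$@"; do
        if ! snmp_public_communities "$_f" >/dev/null; then
            echo "public community still configured: $_f"
            _bad=$((_bad + 1))
        fi
    done
    return $_bad
}
```

The audit only looks at com2sec lines, which is where the manual's procedure makes its change; rocommunity/rwcommunity shorthand lines, if a site added them, would need the same treatment.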

Client-Server Data Port Usage and Firewall Requirements

Configure unobstructed client-server communication over the following data ports for all applicable firewalls.

PORT/PROTOCOL, PURPOSE, SOURCE, DESTINATION, REMARKS

22/TCP
  Purpose: SSH
  Source: Utility node and trusted administrator hosts
  Destination: All nodes
  Remarks: Required.

53/UDP
  Purpose: DNS name resolution
  Source: DNS resolving name servers
  Destination: All nodes
  Remarks: Optional, but recommended. Might restrict to specific source name servers.

53/UDP
  Purpose: DNS name resolution
  Source: All nodes
  Destination: DNS resolving name servers
  Remarks: Optional, but recommended. Might restrict to specific destination name servers.

53/TCP
  Purpose: DNS zone transfer
  Source: DNS zone masters
  Destination: Utility node
  Remarks: Optional, but recommended. Might restrict to specific source name servers.

80/TCP
  Purpose: HTTP
  Source: User-defined web client hosts or reverse proxy server
  Destination: Utility node
  Remarks: Required. Permit access from all Avamar clients or only from reverse proxy web server (recommended).

123/UDP
  Purpose: NTP
  Source: NTP time servers
  Destination: All nodes
  Remarks: Required. Might restrict to specific source time servers.

123/UDP
  Purpose: NTP
  Source: All nodes if external time servers are used
  Destination: NTP time servers
  Remarks: Required. Might restrict to specific destination time servers.

443/TCP
  Purpose: HTTPS (implements web docs, restore and downloads features)
  Source: User-defined web client hosts
  Destination: Utility node
  Remarks: Required. Permit access from all Avamar clients or only from reverse proxy web server (recommended).

514/TCP
  Purpose: Syslog
  Source: Utility node
  Destination: Utility node
  Remarks: Optional. Logs Avamar server events to syslog.

1080/TCP
  Purpose: 3ware RAID management
  Source: User-defined web client hosts
  Destination: All nodes for Avamar M and Avamar E
  Remarks: Only required for legacy Avamar M and Avamar E hardware. Recommend permitting access only from trusted administrative hosts.

1234/TCP
  Purpose: avw_install HTTPS utility
  Source: Trusted web client hosts
  Destination: Utility node
  Remarks: Port 1234 must be open during the initial installation of Avamar software. After a successful installation, no Avamar service should be listening on port 1234. Permit access only to trusted hosts which are used for the initial installation of Avamar software.

5555/TCP
  Purpose: Connection to administrator server PostgreSQL database
  Source: User-defined PostgreSQL client hosts
  Destination: Utility node
  Remarks: Optional for connecting to PostgreSQL database from outside the module. Recommend permitting access only from hosts requiring access to administrator server database.

5556/TCP
  Purpose: Avamar Enterprise Manager server PostgreSQL database (emdb)
  Source: User-defined PostgreSQL client hosts
  Destination: Avamar Enterprise Manager server node
  Remarks: Optional for connecting to PostgreSQL database from outside the module. Recommend permitting access only from hosts requiring access to administrator server database.

5557/TCP
  Purpose: Metadata search PostgreSQL database
  Source: Avamar Enterprise Manager
  Destination: Access node (where metadata search database is installed)
  Remarks: Optional. Only required if metadata search feature is installed.

7778/TCP
  Purpose: RMI - Avamar Administrator server
  Source: Avamar Administrator management console
  Destination: Utility node
  Remarks: Required. Recommend permitting access only from trusted administrative hosts.

7779/TCP
  Purpose: RMI - Avamar Administrator server
  Source: Avamar Administrator management console
  Destination: Utility node
  Remarks: Required. Recommend permitting access only from trusted administrative hosts.

7780/TCP
  Purpose: RMI - Avamar Administrator server
  Source: Avamar Administrator management console
  Destination: Utility node
  Remarks: Required. Recommend permitting access only from trusted administrative hosts.

7781/TCP
  Purpose: RMI - Avamar Administrator server
  Source: Avamar Administrator management console
  Destination: Utility node
  Remarks: Required. Recommend permitting access only from trusted administrative hosts.

8005/TCP
  Purpose: Tomcat server shutdown port
  Source: Local host
  Destination: Utility node
  Remarks: Required. The /usr/local/jakarta-tomcat-5.5.9/bin/shutdown.sh script makes a connection on port 8005, and sends a shutdown command to the running instance of tomcat. This connection can only be made from the local host. The server.xml file contains the definition for port 8005. Do not modify this definition.

8009/TCP
  Purpose: Tomcat connector port
  Source: Utility node
  Destination: Utility node
  Remarks: Optional, but recommended. The Apache JServ Protocol (AJP) uses port 8009 to load balance the work for multiple instances of Tomcat. AJP can be turned off by removing the following element from the server.xml file: protocol="AJP/1.3"

8443/TCP
  Purpose: Tomcat for HTTPS
  Source: Any network host running web browser
  Destination: Utility node
  Remarks: Optional, but recommended in order to use Avamar Enterprise Manager.

8778/TCP
  Purpose: RMI - Avamar Enterprise Manager
  Source: Utility node
  Destination: Utility node (where Avamar Enterprise Manager is installed)
  Remarks: Required. Recommend permitting access only from the local host.

8779/TCP
  Purpose: RMI - Avamar Enterprise Manager login_server
  Source: Utility node
  Destination: Utility node (where Avamar Enterprise Manager is installed)
  Remarks: Required. Recommend permitting access only from the local host.

8780/TCP
  Purpose: RMI - Avamar Enterprise Manager service_context
  Source: Utility node
  Destination: Utility node (where Avamar Enterprise Manager is installed)
  Remarks: Required. Recommend permitting access only from the local host.

8781/TCP
  Purpose: RMI - Avamar Enterprise Manager node_context
  Source: Utility node
  Destination: Utility node (where Avamar Enterprise Manager is installed)
  Remarks: Required. Recommend permitting access only from the local host.

27000/TCP
  Purpose: Avamar client communications with Avamar server
  Source: Avamar client network hosts
  Destination: All nodes
  Remarks: Required.

27000/TCP
  Purpose: Avamar server communications with Replicator target (Avamar proprietary server communication)
  Source: All nodes
  Destination: Replicator target server
  Remarks: Required if server is used as Replicator source.

28001/TCP
  Purpose: Avamar client communications with administrator server
  Source: Avamar clients
  Destination: Utility node
  Remarks: Required.

28002/TCP
  Purpose: Administrator server communications with Avamar client
  Source: Utility node
  Destination: Avamar clients
  Remarks: Optional for clients and for browsing and cancelling backups from the Avamar Administrator management console.

29000/TCP
  Purpose: Avamar client Secure Sockets Layer (SSL) communications with Avamar server
  Source: Avamar clients
  Destination: All nodes
  Remarks: Required.

29000/TCP
  Purpose: Avamar server SSL communications with Replicator target server
  Source: All nodes
  Destination: Replicator target server
  Remarks: Required if server is Replicator source.
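The table's remark for port 1234 (no Avamar service should listen on it after installation) is the kind of condition worth checking from the node itself rather than trusting the firewall alone. The following is an added example, not a tool from the Avamar manual: it compares the listening TCP ports reported by ss with an allowlist built from the rows whose destination is the utility node (or all nodes) and flags anything else. The ss output is constructed, and the allowlist is an assumption the operator trims to the services actually deployed (for instance 5556 only where Enterprise Manager runs on that node).

```shell
# Added example, not part of the Avamar manual. The allowlist below is the
# editor's reading of the port table (utility node or all nodes as
# destination); 1234 is deliberately absent because it is legitimate only
# during installation. The ss output is constructed sample data.

UTILITY_NODE_PORTS="22 53 80 443 514 5555 5556 7778 7779 7780 7781 8005 8009 8443 8778 8779 8780 8781 27000 28001 29000"

# Constructed sample of `ss -ltn` output from a freshly installed node.
SAMPLE_SS_OUTPUT='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22            0.0.0.0:*
LISTEN  0      128    0.0.0.0:443           0.0.0.0:*
LISTEN  0      50     0.0.0.0:1234          0.0.0.0:*
LISTEN  0      1      127.0.0.1:8005        0.0.0.0:*
LISTEN  0      128    0.0.0.0:7778          0.0.0.0:*
LISTEN  0      128    :::29000              :::*'

# unexpected_listeners ALLOWLIST < SS_OUTPUT
# Prints, sorted and one per line, every listening port not in ALLOWLIST.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # keep only the port of addr:port
            if (!(port in ok)) print port
        }
    ' | sort -n | uniq
}

# post_install_check ALLOWLIST < SS_OUTPUT
# Returns 0 when only allowlisted ports listen; otherwise reports each stray
# port, naming 1234 (avw_install) explicitly, and returns 1.
post_install_check() {
    _stray=$(unexpected_listeners "$1")
    [ -z "$_stray" ] && return 0
    for _p in $_stray; do
        if [ "$_p" = 1234 ]; then
            echo "WARNING: port 1234 (avw_install) still listening after installation"
        else
            echo "unexpected listener on port $_p"
        fi
    done
    return 1
}

# On a live node (not run here):  ss -ltn | post_install_check "$UTILITY_NODE_PORTS"
```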

LOG FILES

A log is a chronological record of system activities. Avamar software includes log files for server and client components, maintenance tasks, various utilities and backup clients. These log files enable you to examine various aspects of the Avamar system.

Log Management and Retrieval

The following sections include log file information organized in tables for each Avamar component. For additional information on log files, refer to the Avamar manual for the specific component.

Single-Node Server

FEATURE/FUNCTION LOCATION

Avamar Administrator server /usr/local/avamar/var/mc/server_log/flush.log /usr/local/avamar/var/mc/server_log/restore.log /usr/local/avamar/var/mc/server_log/mcserver.log.# /usr/local/avamar/var/mc/server_log/mcserver.out /usr/local/avamar/var/mc/server_log/pgsql.log /usr/local/avamar/var/mc/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log /usr/local/avamar/var/mc/server_data/mcs_data_dump.sql

Avamar Enterprise Manager - Tomcat /usr/local/avamar/var/em/webapp_log/admin.DATE.log /usr/local/avamar/var/em/webapp_log/catalina.DATE.log /usr/local/avamar/var/em/webapp_log/catalina.out /usr/local/avamar/var/em/webapp_log/host-manager.DATE.log /usr/local/avamar/var/em/webapp_log/localhost.DATE.log /usr/local/avamar/var/em/webapp_log/manager.DATE.log

Avamar Enterprise Manager - Server /usr/local/avamar/var/em/server_log/flush.log /usr/local/avamar/var/em/server_log/restore.log /usr/local/avamar/var/em/server_log/emserver.log.# /usr/local/avamar/var/em/server_log/emserver.out /usr/local/avamar/var/em/server_log/pgsql.log /usr/local/avamar/var/em/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log /usr/local/avamar/var/em/server_data/ems_data_dump.sql

Maintenance tasks /usr/local/avamar/var/cron/clean_emdb.log /usr/local/avamar/var/cron/dpn_crontab.log /usr/local/avamar/var/cron/cp.log /usr/local/avamar/var/cron/gc.log /usr/local/avamar/var/cron/hfscheck.log /usr/local/avamar/var/cron/ntpd_keepalive_cron.log /usr/local/avamar/var/cron/ntpd_keepalive_cron.log.# /usr/local/avamar/var/cron/suspend.log

avw_install utility /usr/local/avamar/var/avw_cleanup.log /usr/local/avamar/var/avw_install.log /usr/local/avamar/var/avw-time.log /usr/local/avamar/var/log/dpnavwinstall-VERSION.log

axion_install utility /usr/local/avamar/var/axion_install_DATE_TIME.log

Avamar File System (AvFS) /usr/local/avamar/var/axionfs.log

change-passwords utility /usr/local/avamar/var/change-passwords.log

dpnctl utility /usr/local/avamar/var/log/dpnctl.log

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutil-version.log /usr/local/avamar/var/log/dpnnetutil.log* /usr/local/avamar/var/log/dpnnetutilbgaux.log /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log

permctl utility /usr/local/avamar/var/log/permctl.log

resite utility /usr/local/avamar/var/dpnresite-version.log /usr/local/avamar/var/mcspref.log /usr/local/avamar/var/nataddr.log /usr/local/avamar/var/smtphost.log

timedist utility /usr/local/avamar/var/timedist.log

timesyncmon program /usr/local/avamar/var/timesyncmon.log

Avamar Replicator /usr/local/avamar/var/cron/replicate.log

Avamar license server /usr/local/avamar/var/ascd-PORT.log

Storage server log /data01/cur/err.log /data01/cur/gsan.log

Utility Node

FEATURE/FUNCTION LOCATION

Avamar Administrator server /usr/local/avamar/var/mc/server_log/flush.log /usr/local/avamar/var/mc/server_log/restore.log /usr/local/avamar/var/mc/server_log/mcserver.log.# /usr/local/avamar/var/mc/server_log/mcserver.out /usr/local/avamar/var/mc/server_log/pgsql.log /usr/local/avamar/var/mc/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log /usr/local/avamar/var/mc/server_data/mcs_data_dump.sql

Avamar Enterprise Manager - Tomcat /usr/local/avamar/var/em/webapp_log/admin.DATE.log /usr/local/avamar/var/em/webapp_log/catalina.DATE.log /usr/local/avamar/var/em/webapp_log/catalina.out /usr/local/avamar/var/em/webapp_log/host-manager.DATE.log /usr/local/avamar/var/em/webapp_log/localhost.DATE.log /usr/local/avamar/var/em/webapp_log/manager.DATE.log

Avamar Enterprise Manager - Server /usr/local/avamar/var/em/server_log/flush.log /usr/local/avamar/var/em/server_log/restore.log /usr/local/avamar/var/em/server_log/emserver.log.# /usr/local/avamar/var/em/server_log/emserver.out /usr/local/avamar/var/em/server_log/pgsql.log /usr/local/avamar/var/em/server_data/postgres/data/pg_log/postgresql-DATE_TIME.log /usr/local/avamar/var/em/server_data/ems_data_dump.sql

Maintenance tasks /usr/local/avamar/var/cron/clean_emdb.log /usr/local/avamar/var/cron/dpn_crontab.log /usr/local/avamar/var/cron/cp.log /usr/local/avamar/var/cron/gc.log /usr/local/avamar/var/cron/hfscheck.log /usr/local/avamar/var/cron/ntpd_keepalive_cron.log /usr/local/avamar/var/cron/ntpd_keepalive_cron.log.# /usr/local/avamar/var/cron/suspend.log

avw_install utility /usr/local/avamar/var/avw_cleanup.log /usr/local/avamar/var/avw_install.log /usr/local/avamar/var/avw-time.log /usr/local/avamar/var/log/dpnavwinstall-VERSION.log

axion_install utility /usr/local/avamar/var/axion_install_DATE_TIME.log

Avamar File System (AvFS) /usr/local/avamar/var/axionfs.log

change-passwords utility /usr/local/avamar/var/change-passwords.log


dpnctl utility /usr/local/avamar/var/log/dpnctl.log

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutil-version.log /usr/local/avamar/var/log/dpnnetutil.log* /usr/local/avamar/var/log/dpnnetutilbgaux.log /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log

permctl utility /usr/local/avamar/var/log/permctl.log

timedist utility /usr/local/avamar/var/timedist.log

timesyncmon program /usr/local/avamar/var/timesyncmon.log

Avamar Replicator /usr/local/avamar/var/cron/replicate.log

Avamar license server /usr/local/avamar/var/ascd-PORT.log

Storage Node

FEATURE/FUNCTION LOCATION

Storage server log /data01/cur/err.log /data01/cur/gsan.log

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log /usr/local/avamar/var/log/dpnnetutilbgaux.log

Maintenance tasks /usr/local/avamar/var/ntpd_keepalive_cron.log*

timesyncmon program /usr/local/avamar/var/timesyncmon.log*

Spare Node

FEATURE/FUNCTION LOCATION

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log /usr/local/avamar/var/log/dpnnetutilbgaux.log

Avamar NDMP Accelerator Node

FEATURE/FUNCTION LOCATION

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log /usr/local/avamar/var/log/dpnnetutilbgaux.log

Access Node

FEATURE/FUNCTION LOCATION

dpnnetutil utility /usr/local/avamar/var/log/dpnnetutilbgaux-stdout-stderr.log /usr/local/avamar/var/log/dpnnetutilbgaux.log

Avamar Administrator Client Network Host

FEATURE/FUNCTION LOCATION

Avamar Administrator management console. Windows: C:\Program Files\avs\administrator\var\mc\gui_log\mcclient.log.0 Unix: $HOME/.avamardata/var/mc/gui_log/mcclient.log.0

Avamar Administrator management console command line interface. Unix: $HOME/.avamardata/var/mc/gui_log/mccli.log.0

Backup Client Network Host

FEATURE/FUNCTION LOCATION

Client avagent process (all clients) C:\Program Files\avs\var\avagent.log

Client avtar process (all clients) C:\Program Files\avs\var\{WORKORDER-ID}.alg C:\Program Files\avs\var\{WORKORDER-ID}.log

Avamar Windows Client tray applet C:\Program Files\avs\var\avscc.log

Avamar DB2 Client /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar Exchange Client /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar NDMP Accelerator /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar NetWare Client /usr/local/avamar/var/{WORKORDER-ID}.log


Avamar Oracle Client /usr/local/avamar/var/{WORKORDER-ID}.log

Avamar SQL Server Client /usr/local/avamar/var/{WORKORDER-ID}.log

APPENDIX A — CLIENT-SERVER ENCRYPTION FUNCTIONAL MATRIX

Client-server encryption behavior in any given circumstance is dependent on a number of factors, including Avamar server version, client version, the mcserver.xml encrypt_server_authenticate preference setting and the avtar option used during that activity. The following table documents the various encryption behaviors and strengths that can be expected in various circumstances:

NOTE: avtar --encrypt=ssl will maintain backward compatibility indefinitely by supporting Avamar proprietary encryption.

Columns: AVAMAR SERVER VERSION, AVAMAR ADMINISTRATOR/MCCLI VALUES, MCSERVER.XML ENCRYPT_SERVER_AUTHENTICATE SETTING, CLIENT VERSION, AVTAR SETTING, BEHAVIOR/DESCRIPTION

Avamar server version: Pre-4.1

  Avamar Administrator/MCCLI value: Axion
  ENCRYPT_SERVER_AUTHENTICATE: Not Implemented
  Client version: Pre-4.1 and 4.1 and later
  avtar setting: --encrypt=proprietary
  Behavior: Avamar proprietary encryption.

  Avamar Administrator/MCCLI value: AES-128
  ENCRYPT_SERVER_AUTHENTICATE: Not Implemented
  Client version: Pre-4.1 and 4.1 and later
  avtar setting: --encrypt=ssl
  Behavior: Linux: negotiated to highest available setting. Windows: negotiated algorithm.

Avamar server version: 4.1 and later

  Avamar Administrator/MCCLI value: None, ENCRYPT_SERVER_AUTHENTICATE: FALSE
    Client Pre-4.1, avtar --encrypt=proprietary: Avamar proprietary encryption. NOTE: Older Avamar clients cannot support unencrypted "clear" text.
    Client 4.1 and later, avtar --encrypt=proprietary --encrypt-strength=cleartext: Unencrypted "clear" text.

  Avamar Administrator/MCCLI value: None, ENCRYPT_SERVER_AUTHENTICATE: TRUE
    Client Pre-4.1, Not supported: Error Event - job failed due to options incompatibility.
    Client 4.1 and later, Not supported: Error Event - job failed due to options incompatibility.

  Avamar Administrator/MCCLI value: Medium, ENCRYPT_SERVER_AUTHENTICATE: FALSE
    Client Pre-4.1, avtar --encrypt=ssl: Linux: negotiated to highest available setting. Windows: negotiated to preferred setting.
    Client 4.1 and later, avtar --encrypt=tls --encrypt-strength=medium: Linux: AES-128. Windows: negotiated algorithm, restricted to exactly 128-bit strength.

  Avamar Administrator/MCCLI value: Medium, ENCRYPT_SERVER_AUTHENTICATE: TRUE
    Client Pre-4.1, Not supported: Error Event - job failed due to options incompatibility.
    Client 4.1 and later, avtar --encrypt=tls-sa --encrypt-strength=medium: Linux: AES-128 with server authentication. Windows: negotiated algorithm, restricted to exactly 128-bit strength.

  Avamar Administrator/MCCLI value: High, ENCRYPT_SERVER_AUTHENTICATE: FALSE
    Client Pre-4.1, Not supported: Error Event - job failed due to options incompatibility.
    Client 4.1 and later, avtar --encrypt=tls --encrypt-strength=high: Linux: AES-256. Windows: negotiated algorithm, restricted to exactly 168-bit or higher strength.

  Avamar Administrator/MCCLI value: High, ENCRYPT_SERVER_AUTHENTICATE: TRUE
    Client Pre-4.1, Not supported: Error Event - job failed due to options incompatibility.
    Client 4.1 and later, avtar --encrypt=tls-sa --encrypt-strength=high: Linux: AES-256 with server authentication. Windows: negotiated algorithm, restricted to exactly 168-bit or higher strength.

APPENDIX B — SIGNING AVAMAR ENTERPRISE MANAGER SSL CERTIFICATES

This appendix describes how to use the public and private key pair for the Avamar Enterprise Manager web server and how to get the certificate signed.

Overview

Avamar Enterprise Manager uses HTTP over SSL to communicate with the client browser. This requires an SSL certificate that is used by the Avamar Enterprise Manager web server to prove it is really the server that it says it is. An SSL certificate is created when avsetup_ems runs. The certificate must be signed by a recognized certificate authority (CA); if it is not, the web browser displays an error when loading the Avamar Enterprise Manager web page. Getting a Signed Certificate (page 43) describes how to use the public and private key pair for the Avamar Enterprise Manager web server and how to get the certificate signed. To use a single signed certificate for both the Avamar Enterprise Manager web server and Tomcat, you must also complete additional steps in Tomcat Application Server Certificate (page 45).

NOTE: This appendix applies to all versions of Avamar Enterprise Manager.

Getting a Signed Certificate

The procedure uses the java keytool command, a utility which manages certificate keys. The keytool command is located in the bin directory of the Java install directory (/usr/java/jre1.5.0_12/bin). If this directory is not in your path, you can either add it to the path, or specify the complete path when using keytool.

All keytool commands require a password. The password set by avsetup_ems is changeit. For more information on avsetup_ems refer to the Avamar Technical Addendum.

To get the certificate signed:

1. Log into the root account on a utility node or single-node server.

2. Stop the Avamar Enterprise Manager by entering:
   dpnctl stop ems

3. Change the password for all certificates in the keystore to match the keystore's password. For Tomcat, the passwords of certificates in the keystore must match the password of the keystore itself.

NOTE: It is a good practice to change the keystore password; however, to retain the default password, skip to step 6.

(a) Delete the mcssl certificate from the keystore by entering:
    keytool -delete -alias mcssl

(b) Change the keystore password by entering:
    keytool -storepasswd
    When prompted, enter the old password and then the new password twice.

(c) Export the mcssl certificate to a file by entering the following on a single command line:
    keytool -export -keystore /usr/local/avamar/lib/rmi_ssl_keystore -alias mcssl -file /tmp/mcssl.crt
    The default password for rmi_ssl_keystore is changeme. Use this password if it has not been changed.

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Your command must be entered on a single command line (no line feeds or returns allowed).

(d) Import the file to the root's keystore by entering:
    keytool -import -alias mcssl -file /tmp/mcssl.crt


4. Set the new password by editing /usr/local/jakarta-tomcat-VERSION/conf/server.xml, where VERSION is the version of Tomcat.
   (a) Find the Connector element for port="443".
   (b) Set the keystorePass attribute to the new password.

NOTE: For additional information on this procedure, go to the Apache Tomcat 5.5 Servlet/JSP Container (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html).

5. Set the trust_keystore_ap preference to the new password by editing the Enterprise Manager Server (EMS) preferences file, /usr/local/avamar/var/em/server_data/prefs/emserver.xml.

6. Delete the existing certificate (with alias Tomcat) by entering:
   keytool -delete -alias tomcat

7. Enter the following keytool command:
   keytool -genkey -alias tomcat -keyalg RSA -dname "CN=hostname.domain.com, OU=Organization Name, O=Company Name, L=City Name, ST=CA, C=US"
   Use information specific to your site for CN, OU, O, L, ST and C. When prompted for the key password use the same one you chose for the keystore.

8. Enter the following command to create a Certificate Signing Request (CSR):
   keytool -certreq -alias tomcat
   The command screen displays the CSR. To store the CSR to a user-defined filename (CSRFILENAME), add -file CSRFILENAME to the keytool command.

9. Provide the CSR to a signing authority to generate a signed certificate. Specify the certificate by using the PKCS#7 format.

10. Import the signed certificate into the keystore by entering:
    keytool -import -alias tomcat -file CERTFILENAME
    Where CERTFILENAME is the name of the file you received from the signing authority.

11. Restart the Avamar Enterprise Manager by entering:
    dpnctl ems start

12. Continue with Tomcat Application Server Certificate (page 45) to use the same certificate for both the Tomcat application server and the Avamar Enterprise Manager web server.

Tomcat Application Server Certificate

The Tomcat application server can use the signed certificate you created for the Avamar Enterprise Manager web server. This procedure requires KeyTool IUI, an open source utility. KeyTool IUI requires Java version 6 or later to run.

IMPORTANT: Run the KeyTool IUI from a desktop workstation.

To use the signed certificate:

1. Download the KeyTool IUI from: http://www.icewalkers.com/download/KeyTool-IUI/3073/dls/

2. After installing Java 6, extract the KeyTool IUI tarball or zip file.

3. Follow the instructions in readme_first.txt to run KeyTool IUI.

4. Download the /root/.keystore file from the Avamar utility node to your desktop machine. In the process of downloading, rename the file with a .jks extension (keystore.jks).

5. From KeyTool IUI, select Export > Keystore's entry > Private key in the left pane. The following image shows the KeyStore IUI. The right pane shows the options for the source and target.


6. Configure private key data according to the following table:

FOR THIS OPTION TAKE THIS ACTION

Keystore file Click the folder icon and browse for the saved .jks file in step 3.

Keystore password Click the mask icon and enter the password.

Private key file Select PEM format and enter a filename of your choosing.

Certificates chain file Select PEM format and enter a filename of your choosing.

7. Click OK. The dialog box as shown in the following image appears.

8. Select the tomcat certificate.

9. For Enter respective password, enter the same password as the keystore password.

10. Click OK. A message appears stating that keys were successfully exported. You also have the option of viewing each one.

11. Upload the private key and certificate chain files from your desktop workstation to the Avamar utility node.
    (a) Copy the private key to /etc/httpd/conf/ssl.key/server.key.
    (b) Copy the certificate chain file to /etc/httpd/conf/ssl.crt/server.crt.


12. Ensure these files are owned by root.root with permissions of 600 by entering the following commands, each one on a single command line:
    chown root.root /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt
    chmod 600 /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt

IMPORTANT: Space limitations in this publication caused the previous commands to continue (wrap) to more than one line. Each of your commands must be entered on a single command line (no line feeds or returns allowed).

13. Restart the httpd process by entering: website restart

APPENDIX C — INSTALLING AN SSL CERTIFICATE ON AN AVAMAR SERVER

The following information applies to Apache only and not Tomcat (used in Avamar Enterprise Manager). Currently, the Avamar web restore application uses the certificate that is generated during Avamar software installation. This certificate is self-signed, contains the hostname localhost.localdomain, and expires after one year. Use the gen-ssl-cert utility to create a new self-signed certificate:

User=root

1. Do one of the following:

IF                                  DO THIS
Preparing a single-node server.     Log into the server as root. When prompted for a password, enter the root password and press ENTER.
Preparing a multi-node server.      Log into the utility node as root. When prompted for a password, enter the root password and press ENTER.

2. Enter:
   /usr/local/avamar/bin/gen-ssl-cert
   For more information on the gen-ssl-cert utility, refer to the Avamar Technical Addendum.

APPENDIX D — TRANSPORT LAYER SECURITY CERTIFICATION

This appendix describes how to implement client/server authentication using Transport Layer Security (TLS) certificates.

Overview

This appendix lists the individual tasks for implementing TLS server and client authentication. It also explains how to apply encryption constraints to TLS.

Important Terms and Concepts

Become familiar with the following terms and concepts before performing any of the procedures in this appendix.

Transport Layer Security and Secure Sockets Layer. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for activities such as web browsing, email, Internet faxing, instant messaging and other data transfers. Although essentially the same, there are minor differences between SSL and TLS.

X.509 v3. A standard for formatting digital certificates that can be used to authenticate identities of computers, applications, people and so forth.

Root Certificate. In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate. A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a CA.

Self-Signing Certificates

If you self-sign your server and client certificates (that is, you do not intend to use a commercial CA such as Verisign), you must first create your own root certificate and key (page 57), then sign them using the self-signing procedure in this appendix (page 59). If you use a commercial CA to sign your server certificates, the CA signs your certificates and returns them to you.

Root Certificates

Root certificates can be used with Windows and other operating systems. All other certificates can be signed by this root certificate. If you are not a commercial certificate authority, some software might not accept your certificates. However, you can configure stunnel nodes to use the CA certificate and load it into the Local Computer Certificate Store on your Windows clients. Your certificates are then accepted in the same way as commercially purchased ones.

When creating and signing certificates, EMC recommends:

• Properly secure the private key associated with the root certificate.
• In a high-risk environment, use an air-gapped network for signing operations and for creating keys, CSRs and other security-related artifacts. (An air-gapped network is completely physically, electrically and electromagnetically isolated.)
• Use a hardware random-number generator (RNG) to efficiently and quickly generate random numbers with adequate characteristics for cryptographic use.
• For maximum security, use the OpenBSD operating system as the host for the OpenSSL key and certificate utilities.

Implementing TLS Authentication

This section explains how to implement TLS server and client authentication.

Implement TLS Server Authentication

To properly implement Avamar server authentication, the CSR must contain the Avamar server node's IP address in the Alternative Subject Name field (the subjectAltName extension). If nodes use multiple IP addresses (multihomed servers, servers behind network address translation (NAT), and so forth), ensure that each IP address is added to the Alternative Subject Name field. If the req command is used to generate the CSR, see the openssl.cnf example under Generate a Signed x509 Certificate (page 60). This example contains the [alt_names] section, which includes the server node IP addresses.


To implement server authentication using TLS:

1. Generate a unique server authentication certificate for each Avamar server node by performing Generate an Avamar Server Node Authentication Certificate and CSR (page 53) once for each Avamar server node.

IMPORTANT: Ensure that the CSR that you create contains the Avamar server node's IP address in the Alternative Subject Name field.

2. Do one of the following:

IF: You are using a commercial CA, such as Verisign, to sign your server certificates.
DO THIS: Submit your CSRs to your commercial CA.

IF: You are self-signing your server certificates with your own root certificate and key.
DO THIS:
   1. Ensure that the root certificate and key have been generated (page 57).
   2. Self-sign your server certificates with your own root certificate and key by performing Generating Self-Signed x509 Certificates (page 59) once for each server certificate.

3. Install the signed server certificates on all Avamar server nodes.
4. Configure stunnel on all Avamar server nodes to use your server certificate.
5. Restart stunnel on all the Avamar server nodes.
6. Restart the ascd service, if necessary.
7. Include the encrypt=sslverify option for all future client communications.

Implement TLS Client Authentication

IMPORTANT: Ensure that TLS authentication has been properly implemented on your Avamar server (page 50) before proceeding any further with these client tasks.


To implement client authentication using TLS:

1. Generate a single generic client certificate for use on all clients by performing Generate an Avamar Client Authentication Certificate and CSR (page 55).

2. Do one of the following:

IF: You are using a commercial CA, such as Verisign, to sign your client certificate.
DO THIS: Submit your CSR to your commercial CA.

IF: You are self-signing your client certificate with your own root certificate and key.
DO THIS:
   1. Ensure that the root certificate and key have been created (page 57).
   2. Self-sign your client certificate with your own root certificate and key by performing Generating Self-Signed x509 Certificates (page 59).

3. Install the client certificate as a Trusted Authority in the client Local Computer Certificate Store by performing Installing a Client Authentication Certificate (page 62).
4. If you are using a self-signed client certificate, perform Installing a Trusted Root Certificate (page 63) on each client.
5. Configure stunnel on all Avamar server nodes to enforce a requirement for client certificates.
6. Restart stunnel on all the Avamar server nodes.
7. Restart the ascd service, if necessary.

Requesting TLS Encryption

Requests for 256-bit or 128-bit encryption strength and SHA digests in Avamar releases before 4.1 were notated by option flags. The following list contains examples of option flags for encryption.

• ssl:AES256-SHA
• ssl:AES128-SHA
• sslverify:AES256-SHA
• sslverify:AES128-SHA

Avamar supports other types of encryption besides the ones listed. Avamar 4.1 and later deprecates this notation for option flags. Deprecated versions of option flags that still exist for clients running Avamar 4.1 or later are ignored.

Avamar 4.1 and later replace the colon-separated option flags with an option flag pair: encrypt and encrypt-strength. The encrypt-strength option takes one of three values: None, Medium or High. Each encrypt-strength option value has a corresponding cipher:

OPTION VALUE   CIPHER
None           Cleartext (no cipher)
Medium         128-bit strength
High           168-bit strength or higher on Windows; 256-bit strength on Linux

A pre-4.1 option flag such as ssl:AES256-SHA translates into an encrypt and encrypt-strength option flag pair for Avamar 4.1 and later. For example, if server authentication is not requested, the option flag pair for ssl:AES256-SHA is specified as follows:

--encrypt=tls --encrypt-strength=high

If server authentication is requested, the option flag pair for ssl:AES256-SHA is specified as follows:

--encrypt=tls-sa --encrypt-strength=high

Refer to Appendix A — Client-Server Encryption Functional Matrix (page 39) for more information.

Generating Authentication Certificates and CSRs

This section explains how to generate authentication certificates and CSRs for the Avamar server and client nodes.

NOTE: The following procedures use "Example, Inc. (example)," "example.com," "Dept 55," "avamar-1," and "192.0.2.4" as an example company name, Internet domain, department name, Avamar server name and IP address, respectively. Use your actual information instead.

The following procedures create RSA public/private key pairs and CSRs.

Generate an Avamar Server Node Authentication Certificate and CSR

IMPORTANT: Generate a unique certificate for each Avamar server node and repeat this procedure on every Avamar server node.


To generate a request for a new Avamar server node authentication certificate with a new key:

1. Open a command shell and enter the following on a single command line:

openssl req -new -newkey rsa:1024 -keyform PEM -keyout avamar-1key.pem -nodes -outform PEM -out avamar-1req.pem

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Enter the command on a single line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++++++
...++++++
writing new private key to 'avamar-1key.pem'
-----

2. When prompted, enter the following information and press ENTER after each entry:

NAME FIELD DESCRIPTION

Distinguished Name (DN) Unique name for this particular server node. For example: avamar-1.node-1

Country Name The two-letter ISO abbreviation for your country. For example: US

State or Province Name The state or province where your organization is located. For example: California IMPORTANT: This entry cannot be abbreviated.

Locality Name City where your organization is located. For example: Los Angeles

Organization Name The exact legal name of your company. For example: Example, Inc. IMPORTANT: This entry cannot be abbreviated.

Organizational Unit Name Optional entry for additional organization information. For example: Dept. 55


Common Name Because this is your root certificate, name it something meaningful. For example: example.com Certificate Authority

Email Address Primary email address for this server. For example: [email protected]

The information you enter is incorporated into your certificate request.

TIP: Entering a period (.) and pressing ENTER leaves that entry blank.

The output from avamar-1req.pem is similar to the following:

-----BEGIN CERTIFICATE REQUEST-----
ABCDEF......
XYZ=
-----END CERTIFICATE REQUEST-----

avamar-1key.pem content is similar to this:

-----BEGIN RSA PRIVATE KEY-----
ABCDEF......
XYZ=
-----END RSA PRIVATE KEY-----

3. Repeat steps 1 and 2 for every Avamar server node.

Generate an Avamar Client Authentication Certificate and CSR

To generate a request for a new Avamar client authentication certificate with a new key:

1. Open a command shell and enter the following on a single command line:

openssl req -new -newkey rsa:1024 -keyform PEM -keyout avamarclientkey.pem -nodes -outform PEM -out avamarclientreq.pem

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Enter the command on a single line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.++++++
...++++++
writing new private key to 'avamarclientkey.pem'
-----


2. When prompted, enter the following information and press ENTER after each entry:

NAME FIELD DESCRIPTION

Country Name The two-letter ISO abbreviation for your country. For example: US

State or Province Name The state or province where your organization is located. For example: California IMPORTANT: This entry cannot be abbreviated.

Locality Name City where your organization is located. For example: Los Angeles

Organization Name The exact legal name of your company. For example: Example, Inc. IMPORTANT: This entry cannot be abbreviated.

Organizational Unit Name Optional entry for additional organization information. For example: Dept. 55

Common Name Because this certificate will be used by every Avamar client, name it something meaningful. For example: Generic Avamar Backup Client

Email Address Contact email address for all CA-related issues. For example: [email protected]

Challenge Password Enter a password that all users of this certificate must know and enter in order to be authenticated.

Optional Company Name Optional entry.

The information you enter is incorporated into your certificate request.

TIP: Entering a period (.) and pressing ENTER leaves that entry blank.

The output from avamarclientreq.pem is similar to the following:

-----BEGIN CERTIFICATE REQUEST-----
ABCDEF ..XYZ=
-----END CERTIFICATE REQUEST-----


The avamarclientkey.pem content looks similar to this:

-----BEGIN RSA PRIVATE KEY-----
ABCDEF ..XYZ=
-----END RSA PRIVATE KEY-----

Generating a Root Certificate and Key

NOTE: Skip this section if you are using a commercial CA, such as Verisign to sign your server certificates.

This topic explains how to create a root certificate and key by using OpenSSL tools. The recommended method is to use CA.pl, a Perl script "wrapper" for OpenSSL commands. As an alternative, you can use the openssl req command. The following web sites provide more information for CA.pl and openssl req, respectively:

• www.openssl.org/docs/apps/CA.pl.html
• www.openssl.org/docs/apps/req.html

Download and Install OpenSSL and CA.pl

Download and install OpenSSL and a Perl interpreter on the system that generates the certificate. For optimal results, download and install CA.pl.

NOTE: OpenSSL and Perl interpreters are available for Linux, Windows, OpenBSD and other operating systems.

Create a Root Certificate and Key

Use one of the following procedures to create a root certificate and key.

• Using CA.pl to Create a Root Certificate and Key (page 58)
• Using openssl req to Create a Root Certificate and Key (page 59)

The following procedures create two files: exampleca.pem and examplekey.pem.

• Provide the exampleca.pem file to others for importation into their certificate stores and browsers.
• Use examplekey.pem, which is secured in a private directory, for signing operations.


Using CA.pl to Create a Root Certificate and Key

NOTE: This procedure uses “Example, Inc. (example)” and “example.com” as an example company name and Internet domain, respectively. Use your actual company name instead.

The following procedure prompts you for various information including a password. When prompted for a password, specify a secure password.

1. Open a command shell.
2. From the openssl directory, enter:

CA.pl -newca

NOTE: This command creates all relevant files and directories in ./demoCA.

TIP: Press ENTER to show CA details. You are prompted for this information later on.

3. When prompted for a password, enter a secure password.
4. When prompted for a filename, enter the filename of the CA certificates (which should also contain the private key).
5. When prompted, enter the following information and press ENTER after each entry:

NAME FIELD DESCRIPTION

Country Name The two-letter ISO abbreviation for your country. For example: US

State or Province Name The state or province where your organization is located. For example: California IMPORTANT: This entry cannot be abbreviated.

Locality Name City where your organization is located. For example: Los Angeles

Organization Name The exact legal name of your company. For example: Example, Inc. IMPORTANT: This entry cannot be abbreviated.


Organizational Unit Name Optional entry for additional organization information. For example: Dept. 55

Common Name Because this is your root certificate, name it something meaningful. For example: example.com Certificate Authority

Email Address Contact email address for all CA-related issues. For example: [email protected]

TIP: Entering a period (.) and pressing ENTER leaves that entry blank.

6. Back up exampleca.pem and examplekey.pem.

Using openssl req to Create a Root Certificate and Key

1. Open a command shell and enter:

openssl req -new -x509 -newkey rsa:1024 -keyform PEM -keyout private/examplekey.pem -extensions v3_ca -outform PEM -out exampleca.pem -days 3650

Where the -days 3650 option certifies the certificate for 3650 days (10 years). You can set the -days option to any period of time for your specific site requirements.

IMPORTANT: Space limitations in this publication caused the previous command example to continue (wrap) to more than one line. Enter the command on a single line (no line feeds or returns allowed).

2. Back up exampleca.pem and examplekey.pem.

Generating Self-Signed x509 Certificates

NOTE: Skip this section if you are using a commercial CA, such as Verisign to sign your server certificates.

This section explains how to self-sign certificates.

Prerequisite

Before you can self-sign certificates, you must:

1. Generate a root certificate and key as described in Generating a Root Certificate and Key (page 57).
2. Establish your authority to self-sign certificates by installing the root certificate (as a Trusted Authority) in the client's Local Computer Certificate Store.

Generate a Signed x509 Certificate

This procedure assumes the following:

• CA certificate is in exampleca.pem.
• Key for CA certificate is in examplekey.pem.
• example.srl serial number seed file does not already exist.
• The following entries have been appended to the end of the openssl.cnf file that ships with OpenSSL:

[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
nsComment = "OpenSSL-generated server certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_names
[alt_names]
IP.0 = 192.0.2.4
# additional ip might be useful for server behind nat or multi-homed
#IP.1 = 1.2.3.4
DNS.0 = avamar-1.example.com
#additional hostname might be useful for server behind nat or multihomed
#DNS.1 = natavds.example.com

Note the customized hostname and IP address in the [alt_names] section referenced by the subjectAltName line.

To generate a signed x509 certificate:

1. Enter the following command on a single line:

openssl x509 -CA exampleca.pem -CAkey examplekey.pem -req -in avamar-1req.pem -extensions server_ext -extfile openssl.cnf -outform PEM -out avamar-1cert.pem -days 365 -CAserial example.srl -CAcreateserial

IMPORTANT: Space limitations in this publication caused the previous command example to continue (wrap) to more than one line. Enter the command on a single command line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=Example, Inc./OU=Dept55/CN=avamar-1.example.com/[email protected]
Getting CA Private Key
Enter pass phrase for examplekey.pem:

2. Enter the passphrase for this key and press ENTER. The content of the signed certificate looks similar to the following output:

-----BEGIN CERTIFICATE-----
ABCDEF......
XYZ=
-----END CERTIFICATE-----

3. Display the certificate content in text by entering:

openssl x509 -in avamar-1cert.pem -noout -text

The following information appears in your command shell:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            9f:3a:d1:2d:93:2d:3d:92
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, O=Example, Inc., OU=Dept55, CN=example.com Certificate Authority/emailAddress=avamar-1.example.com
        Validity
            Not Before: May 16 20:21:12 2008 GMT
            Not After : May 16 20:21:12 2009 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=Example, Inc., OU=Dept55, CN=avamar-1.example.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c2:e2:f9:b8:77:9a:06:fe:6d:1d:c8:9d:04:3a:
                    7d:75:aa:1e:8d:4a:57:34:f7:a6:4e:30:73:80:ca:
                    c0:38:be:e9:e5:04:1b:05:42:79:b1:07:40:59:b7:
                    3f:7f:79:21:2d:95:74:96:6f:25:ce:16:b8:ae:72:
                    b1:b4:76:e7:fd:45:28:87:50:fd:76:b2:fe:c3:c2:
                    cd:20:ee:54:40:2a:56:55:ca:d4:f4:df:ae:29:6b:
                    4b:84:18:98:b7:ff:be:04:4e:bf:b5:9a:a7:39:ba:
                    2e:87:3e:ea:d0:ae:8a:ec:d4:6a:7c:f3:cb:79:0b:
                    b9:a9:83:28:67:80:e2:e1:dd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            Netscape Cert Type:
                SSL Client
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            Netscape Comment:
                OpenSSL-generated server certificate
            X509v3 Subject Key Identifier:
                A5:29:93:8E:98:E1:FB:4E:7A:2A:5A:A0:AB:76:A6:C5:18:F1:78:0A
            X509v3 Authority Key Identifier:
                keyid:DA:27:CF:99:D1:EB:C2:2C:93:50:9D:09:B7:20:E0:31:7E:D6:84:09
                DirName:/C=US/ST=California/O=example.com/OU=Dept55/CN=example.com Certificate Authority/[email protected]
                serial:DA:2D:59:E2:4F:E2:91:F8
    Signature Algorithm: sha1WithRSAEncryption
        9e:10:07:a7:1a:e8:7e:5c:b1:87:0d:81:5a:70:49:2c:86:e6:
        4c:36:93:31:4e:bf:f6:bf:de:02:52:66:25:c0:67:e9:a5:dc:
        5d:bf:9c:10:b6:77:c4:ce:a8:18:8d:6f:1d:e2:32:e5:01:56:
        20:86:f8:c3:9d:01:e6:dc:f4:0d:56:fc:22:dc:f7:be:64:42:
        cf:1e:ca:cb:7d:18:7b:8e:c0:ca:64:33:a1:aa:e5:1a:b6:1b:
        9f:f0:c8:19:55:c4:88:c1:77:bb:16:da:58:63:22:7d:ba:ff:
        9e:bc:c8:11:3f:37:cb:5e:a9:8d:dd:3b:f3:e6:cd:56:2f:2a:
        47:e9 f3:f8

4. Combine the key and signed certificate into a PKCS #12 format file suitable for importing into a Microsoft Certificate Store by entering:

openssl pkcs12 -in avamarclientcert.pem -inkey avamarclientkey.pem -export -out avamarclientcert.p12 -name "Avamar Trusted Client"

IMPORTANT: Space limitations in this publication caused the previous command to continue (wrap) to more than one line. Enter the command on a single command line (no line feeds or returns allowed).

The following information appears in your command shell:

Loading 'screen' into random state - done
Enter Export Password: mypassword
Verifying - Enter Export Password: mypassword
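The procedures in this appendix are interactive, and the reader is left to confirm by eye that the signed certificate actually has the properties that Implement TLS Server Authentication (page 50) requires before stunnel presents it to clients. The script below is an added example; it is not part of the EMC manual and does not ship with Avamar. It runs the same flow non-interactively with OpenSSL: it creates a root certificate and key, generates a server node key and CSR, signs the CSR with a server_ext section equivalent to the one shown under Generate a Signed x509 Certificate, and then checks the result for the node IP address in subjectAltName, a serverAuth extended key usage, CA:FALSE, a chain that verifies to the root, and a private key that matches the certificate. A certificate whose extended key usage came out as client authentication, as in the sample -text output above, fails the check. It assumes openssl is on PATH; every file name, the 192.0.2.4 address and the subject fields are constructed for the example, 2048-bit keys are used instead of the manual's 1024-bit, and the obsolete nsCertType/nsComment lines are omitted.

```shell
#!/bin/sh
# Added example (not from the Avamar manual): build a throwaway root CA, issue a
# server node certificate with the node IP in subjectAltName, and run the checks a
# reviewer would make before loading the certificate into stunnel.
# Assumptions: openssl on PATH; all file names, 192.0.2.4 and subject fields are
# constructed for this example; work happens in a temporary directory.
set -e

# Minimal OpenSSL config: a v3_ca section for the root and the manual's
# server_ext/alt_names sections. Edit alt_names to list every address a node answers on.
write_config() {   # $1 = config file to write
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
subjectAltName = @alt_names
[ alt_names ]
IP.0 = 192.0.2.4
DNS.0 = avamar-1.example.com
EOF
}

# Root CA: self-signed, 10 years, as in the manual's "openssl req" variant.
make_root_ca() {   # $1 = work dir
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$1/examplekey.pem" \
        -out "$1/exampleca.pem" -days 3650 \
        -subj "/C=US/ST=California/O=Example, Inc./CN=example.com Certificate Authority" \
        2>/dev/null
}

# Server node key + CSR, then sign the CSR with the root using server_ext.
make_server_cert() {   # $1 = work dir
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/avamar-1key.pem" -out "$1/avamar-1req.pem" \
        -subj "/C=US/ST=California/O=Example, Inc./CN=avamar-1.example.com" 2>/dev/null
    openssl x509 -req -in "$1/avamar-1req.pem" \
        -CA "$1/exampleca.pem" -CAkey "$1/examplekey.pem" \
        -CAserial "$1/example.srl" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions server_ext \
        -days 365 -out "$1/avamar-1cert.pem" 2>/dev/null
}

# Returns 0 only if: the cert chains to the CA, the key belongs to the cert, the
# expected IP is in subjectAltName, the EKU is serverAuth, and it is not a CA cert.
check_server_cert() {   # $1 = CA cert, $2 = cert, $3 = key, $4 = expected IP
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    certpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] || return 1
    text=$(openssl x509 -in "$2" -noout -text)
    printf '%s\n' "$text" | grep -Eq "IP Address:$4(,|[[:space:]]|$)" || return 1
    printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || return 1
    printf '%s\n' "$text" | grep -q "CA:FALSE"
}

# End-to-end: returns 0 when a freshly issued certificate passes every check.
run_demo() {
    dir=$(mktemp -d)
    write_config "$dir/openssl.cnf"
    make_root_ca "$dir"
    make_server_cert "$dir"
    if check_server_cert "$dir/exampleca.pem" "$dir/avamar-1cert.pem" \
            "$dir/avamar-1key.pem" 192.0.2.4; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

run_demo && echo "avamar-1cert.pem passed all server-certificate checks"
```

The verification step is the part worth keeping in a real deployment: run check_server_cert against each node's certificate, key and the root you distribute in chain.pem, with the IP address that clients actually connect to, before restarting stunnel.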

Installing a Client Authentication Certificate

The following procedure explains how to import a certificate (in PKCS #12 format) into each client's Microsoft Windows certificate store.

1. Log into the Windows client computer by using an account with local administrator privileges.
2. Open the Microsoft Management Console:
   (a) Choose Start > Run. The Run dialog box appears.
   (b) Enter mmc and press ENTER. The Microsoft Management Console appears.
3. Press CTRL+M. The Add/Remove Snap-In dialog box appears.
4. Press ALT+D. If installing on Windows Vista, do the following:
   (a) Click Add.
   (b) Select Computer Account and press ENTER twice.
   (c) Click OK.
   The Add Standalone Snap-in dialog box appears.
5. From the Add Standalone Snap-in dialog box:
   (a) Choose Certificates from the list and click Add.


   The Certificates Snap-in dialog box appears.
   (b) Set Computer Account.
   (c) Press ENTER twice. The Certificates Snap-in dialog box closes, and the Snap-in for Certificates/Computer Account/Local Computer is added.
   (d) Press ESC, then ENTER. The Certificates (Local Computer) Management console is visible in the tree.
6. Expand the tree, then select Certificates (Local Computer) > Personal > Certificates.
7. Click the right mouse button menu and choose All tasks > Import... The Certificate Import Wizard appears.
8. Click Next, and then click Browse.
9. Navigate to the location of the file holding your Client authentication certificate and click Open.

Installing a Trusted Root Certificate

This section explains how to install a trusted root certificate, which enables Windows Avamar backup clients to authenticate server nodes.

1. Log into the Windows client computer by using an account with local administrator privileges.
2. Open the Microsoft Management Console:
   (a) Choose Start > Run. The Run dialog box appears.
   (b) Enter mmc and press ENTER. The Microsoft Management Console appears.
3. Press CTRL+M. The Add/Remove Snap-In dialog box appears.
4. Press ALT+D. If installing on Windows Vista, do the following:
   (a) Click Add.
   (b) Select Computer Account and press ENTER twice.
   (c) Click OK.
   The Add Standalone Snap-in dialog box appears.
5. From the Add Standalone Snap-in dialog box:
   (a) Choose Certificates from the list and click Add. The Certificates Snap-in dialog box appears.
   (b) Set Computer Account.


   (c) Press ENTER twice. The Certificates Snap-in dialog box closes, and the Snap-in for Certificates/Computer Account/Local Computer is added.
   (d) Press ESC, then ENTER. The Certificates (Local Computer) Management console is visible in the tree.
6. Expand the tree, then select Certificates (Local Computer) > Personal > Certificates.
7. Click the right mouse button menu and choose All tasks > Import... The Certificate Import Wizard appears.
8. Click Next, and then click Browse.
9. Navigate to the location of the file holding your Client authentication certificate and click Open.

APPENDIX E — CONFIGURING AVAMAR AUTHENTICATION AND ENCRYPTION ON UNIX

This appendix describes how to configure server and client authentication for Avamar AIX, FreeBSD, HP-UX, Linux and Solaris backup clients. Avamar clients and servers use X.509 certificates for authentication. Typically, one-way authentication provides sufficiently strong security. The Avamar client requests authentication from the Avamar server, and the server sends the appropriate certificate to the client. The client then validates the certificate. Refer to Configuring Encryption and Server to Client Authentication (page 66) to set up one-way authentication. For stronger security, Avamar clients and servers can use two-way authentication. To set up two-way authentication first complete the instructions in Configuring Encryption and Server to Client Authentication (page 66), and then complete Configuring Client to Server Authentication (page 67). In both configurations, all network data can be encrypted.

Configuring Encryption and Server to Client Authentication

The Avamar server uses stunnel for authentication and TLS encryption. This section describes how to set up one-way authentication and data encryption. The tasks include:

• Obtaining a unique server certificate and private key pair.
• Installing the unique server certificate and private key pair on the utility node and data nodes.
• Configuring stunnel to load the certificate and keys.
• Configuring the Avamar client to accept the certificate when authentication or encryption is requested.

Configure the Avamar Server

Perform the following steps on the utility node and data nodes:

1. Generate a unique private key and obtain a TLS server certificate by using one of the methods described in Appendix D — Transport Layer Security Certification (page 49).
2. On the utility node, open the stunnel.conf file in a Unix editor (vi or emacs) and add the following lines:

cert = /usr/local/avamar/etc/stunnel/servercert.pem
key = /usr/local/avamar/etc/stunnel/serverkey.pem

3. Save stunnel.conf and exit the editor.
4. Restart stunnel on the utility node by entering:

stunctl restart

NOTE: The stunctl program must be run as user admin.

The stunctl program propagates the changes made to stunnel.conf on all data nodes and restarts stunnel on all the data nodes.

Configure the Management Console Server

Configure the Management Console Server (MCS):

1. Set the encrypt_server_authenticate value in the /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml file by entering:

encrypt_server_authenticate=true

2. Restart the MCS by entering:

dpnctl stop mcs
dpnctl start

Configure the Avamar Client

Configure the Avamar client to accept server certificates:

1. Append the certificate (from the server's certificate signer) to the chain.pem file on the Avamar client.

NOTE: The chain.pem file is located in SYSDIR (/usr/local/avamar/etc) on the Avamar client.

2. If chain.pem does not exist, copy the certificate (from the server’s certificate signer) to chain.pem. Otherwise, skip this step.

Configuring Client to Server Authentication

This section describes how to set up client to server authentication. Complete this section after completing Configuring Encryption and Server to Client Authentication (page 66) to configure two-way authentication for Avamar.

Configure the Avamar Client

1. Generate a unique private key (key.pem) and obtain a TLS client certificate (cert.pem) by using one of the methods in Appendix D — Transport Layer Security Certification (page 49).
2. Copy key.pem and cert.pem to SYSDIR (/usr/local/avamar/etc) on the Avamar client.

Configure the Avamar Server

IMPORTANT: The following procedure requires you to restart stunnel. If restarting stunnel is not feasible, use the CApath option instead of CAfile in step 3 and skip step 5. For more information on stunnel options, see the stunnel man page.

1. Append the certificate (from the server's certificate signer) to the chain.pem file located in SYSDIR/stunnel.
2. If chain.pem does not exist, copy the certificate (from the server's certificate signer) to chain.pem. Otherwise, continue to step 3.
3. On the utility node, open the stunnel.conf file in a Unix editor (vi or emacs) and add the following lines:

CAfile=/usr/local/avamar/etc/stunnel/chain.pem
verify=2

The verify=2 option forces stunnel to authenticate clients.


4. Save stunnel.conf and exit the editor.
5. Log in as admin and restart stunnel on the utility node by entering:

stunctl restart
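Both the server-to-client procedure (page 66) and the client-to-server procedure above end with the same two hand-edited artifacts: a chain.pem that the signer's certificate is appended to, and a stunnel.conf that names cert, key and, for client authentication, CAfile and verify=2. The helpers below are an added example, not part of the EMC manual or of Avamar. add_to_chain performs the "append, or copy if chain.pem does not exist" step so that running it twice does not leave a duplicate certificate, and check_stunnel_conf audits a stunnel.conf for what a reviewer looks for: cert or key files that are missing or do not belong together, and a CAfile that is loaded without verify = 2 (the CA list is read but client certificates are never enforced). It assumes openssl is on PATH; every path and the sample configurations are constructed for the example, and the certificates it uses are self-signed test certificates created inline.

```shell
#!/bin/sh
# Added example, not part of the EMC manual: helpers for the chain.pem and
# stunnel.conf steps in this appendix. Assumes openssl on PATH; all paths and
# the sample configurations below are constructed for this example.
set -e

# SHA-256 fingerprint of the (first) certificate in a PEM file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# $1 = signer certificate, $2 = chain.pem. Returns 0 if added or already present.
add_to_chain() {
    if [ ! -f "$2" ]; then
        cp "$1" "$2"          # the manual's "copy if chain.pem does not exist" case
        return 0
    fi
    want=$(fingerprint "$1")
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate and compare fingerprints.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n > 0 { print > (dir "/" n ".pem") }' "$2"
    for f in "$tmp"/*.pem; do
        if [ "$(fingerprint "$f")" = "$want" ]; then
            rm -rf "$tmp"
            return 0          # already in chain.pem, do not duplicate
        fi
    done
    rm -rf "$tmp"
    cat "$1" >> "$2"
}

# Read one option from stunnel.conf ("name = value" or "name=value"; first match wins).
conf_get() {   # $1 = conf file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Returns 0 if the configuration is consistent; otherwise prints why and returns 1.
check_stunnel_conf() {   # $1 = stunnel.conf
    cert=$(conf_get "$1" cert)
    key=$(conf_get "$1" key)
    cafile=$(conf_get "$1" CAfile)
    verify=$(conf_get "$1" verify)
    [ -n "$cert" ] && [ -f "$cert" ] || { echo "cert file missing: '$cert'"; return 1; }
    [ -n "$key" ] && [ -f "$key" ] || { echo "key file missing: '$key'"; return 1; }
    # The private key must belong to the certificate stunnel will present.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "cert and key do not match"; return 1; }
    if [ -n "$cafile" ]; then
        [ -f "$cafile" ] || { echo "CAfile missing: '$cafile'"; return 1; }
        # Without verify = 2 the CA list is loaded but client certificates are not required.
        [ "$verify" = 2 ] || { echo "CAfile set but verify='$verify' (need 2)"; return 1; }
    fi
    echo ok
}

# Constructed self-signed test certificate and key ($1.pem, $1-key.pem).
make_self_signed() {   # $1 = path prefix, $2 = common name
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1.cnf"
    openssl req -new -x509 -config "$1.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1-key.pem" -out "$1.pem" -days 30 -subj "/CN=$2" 2>/dev/null
}

# Demo: build chain.pem from a signer (twice, to show the duplicate is skipped),
# then audit a weak and a corrected stunnel.conf. Returns 0 when the weak one is
# rejected and the corrected one passes.
run_demo() {
    d=$(mktemp -d)
    make_self_signed "$d/signer" "Example CA"
    make_self_signed "$d/server" "avamar-1.example.com"
    add_to_chain "$d/signer.pem" "$d/chain.pem"
    add_to_chain "$d/signer.pem" "$d/chain.pem"
    printf 'cert = %s\nkey = %s\nCAfile = %s\n' \
        "$d/server.pem" "$d/server-key.pem" "$d/chain.pem" > "$d/weak.conf"
    printf 'cert = %s\nkey = %s\nCAfile = %s\nverify = 2\n' \
        "$d/server.pem" "$d/server-key.pem" "$d/chain.pem" > "$d/fixed.conf"
    ok=1
    if check_stunnel_conf "$d/weak.conf" >/dev/null; then ok=0; fi
    check_stunnel_conf "$d/fixed.conf" >/dev/null || ok=0
    [ "$(grep -c 'BEGIN CERTIFICATE' "$d/chain.pem")" -eq 1 ] || ok=0
    rm -rf "$d"
    [ "$ok" -eq 1 ]
}

run_demo && echo "stunnel.conf audit demo passed"
```

On a real utility node, point check_stunnel_conf at the stunnel.conf you edited and run it before stunctl restart; stunctl propagates the file to every data node, so a mismatch or a missing verify=2 would otherwise be copied to all of them.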

Verifying Avamar Authentication

To verify authentication, run a test backup. Use either the avtar command from the command line or the Avamar Administrator.

Using the avtar command

To use the avtar command with an encryption option:

• For Avamar clients running 4.1 or later, use the --encrypt=tls-sa option.
• For Avamar clients running 4.0 or before, use the --encrypt=sslverify option.

The --encrypt=tls-sa and --encrypt=sslverify options verify the identity of the Avamar server to the Avamar client. For more information about the avtar command, refer to the Avamar Technical Addendum.

Using the Avamar Administrator

To use the Avamar Administrator 4.1 or later:

1. Ensure that the MCS is configured to enable server to client authentication as described in Configure the Management Console Server (page 66).
2. Select medium or high from the Encryption method list.

NOTE: The Encryption method list appears on both the On Demand Backup Options dialog box and the Restore Options dialog box.

For more information about the Avamar Administrator, refer to the Avamar System Administration Manual.

NOTE: If you block non-TLS (port 27000) traffic to Avamar with a firewall, only authenticated clients can connect to the server. To connect to the server, Avamar 4.1 clients must use the --encrypt=tls option and clients running an earlier release must use the --encrypt=ssl option. All clients must also use properly signed certificates to authenticate themselves to the server.
