
How to generate a self-signed certificate in ZMC

This article is for Amanda Enterprise (AE) and ZRM for MySQL (ZRM)

Info Type: Tip

Info Description:

  • Move any existing keys:
# mkdir /root/ZMC_old_certs
# mv /opt/zmanda/amanda/apache2/conf/certs/* /root/ZMC_old_certs
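  • Create a public/private key pair by entering the commands shown below. The last argument is the key size in bits; the example uses 1024, and a larger value such as 2048 can be given instead. Enter a secure passphrase (at least 8 characters, alphanumeric) when prompted. You must enter the same passphrase twice for verification: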
# cd /opt/zmanda/amanda/apache2/conf/certs
# /opt/zmanda/amanda/common/bin/openssl genrsa -des3 -out ZMC-server.key 1024
Generating RSA private key, 1024 bit long modulus
................++++++
. .......................................................++++++
e is 65537 (0x10001)
Enter pass phrase for ZMC-server.key:
Verifying - Enter pass phrase for ZMC-server.key:
  • Create a certificate signing request. Answer any prompts as they are displayed.
# /opt/zmanda/amanda/common/bin/openssl req -new -key ZMC-server.key -out ZMC-server.csr
Enter pass phrase for ZMC-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CA
State or Province Name (full name) [Berkshire]:Sunnyvale
Locality Name (eg, city) [Newbury]:Sunnyvale
Organization Name (eg, company) [My Company Ltd]:Zmanda.Inc
Organizational Unit Name (eg, section) []:support
Common Name (eg, your name or your server's hostname) []:ZMC
Email Address []:support@zmanda.com
Please enter the following 'extra' attributes
To be sent with your certificate request
A challenge password []:zmanda
An optional company name []:zmanda
  • Generate a self-signed certificate. When prompted for a passphrase, enter the passphrase that you entered during key creation. The example shows creating a certificate that lasts for five years (1825 days); you can enter a different value if desired.
# /opt/zmanda/amanda/common/bin/openssl x509 -req -days 1825 -in ZMC-server.csr -signkey ZMC-server.key -out ZMC-server.crt
Signature ok
subject=/C=CA/ST=Sunnyvale/L=Sunnyvale/O=Zmanda.Inc/OU=support/CN=ZMC/emailAddress=support@zmanda.com
Getting Private key
Enter pass phrase for ZMC-server.key:
  • Remove the passphrase from the private key to avoid being prompted for it and to allow for integration with ZMC. When prompted for a passphrase, enter the passphrase that you entered during key creation. The example shows removing the passphrase from the previously created key, keeping the passphrase-protected copy as ZMC-server.key.has-passphrase.
# mv ZMC-server.key ZMC-server.key.has-passphrase

# /opt/zmanda/amanda/common/bin/openssl rsa -in ZMC-server.key.has-passphrase -out ZMC-server.key
  • Change permissions so the key can only be read by root.

# chmod 400 ZMC-server.key
  • Restart the ZMC. Enter the passphrase when prompted.

# /etc/init.d/zmc_aee restart
or
# /etc/init.d/zmc_zrm restart
Stopping /etc/init.d/zmc: prg: zmc_parser. pid: 15844
prg: zmc_dblogger. pid: 15843
prg: backup_monitor. pid: 15845
prg: rss2event. pid: 15846
prg: zmc_eventserver. pid: 15828
/usr/sbin/setenforce: SELinux is disabled
/opt/zmanda/amanda//zmandactl.sh : httpd stopped
STOPPING server from pid file /opt/zmanda/amanda/mysql/data/mysqld.pid
080509 13:28:07 mysqld ended
/opt/zmanda/amanda//zmandactl.sh : mysql stopped
/usr/sbin/setenforce: SELinux is disabled
Starting /etc/init.d/zmc: /usr/sbin/setenforce: SELinux is disabled
/opt/zmanda/amanda//zmandactl.sh : mysql started
nohup: redirecting stderr to stdout
Starting mysqld daemon with databases from /opt/zmanda/amanda/mysql/data/
httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK
httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Apache/2.0.59 mod_ssl/2.0.59 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
/opt/zmanda/amanda//zmandactl.sh : httpd started
/usr/sbin/setenforce: SELinux is disabled
/usr/sbin/amcleanup: no unprocessed logfile to clean up.
/usr/sbin/amcleanup: no unprocessed logfile to clean up.
Checking ZMC Services Status...
EventServer is not running.
DbLogger is not running.
Parser is not running.
Backup_monitor is not running.
Rss2event is not running.
Starting EventServer.
Starting parser.
Starting backup_monitor.
Starting rss2event.
Starting dblogger.
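
The following is an added example, not part of the original article or Zmanda's own tooling: a POSIX shell audit to run after the chmod step. It flags a ZMC-server.key that still carries a passphrase and any key file in the certs directory (including the .has-passphrase copy) that is not mode 400 and owned by root. The function names and output format are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the key files this procedure leaves in the certs directory.
# Function names and output format are this example's own, not Zmanda's.

# Exit 0 if FILE is a PEM private key that still carries a passphrase:
# traditional format ("Proc-Type: 4,ENCRYPTED") or PKCS#8 ("ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print "MODE UID" for FILE (GNU stat first, BSD stat as fallback).
mode_and_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# audit_key_dir DIR [OWNER_UID]
# Prints one line per finding and returns the number of findings
# (0 means the directory passes). OWNER_UID defaults to 0 (root).
audit_key_dir() {
    dir=$1; want_uid=${2:-0}; findings=0
    key="$dir/ZMC-server.key"
    if [ ! -f "$key" ]; then
        echo "FAIL $key: not found"
        return 1
    fi
    if key_is_encrypted "$key"; then
        echo "FAIL $key: still passphrase-protected, httpd will prompt at restart"
        findings=$((findings + 1))
    fi
    # Every key file here, including the .has-passphrase copy, must be
    # mode 400 and owned by the expected account.
    for f in "$dir"/*.key*; do
        ms=$(mode_and_uid "$f"); mode=${ms% *}; uid=${ms#* }
        if [ "$mode" != 400 ] || [ "$uid" != "$want_uid" ]; then
            echo "FAIL $f: mode $mode uid $uid, expected mode 400 uid $want_uid"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_key_dir "$@"
fi
```

Saved under a name of your choice and run as root with /opt/zmanda/amanda/apache2/conf/certs as its argument, the script exits with the number of findings, so a zero exit status means the key files match what the steps above intend.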