This article is for Amanda Enterprise (AE) and ZRM for MySQL (ZRM)
Info Type: Tip
Info Description:
- Move any existing keys:
# mkdir /root/ZMC_old_certs # mv /opt/zmanda/amanda/apache2/conf/certs/* /root/ZMC_old_certs
- Create a public/private key pair by entering the commands shown in bold below. Enter a secure passphrase (at least 8 characters, alphanumeric) when prompted. You must enter the same key twice for verification:
# cd /opt/zmanda/amanda/apache2/conf/certs # /opt/zmanda/amanda/common/bin/openssl genrsa -des3 -out ZMC-server.key 1024 Generating RSA private key, 1024 bit long modulus ................++++++ . .......................................................++++++ e is 65537 (0x10001) Enter pass phrase for ZMC-server.key: Verifying - Enter pass phrase for ZMC-server.key:
- Create a certificate signing request. Answer any prompts as they are displayed.
# /opt/zmanda/amanda/common/bin/openssl req -new -key ZMC-server.key -out ZMC-server.csr Enter pass phrase for ZMC-server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:CA State or Province Name (full name) [Berkshire]:Sunnyvale Locality Name (eg, city) [Newbury]:Sunnyvale Organization Name (eg, company) [My Company Ltd]:Zmanda.Inc Organizational Unit Name (eg, section) []:support Common Name (eg, your name or your server's hostname) []:ZMC Email Address []:support@zmanda.com Please enter the following 'extra' attributes To be sent with your certificate request A challenge password []:zmanda An optional company name []:zmanda
- Generate a self-signed certificate. When prompted for a passphrase enter the passphrase that you entered during key creation. The example shows creating a certificate that lasts for five years (1825 days); you can enter a different value if desired.
# /opt/zmanda/amanda/common/bin/openssl x509 -req -days 1825 -in ZMC-server.csr -signkey ZMC-server.key -out ZMC-server.crt Signature ok subject=/C=CA/ST=Sunnyvale/L=Sunnyvale/O=Zmanda.Inc/OU=support/CN=ZMC/ emailAddress=support@zmanda.com Getting Private key Enter pass phrase for ZMC-server.key:
- The certificate should be changed to use a key with no passphrase to avoid being prompted for the password and to allow for integration with ZMC. When prompted for a passphrase enter the passphrase that you entered during key creation. The example shows removing a passphrase from previously created certificate.
# mv ZMC-server.key ZMC-server.key.has-passphrase # /opt/zmanda/amanda/common/bin/openssl rsa -in ZMC-server.key.has-passphrase -out ZMC-server.key
- Change permissions so the key can only be read by root.
# chmod 400 ZMC-server.key
- Restart the ZMC. Enter the passphrase when prompted.
# /etc/init.d/zmc_aee restart or /etc/init.d/zmc_zrm restart Stopping /etc/init.d/zmc: prg: zmc_parser. pid: 15844 prg: zmc_dblogger. pid: 15843 prg: backup_monitor. pid: 15845 prg: rss2event. pid: 15846 prg: zmc_eventserver. pid: 15828 /usr/sbin/setenforce: SELinux is disabled /opt/zmanda/amanda//zmandactl.sh : httpd stopped STOPPING server from pid file /opt/zmanda/amanda/mysql/data/mysqld.pid 080509 13:28:07 mysqld ended /opt/zmanda/amanda//zmandactl.sh : mysql stopped /usr/sbin/setenforce: SELinux is disabled Starting /etc/init.d/zmc: /usr/sbin/setenforce: SELinux is disabled /opt/zmanda/amanda//zmandactl.sh : mysql started nohup: redirecting stderr to stdout Starting mysqld daemon with databases from /opt/zmanda/amanda/mysql/data/ httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName Syntax OK httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName Apache/2.0.59 mod_ssl/2.0.59 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server 127.0.0.1:443 (RSA) Enter pass phrase: Ok: Pass Phrase Dialog successful. /opt/zmanda/amanda//zmandactl.sh : httpd started /usr/sbin/setenforce: SELinux is disabled /usr/sbin/amcleanup: no unprocessed logfile to clean up. /usr/sbin/amcleanup: no unprocessed logfile to clean up. Checking ZMC Services Status... EventServer is not running. DbLogger is not running. Parser is not running. Backup_monitor is not running. Rss2event is not running. Starting EventServer. Starting parser. Starting backup_monitor. Starting rss2event. Starting dblogger.