Import custom certificate in Avamar VMware Image Backup Proxy
After deploying a proxy appliance in vCenter and registering it with the Avamar server, you can manually replace the default self-signed certificate with a user certificate for ports 443, 5480, and 5489 on the Avamar VMware Image Backup Proxy.
Prerequisites
Deploy a proxy appliance in vCenter.
Register and activate the proxy with the Avamar server.
Find the /usr/local/avamarclient/etc/pxychangecert.sh file on the Avamar VMware Image Backup Proxy.
About this task
NOTE: This is a manual process. If you redeploy or upgrade the proxy manually or with Proxy Deployment Manager (PDM), you must repeat the certificate replacement steps.
Version supported: Avamar VMware Image Backup Proxy 7.5.1 and later.
To import the custom certificate and replace the existing self-signed certificate on the proxy, perform the following steps:
Steps
Log in to the proxy using SSH with an admin account and switch to the root account using the su command.
195proxy:~ # su -
Grant execute permission for the pxychangecert.sh script.
195proxy:~ # chmod +x pxychangecert.sh
For signed certificate:
From the proxy, generate a private key and Certificate Signing Request (CSR) files using the following openssl commands:
NOTE: `hostname -f` sets the Common Name (CN) to the current hostname. Adjust Country (C), State (ST), Location (L), Organization (O), and Organization Unit (OU) as required, or omit -subj so that openssl starts an interactive prompt to collect these values.
Upload the /tmp/certs/<proxy hostname>.csr file to the commercial or internal Certificate Authority (CA).
The CA must provide a valid signed certificate and a certificate chain file. Upload these files to the /tmp/certs directory.
For self-signed certificate:
Run the following openssl command to generate a new private key and a self-signed certificate with an expiration period of one year:
NOTE: You can modify -days to adjust the expiration period.
Ensure that a matching private key, certificate, and certificate chain are located in the temp location on the proxy and meet the following requirements:
The private key must not be encrypted.
The certificate must be in X.509 format.
The CN of the certificate must match the hostname of this proxy.
The "keyUsage" extension of the certificate must not contain the digitalSignature, keyEncipherment, and keyAgreement properties.
The "extendedKeyUsage" extension of the certificate must not contain the serverAuth and clientAuth properties.
The certificate chain file must contain all trusted root CAs for the certificate. If the certificate to be replaced is a self-signed certificate, use the same file for the certificate and the chain.
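As an added example that is not part of this article and is not the proxy's own pxychangecert.sh script, the following shell functions cover the two paths above (a private key plus CSR for a CA, or a self-signed key pair) and then check the staged files against the requirements listed before they are handed to the replacement script: unencrypted key, parseable X.509 certificate, key matching the certificate, CN equal to the proxy hostname, and a chain that verifies the certificate. The key usage and extended key usage extensions are printed for comparison with the requirements rather than asserted. Assumptions: openssl is installed on the proxy, /tmp/certs is the staging directory named in the article, the subject fields (C, ST, L, O, OU) are placeholders, and the hostname proxy.example.test used in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not the article's or the proxy's own code: generate and
# sanity-check a certificate bundle before running pxychangecert.sh.
# Assumes openssl is available; /tmp/certs follows the article.
set -u

CERT_DIR="${CERT_DIR:-/tmp/certs}"

# Private key + CSR to send to a CA. The CN defaults to the proxy FQDN, as the
# article's `hostname -f` note describes; the other subject fields are placeholders.
gen_csr() {
    cn="${1:-$(hostname -f)}"
    mkdir -p "$CERT_DIR"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$CERT_DIR/$cn.key" \
        -out "$CERT_DIR/$cn.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/OU=Backup/CN=$cn" 2>/dev/null
}

# Self-signed certificate valid for $2 days (365 by default, as in the article).
# The chain file is a copy of the certificate, as the article requires for self-signed.
gen_self_signed() {
    cn="${1:-$(hostname -f)}"
    days="${2:-365}"
    mkdir -p "$CERT_DIR"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$CERT_DIR/$cn.key" \
        -out "$CERT_DIR/$cn.crt" \
        -subj "/C=US/ST=State/L=City/O=Example Org/OU=Backup/CN=$cn" 2>/dev/null \
    && cp "$CERT_DIR/$cn.crt" "$CERT_DIR/$cn-chain.crt"
}

# check_bundle KEY CERT CHAIN HOSTNAME
# Returns 0 when every check passes, 1 otherwise, printing each failure.
check_bundle() {
    key="$1"; cert="$2"; chain="$3"; cn="$4"; rc=0

    # 1. The private key must not be encrypted: an encrypted PEM carries a
    #    DEK-Info header (legacy format) or an ENCRYPTED PRIVATE KEY block (PKCS#8).
    if grep -qE 'ENCRYPTED|DEK-Info' "$key"; then
        echo "FAIL: private key is encrypted"; rc=1
    fi
    # 2. The certificate must parse as X.509.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: certificate is not a valid X.509 certificate"; rc=1
    fi
    # 3. Key and certificate must belong together (identical public key).
    #    -passin avoids an interactive prompt if someone staged an encrypted key.
    kpub=$(openssl pkey -in "$key" -pubout -passin pass:placeholder 2>/dev/null | openssl sha256)
    cpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl sha256)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: private key does not match certificate"; rc=1
    fi
    # 4. The CN must equal the proxy hostname.
    subj_cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
              | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$subj_cn" != "$cn" ]; then
        echo "FAIL: certificate CN '$subj_cn' does not match hostname '$cn'"; rc=1
    fi
    # 5. The chain file must hold the trust anchors that verify the certificate
    #    (for a self-signed certificate the chain is the certificate itself).
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against the chain file"; rc=1
    fi
    # keyUsage / extendedKeyUsage are printed so they can be compared against the
    # article's requirements (the -ext option needs OpenSSL 1.1.1 or later).
    openssl x509 -in "$cert" -noout -ext keyUsage,extendedKeyUsage 2>/dev/null
    return $rc
}

# Usage (constructed hostname):
#   gen_self_signed proxy.example.test 365
#   check_bundle /tmp/certs/proxy.example.test.key /tmp/certs/proxy.example.test.crt \
#                /tmp/certs/proxy.example.test-chain.crt proxy.example.test
```

Run check_bundle against the files in /tmp/certs before invoking pxychangecert.sh; a non-zero exit with a FAIL line tells you which requirement the staged files miss, which is cheaper to fix than a half-replaced keystore on the proxy.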
Replace the certificate by running the following command:
The old files are moved to a backup directory.
Example
When you run the script, the old SSL keys are backed up in /opt/vmware/etc/sfcb/sslbackup/<yyyy-mm-dd-hr.min.ss> and the Java keystore is backed up in /opt/jetty/etc/keybackup/<yyyy-mm-dd-hr.min.ss>.