- Notes, cautions, and warnings
- Preface
- Introduction
- Configuration and Setup
- Best practices
- (Optional) Configuring support for multiple vCenters
- Installing Avamar Administrator software
- Configure vCenter-to-Avamar authentication
- Creating a dedicated vCenter user account
- Add a vCenter as an Avamar client in the AUI
- Register or add a proxy client
- Edit vCenter
- Auto-discovery of virtual machines
- Deploying proxies using Proxy Deployment Manager from AUI
- Upgrading proxies
- Maintaining proxies
- Monitor proxy status
- Import custom certificate in Avamar VMware Image Backup Proxy
- Security patch updates for proxies
- Additional Avamar server configuration
- Administration
- Clients and containers
- Add a VMware client
- Delete a VMware client
- Enable changed block tracking
- Viewing protected virtual machines in Avamar Administrator
- Viewing a replicated virtual machine name in Avamar Administrator
- Monitoring the vCenter connection in Avamar Administrator
- Manually synchronize the AUI with vCenter and VM clients
- Rename a vCenter client
- VMware Image Dataset
- Adding guest backup throttling parameters to a dataset in Avamar Administrator
- Groups
- Changing proxy datastore and group assignments in Avamar Administrator
- Backup
- Limitations
- Perform an on-demand backup of a virtual machine by using AUI
- Set advanced plug-in options in the AUI
- Schedule backups using the AUI Policy wizard
- Log truncation backups
- Monitor backups
- Cancel backups
- Support for vCenter HA failover for inflight backups
- Configure a backup to support VMware encryption
- Configure a backup to support vSAN encryption
- Enforcement of backups to Data Domain
- Restore
- Image and file-level restore guidelines
- Image backup overview
- File Level Restore
- Performance improvements for File Level Restore
- File-level restore supported configurations
- RSA SecurID authentication in the AUI
- File Level Restore troubleshooting and limitations
- File Level Restore (FLR) in the AUI
- Restore ACL for non-root user configuration
- Perform a File Level Restore (FLR) operation by using the Data Protection Backup and Recovery File Level Restore (FLR) UI
- Backup Validation
- Protecting the vCenter Management Infrastructure
- vCenter deployments overview
- Best practices for backup and restore
- Protecting an embedded PSC
- Protecting external deployment models
- vCenter server appliance(s) with one external PSC where PSC fails
- vCenter server appliance is lost but the PSC remains
- vCenter server appliance with multiple PSCs where one PSC is lost, one remains
- vCenter server appliance remains but all PSCs fail
- vCenter server appliance remains but multiple PSCs fail
- vCenter server appliance fails
- vCenter server restore workflow
- Platform Services Controller restore workfow
- Command reference
- Support for vCenter HA failover for inflight backups
- Additional considerations
- Protecting ESX Hosts
- Avamar Image Backup and Recovery for VMware Cloud on Amazon Web Services (AWS)
- Avamar image backup and recovery for VMware Cloud on AWS
- Configure the VMware Cloud on AWS web portal console
- Amazon AWS web portal requirements
- vCenter server inventory requirements
- Deploy the vProxy OVA on a vCenter server in VMware Cloud on AWS
- Configure vCenter-to-Avamar authentication for VMware Cloud on AWS
- Avamar image backup and restore for VMware Cloud on AWS best practices
- Unsupported Avamar operations
- Backing up VMware Cloud Foundation (VCF) Components on VxRail
- Manually deploying proxies
- Overview
- Downloading the proxy appliance template file
- Deploying the proxy appliance in vCenter
- Deploying a proxy appliance in vCenter using the vSphere Web Client
- Registering and activating the proxy with the Avamar server
- Configuring proxy settings in Avamar Administrator
- Performing optional proxy performance optimization
- vSphere Data Ports
- Using VMware vRealize Log Insight
- Plug-in Options
- Troubleshooting
- Installation and configuration problems and solutions
- Backup problems and solutions
- Backup does not start
- Exclude the proxy from the virtual machine backup if performing the backup with other VMware software
- Backups fail with No Proxy errors
- Changed block tracking does not take effect
- Proxies are not assigned to backup jobs
- VM snapshot fails backups due to incorrect pre-evaluation of available space
- Backup and restore of vFlash Read Cache enabled VMs will use NBD transport mode
- Exchange log truncation unsupported when VMDK is encrypted via vSphere
- Indexing VMware image backups requires HotAdd transport mode
- Proxy status alert
- Restore problems and solutions
- Glossary
Dell EMC Avamar for VMware 19.7 User Guide
Import custom certificate in Avamar VMware Image Backup Proxy
After deploying a proxy appliance in vCenter and registering it with the Avamar server, you can manually replace the default self-signed certificate with a user certificate for port 443, 5480, and 5489 on Avamar VMware Image Backup Proxy.
Prerequisites
Deploy a proxy appliance in vCenter.
Register and activate the proxy with the Avamar server.
Find the /usr/local/avamarclient/etc/pxychangecert.sh file on the Avamar VMware Image Backup Proxy.
About this task
NOTE:This is a manual process. If you redeploy or upgrade the proxy manually or using Proxy Deployment Manager (PDM) then you must follow the certificate replacement steps again.
Version supported: Avamar VMware Image Backup Proxy 7.5.1 and later.
To import the custom certificate and replace the existing self-signed certificate on proxy, perform the following steps:
Steps
-
Log in to the proxy using SSH with an admin account and switch to root account using
su command.
195proxy:~ # su -
-
Grant execute permission for
pxychangecert.sh script.
195proxy:~ # chmod +x pxychangecert.sh
-
For signed certificate:
-
From proxy generate a private key and Certificate Signing Request (CSR) files using the following openssl commands:
195proxy:~ # mkdir /tmp/certs195proxy:~ # openssl genrsa -out /tmp/certs/key.pem 3072195proxy:~ # openssl req -new -key /tmp/certs/key.pem -out /tmp/certs/`hostname -f`.csr -subj "/C=US/ST=California/L=Irvine/O=Dell Technologies/OU=Dell EMC/CN=`hostname -f`"NOTE:The `hostname -f ` will set Common Name (CN) to current hostname. Adjust Country (C), State (ST), Location (L), Organization (O), and Organization Unit (OU) as per your requirement or omit -subj so that openssl starts an interactive prompt to collect these values.
- Upload the /tmp/certs/<proxy hostname>.csr file to the commercial or internal Certificate Authority (CA).
- The CA must provide a valid signed certificate and a certificate chain file. Upload these the files to /tmp/certs directory.
-
From proxy generate a private key and Certificate Signing Request (CSR) files using the following openssl commands:
-
For self-signed certificate:
Run the following openssl command to generate a new private key and a self-signed certificate with expiration duration of one year:195proxy:~ # openssl req -x509 -new -newkey rsa:3072 -nodes -keyout /tmp/certs/key.pem -out /tmp/certs/cert.pem -days 365 -subj "/C=US/ST=California/L=Irvine/O=Dell Technologies/OU=Dell EMC/CN=`hostname -f `"NOTE: You can modify -days to adjust the duration of expiration.
-
Ensure matching private key, certificate, and certificate chain are located in the temp location of the proxy, and meet the following requirements:
- The private key must not be encrypted.
- The certificate must be in x509 format.
- The CN of the certificate must match the hostname of this proxy.
- The "keyUsage" extension of the certificate or the " keyUsage" must not contain digitalSignature, keyEncipherment, and keyAgreement properties.
- The "extendedKeyUsage" extension of the certificate or the "extendedKeyUsage" must not contain serverAuth and clientAuth properties.
- The certificate chain file must contain all trusted root CA for the certificate. If the certificate to be replaced is a self-signed certificate, use the same file for certificate and chain.
-
Replace the certificate by running the following command:
195proxy:~ # ./pxychangecert.sh /tmp/certs/key.pem /tmp/certs/cert.pem /tmp/certs/chain.pem avam@rWhere, avam@r is the default keystore password.
Results
Example
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\