Table of contents
Download Binaries
To install the ZMC, you must first download Zmanda AE Server and ZMC binaries. They are available at Zmanda network downloads page.
Click the binary file link to download for respective OS version under Product version 4.1 as shown in the below screen:
The binary file naming convention is as mentioned below
· zmanda-zmc-<XXXXXXXXX>-x64.run
· zmanda-backup-server-<XXXXXXXXX>-x64.run
Download License File
You can download your trial/production license file from Zmanda Network. will include an option to download a license key (zmanda_license), after you bind the license to the MAC address of the machine on which the Zmanda Management Console will be installed. Download license file and upload it on the Zmanda Management Console in the “Licenses” section, under the “Settings” tab. For more details please the License page.
Steps to download the license file:
STEP 1: Login to your Zmanda network account and click the download icon for the license you wish to download
STEP 2: Enter the MAC address of your ZMC server and a name. Once the details are entered, click on submit and license downloads successfully. If there is any change in MAC and server name then Customer can contact the sales team or support team
Secure Socket Layer (SSL) Certification
ZMC is shipped with a pre-packaged Apache SSL certificate. We recommend you to purchase external CA certified SSL certificates or create your own self-signed SSL certificates and distribute to all browsers/clients from which you wish to access the ZMC portal. The pre-packaged SSL certificates may generate warnings on some browser versions.
If using a certificate from a recognized Certificate Authority, your browser will automatically create the secure connection with no errors or warnings.
If using a self-signed certificate, you must then deploy a mechanism to get the relevant browser(s) to accept this new root CA. One method is to generate the certificate using a special format that can be directly imported by common web browsers, and then providing a link on a secure intranet for ZMC users to download (web browsers automatically display the import dialog if the file is in the correct format and sent by the intranet web server using the correct mimetype). PKCS12 (now part of OpenSSL, provides a mechanism to distribute self-signed private key certificates in a number formats recognized by different browsers.
Another approach is to manually add the new self-signed root CA to the root CA list of the client system, which will automatically provide access to the new CA for all web browsers on the client system. This article covers the procedures for doing this in a Microsoft Windows server environment.
For more details on certificate validation issues, see this article from OpenSSL.
Steps for generating self-signed certificates:
- Prechecks
- To check the certificate expiry dates, run the following commands:
# sudo openssl x509 -in /var/lib/amanda/.tlsv3_zmc.crt -text -noout | grep -i validity -A2
# sudo openssl x509 -in /var/lib/amanda/.tlsv3_aee.crt -text -noout | grep -i validity -A2
- To check the certificate expiry dates, run the following commands:
- Generate new CA and certificates for ZMC-Service:
- Generate Key and Certificate for CA
- Switch to amandabackup user
# su amandabackup - Create a new directory to generate the cert and key files. All the following commands should be run from within this directory
mkdir -p /var/lib/amanda/tmpcerts
cd /var/lib/amanda/tmpcerts
- Generate new Certificate Authority (CA):
/opt/zmanda/amanda/bin/openssl ecparam -name prime256v1 -genkey -noout -out tlsv3_ca.key && /opt/zmanda/amanda/bin/openssl ec -in tlsv3_ca.key -pubout -out tlsv3_ca.pkey
/opt/zmanda/amanda/bin/openssl req -new -x509 -days 365 -sha384 -addext "keyUsage = critical, digitalSignature, cRLSign, keyCertSign" -key tlsv3_ca.key -out tlsv3_ca.crt
- Switch to amandabackup user
- Generate Keys and Certificates for ZMC-Service
- Create the 'zmc.conf' file with next content and replace the <bold> content:
[req]
prompt = no
default_bits = 2048
default_md = sha512
distinguished_name = req_dn
[req_dn]
commonName = <hostname>
organizationName = <myorganization>
organizationalUnitName = <myorganizationdeppartment>
emailAddress = <myorganizationdeppartment_email>
countryName = <mycountry2letterinternationalcode>
stateOrProvinceName = <mystate>
localityName = <mycity>
[v3_ssl]
basicConstraints = critical, CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[v3_mtls]
basicConstraints = critical, CA:FALSE
nsCertType = client, server
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = <hostip>
DNS.1 = <hostname>
DNS.2 = h<hostIP replacing dots (.) with dashes (-)>.server.betsol
# sample of above= h192-168-1-2.server.betsol
# see x509v3_config for other extensions
- Generate new ZMC TLS certificates for Web Interface
/opt/zmanda/amanda/bin/openssl req -newkey rsa:2048 -nodes -keyout self-signed.key -x509 -days 730 -out self-signed.crt -config zmc.conf -extensions v3_ssl
-
Generate new ZMC certificates for mTLS communications
/opt/zmanda/amanda/bin/openssl ecparam -name prime256v1 -genkey -noout -out tlsv3_zmc.key && /opt/zmanda/amanda/bin/openssl req -new -sha384 -config zmc.conf -extensions v3_mtls -key tlsv3_zmc.key -out tlsv3_zmc.csr
/opt/zmanda/amanda/bin/openssl x509 -req -days 730 -sha384 -extfile zmc.conf -extensions v3_mtls -CA tlsv3_ca.crt -CAkey tlsv3_ca.key -CAcreateserial -in tlsv3_zmc.csr -out tlsv3_zmc.crt
- Copy and replace generated files into the ZMC server with
cp tlsv3_ca.crt /var/lib/amanda/.tlsv3_ca.crt
cp self-signed.key /var/lib/amanda/.self-signed.key
cp self-signed.crt /var/lib/amanda/.self-signed.crt
cp tlsv3_zmc.key /var/lib/amanda/.tlsv3_zmc.key
cp tlsv3_zmc.crt /var/lib/amanda/.tlsv3_zmc.crt - Verify all the replaced files remains with the owner and group 'amandabackup'
- Create the 'zmc.conf' file with next content and replace the <bold> content:
- Generate Key and Certificate for CA
-
Generate certificates for AEE-Service
-
Generate Key and Certificate for AEE_Service
- Create one folder per each AEE server that you have:
mkdir /var/lib/amanda/tmpcerts/aee1
cd /var/lib/amanda/tmpcerts/aee1 - Create the 'aee.conf' file with next content and replace the <bold> content:
[req]
prompt = no
default_bits = 2048
default_md = sha512
distinguished_name = req_dn
[req_dn]
commonName = <hostname>
organizationName = <myorganization>
organizationalUnitName = <myorganizationdeppartment>
emailAddress = <myorganizationdeppartment_email>
countryName = <mycountry2letterinternationalcode>
stateOrProvinceName = <mystate>
localityName = <mycity>
[v3_mtls]
basicConstraints = critical, CA:FALSE
nsCertType = client, server
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = <hostip>
DNS.1 = <hostname>
DNS.2 = h<hostIP replacing dots (.) with dashes (-)>.server.betsol
# sample of above= h192-168-1-2.server.betsol
# see x509v3_config for other extensions
- Generate new AEE certificate with
/opt/zmanda/amanda/bin/openssl ecparam -name prime256v1 -genkey -noout -out tlsv3_aee.key && /opt/zmanda/amanda/bin/openssl req -new -sha384 -config aee.conf -extensions v3_ssl -key tlsv3_aee.key -out tlsv3_aee.csr
/opt/zmanda/amanda/bin/openssl x509 -req -days 730 -sha384 -extfile aee.conf -extensions v3_mtls -CA ../tlsv3_ca.crt -CAkey ../tlsv3_ca.key -CAcreateserial -in tlsv3_aee.csr -out tlsv3_aee.crt
- Create new folder for 2nd AEE server (if apply)
mkdir /var/lib/amanda/tmpcerts/aee2
cd /var/lib/amanda/tmpcerts/aee2 - Repeat steps 3.1.2 and 3.1.3 for create the 2nd AEE certificate (if apply).
- Create one folder per each AEE server that you have:
- Copy AEE Files to each AEE Server Accordingly
- Copy generated files into the AEE server with
scp /var/lib/amanda/tmpcerts/tlsv3_ca.crt<user>@<aee1_ip>:/tmp/tlsv3_ca.crt
scp /var/lib/amanda/tmpcerts/aee1/tlsv3_aee.key <user>@<aee1_ip>:/tmp/tlsv3_aee.key
scp /var/lib/amanda/tmpcerts/aee1/tlsv3_aee.crt <user>@<aee2_ip>:/tmp/tlsv3_aee.crt
#Copy 2nd AEE certificate (if apply)
scp /var/lib/amanda/tmpcerts/tlsv3_ca.crt <user>@<aee2_ip>:/tmp/tlsv3_ca.crt
scp /var/lib/amanda/tmpcerts/aee2/tlsv3_aee.key <user>@<aee2_ip>:/tmp/tlsv3_aee.key
scp /var/lib/amanda/tmpcerts/aee2/tlsv3_aee.crt <user>@<aee2_ip>:/tmp/tlsv3_aee.crt
- Login into each AEE server and move the copied files
Login as root
mv /tmp/tlsv3_ca.crt /var/lib/amanda/.tlsv3_ca.crt
mv /tmp/tlsv3_aee.key /var/lib/amanda/.tlsv3_aee.key
mv /tmp/tlsv3_aee.crt /var/lib/amanda/.tlsv3_aee.crt
chown amandabackup:amandabackup /var/lib/amanda/.tlsv3_ca.crt
chown amandabackup:amandabackup /var/lib/amanda/.tlsv3_aee.key
chown amandabackup:amandabackup /var/lib/amanda/.tlsv3_aee.crt
- Verify all the replaced files remains with the owner and group 'amandabackup'.
- Copy generated files into the AEE server with
-
- Restart All Services
- Now restart the zmc and ae services by executing the following commands as the root user
systemctl restart run-zmanda-backup-server.service
systemctl restart run-zmanda-zmc.service
- Now restart the zmc and ae services by executing the following commands as the root user