Table of contents
Download Binaries
To install the ZMC, you must first download Zmanda AE Server and ZMC binaries. They are available at Zmanda network downloads page.
Click the binary file link to download for respective OS version under Product version 4.1 as shown in the below screen:
The binary file naming convention is as mentioned below
· zmanda-zmc-<XXXXXXXXX>-x64.run
· zmanda-backup-server-<XXXXXXXXX>-x64.run
Download License File
You can download your trial/production license file from Zmanda Network. will include an option to download a license key (zmanda_license), after you bind the license to the MAC address of the machine on which the Zmanda Management Console will be installed. Download license file and upload it on the Zmanda Management Console in the “Licenses” section, under the “Settings” tab. For more details please the License page.
Steps to download the license file:
STEP 1: Login to your Zmanda network account and click the download icon for the license you wish to download
STEP 2: Enter the MAC address of your ZMC server and a name. Once the details are entered, click on submit and license downloads successfully. If there is any change in MAC and server name then Customer can contact the sales team or support team
Secure Socket Layer (SSL) Certification
ZMC is shipped with a pre-packaged Apache SSL certificate. We recommend you to purchase external CA certified SSL certificates or create your own self-signed SSL certificates and distribute to all browsers/clients from which you wish to access the ZMC portal. The pre-packaged SSL certificates may generate warnings on some browser versions.
If using a certificate from a recognized Certificate Authority, your browser will automatically create the secure connection with no errors or warnings.
If using a self-signed certificate, you must then deploy a mechanism to get the relevant browser(s) to accept this new root CA. One method is to generate the certificate using a special format that can be directly imported by common web browsers, and then providing a link on a secure intranet for ZMC users to download (web browsers automatically display the import dialog if the file is in the correct format and sent by the intranet web server using the correct mimetype). PKCS12 (now part of OpenSSL, provides a mechanism to distribute self-signed private key certificates in a number formats recognized by different browsers.
Another approach is to manually add the new self-signed root CA to the root CA list of the client system, which will automatically provide access to the new CA for all web browsers on the client system. This article covers the procedures for doing this in a Microsoft Windows server environment.
For more details on certificate validation issues, see this article from OpenSSL.
Steps for generating self-signed certificates:
- To generate the key and certificate for zmc_service
- Generate new CA:
/opt/zmanda/amanda/bin/openssl ecparam -name prime256v1 -genkey -noout -out tlsv3_ca.key && openssl ec -in tlsv3_ca.key -pubout -out tlsv3_ca.pkey
/opt/zmanda/amanda/bin/openssl req -new -x509 -days 9999 -sha384 -addext "keyUsage = critical, digitalSignature, cRLSign, keyCertSign" -key tlsv3_ca.key -out tlsv3_ca.crt - Create the 'zmc.conf' file with the next content and replace the bolded content with applicable values:
[req]
prompt = no
default_bits = 2048
default_md = sha512
distinguished_name = req_dn
[req_dn]
commonName = <hostName>
organizationName = <MyOrganization>
organizationalUnitName = <MyOrganizationDeppartment>
emailAddress = <MyOrganizationDeppartment_Email>
countryName = <MyCountry2LetterInternationalCode>
stateOrProvinceName = <MyState>
localityName = <MyCity>
[v3_ssl]
basicConstraints = critical, CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[v3_mtls]
basicConstraints = critical, CA:FALSE
nsCertType = client
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = <hostIP>
DNS.1 = <hostName>
DNS.2 = h<hostIP replacing dots (.) with dashes (-)>.server.betsol
# sample of above= h192.168.1.2.server.betsol
# see x509v3_config for other extensions -
Generate 1st new ZMC certificates with
/opt/zmanda/amanda/bin/openssl req -newkey rsa:2048 -nodes -keyout self-signed.key -x509 -days 730 -out self-signed.crt -config zmc.conf -extensions v3_ssl
-
Generate new 2nd ZMC certificates with
/opt/zmanda/amanda/bin/openssl ecparam -name prime256v1 -genkey -noout -out tlsv3_zmc.key && openssl req -new -sha384 -config zmc.conf -extensions v3_mtls -key tlsv3_zmc.key -out tlsv3_zmc.csr
/opt/zmanda/amanda/bin/openssl x509 -req -days 730 -sha384 -extfile zmc.conf -extensions v3_mtls -CA tlsv3_ca.crt -CAkey tlsv3_ca.key -CAcreateserial -in tlsv3_zmc.csr -out tlsv3_zmc.crt
-
Copy and replace generated files into the ZMC server with
cp tlsv3_ca.crt /var/lib/amanda/.tlsv3_ca.crt
cp self-signed.key /var/lib/amanda/.self-signed.key
cp self-signed.crt /var/lib/amanda/.self-signed.crt
cp tlsv3_zmc.key /var/lib/amanda/.tlsv3_zmc.key
cp tlsv3_zmc.crt /var/lib/amanda/.tlsv3_zmc.crt
- Verify all the replaced files remain with the owner and group 'amandabackup'
- Generate new CA:
-
To generate the key and certificate for ae_service
-
Create the aee.conf' file with the next content and replace the bolded content with applicable values:
[req]
prompt = no
default_bits = 2048
default_md = sha512
distinguished_name = req_dn
[req_dn]
commonName = <hostName>
organizationName = <MyOrganization>
organizationalUnitName = <MyOrganizationDeppartment>
emailAddress = <MyOrganizationDeppartment_Email>
countryName = <MyCountry2LetterInternationalCode>
stateOrProvinceName = <MyState>
localityName = <MyCity>
[v3_ssl]
basicConstraints = critical, CA:FALSE
nsCertType = server
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = <hostIP>
DNS.1 = <hostName>
DNS.2 = h<hostIP replacing dots (.) with dashes (-)>.server.betsol
# sample of above= h192.168.1.2.server.betsol
# see x509v3_config for other extensions
-
Generate new 1st ZMC certificates with
/opt/zmanda/amanda/bin/openssl ecparam -name prime256v1 -genkey -noout -out tlsv3_aee.key && openssl req -new -sha384 -config aee.conf -extensions v3_ssl -key tlsv3_aee.key -out tlsv3_aee.csr
/opt/zmanda/amanda/bin/openssl x509 -req -days 730 -sha384 -extfile aee.conf -extensions v3_ssl -CA tlsv3_ca.crt -CAkey tlsv3_ca.key -CAcreateserial -in tlsv3_aee.csr -out tlsv3_aee.crt
- Copy and replace generated files into the AEE server with
cp tlsv3_ca.crt /var/lib/amanda/.tlsv3_ca.crt
cp tlsv3_aee.key /var/lib/amanda/.tlsv3_aee.key
cp tlsv3_aee.crt /var/lib/amanda/.tlsv3_aee.crt
- Verify all the replaced files remain with the owner and group 'amandabackup'
-
-
Now restart the zmc and ae services by executing the following commands:
systemctl restart run-zmanda-backup-server.service
systemctl restart run-zmanda-zmc.service
-
If you also want to solve the certificate warning shown by the browser when loading the Zmanda Web Console, you can download the ‘tlsv3_ca.crt’ file on your PC and install it on your browser root certificate authorities.