View Source

{warning}You are viewing an outdated version of this article. An updated version of this article is available [here|ServerBackupManager:Run Server Backup Manager over SSL (HTTPS)].{warning}
The Backup Manager comes with SSL already set up. By default, SSL works with a self-signed certificate. This certificate can be used for encryption only and does not prove the identity of the server.

That default certificate is not signed by any well-known Certification Authority (CA), so when the users try to open the SSL version of the Backup Manager Web Interface, they usually see the warning in the browser window (see the image below).

!privacy_error.jpg!


If you decide to continue working with this self-signed certificate, you have to perform several steps to "accept" the certificate before you access the site. This usually occurs only the first time you access the site. Then the self-signed certificate is stored in the browser database marked as trusted. This scenario is suitable for testing purposes or for running the Backup Manager on the company's internal networks.

But if you want to provide a Backup Manager SSL interface to the outside world, you should obtain a certificate signed by a well-known CA. The role of a CA is to verify that the Backup Manager you are trying to access actually has the name you are trying to access it by, and that this server actually belongs to your organization.

h3. Obtaining CA-Signed Certificate for Production Use

Certificates for production use are issued by trusted 3rd party Certification Authorities (CAs). Many CAs simply verify the domain name and issue the certificate, whereas others ([VeriSign|http://www.verisign.com/], etc.) verify the existence of your business, the ownership of your domain name, and your authority to apply for the certificate, providing a higher standard of authentication.

Every browser comes with a pre-defined list of well-known CAs. A sample list of CAs can be found on [http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities/].

Along with the name of your organization and the name of your server, a CA-signed certificate contains the public key of the server. This public key is used by the browser to encrypt data sent to the server. There is a private key on the server. The server uses the private key to decrypt the data encrypted by the public key. The private key should be kept secure on the server to prevent unauthorized access.

To learn more about public key cryptography, you can read this wikipedia page [http://en.wikipedia.org/wiki/Public-key_cryptography]. To learn more about certificates and steps to buy a certificate, you need to take a look at CAs' websites. Some of the most well known CAs are:
* [VeriSign|http://www.verisign.com/]
* [Thawte|http://www.thawte.com/]
* [CAcert|http://www.cacert.org/]
* [GoDaddy|http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039]

----
h3. Generating Certificate Request

Before the CA can issue you the certificate, you should generate private key and the certificate request and send it to the CA for signing. For the instructions below to work, the certificate request and the private key should be generated with the {{openssl}} command, the same way as for Apache web server. If you decide to buy the certificate from GoDaddy - very popular hosting provider, which also issues the certificate - generate the private key and certificate request according to [http://support.godaddy.com/help/article/5269/generating-a-certificate-signing-request-csr-apache-2x].


{info:title=Note}While generating the private key and certificate request In Windows, you should replace the {{openssl}} command with the full path to binary, for example, {{C:\OpenSSL\bin\openssl}}.
{info}
----
h3. Importing Certificate into the Trust-Store

The following steps show you how to install a SSL certificate purchased from a Certification Authority. Your SSL vendor may have different instructions, please check with them for proper certificate installation. The following examples refer to GoDaddy and VeriSign.

To enable a certificate, you need to use the *Java keytool* \- a key and certificate management utility. The keytool stores the keys and certificates in a so-called *keystore*.

h4. Windows

It is assumed that you have both the private key file and certificate file in the PEM format and OpenSSL tool for Windows is installed into. It is also assumed that the private key file is called {{wildcard.r1soft.com.key}} and the certificate file is called {{wildcard.r1soft.com.crt}} and both are on disk {{C}}, in the root directory.

{info:title=Note}You can download OpenSSL for Windows installation package from [http://gnuwin32.sourceforge.net/packages/openssl.htm].
{info}
----
1. Start a Windows Command Prompt by clicking Start > Command Prompt.

!Command Prompt item in Start Menu_English.png!

Alternatively, you can go to Start > Run > type {{cmd}} without quotes and press <Enter>.

!Run window_cmd_English.png!

2. Use {{C:}} and then {{cd}} \ commands to go to the root directory of the disk C, where the key and certificates are located.

3. Run the following commands to convert the key and the certificate from PEM to DER format.

{code}C:\OpenSSL\bin\openssl pkcs8 -topk8 -nocrypt -in wildcard.r1soft.com.key -inform PEM -out wildcard.r1soft.com.key.der -outform DER
C:\OpenSSL\bin\openssl x509 -in wildcard.r1soft.com.crt -inform PEM -out wildcard.r1soft.com.crt.der -outform DER{code}

4. Use the {{cd}} command to go to the directory where keytool is located.


{code}cd "C:\Program Files\Idera Server Backup\jre\bin\"
{code}

5. Use Internet Explorer to download the ImportKey utility.

Point Internet Explorer to [Importkey Utility|https://github.com/cornet/importkey]&nbsp;and follow instructions on the page to compile the utility.

6. Run the following command. It will launch the ImportKey utility and create the keystore file (default name is {{keystore.ImportKey}}) in your home directory (in Windows 2008 it is usually {{C:\Users\<your username>}}). The private key and the certificate will be placed there.

{code}java ImportKey c:\wildcard.r1soft.com.key.der c:\wildcard.r1soft.com.crt.der cdp
{code}{info:title=Note}
The keystore's password and the key's passwords must be set to *password*.
{info}
7. The following command will allow you to set the password for your keystore file. The default password is importkey. Enter it when prompted and then type the new password, which must be set to "password".

{code}keytool -storepasswd -keystore c:\Users\Administrator\keystore.ImportKey
{code}
8. This command will allow you to set the password for the key file in the keystore. The default password is {{importkey}}. Enter it when prompted and then type the new password, which must be set to "password".

{code}keytool -keypasswd -alias cdp -keystore c:\Users\Administrator\keystore.ImportKey
{code}
9. Use Internet Explorer to download the intermediate certificate chain for GoDaddy Certification Authority (CA).

Point Internet Explorer to [https://certificates.godaddy.com/repository/sf_issuing.crt]. Save the intermediate certificate chain to the root directory of the disk C.

10. Import the received trusted certificate into your keystore file.

{code}keytool -import -alias intermed -file c:\sf_issuing.crt -keystore c:\Users\Administrator\keystore.ImportKey -trustcacerts

{code}
{info:title=Note}
Internet Explorer may change the file extension. So if the command above does not work, try sf_issuing.cer instead of sf_issuing.crt.
{info}
11. Open Windows Explorer. Navigate to the directory {{C:\Program Files\Idera Server Backup\conf}}.

Rename the file {{keystore}} to {{keystore.old}}. Then rename the file {{C:\Users\<your username>\keystore.ImportKey}} to {{C:\Program Files\Idera Server Backup\conf\keystore}}.

12. Restart Backup Manager service.


Follow the instructions below to restart the Backup Manager using the Backup Manager Configuration Utility.

Go to Start > All Programs > Idera Server Backup > Backup Manager Configuration Utility.

!Configuration Utility in Windows Start Menu_2_English.png!

The Configuration Utility will start.

!Configuration Utility window_English.png!

From the "Services" menu, select the "Restart Backup Manager" option.

!Backup Manager Configuration Utility_Enterprise_Restart Server Backup Manager_English.png!

Confirm your request to restart the Backup Manager by clicking "OK."

!Server Backup Agent_Restart the service_English.png!

You will see the following message. Click the "OK" button.

!Server Backup Manager restarted successfully_English.png!

h4. Linux

1. Establish a SSH connection to the Linux server where the Backup Manager is installed. Or log in on the text Linux console.

You should either log in as root or obtain root permissions after login via {{su}} or {{sudo}} command.
{info:title=Note}Your home directory should be set to /root.
{info}
2. Upload the key and the certificate to Backup Manager.

3. Use the {{cd}} command to go to the directory where the keys are in.

4. Run the following commands to convert the key and the certificate files from PEM into DER format.
{code}openssl pkcs8 -topk8 -nocrypt -in wildcard.r1soft.com.key -inform PEM -out wildcard.r1soft.com.key.der -outform DER
openssl x509 -in wildcard.r1soft.com.crt -inform PEM -out wildcard.r1soft.com.crt.der -outform DER{code}
5. Use the {{cd}} command to go to the directory where *keytool* is located.
{code}cd /usr/sbin/r1soft/jre/bin{code}
Give everybody the permissions to execute the&nbsp; *keytool* and *java* applications. The versions of these application hat come with Backup Manager are not executable, so you have to run chmod 755 it.
{code}chmod 755 java keytool{code}
6. Use the {{wget}} command to download the ImportKey utility:
{code}wget http://igniterealtime.jiveon.com/servlet/JiveServlet/download/196707-4718/importkey.zip{code}
7. Unzip ImportKey.zip.
{code} unzip importkey.zip{code}
8. Run the following command. It will launch the ImportKey utility and create the keystore file (default name is *keystore.ImportKey*) in your home directory (root). The private key and the certificate will be placed there.
{code}./java ImportKey /root/wildcard.r1soft.com.key.der /root/wildcard.r1soft.com.crt.der cdp{code}
{info:title=Note}The keystore's password and the key's passwords must be set to *password*.
{info}
9. The following command will allow you to set the password for your keystore file. The default password is *importkey*. Enter it when prompted and then type the new password, which must be set to "*password*".
{code}./keytool -storepasswd -keystore /root/keystore.ImportKey{code}
10. This command will allow you to set the password for the key file in the keystore. The default password is *importkey*. Enter it when prompted and then type the new password, which must be set to "*password*".
{code}./keytool -keypasswd -alias cdp -keystore /root/keystore.ImportKey{code}
11. Rename the *keystore.ImportKey* file (default name) into *keystore*.
{code}mv /root/keystore.ImportKey /root/keystore{code}
12. Run the following command to download the trusted certificate from the Certification Authority (CA). In our example, we connect to *Go Daddy*.
{code}wget -no-check-certificate -O /root/sf_issuing.crt https://certificates.godaddy.com/repository/sf_issuing.crt {code}
13. Import the received trusted certificate into your *keystore* file.
{code}./keytool -import -alias intermed -file /root/sf_issuing.crt -keystore /root/keystore -trustcacerts {code}
14. You may have another keystore in your R1Soft folder. To make a backup copy of it, you should rename it (for example, to "*keystore.old*" as shown in the following example).
{code}mv /usr/sbin/r1soft/conf/keystore /usr/sbin/r1soft/conf/keystore.old{code}
15. Copy the new keystore file to your *R1Soft* folder.
{code}cp /root/keystore /usr/sbin/r1soft/conf/keystore {code}
16. Restart Backup Manager.
{code}/etc/init.d/cdp-server restart{code}

h4. keytool Options

* *\- alias* \- All keystore entries are accessed via unique aliases. Aliases are case-insensitive. An alias is specified when you add an entity to the keystore using the {{\-import}} command. Subsequent keytool commands must use this same alias to refer to the entity. The alias should be set to "cdp".
* *\- file* \- Define absolute or relative path to your certificate file. If you define only file name, it means, that the file is located in the root directory.
* *\- keystore* \- Each keytool command has a {{\-keystore}} option for specifying the name and location of the persistent keystore file for the keystore managed by keytool. A keystore is created when you use {{\-import}} command to add data to a keystore that does not already exist. If you do not specify a {{\-keystore}} option, the default keystore is a file named {{.keystore}} in your home directory (as determined by the "user.home" system property). If that file does not already exist, it will be created.

{excerpt:hidden=true}{*}Windows:*

Given user name uName, the "user.home" property value defaults to:

{code}C:\Winnt\Profiles\uName on multi-user Windows NT systems

C:\Windows\Profiles\uName on multi-user Windows 95 systems

C:\Windows on single-user Windows 95 systems{code}
{excerpt}
Read more about Java keytool for Windows:
[http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html]\\

{excerpt:hidden=true}{*}Linux:*

The keystore is by default stored in a file named _.keystore_ in the user's home directory, as determined by the "user.home" system property. If you do not specify a \-keystore option, the default keystore is a file named .keystore in your home directory.{excerpt}

Read more about Java keytool for Linux:
[http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html].

----
h3. Configuring Backup Manager for SSL Communication

See [Configure Web Server Options].

{excerpt:hidden=true}Instructions on how to install a certificate signed by an authority.
{excerpt}