Avamar: How to Use Goav security keystore
Summary: Use the Goav tool to show keystore contents or check the health of all the keystores on the Avamar system.
Instructions
Download and Install Goav tool.
See Dell article 000192151, "Avamar: Goav tool", to download and install the Avamar Goav tool.
Notes
- Upon each subsequent release of Avamar, the feature has to be validated again.
- All goav security commands must be run as root.
Features
Show Keystore Contents.
This command gives a drop-down selection prompt to choose which keystore to print.
./goav security keystore show
This command prints all keystores to the screen.
./goav security keystore show --all
Check Keystore and Lockbox Configuration with an optional automatic fix.
This command performs several health checks against all keystores on the Avamar system.
- Check that each keystore exists.
- Check the keystore permissions and ownership.
- Check that the keystore passphrase in the lockbox is synchronized with the keystore.
- Check that each keystore is the proper format (PKCS12).
- Check that each required alias (certificate) is present in each keystore.
- Check that each required alias (certificate) is not expired in each keystore.
- Show results of the checks in the form of green checkmarks for verified configurations and a red "X" for failed verifications with an error message.
./goav security keystore check-config
This command performs several health checks against all keystores and automatically fixes the problems it finds.
- Check that each keystore exists.
- Check the keystore permissions and ownership.
- Check that the keystore passphrase in the lockbox is synchronized with the keystore.
- Check that each keystore is the proper format (PKCS12).
- Check that each required alias (certificate) is present in each keystore.
- Check that each required alias (certificate) is not expired in each keystore.
- Show results of the checks in the form of green checkmarks for verified configurations and a red "X" for failed verifications with an error message.
- Auto regenerate missing keystores.
- Automatically fix permissions and ownership.
- Auto regenerate keystores if the entry for the lockbox keystore passphrase does not match the keystore's set passphrase.
- Back up existing keystores before regeneration: /home/admin/goav_keystore_backup
- Automatically regenerate a keystore or specific alias if a required alias is missing or expired.
- Update MCSSL private key entry from Java RMI keystore to sync with Avinstaller (AVI) and Tomcat keystore.
- Restart appropriate services.
./goav security keystore check-config --fix
Regenerate Keystore.
This command gives a drop-down selection prompt to choose which keystore to regenerate on-demand.
./goav security keystore regenerate
This command regenerates all the keystores.
./goav security keystore regenerate --all
The keystore regeneration command completes the following tasks:
- Back up the existing keystore.
- Regenerate the keystore.
- Update the permissions and ownership of the new keystore.
- Export MCSSL entry from RMI keystore and import to Avinstaller and Tomcat keystore.
- Restart affected services.
Examples
Show a keystore.
root@avamar:/home/admin/#: ./goav security keystore show
===========================================================
GoAv : 1.77
Avamar : 19.10
Date : 08 Jul 2024 13:39 CDT
===========================================================
COMMAND : ./goav security keystore show
NOTE: This is not an official tool
===========================================================
┃ Select Keystore to Print
┃   RMI_SSL_KEYSTORE
┃   AVAMAR_KEYSTORE
┃ > AVI_KEYSTORE
┃   TOMCAT_KEYSTORE
↑ up • ↓ down • / filter • enter submit
Check keystore configuration in passive mode.
root@avamar:/home/admin/#: ./goav security keystore check-config
===========================================================
GoAv : 1.77
Avamar : 19.10
Date : 08 Jul 2024 13:41 CDT
===========================================================
COMMAND : ./goav security keystore check-config
NOTE: This is not an official tool
===========================================================
RMI_SSL_KEYSTORE
----------------
Path              /usr/local/avamar/lib/rmi_ssl_keystore
Exists            ✓
Permissions       ✓
Ownership         ✓
Passphrase        ✓
Format            ✓
Alias Existence   ✓
Alias Expiration  ✓

AVAMAR_KEYSTORE
---------------
Path              /usr/local/avamar/lib/avamar_keystore
Exists            ✓
Permissions       ✓
Ownership         ✓
Passphrase        ✓
Format            ✓
Alias Existence   ✓
Alias Expiration  ✓

AVI_KEYSTORE
------------
Path              /usr/local/avamar/lib/avi/avi_keystore
Exists            ✓
Permissions       ✗ incorrect permissions: r--r--r--
Ownership         ✗ incorrect ownership: admin:root
Passphrase        ✓
Format            ✓
Alias Existence   ✗ missing entries: mcssl
Alias Expiration  ✓

TOMCAT_KEYSTORE
---------------
Path              /home/tomcat/.keystore
Exists            ✓
Permissions       ✓
Ownership         ✓
Passphrase        ✓
Format            ✓
Alias Existence   ✓
Alias Expiration  ✓
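The passive-mode report above can feed a scheduled check or an alert before anyone runs check-config --fix. The following Python parser is an added example, not part of the original article or of the Goav tool: it lists every failed check per keystore and counts a check that never appears in the report as failed. It assumes the real output prints one check per line with the ✓ and ✗ marks shown above; the names parse_report, failures and SAMPLE are hypothetical.

```python
import re
import sys

# Constructed sample (assumed one-check-per-line layout) of the page's AVI_KEYSTORE result.
SAMPLE = """\
AVI_KEYSTORE
------------
Path              /usr/local/avamar/lib/avi/avi_keystore
Exists            ✓
Permissions       ✗ incorrect permissions: r--r--r--
Ownership         ✗ incorrect ownership: admin:root
Passphrase        ✓
Format            ✓
Alias Existence   ✗ missing entries: mcssl
Alias Expiration  ✓
"""

CHECKS = ("Exists", "Permissions", "Ownership", "Passphrase", "Format",
          "Alias Existence", "Alias Expiration")
ANSI = re.compile(r"\x1b\[[0-9;]*m")           # colour codes, if any
HEADER = re.compile(r"^[A-Z0-9_]+_KEYSTORE$")  # section title, e.g. AVI_KEYSTORE

def parse_report(text):
    """Map each keystore to {check: None if it passed, else the error message}."""
    report, current = {}, None
    for raw in text.splitlines():
        line = ANSI.sub("", raw).strip()
        if HEADER.match(line):
            current = report.setdefault(line, {})
        name = next((c for c in CHECKS if line.startswith(c)), None)
        if current is None or name is None:
            continue
        mark, _, detail = line[len(name):].strip().partition(" ")
        current[name] = None if mark == "✓" else (detail.strip() or "failed")
    return report

def failures(report):
    """List (keystore, check, message); a check that never appeared counts as failed."""
    return [(ks, c, res.get(c, "not reported"))
            for ks, res in report.items() for c in CHECKS
            if res.get(c, "not reported") is not None]

if __name__ == "__main__":  # "-" reads stdin and exits 1 on a failure or an empty report
    piped = sys.argv[1:] == ["-"]
    report = parse_report(sys.stdin.read() if piped else SAMPLE)
    found = failures(report)
    for ks, check, msg in found:
        print(f"{ks}: {check}: {msg}")
    sys.exit(1 if piped and (found or not report) else 0)
```

Saved under a name of your choice and given the report on standard input with the single argument "-", the script exits non-zero when any check failed or when no keystore section could be parsed, so a truncated or empty report is not mistaken for a healthy system.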
Check keystore configuration in active/automatic fix mode.
root@avamar:/home/admin/#: ./goav security keystore check-config --fix
===========================================================
GoAv : 1.77
Avamar : 19.10
Date : 08 Jul 2024 13:42 CDT
===========================================================
COMMAND : ./goav security keystore check-config --fix
NOTE: This is not an official tool
===========================================================
RMI_SSL_KEYSTORE
----------------
Path              /usr/local/avamar/lib/rmi_ssl_keystore
Exists            ✓
Permissions       ✓
Ownership         ✓
Passphrase        ✓
Format            ✓
Alias Existence   ✓
Alias Expiration  ✓

AVAMAR_KEYSTORE
---------------
Path              /usr/local/avamar/lib/avamar_keystore
Exists            ✓
Permissions       ✓
Ownership         ✓
Passphrase        ✓
Format            ✓
Alias Existence   ✓
Alias Expiration  ✓

AVI_KEYSTORE
------------
Path              /usr/local/avamar/lib/avi/avi_keystore
Exists            ✓
Permissions       ✗ incorrect permissions: r--r--r--
Ownership         ✗ incorrect ownership: admin:root
Passphrase        ✓
Format            ✓
Alias Existence   ✗ missing entries: mcssl
Alias Expiration  ✓

TOMCAT_KEYSTORE
---------------
Path              /home/tomcat/.keystore
Exists            ✓
Permissions       ✓
Ownership         ✓
Passphrase        ✓
Format            ✓
Alias Existence   ✓
Alias Expiration  ✓

Fix Keystore Issues
-------------------
⢿ Fixing any AVI_KEYSTORE issues...
Regenerate a keystore on-demand.
root@avamar:/home/admin/#: ./goav security keystore regenerate
===========================================================
GoAv : 1.77
Avamar : 19.10
Date : 08 Jul 2024 13:45 CDT
===========================================================
COMMAND : ./goav security keystore regenerate
NOTE: This is not an official tool
===========================================================
┃ Select Keystore to Regenerate
┃   RMI_SSL_KEYSTORE
┃   AVAMAR_KEYSTORE
┃ > AVI_KEYSTORE
┃   TOMCAT_KEYSTORE
↑ up • ↓ down • / filter • enter submit

// user selected to regenerate AVI_KEYSTORE

Fix Keystore Issues
-------------------
⣟ Restarting Avinstaller...