Avamar: How to Regenerate Certificates
Summary: How to reset or regenerate certificates because of expiration (or misconfiguration).
Instructions
Use cases:
- On-demand certificate regeneration.
- When Avamar services are down and cannot be restarted because of expired or misconfigured certificates.
Notes:
- Several of these procedures require running services to be restarted. This can interrupt running backups and replication jobs. Services must not be restarted while Avamar maintenance tasks are running (checkpoint (cp), checkpoint validation (hfscheck), or garbage collection).
- Regenerating the keystores and updating the Data Domain certificate store can be done automatically with the GoAV tool. See the following article for more information: Avamar: How to Use the GoAV Security Keystore
- If the GoAV tool will be used, make sure the latest copy is downloaded to the Avamar and extracted: GoAV Product Tool for Administration and Troubleshooting
- A checkpoint MUST be created before performing any update.
Review the existing expirations to determine which updates are needed:
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Set the "storepath" variable:
For Avamar v19.7 and later:
storepath=/home/tomcat/.keystore
For Avamar 19.4 and earlier:
storepath=/home/admin/.keystore
- Run the following command to print the certificate expiration dates:
storepass=`ask_pass -r keystore_passphrase` && echo "MC Root certificates: " && keytool -list -keystore /usr/local/avamar/lib/avamar_keystore -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "MCSDK certificate: " && keytool -list -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "Admin/DTLT certificate: " && keytool -list -alias tomcat -keystore $storepath -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "Avi certificate: " && keytool -list -alias tomcat -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "Apache certificate: " && openssl x509 -in /etc/apache2/ssl.crt/server.crt -noout -dates
Sample results (based on commands run on February 18, 2026):
    MC Root certificates:
    Alias name: mcectls
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
    Alias name: mcrsatls
    Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Feb 12 20:21:50 PST 2030
    Alias name: mcecroot
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
    Alias name: mcrsaroot
    Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Feb 12 20:21:49 PST 2030
    MCSDK certificate:
    Alias name: mcssl
    Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
    Alias name: mcjwt
    Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035
    Admin/DTLT certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035
    Avi certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035
    Apache certificate:
    notBefore=Feb 1 04:49:34 2022 GMT
    notAfter=Jan 31 04:49:34 2027 GMT
(Nothing has expired.)
    MC Root certificates:
    Alias name: mcectls
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Mar 12 20:21:48 PST 2026
    Alias name: mcrsatls
    Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Mar 12 20:21:50 PST 2026
    Alias name: mcecroot
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Mar 12 20:21:48 PST 2026
    Alias name: mcrsaroot
    Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Mar 12 20:21:49 PST 2026
    MCSDK certificate:
    Alias name: mcssl
    Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
    Alias name: mcjwt
    Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035
    Admin/DTLT certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035
    Avi certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035
    Apache certificate:
    notBefore=Feb 1 04:49:34 2022 GMT
    notAfter=Jan 31 04:49:34 2027 GMT
(The MC root certificates expire within a month.)
    MC Root certificates:
    Alias name: mcectls
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2026
    Alias name: mcrsatls
    Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Feb 12 20:21:50 PST 2026
    Alias name: mcecroot
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2026
    Alias name: mcrsaroot
    Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Feb 12 20:21:49 PST 2026
    MCSDK certificate:
    Alias name: mcssl
    Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
    Alias name: mcjwt
    Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035
    Admin/DTLT certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035
    Avi certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035
    Apache certificate:
    notBefore=Feb 1 04:49:34 2022 GMT
    notAfter=Jan 31 04:49:34 2027 GMT
(The MC root certificates have expired.)
    MC Root certificates:
    Alias name: mcectls
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
    Alias name: mcrsatls
    Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Feb 12 20:21:50 PST 2030
    Alias name: mcecroot
    Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
    Alias name: mcrsaroot
    Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Feb 12 20:21:49 PST 2030
    MCSDK certificate:
    Alias name: mcssl
    Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
    Alias name: mcjwt
    Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035
    Admin/DTLT certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035
    Avi certificate:
    Alias name: tomcat
    Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035
    Apache certificate:
    notBefore=Feb 1 04:49:34 2021 GMT
    notAfter=Jan 31 04:49:34 2026 GMT
(The Apache certificate has expired.)
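The comparison done by eye above can be scripted. The following is an added example, not part of the original article or of any Dell tooling: a Python parser for the output of the expiry command that reports which store holds an expired or soon-to-expire certificate. The sample text is constructed in the format shown above; the 30-day warning window and all function names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Section headers echoed by the expiry command -> the store each one reads.
# Paths are the ones used in that command; "$storepath" depends on the version.
STORE_FOR_SECTION = {
    "MC Root certificates": "/usr/local/avamar/lib/avamar_keystore",
    "MCSDK certificate": "/usr/local/avamar/lib/rmi_ssl_keystore",
    "Admin/DTLT certificate": "$storepath",
    "Avi certificate": "/usr/local/avamar/lib/avi/avi_keystore",
    "Apache certificate": "/etc/apache2/ssl.crt/server.crt",
}

SECTION_RE = re.compile(r"^(.+ certificates?):$")
ALIAS_RE = re.compile(r"Alias name:\s*(\S+)")
# keytool: "Valid from: ... until: Tue Mar 12 20:21:48 PST 2026"
KEYTOOL_RE = re.compile(
    r"until:\s*\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4})")
# openssl: "notAfter=Jan 31 04:49:34 2026 GMT"
OPENSSL_RE = re.compile(
    r"notAfter=(?P<mon>\w{3}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4})")

# Constructed sample in the format of the command's output (not real data).
SAMPLE = """\
MC Root certificates:
Alias name: mcectls
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Mar 12 20:21:48 PST 2026
Alias name: mcrsaroot
Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Mar 12 20:21:49 PST 2026

MCSDK certificate:
Alias name: mcssl
Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035

Admin/DTLT certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035

Avi certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035

Apache certificate:
notBefore=Feb  1 04:49:34 2021 GMT
notAfter=Jan 31 04:49:34 2026 GMT
"""


def _to_datetime(m):
    # The time-zone abbreviation is dropped, so results can be off by a few
    # hours; that is acceptable against a warning window measured in days.
    stamp = f"{m['mon']} {m['day']} {m['time']} {m['year']}"
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")


def parse_report(text):
    """Return [(section, alias, not_after)] for every expiry line found."""
    rows, section, alias = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, alias = m.group(1), None
            continue
        m = ALIAS_RE.search(line)
        if m:
            alias = m.group(1)
        m = KEYTOOL_RE.search(line) or OPENSSL_RE.search(line)
        if m:
            # The Apache PEM file has no alias; label it by file name.
            rows.append((section, alias or "server.crt", _to_datetime(m)))
    return rows


def classify(not_after, now, warn_days=30):
    """EXPIRED, EXPIRING (inside the warning window) or OK."""
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= timedelta(days=warn_days):
        return "EXPIRING"
    return "OK"


def stores_needing_regeneration(text, now, warn_days=30):
    """Map each affected store to the worst status among its entries."""
    worst = {}
    for section, _alias, not_after in parse_report(text):
        status = classify(not_after, now, warn_days)
        if status == "OK":
            continue
        store = STORE_FOR_SECTION.get(section, section)
        if worst.get(store) != "EXPIRED":
            worst[store] = status
    return worst


if __name__ == "__main__":
    ref = datetime(2026, 2, 18)  # the date the article's samples were taken
    for section, alias, not_after in parse_report(SAMPLE):
        print(f"{classify(not_after, ref):9} {not_after:%Y-%m-%d} "
              f"{section} [{alias}]")
    print(stores_needing_regeneration(SAMPLE, ref))
```

Each store reported maps to one of the appendix procedures; a store listed as EXPIRING can be scheduled outside backup and maintenance windows, while EXPIRED ones are the likely cause of services that fail to start.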
Update the affected certificates using the corresponding section in the appendix below:
- Regenerating only the Apache certificates
- Regenerating only the Tomcat certificates
- Regenerating only the AVI certificates
- Regenerating the Management Console Server (MCS) developer kit (MCSDK) certificates
- Regenerating the Management Console (MC) root certificates
- Regenerating all certificates
Perform post-change checks:
- Verify that all Avamar services are running:
dpnctl status
- Perform a test backup.
- Browse a backup for restore.
Appendix:
Regenerating only the Apache certificates:
Apache certificates are stored as regular Privacy Enhanced Mail (PEM) format certificate files.
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Back up the existing certificate files:
cp -p /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.crt/server.crt.`date +%y%m%d`
cp -p /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.`date +%y%m%d`
- Verify that the backup copies exist:
ls -al /etc/apache2/ssl.crt/server.crt*
ls -al /etc/apache2/ssl.key/server.key*
- The Apache certificate can be updated with GoAV (v18.4 and later) OR by running an Avamar script:
GoAV (and sample output):
./goav security certificate apache regenerate
    ╔════════════════════════════════════════════════════════╗
    ║ GoAV v2.02                                             ║
    ╟────────────────────────────────────────────────────────╢
    ║ Build : 02 Feb 2026 19:03 UTC                          ║
    ║ Date  : 18 Feb 2026 04:52 UTC                          ║
    ║ Avamar: 19.4.100-124                                   ║
    ╟────────────────────────────────────────────────────────╢
    ║ Command:./goav security certificate apache regenerate  ║
    ╟────────────────────────────────────────────────────────╢
    ║ NOTE: This tool was created and is maintained          ║
    ║       by the ISG Support Tools team.                   ║
    ╚════════════════════════════════════════════════════════╝
    ┃ Select a Key Size in bits:
    ┃ > 2048
    ┃   3072
    ┃   4096
(Select the required key size, or accept the default of 2048.)
    Apache x509 Certificate Configuration
    -------------------------------------
    Apache Private Key
    ------------------
    Location /etc/apache2/ssl.key/server.key
    Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
    Key Size 2048
    Apache Server Cert
    ------------------
    Location /etc/apache2/ssl.crt/server.crt
    Serial 129741042722659803976190762572696306257
    Subject C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
    Issuer C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
    Valid Range YYYY/MM/DD - valid from: 2026/02/18, valid to: 2028/02/18
    Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
    Key Size 2048
    Subject Alt Names server.company.com
-- or --
Avamar script (and sample output):
gen-ssl-cert --updateapache --noupdateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
    openssl genrsa -out /tmp/gen-ssl-cert-server.key.9085 3072
    Generating RSA private key, 3072 bit long modulus
    e is 65537 (0x10001)
    openssl req -new -key /tmp/gen-ssl-cert-server.key.9085 -out /tmp/gen-ssl-cert-server.csr.9085 < /tmp/gen-ssl-cert-answers.9085
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    ...
    |-30200 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
    `-30206 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
    Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
    /sbin/service apache2 stop
    /sbin/service apache2 start
Regenerating only the Tomcat certificates:
- The Tomcat keystore stores the Tomcat certificates.
- This regenerates "/home/tomcat/.keystore" or "/home/admin/.keystore", depending on the Avamar version.
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Back up the existing keystore:
cp -p /home/tomcat/.keystore /home/tomcat/.keystore.`date +%y%m%d`
(On Avamar 19.4 and earlier, use /home/admin/.keystore instead of /home/tomcat/.keystore.)
- Verify that the backup copy exists:
ls -al /home/tomcat/.keystore*
(On Avamar 19.4 and earlier, use /home/admin/.keystore instead of /home/tomcat/.keystore.)
- The keystore can be updated with GoAV OR by running commands on the Avamar:
GoAV command (and sample output):
./goav security keystore regenerate
    ╔════════════════════════════════════════════════════════╗
    ║ GoAV v2.02                                             ║
    ╟────────────────────────────────────────────────────────╢
    ║ Build : 02 Feb 2026 19:03 UTC                          ║
    ║ Date  : 18 Feb 2026 05:37 UTC                          ║
    ║ Avamar: 19.4.100-124                                   ║
    ╟────────────────────────────────────────────────────────╢
    ║ Command:/home/admin/20260218/goav security keystore    ║
    ║         regenerate                                     ║
    ╟────────────────────────────────────────────────────────╢
    ║ NOTE: This tool was created and is maintained          ║
    ║       by the ISG Support Tools team.                   ║
    ╚════════════════════════════════════════════════════════╝
    ┃ Select Keystore to Regenerate
    ┃   RMI_SSL_KEYSTORE
    ┃   AVAMAR_KEYSTORE
    ┃   AVI_KEYSTORE
    ┃ > TOMCAT_KEYSTORE
(Select TOMCAT_KEYSTORE.)
    ⣯ Fixing any Tomcat issues ...
    ══════════════════ Fixing Keystore Issues ══════════════════
    Regenerated Tomcat Keystore ✓
    ═══════════════════ Restarting Services ═══════════════════
    ┃ Tomcat restart required, restart Tomcat?
    ┃
    ┃ yes no
(Select "yes".)
    ═══════════════════ Restarting Services ═══════════════════
    ⣻ Restarting Tomcat...
    ...
    Tomcat restarted
-- or --
Avamar commands:
- Set the TOMCAT_KEYSTORE variable:
For Avamar v19.7 and later:
TOMCAT_KEYSTORE=/home/tomcat/.keystore
For Avamar 19.4 and earlier:
TOMCAT_KEYSTORE=/home/admin/.keystore
- Regenerate the Tomcat keystore by running the following commands:
mv $TOMCAT_KEYSTORE /home/admin/tomcat_keystore.bak
keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 3072 -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase) -validity 3650 -dname "CN=$(hostname -f), OU=Dell EMC, O=Dell Technologies, L=Irvine, ST=California, C=US"
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase)
- Update the keystore permissions and ownership:
For Avamar v19.7 and later:
chmod 640 $TOMCAT_KEYSTORE
chown root:tomcat $TOMCAT_KEYSTORE
For Avamar 19.4 and earlier:
chmod 740 $TOMCAT_KEYSTORE
chown admin:admin $TOMCAT_KEYSTORE
Regenerating only the AVI certificates:
This regenerates /usr/local/avamar/lib/avi/avi_keystore
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Back up the existing keystore:
cp -p /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore.`date +%y%m%d`
- Verify that the backup copy exists:
ls -al /usr/local/avamar/lib/avi/avi_keystore*
- The keystore can be updated with GoAV OR by running commands on the Avamar:
GoAV commands (and sample output):
./goav security keystore regenerate
    ╔════════════════════════════════════════════════════════╗
    ║ GoAV v2.02                                             ║
    ╟────────────────────────────────────────────────────────╢
    ║ Build : 02 Feb 2026 19:03 UTC                          ║
    ║ Date  : 18 Feb 2026 05:37 UTC                          ║
    ║ Avamar: 19.4.100-124                                   ║
    ╟────────────────────────────────────────────────────────╢
    ║ Command:/home/admin/20260218/goav security keystore    ║
    ║         regenerate                                     ║
    ╟────────────────────────────────────────────────────────╢
    ║ NOTE: This tool was created and is maintained          ║
    ║       by the ISG Support Tools team.                   ║
    ╚════════════════════════════════════════════════════════╝
    ┃ Select Keystore to Regenerate
    ┃   RMI_SSL_KEYSTORE
    ┃   AVAMAR_KEYSTORE
    ┃ > AVI_KEYSTORE
    ┃   TOMCAT_KEYSTORE
(Select AVI_KEYSTORE.)
    ...
    ══════════════════ Fixing Keystore Issues ══════════════════
    Regenerated Avi Keystore ✓
    ═══════════════════ Restarting Services ═══════════════════
    ┃ Avinstaller restart required, restart AVI?
    ┃
    ┃ yes no
(Select "yes".)
    ═══════════════════ Restarting Services ═══════════════════
    ⣽ Restarting Avinstaller...
    ...
    Avinstaller restarted
-- OR --
Avamar commands (and sample output):
(The service restarts automatically.)
mv /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore-$(date -I)
gen-ssl-cert --norestart --noupdateapache --updateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
    gen-ssl-cert: INFO: Regenerating avinstaller SSL certifcate
    keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keypass ######### -storepass ########## -keystore /usr/local/avamar/lib/avi/avi_keystore -validity 3650 -dname "CN=server.company.com, O=Dell Technologies, OU=Dell EMC, L=Irvine, S=CA, C=US"
    gen-ssl-cert: INFO: Successfully created tomcat in java keystore
    gen-ssl-cert: INFO: Restarting avinstaller service
    gen-ssl-cert: INFO: avinstaller service restart complete
    gen-ssl-cert: INFO: Restarting LDLS service
    gen-ssl-cert: INFO: LDLS service restart complete
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
    Certificate stored in file </tmp/mcssl.pem>
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
    Owner: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
    Issuer: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
    Serial number: d93e3be
    Valid from: Wed Feb 18 16:11:15 PST 2026 until: Sat Feb 16 16:11:15 PST 2036
    Certificate fingerprints:
    SHA1: 82:82:81:B4:C9:BD:03:E1:8A:E0:AE:8A:59:55:EF:B5:1F:3B:27:5F
    SHA256: AC:E7:AE:CE:04:13:E0:86:88:1E:3E:FA:17:DA:B6:A5:3D:3D:74:F3:EB:70:57:63:58:B1:74:B3:50:28:EA:01
    Signature algorithm name: SHA512withRSA
    Subject Public Key Algorithm: 3072-bit RSA key
    Version: 3
    Trust this certificate? [no]:
Enter "y".
    Certificate was added to keystore
chmod 644 /usr/local/avamar/lib/avi/avi_keystore
chown avi:avi /usr/local/avamar/lib/avi/avi_keystore
Regenerating the Management Console Server (MCS) developer kit (MCSDK) certificates:
- This updates the Avamar RMI keystore, which contains the MCSDK certificate and the JWT signing key.
- This regenerates "/usr/local/avamar/lib/rmi_ssl_keystore".
- The MCSDK certificate handles Java Remote Method Invocation (RMI) communications with Data Protection Central (DPC), Avamar Administrator Console, Proxy Deployment Manager (PDM), and Client Manager (AAM).
- The Tomcat certificate must also be updated. The Tomcat keystore stores the Tomcat certificates.
- This regenerates "/home/tomcat/.keystore" or "/home/admin/.keystore", depending on the Avamar version.
- The AVI certificates must also be updated.
- This regenerates "/usr/local/avamar/lib/avi/avi_keystore".
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Back up the existing keystores:
cp -p /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore.`date +%y%m%d`
cp -p /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore.`date +%y%m%d`
cp -p /home/tomcat/.keystore /home/tomcat/.keystore.`date +%y%m%d`
(On Avamar 19.4 and earlier, use /home/admin/.keystore instead of /home/tomcat/.keystore.)
- Verify that the backup copies exist:
ls -al /usr/local/avamar/lib/rmi_ssl_keystore*
ls -al /usr/local/avamar/lib/avi/avi_keystore*
ls -al /home/tomcat/.keystore*
(On Avamar 19.4 and earlier, use /home/admin/.keystore instead of /home/tomcat/.keystore.)
- Back up MCS:
- Switch to admin.
- Run the following command to perform the backup (also known as a flush):
mcserver.sh --flush
    === BEGIN === check.mcs (preflush)
    check.mcs passed
    === PASS === check.mcs PASSED OVERALL (preflush)
    Flushing Administrator Server...
    Administrator Server flushed.
- Type exit to return to the root session.
- The keystores can be updated with GoAV OR by running commands on the Avamar:
GoAV commands (and sample output):
- MCSDK:
./goav security keystore regenerate
    ╔════════════════════════════════════════════════════════╗
    ║ GoAV v2.02                                             ║
    ╟────────────────────────────────────────────────────────╢
    ║ Build : 02 Feb 2026 19:03 UTC                          ║
    ║ Date  : 18 Feb 2026 05:37 UTC                          ║
    ║ Avamar: 19.4.100-124                                   ║
    ╟────────────────────────────────────────────────────────╢
    ║ Command:/home/admin/20260218/goav security keystore    ║
    ║         regenerate                                     ║
    ╟────────────────────────────────────────────────────────╢
    ║ NOTE: This tool was created and is maintained          ║
    ║       by the ISG Support Tools team.                   ║
    ╚════════════════════════════════════════════════════════╝
    ┃ Select Keystore to Regenerate
    ┃ > RMI_SSL_KEYSTORE
    ┃   AVAMAR_KEYSTORE
    ┃   AVI_KEYSTORE
    ┃   TOMCAT_KEYSTORE
(Select RMI_SSL_KEYSTORE.)
    ⣯ Stopping MCS...
    ...
    ══════════════════ Fixing Keystore Issues ══════════════════
    Regenerated RMI Keystore ✓
    ══════ Loading vCenter Certificates into RMI Keystore ══════
    ═══════════════════ Restarting Services ═══════════════════
    ┃ MCS restart required, restart MCS?
    ┃
    ┃ yes no
(Select "yes".)
If the following is received:
    unable to take mcs flush: The Administrator Server is not running.
    ERROR: Cannot flush the Administrator Server while it is not running.
    Start the Administrator Server first.
Manually restart MCS by running the following command as admin:
mcserver.sh --start
- Tomcat:
./goav security keystore regenerate
    ╔════════════════════════════════════════════════════════╗
    ║ GoAV v2.02                                             ║
    ╟────────────────────────────────────────────────────────╢
    ║ Build : 02 Feb 2026 19:03 UTC                          ║
    ║ Date  : 18 Feb 2026 05:37 UTC                          ║
    ║ Avamar: 19.4.100-124                                   ║
    ╟────────────────────────────────────────────────────────╢
    ║ Command:/home/admin/20260218/goav security keystore    ║
    ║         regenerate                                     ║
    ╟────────────────────────────────────────────────────────╢
    ║ NOTE: This tool was created and is maintained          ║
    ║       by the ISG Support Tools team.                   ║
    ╚════════════════════════════════════════════════════════╝
    ┃ Select Keystore to Regenerate
    ┃   RMI_SSL_KEYSTORE
    ┃   AVAMAR_KEYSTORE
    ┃   AVI_KEYSTORE
    ┃ > TOMCAT_KEYSTORE
(Select TOMCAT_KEYSTORE.)
    ⣯ Fixing any Tomcat issues ...
    ══════════════════ Fixing Keystore Issues ══════════════════
    Regenerated Tomcat Keystore ✓
    ═══════════════════ Restarting Services ═══════════════════
    ┃ Tomcat restart required, restart Tomcat?
    ┃
    ┃ yes no
(Select "yes".)
    ═══════════════════ Restarting Services ═══════════════════
    ⣻ Restarting Tomcat...
    ...
    Tomcat restarted
- AVI:
./goav security keystore regenerate
    ╔════════════════════════════════════════════════════════╗
    ║ GoAV v2.02                                             ║
    ╟────────────────────────────────────────────────────────╢
    ║ Build : 02 Feb 2026 19:03 UTC                          ║
    ║ Date  : 18 Feb 2026 05:37 UTC                          ║
    ║ Avamar: 19.4.100-124                                   ║
    ╟────────────────────────────────────────────────────────╢
    ║ Command:/home/admin/20260218/goav security keystore    ║
    ║         regenerate                                     ║
    ╟────────────────────────────────────────────────────────╢
    ║ NOTE: This tool was created and is maintained          ║
    ║       by the ISG Support Tools team.                   ║
    ╚════════════════════════════════════════════════════════╝
    ┃ Select Keystore to Regenerate
    ┃   RMI_SSL_KEYSTORE
    ┃   AVAMAR_KEYSTORE
    ┃ > AVI_KEYSTORE
    ┃   TOMCAT_KEYSTORE
(Select AVI_KEYSTORE.)
    ...
    ══════════════════ Fixing Keystore Issues ══════════════════
    Regenerated Avi Keystore ✓
    ═══════════════════ Restarting Services ═══════════════════
    ┃ Avinstaller restart required, restart AVI?
    ┃
    ┃ yes no
(Select "yes".)
    ═══════════════════ Restarting Services ═══════════════════
    ⣽ Restarting Avinstaller...
    ...
    Avinstaller restarted ✓
Avamar commands:
- MCSDK:
mv /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore-$(date -I)
keytool -genkeypair -v -alias mcssl -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
keytool -genkeypair -v -alias mcjwt -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
chown root:admin /usr/local/avamar/lib/rmi_ssl_keystore
chmod 660 /usr/local/avamar/lib/rmi_ssl_keystore
As admin:
mcserver.sh --stop
mcserver.sh --start
- Tomcat:
- Set the TOMCAT_KEYSTORE variable:
For Avamar v19.7 and later:
TOMCAT_KEYSTORE=/home/tomcat/.keystore
For Avamar 19.4 and earlier:
TOMCAT_KEYSTORE=/home/admin/.keystore
- Regenerate the Tomcat keystore by running the following commands:
mv $TOMCAT_KEYSTORE /home/admin/tomcat_keystore.bak
keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 3072 -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase) -validity 3650 -dname "CN=$(hostname -f), OU=Dell EMC, O=Dell Technologies, L=Irvine, ST=California, C=US"
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase)
- Update the keystore permissions and ownership:
For Avamar v19.7 and later:
chmod 640 $TOMCAT_KEYSTORE
chown root:tomcat $TOMCAT_KEYSTORE
For Avamar 19.4 and earlier:
chmod 740 $TOMCAT_KEYSTORE
chown admin:admin $TOMCAT_KEYSTORE
- AVI (the service restarts automatically):
mv /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore-$(date -I)
gen-ssl-cert --norestart --noupdateapache --updateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
    gen-ssl-cert: INFO: Regenerating avinstaller SSL certifcate
    keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keypass ######### -storepass ########## -keystore /usr/local/avamar/lib/avi/avi_keystore -validity 3650 -dname "CN=server.company.com, O=Dell Technologies, OU=Dell EMC, L=Irvine, S=CA, C=US"
    gen-ssl-cert: INFO: Successfully created tomcat in java keystore
    gen-ssl-cert: INFO: Restarting avinstaller service
    gen-ssl-cert: INFO: avinstaller service restart complete
    gen-ssl-cert: INFO: Restarting LDLS service
    gen-ssl-cert: INFO: LDLS service restart complete
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
    Certificate stored in file </tmp/mcssl.pem>
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
    Owner: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
    Issuer: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
    Serial number: d93e3be
    Valid from: Wed Feb 18 16:11:15 PST 2026 until: Sat Feb 16 16:11:15 PST 2036
    Certificate fingerprints:
    SHA1: 82:82:81:B4:C9:BD:03:E1:8A:E0:AE:8A:59:55:EF:B5:1F:3B:27:5F
    SHA256: AC:E7:AE:CE:04:13:E0:86:88:1E:3E:FA:17:DA:B6:A5:3D:3D:74:F3:EB:70:57:63:58:B1:74:B3:50:28:EA:01
    Signature algorithm name: SHA512withRSA
    Subject Public Key Algorithm: 3072-bit RSA key
    Version: 3
    Trust this certificate? [no]:
Enter "y".
    Certificate was added to keystore
chmod 644 /usr/local/avamar/lib/avi/avi_keystore
chown avi:avi /usr/local/avamar/lib/avi/avi_keystore
Regeneración de los certificados raíz del servicio de consola de administración (MCS):
- Este paso actualiza todos los certificados raíz de MCS.
- Regenera "/usr/local/avamar/lib/avamar_keystore"
- Estos certificados solo se deben actualizar si vencieron o están a punto de vencer.
- Afecta los respaldos, las restauraciones y la replicación de clientes si la seguridad de sesión está activada.
- Los certificados de red de área de almacenamiento global (GSAN) también se deben volver a generar.
- Inicie sesión en Avamar Utility Node como administrador.
- Eleve al privilegio raíz.
- Realice una copia de respaldo del almacenamiento de claves existente:
cp -p /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore.`date +%y%m%d` - Verifique que exista la copia de respaldo:
ls -al /usr/local/avamar/lib/avamar_keystore* - Respalde MCS:
- Cambie a admin.
- Ejecute el siguiente comando para realizar el respaldo (también conocido como vaciado):
mcserver.sh --flush=== BEGIN === check.mcs (preflush) check.mcs passed === PASS === check.mcs PASSED OVERALL (preflush) Flushing Administrator Server... Administrator Server flushed.
- Escriba "exit" para volver a la sesión como raíz.
- El almacenamiento de claves se puede actualizar mediante GoAV O mediante la ejecución de comandos en Avamar:
GoAV command (y un resultado de muestra):
./goav security keystore regenerate╔════════════════════════════════════════════════════════╗ ║ GoAV v2.02 ║ ╟────────────────────────────────────────────────────────╢ ║ Build : 02 Feb 2026 19:03 UTC ║ ║ Date : 18 Feb 2026 05:37 UTC ║ ║ Avamar: 19.4.100-124 ║ ╟────────────────────────────────────────────────────────╢ ║ Command:/home/admin/20260218/goav security keystore ║ ║ regenerate ║ ╟────────────────────────────────────────────────────────╢ ║ NOTE: This tool was created and is maintained ║ ║ by the ISG Support Tools team. ║ ╚════════════════════════════════════════════════════════╝ ┃ Select Keystore to Regenerate ┃ RMI_SSL_KEYSTORE ┃ > AVAMAR_KEYSTORE ┃ AVI_KEYSTORE ┃ TOMCAT_KEYSTORE
(Seleccione la AVAMAR_KEYSTORE)⣯ Stopping MCS... ... ══════════════════ Fixing Keystore Issues ══════════════════ ⢿ Fixing any AVAMAR_KEYSTORE issues... Regenerated Avamar Keystore ✓ ═══════════════════ Restarting Services ═══════════════════ ┃ MCS restart required, restart MCS? ┃ ┃ yes no ←/→ toggle • enter submit • y yes • n no
(Seleccione "Sí")
Si se recibe lo siguiente:unable to take mcs flush: The Administrator Server is not running. ERROR: Cannot flush the Administrator Server while it is not running. Start the Administrator Server first.
Reinicie manualmente MCS mediante la ejecución del siguiente comando como administrador:mcserver.sh --start-- o --
Avamar Comandos (y ejemplo de salida):
mv /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore-$(date -I)
mcrootca allINFO: Executing mcrootca... INFO: Initializing, may take a few moments... INFO: Generating, saving and verifying MC EC root key and certificate... INFO: Successfully generated, saved and verified MC EC root key and certificate. INFO: Generating and saving EC TLS key and certificate... INFO: Successfully generated and saved EC TLS key and certificate. INFO: Verifying EC TLS certificate... INFO: Successfully verified EC TLS certificate. INFO: Test loading EC CA certificate(s)... INFO: Successfully loaded EC CA certificate(s)... INFO: Verifying EC CA certificate(s)... INFO: Successfully verified EC CA certificate(s)... INFO: Setting EC root key and certificate as new... INFO: Successfully set EC root key and certificate as new. INFO: Generating, saving and verifying MC RSA root key and certificate... INFO: Successfully generated, saved and verified MC RSA root key and certificate. INFO: Generating and saving RSA TLS key and certificate... INFO: Successfully generated and saved RSA TLS key and certificate. INFO: Verifying RSA TLS certificate... INFO: Successfully verified RSA TLS certificate. INFO: Test loading RSA CA certificate(s)... INFO: Successfully loaded RSA CA certificate(s)... INFO: Verifying RSA CA certificate(s)... INFO: Successfully verified RSA CA certificate(s)... INFO: Test loading TLS certificate... INFO: Successfully loaded TLS certificate. INFO: Verifying TLS certificate... INFO: Successfully verified TLS certificate. INFO: Setting RSA root key and certificate as new... INFO: Successfully set RSA root key and certificate as new. INFO: mcrootca exited with return value = 0
As admin:
mcserver.sh --stop
mcserver.sh --start
- Regenerate the GSAN certificates:
- Back up the "/usr/local/avamar/etc" directory:
tar -cvf /home/admin/avamar_etc_bk.`date +%y%m%d` /usr/local/avamar/etc/
- Run the following command:
enable_secure_config.sh --certs
- Update the Data Domain (DD) certificate store:
This can again be done with the GoAV utility or manually.
GoAV command and example output:
./goav dd check-ssl --fix
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 18 Feb 2026 05:37 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav dd check-ssl --fix ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
Session Security Enabled PASSED
DDR Security Feature Manual Flag PASSED
DDR Host Cert Auto Refresh Flag PASSED
GSAN Cert Chain Expiration PASSED
GSAN Server Cert Expiration PASSED
Get Attached Data Domains PASSED
Check DDR Key exists PASSED
Test Port 22: dl003.company.com PASSED
Test ddr_key ssh auth: dl003.company.com PASSED
DD/Avamar time difference: dl003.company.com PASSED
DD SCP enabled: dl003.company.com PASSED
DD NFS enabled: dl003.company.com PASSED
DD system passphrase is set: dl003.company.com PASSED
DD imported-host ddboost: dl003.company.com PASSED
DD host issuer is attached: dl003.company.com PASSED
Av chain.pem imported to DD: dl003.company.com FAILED
avamar gsan chain.pem does not exist on Data Domain
TASK: Delete imported-host ddboost DONE
TASK: Load gsan chain depth 0 DONE
TASK: Delete imported ca/login auth DONE
TASK: Restart ddboost DONE
TASK: Stop MCS DONE
TASK: Start MCS DONE
TASK: Sync Data Domain DONE
Backup Scheduler Status FAILED
Removed /usr/local/avamar/etc/10.n.n.16 ✓
Removed /usr/local/avamar/etc/client/10.n.n.16 ✓
Generating new certificates...
"/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
2025/01/18-18:20:51.46677 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
2026/02/18-18:20:52.13501 [avagent] Config: VARDIR=/usr/local/avamar/var, HOMEDIR=/root
2026/02/18-18:20:52.13506 [avagent] Looking for flag file "/usr/local/avamar/var/avamar.cmd"
2026/02/18-18:20:52.13509 [avagent] Looking for flag file "/usr/local/avamar/var/avagent.cmd"
2026/02/18-18:20:52.13517 [avagent] Looking for flag file "/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
2026/02/18-18:20:52.14446 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/client/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/client/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
Generated certificates for 10.n.n.16 ✓
Testing Avtar connection...
avtar Info <5551>: Command Line: /usr/local/avamar/bin/avtar.bin --flagfile=/usr/local/avamar/etc/usersettings.cfg --server=avacrk003 --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --id=root --password=**************** --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --sysdir=/usr/local/avamar/etc --backups --account=/MC_BACKUPS --count=10 --encrypt=tls
avtar Info <7977>: Starting at 2026-02-18 18:20:53 GMT [avtar Dec 8 2023 07:07:43 19.10.100-135 Linux-x86_64]
avtar Info <6555>: Initializing connection
avtar Info <5552>: Connecting to Avamar Server (avacrk003)
avtar Info <5554>: Connecting to one node in each datacenter
avtar Info <5583>: Login User: "root", Domain: "default", Account: "/MC_BACKUPS"
avtar Info <5580>: Logging in on connection 0 (server 0)
avtar Info <5582>: Avamar Server login successful
avtar Info <10632>: Using Client-ID='6638d648ef621aa9dc20be40ab49e0820dac9b39'
avtar Info <5550>: Successfully logged into Avamar Server [19.10.0-135]
avtar Info <19849>: Selecting 10 backups
avtar Info <7377>: Backups for /MC_BACKUPS as of 2025-11-25 18:20:53 GMT
avtar Info <5314>: Command completed (exit code 0: success)
Date Time Seq Label Size Plugin Working directory Targets
2026-02-18 18:15:56 3726 2034984K Linux /usr/local/avamar var/mc/server_data
2026-02-17 18:08:30 3725 2034952K Linux /usr/local/avamar var/mc/server_data
2026-02-16 17:31:43 3724 2033952K Linux /usr/local/avamar var/mc/server_data
2026-02-15 08:00:31 3723 1035390K Linux /usr/local/avamar var/mc/server_data
2026-02-14 07:45:20 3722 1035346K Linux /usr/local/avamar var/mc/server_data
2026-02-13 08:00:29 3721 1035313K Linux /usr/local/avamar var/mc/server_data
2026-02-12 07:45:19 3720 1035269K Linux /usr/local/avamar var/mc/server_data
2026-02-11 08:00:30 3719 1035419K Linux /usr/local/avamar var/mc/server_data
2026-02-10 07:45:18 3718 1035377K Linux /usr/local/avamar var/mc/server_data
2026-02-09 08:00:30 3717 1035511K Linux /usr/local/avamar var/mc/server_data
-- or --
Manual steps:
- Follow "Scenario 1" of the resolution path article Avamar: DD shows red in the Avamar AUI
- Generate a new set of client certificates for avtar, if they exist:
Check whether client certificates exist in BOTH "/usr/local/avamar/etc" and "/usr/local/avamar/etc/client":
cd /usr/local/avamar/etc/$(hostname -i)
cd /usr/local/avamar/etc/client/$(hostname -i)
If both commands report "No such file or directory", Avamar is not using the client certificate. Go to step 9.
If the directories exist, follow steps c-e below.
- Remove the existing client certificate directory:
Warning: Copy the following commands exactly as shown. DO NOT MODIFY THEM.
rm -r /usr/local/avamar/etc/$(hostname -i)
rm -r /usr/local/avamar/etc/client/$(hostname -i)
- Generate a new set of client certificates for avtar, only for the directories that existed above:
avagent.bin --gencerts=true --mcsaddr=$(hostname -i)
avagent.bin --gencerts=true --mcsaddr=$(hostname -i) --sysdir=/usr/local/avamar/etc/client
- Test a connection to confirm that avtar can connect to GSAN:
avtar --backups --path=/MC_BACKUPS --count=5 --encrypt=tls
- Re-register the clients and the VMware proxies.
- Re-register agent-based clients:
mccli client re-register-all
- Re-register the VMware proxies by rebooting them centrally from Avamar:
mccli mcs reboot-proxy --all
Regenerating all certificates:
All of the certificates and keystores documented above are regenerated.
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Back up the existing keystores:
cp -p /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore.`date +%y%m%d`
cp -p /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore.`date +%y%m%d`
cp -p /home/tomcat/.keystore /home/tomcat/.keystore.`date +%y%m%d`
cp -p /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.crt/server.crt.`date +%y%m%d`
cp -p /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.`date +%y%m%d`
cp -p /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore.`date +%y%m%d`
(On Avamar 19.4 and earlier, use /home/admin/.keystore in place of /home/tomcat/.keystore)
- Verify that the backups exist:
ls -al /usr/local/avamar/lib/rmi_ssl_keystore*
ls -al /usr/local/avamar/lib/avi/avi_keystore*
ls -al /home/tomcat/.keystore*
ls -al /etc/apache2/ssl.crt/server.crt*
ls -al /etc/apache2/ssl.key/server.key*
ls -al /usr/local/avamar/lib/avamar_keystore*
(On Avamar 19.4 and earlier, use /home/admin/.keystore in place of /home/tomcat/.keystore)
- Back up MCS:
- Switch to admin.
- Run the following command to take the backup (also known as a flush):
mcserver.sh --flush
=== BEGIN === check.mcs (preflush)
check.mcs passed
=== PASS === check.mcs PASSED OVERALL (preflush)
Flushing Administrator Server...
Administrator Server flushed.
- Type exit to return to the root session.
- GoAV can be used to regenerate all keystores at once. Alternatively, the commands can be run on Avamar.
GoAV commands and example output:
- Regenerate all keystores:
./goav security keystore regenerate --all
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 19 Feb 2026 05:33 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:./goav security keystore regenerate --all ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
⣯ Stopping MCS...
...
Regenerated RMI Keystore ✓
Regenerated Avamar Keystore ✓
Regenerated Avi Keystore ✓
Regenerated Tomcat Keystore ✓
══════ Loading vCenter Certificates into RMI Keystore ══════
═══════════════════ Restarting Services ═══════════════════
┃ MCS restart required, restart MCS?
┃
┃ yes no
(Select "Yes")
If the following is received:
unable to take mcs flush: The Administrator Server is not running.
ERROR: Cannot flush the Administrator Server while it is not running. Start the Administrator Server first.
Manually restart MCS by running the following command as admin:
mcserver.sh --start
- Apache certificate:
./goav security certificate apache regenerate
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 18 Feb 2026 04:52 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:./goav security certificate apache regenerate ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
┃ Select a Key Size in bits:
┃ > 2048
┃ 3072
┃ 4096
(Select the required key size or accept the default of 2048)
Apache x509 Certificate Configuration
-------------------------------------
Apache Private Key
------------------
Location /etc/apache2/ssl.key/server.key
Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
Key Size 2048
Apache Server Cert
------------------
Location /etc/apache2/ssl.crt/server.crt
Serial 129741042722659803976190762572696306257
Subject C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
Issuer C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
Valid Range YYYY/MM/DD - valid from: 2026/02/18, valid to: 2028/02/18
Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
Key Size 2048
Subject Alt Names server.company.com
Avamar commands and example output:
- MCS root certificates:
mv /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore-$(date -I)
mcrootca all
INFO: Executing mcrootca...
INFO: Initializing, may take a few moments...
INFO: Generating, saving and verifying MC EC root key and certificate...
INFO: Successfully generated, saved and verified MC EC root key and certificate.
INFO: Generating and saving EC TLS key and certificate...
INFO: Successfully generated and saved EC TLS key and certificate.
INFO: Verifying EC TLS certificate...
INFO: Successfully verified EC TLS certificate.
INFO: Test loading EC CA certificate(s)...
INFO: Successfully loaded EC CA certificate(s)...
INFO: Verifying EC CA certificate(s)...
INFO: Successfully verified EC CA certificate(s)...
INFO: Setting EC root key and certificate as new...
INFO: Successfully set EC root key and certificate as new.
INFO: Generating, saving and verifying MC RSA root key and certificate...
INFO: Successfully generated, saved and verified MC RSA root key and certificate.
INFO: Generating and saving RSA TLS key and certificate...
INFO: Successfully generated and saved RSA TLS key and certificate.
INFO: Verifying RSA TLS certificate...
INFO: Successfully verified RSA TLS certificate.
INFO: Test loading RSA CA certificate(s)...
INFO: Successfully loaded RSA CA certificate(s)...
INFO: Verifying RSA CA certificate(s)...
INFO: Successfully verified RSA CA certificate(s)...
INFO: Test loading TLS certificate...
INFO: Successfully loaded TLS certificate.
INFO: Verifying TLS certificate...
INFO: Successfully verified TLS certificate.
INFO: Setting RSA root key and certificate as new...
INFO: Successfully set RSA root key and certificate as new.
INFO: mcrootca exited with return value = 0
As admin:
mcserver.sh --stop
mcserver.sh --start
- MCSDK:
mv /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore-$(date -I)
keytool -genkeypair -v -alias mcssl -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
keytool -genkeypair -v -alias mcjwt -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
chown root:admin /usr/local/avamar/lib/rmi_ssl_keystore
chmod 660 /usr/local/avamar/lib/rmi_ssl_keystore
As admin:
mcserver.sh --stop
mcserver.sh --start
- Tomcat:
- Set the TOMCAT_KEYSTORE variable:
For Avamar v19.7 and later:
TOMCAT_KEYSTORE=/home/tomcat/.keystore
For Avamar 19.4 and earlier:
TOMCAT_KEYSTORE=/home/admin/.keystore
- Regenerate the Tomcat keystore by running the following commands:
mv $TOMCAT_KEYSTORE /home/admin/tomcat_keystore.bak
keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 3072 -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase) -validity 3650 -dname "CN=$(hostname -f), OU=Dell EMC, O=Dell Technologies, L=Irvine, ST=California, C=US"
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase)
- Update the keystore permissions and ownership:
For Avamar v19.7 and later:
chmod 640 $TOMCAT_KEYSTORE
chown root:tomcat $TOMCAT_KEYSTORE
For Avamar 19.4 and earlier:
chmod 740 $TOMCAT_KEYSTORE
chown admin:admin $TOMCAT_KEYSTORE
- AVI (the service restarts automatically):
mv /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore-$(date -I)
gen-ssl-cert --norestart --noupdateapache --updateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
gen-ssl-cert: INFO: Regenerating avinstaller SSL certifcate
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keypass ######### -storepass ########## -keystore /usr/local/avamar/lib/avi/avi_keystore -validity 3650 -dname "CN=server.company.com, O=Dell Technologies, OU=Dell EMC, L=Irvine, S=CA, C=US"
gen-ssl-cert: INFO: Successfully created tomcat in java keystore
gen-ssl-cert: INFO: Restarting avinstaller service
gen-ssl-cert: INFO: avinstaller service restart complete
gen-ssl-cert: INFO: Restarting LDLS service
gen-ssl-cert: INFO: LDLS service restart complete
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Certificate stored in file </tmp/mcssl.pem>
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Owner: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Issuer: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Serial number: d93e3be
Valid from: Wed Feb 18 16:11:15 PST 2026 until: Sat Feb 16 16:11:15 PST 2036
Certificate fingerprints:
SHA1: 82:82:81:B4:C9:BD:03:E1:8A:E0:AE:8A:59:55:EF:B5:1F:3B:27:5F
SHA256: AC:E7:AE:CE:04:13:E0:86:88:1E:3E:FA:17:DA:B6:A5:3D:3D:74:F3:EB:70:57:63:58:B1:74:B3:50:28:EA:01
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Trust this certificate? [no]:
Select "y".
Certificate was added to keystore
chmod 644 /usr/local/avamar/lib/avi/avi_keystore
chown avi:avi /usr/local/avamar/lib/avi/avi_keystore
- Apache certificate:
gen-ssl-cert --updateapache --noupdateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
openssl genrsa -out /tmp/gen-ssl-cert-server.key.9085 3072
Generating RSA private key, 3072 bit long modulus
e is 65537 (0x10001)
openssl req -new -key /tmp/gen-ssl-cert-server.key.9085 -out /tmp/gen-ssl-cert-server.csr.9085 < /tmp/gen-ssl-cert-answers.9085
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
...
|-30200 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
`-30206 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
/sbin/service apache2 stop
/sbin/service apache2 start
- Regenerate the GSAN certificates:
- Back up the "/usr/local/avamar/etc" directory:
tar -cvf /home/admin/avamar_etc_bk.`date +%y%m%d` /usr/local/avamar/etc/
- Run the following command:
enable_secure_config.sh --certs
- Update the Data Domain (DD) certificate store:
This can again be done with the GoAV utility or manually.
GoAV command and example output:
./goav dd check-ssl --fix
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 18 Feb 2026 05:37 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav dd check-ssl --fix ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
Session Security Enabled PASSED
DDR Security Feature Manual Flag PASSED
DDR Host Cert Auto Refresh Flag PASSED
GSAN Cert Chain Expiration PASSED
GSAN Server Cert Expiration PASSED
Get Attached Data Domains PASSED
Check DDR Key exists PASSED
Test Port 22: dl003.company.com PASSED
Test ddr_key ssh auth: dl003.company.com PASSED
DD/Avamar time difference: dl003.company.com PASSED
DD SCP enabled: dl003.company.com PASSED
DD NFS enabled: dl003.company.com PASSED
DD system passphrase is set: dl003.company.com PASSED
DD imported-host ddboost: dl003.company.com PASSED
DD host issuer is attached: dl003.company.com PASSED
Av chain.pem imported to DD: dl003.company.com FAILED
avamar gsan chain.pem does not exist on Data Domain
TASK: Delete imported-host ddboost DONE
TASK: Load gsan chain depth 0 DONE
TASK: Delete imported ca/login auth DONE
TASK: Restart ddboost DONE
TASK: Stop MCS DONE
TASK: Start MCS DONE
TASK: Sync Data Domain DONE
Backup Scheduler Status FAILED
Removed /usr/local/avamar/etc/10.n.n.16 ✓
Removed /usr/local/avamar/etc/client/10.n.n.16 ✓
Generating new certificates...
"/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
2025/01/18-18:20:51.46677 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
2026/02/18-18:20:52.13501 [avagent] Config: VARDIR=/usr/local/avamar/var, HOMEDIR=/root
2026/02/18-18:20:52.13506 [avagent] Looking for flag file "/usr/local/avamar/var/avamar.cmd"
2026/02/18-18:20:52.13509 [avagent] Looking for flag file "/usr/local/avamar/var/avagent.cmd"
2026/02/18-18:20:52.13517 [avagent] Looking for flag file "/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
2026/02/18-18:20:52.14446 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/client/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/client/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
Generated certificates for 10.n.n.16 ✓
Testing Avtar connection...
avtar Info <5551>: Command Line: /usr/local/avamar/bin/avtar.bin --flagfile=/usr/local/avamar/etc/usersettings.cfg --server=avacrk003 --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --id=root --password=**************** --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --sysdir=/usr/local/avamar/etc --backups --account=/MC_BACKUPS --count=10 --encrypt=tls
avtar Info <7977>: Starting at 2026-02-18 18:20:53 GMT [avtar Dec 8 2023 07:07:43 19.10.100-135 Linux-x86_64]
avtar Info <6555>: Initializing connection
avtar Info <5552>: Connecting to Avamar Server (avacrk003)
avtar Info <5554>: Connecting to one node in each datacenter
avtar Info <5583>: Login User: "root", Domain: "default", Account: "/MC_BACKUPS"
avtar Info <5580>: Logging in on connection 0 (server 0)
avtar Info <5582>: Avamar Server login successful
avtar Info <10632>: Using Client-ID='6638d648ef621aa9dc20be40ab49e0820dac9b39'
avtar Info <5550>: Successfully logged into Avamar Server [19.10.0-135]
avtar Info <19849>: Selecting 10 backups
avtar Info <7377>: Backups for /MC_BACKUPS as of 2025-11-25 18:20:53 GMT
avtar Info <5314>: Command completed (exit code 0: success)
Date Time Seq Label Size Plugin Working directory Targets
2026-02-18 18:15:56 3726 2034984K Linux /usr/local/avamar var/mc/server_data
2026-02-17 18:08:30 3725 2034952K Linux /usr/local/avamar var/mc/server_data
2026-02-16 17:31:43 3724 2033952K Linux /usr/local/avamar var/mc/server_data
2026-02-15 08:00:31 3723 1035390K Linux /usr/local/avamar var/mc/server_data
2026-02-14 07:45:20 3722 1035346K Linux /usr/local/avamar var/mc/server_data
2026-02-13 08:00:29 3721 1035313K Linux /usr/local/avamar var/mc/server_data
2026-02-12 07:45:19 3720 1035269K Linux /usr/local/avamar var/mc/server_data
2026-02-11 08:00:30 3719 1035419K Linux /usr/local/avamar var/mc/server_data
2026-02-10 07:45:18 3718 1035377K Linux /usr/local/avamar var/mc/server_data
2026-02-09 08:00:30 3717 1035511K Linux /usr/local/avamar var/mc/server_data
-- or --
Manual steps:
- Follow "Scenario 1" of the resolution path article Avamar: DD shows red in the Avamar AUI
- Generate a new set of client certificates for avtar, if they exist:
Check whether client certificates exist in BOTH "/usr/local/avamar/etc" and "/usr/local/avamar/etc/client":
cd /usr/local/avamar/etc/$(hostname -i)
cd /usr/local/avamar/etc/client/$(hostname -i)
If both commands report "No such file or directory", Avamar is not using the client certificate. Go to step 9.
If the directories exist, follow steps c-e below.
- Remove the existing client certificate directory:
Warning: Copy the following commands exactly as shown. DO NOT MODIFY THEM.
rm -r /usr/local/avamar/etc/$(hostname -i)
rm -r /usr/local/avamar/etc/client/$(hostname -i)
- Generate a new set of client certificates for avtar, only for the directories that existed above:
avagent.bin --gencerts=true --mcsaddr=$(hostname -i)
avagent.bin --gencerts=true --mcsaddr=$(hostname -i) --sysdir=/usr/local/avamar/etc/client
- Test a connection to confirm that avtar can connect to GSAN:
avtar --backups --path=/MC_BACKUPS --count=5 --encrypt=tls
- Re-register the clients and the VMware proxies.
- Re-register agent-based clients:
mccli client re-register-all
- Re-register the VMware proxies by rebooting them centrally from Avamar:
mccli mcs reboot-proxy --all
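To confirm the regeneration steps above, the sketch below turns the "Alias name" / "Valid from" lines printed by keytool into days remaining per certificate. It is an added example, not part of the Dell article or of any Avamar tool; the function names, the 30-day threshold and the tomcat and mcjwt sample dates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Dell article or of any Avamar tool.
# Reads `keytool -list -v` output on stdin and reports, per certificate, the
# whole days left until its "until:" date. Time of day and time zone are
# ignored, so results are accurate to about one day. Assumes keytool prints
# its English labels ("Alias name:", "Valid from:").
#
# Usage: cert_days_left TODAY WARN_DAYS < keytool_output
#   TODAY      reference date, YYYY-MM-DD (in real use: "$(date +%Y-%m-%d)")
#   WARN_DAYS  certificates with fewer days left are flagged EXPIRING
# Prints "<alias> <days_left> <OK|EXPIRING|EXPIRED>" per certificate and
# returns 1 if any line is not OK, so it can gate a maintenance script.
# Real use, with the keytool flags the article already uses:
#   keytool -list -v -keystore /usr/local/avamar/lib/rmi_ssl_keystore \
#     -storepass "$storepass" | cert_days_left "$(date +%Y-%m-%d)" 30
cert_days_left() {
    awk -v today="$1" -v warn="$2" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y -= 1
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) month[name[i]] = i
        split(today, t, "-")
        now = days(t[1] + 0, t[2] + 0, t[3] + 0)
        bad = 0
    }
    /^Alias name:/ { alias = substr($0, 13) }
    /^Valid from:/ {
        for (i = 1; i <= NF; i++) if ($i == "until:") break
        # Fields after "until:" are: weekday month day time zone year.
        if (i + 6 > NF || !($(i + 2) in month)) {
            print alias, "?", "UNPARSED"; bad = 1; next
        }
        left = days($(i + 6) + 0, month[$(i + 2)], $(i + 3) + 0) - now
        status = (left < 0) ? "EXPIRED" : ((left < warn + 0) ? "EXPIRING" : "OK")
        if (status != "OK") bad = 1
        print alias, left, status
    }
    END { exit bad }
    '
}

# Constructed sample input in the two-line form left by the article's
# egrep "Alias name|Valid from" filter. The mcssl dates are the ones shown in
# the article's keytool output; the tomcat and mcjwt dates are invented.
sample_keytool_output() {
    cat <<'EOF'
Alias name: mcssl
Valid from: Wed Feb 18 16:11:15 PST 2026 until: Sat Feb 16 16:11:15 PST 2036
Alias name: tomcat
Valid from: Fri Mar 01 09:00:00 PST 2024 until: Mon Mar 02 09:00:00 PST 2026
Alias name: mcjwt
Valid from: Mon Jan 15 10:00:00 PST 2024 until: Thu Jan 15 10:00:00 PST 2026
EOF
}

# Demo run against the sample, with "today" fixed so the result is repeatable.
sample_keytool_output | cert_days_left 2026-02-18 30 || echo "action needed"
```

A freshly regenerated keystore created with -validity 3650 should report roughly 3650 days; a much smaller number means the old keystore is still in place.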
Affected Products
Avamar, Avamar Server
Products
Data Domain
Article Properties
Article Number: 000188770
Article Type: How To
Last Modified: 23 Apr 2026
Version: 29