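Avamar 19.3+: Goav security keystore: show keystores and check keystore and lockbox health, with auto-fix
Summary: Use the Goav tool to show keystore contents or to check the health of all keystores on an Avamar system.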
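Instructions
Latest supported Avamar version: 19.10
Avamar versions supported by the command set: 19.3+ required
Goav version: 1.39+; recommended minimum version 1.50
Download/install the Goav tool
000192151 | Avamar: Goav Tool
Notes
- The functionality must be re-verified after each subsequent Avamar release.
- All goav security commands must be run as root.
Features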
Show keystore contents
This command presents a drop-down selection prompt for choosing which keystore to print.
./goav security keystore show
This command prints all keystores to the screen.
./goav security keystore show --all
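Check keystore and lockbox configuration, with optional auto-fix
This command runs several health checks against all keystores on the Avamar system.
- Checks that each keystore exists.
- Checks keystore permissions and ownership.
- Checks the health of the lockbox keystore passphrase.
- Checks whether the lockbox and keystore passphrases match.
- Checks that each keystore is in the correct format (PKCS12).
- Checks that each required alias (certificate) exists in each keystore.
- Prints a pass/fail summary with detailed problem messages.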
./goav security keystore check-config
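This command runs several health checks against all keystores and applies automatic fixes.
- Checks that each keystore exists.
- Checks keystore permissions and ownership.
- Checks the health of the lockbox keystore passphrase.
- Checks whether the lockbox and keystore passphrases match.
- Checks that each keystore is in the correct format (PKCS12).
- Checks that each required alias (certificate) exists in each keystore.
- Prints a pass/fail summary with detailed problem messages.
- Automatically regenerates missing keystores.
- Automatically repairs permissions and ownership.
- Automatically regenerates a keystore if the lockbox passphrase does not match the keystore passphrase.
- Backs up the existing keystore before regenerating it.
- Automatically regenerates the keystore or specific aliases if necessary.
- Updates the MCSSL private key entry from the Java RMI keystore to synchronize it with the avi and tomcat keystores.
- Restarts the appropriate services.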
./goav security keystore check-config --fix
Examples
Show keystores
root@ser-ave03:/home/admin/#: ./goav security keystore show
===========================================================
GoAv : 1.39
Avamar : 19.7
Date : 19 Oct 2022 10:28 MDT
===========================================================
NOTE: This is not an official tool
===========================================================
Use the arrow keys to navigate: ↓ ↑ → ←
Select Keystore to Print:
RMI_SSL_KEYSTORE
AVAMAR_KEYSTORE
→ AVINSTALLER_KEYSTORE
TOMCAT_KEYSTORE
Check keystore configuration in passive mode
root@avmr-4400-rtp:/usr/local/avamar/lib/#: ~admin/goav security keystore check-config
===========================================================
GoAv : 1.49
Avamar : 19.4
Date : 17 Mar 2023 13:31 EDT
===========================================================
COMMAND : /home/admin/goav security keystore check-config
NOTE: This is not an official tool
===========================================================

Table: Keystore Existence/Permissions Check
-------------------------------------------
Name                   | Path                                   | Exists | Current Permissions   | Expected Permissions | Current Ownership     | Expected Ownership
-----------------------+----------------------------------------+--------+-----------------------+----------------------+-----------------------+---------------------
RMI_SSL_KEYSTORE       | /usr/local/avamar/lib/rmi_ssl_keystore | true   | rw-rw----             | rw-rw----            | root admin            | root admin
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | true   | rw-rw----             | rw-rw----            | root root             | root admin
AVINSTALLER_KEYSTORE   | /usr/local/avamar/lib/avi/avi_keystore | false  | emtpy: file not found | rw-r--r--            | empty: file not found | avi avi
TOMCAT_KEYSTORE        | /home/admin/.keystore                  | true   | rwxr-----             | rwxr-----            | admin admin           | admin admin

Task: Lockbox Passphrase Check
------------------------------
Keystore Passphrase (From Lockbox): changeme

Table: Lockbox/Keystore Passphrase Match
----------------------------------------
Name                   | Lockbox/Keystore Passphrase | Match
-----------------------+---------------------------------
RMI_SSL_KEYSTORE       | false
AVAMAR_KEYSTORE        | true
AVINSTALLER_KEYSTORE   | false
TOMCAT_KEYSTORE        | true

Keystore Format (JKS/PKCS12)
----------------------------
Name                   | Format
-----------------------+----------
RMI_SSL_KEYSTORE       | Unknown
AVAMAR_KEYSTORE        | PKCS12
AVINSTALLER_KEYSTORE   | Unknown
TOMCAT_KEYSTORE        | PKCS12

Table: Keystore Alias Check
---------------------------
Name                   | Path                                   | Alias     | Exists
-----------------------+----------------------------------------+-----------+---------
RMI_SSL_KEYSTORE       | /usr/local/avamar/lib/rmi_ssl_keystore | mcssl     | false
RMI_SSL_KEYSTORE       | /usr/local/avamar/lib/rmi_ssl_keystore | mcjwt     | false
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcecroot  | true
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcectls   | true
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcrsaroot | true
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcrsatls  | true
AVINSTALLER_KEYSTORE   | /usr/local/avamar/lib/avi/avi_keystore | tomcat    | false
AVINSTALLER_KEYSTORE   | /usr/local/avamar/lib/avi/avi_keystore | mcssl     | false
TOMCAT_KEYSTORE        | /home/admin/.keystore                  | tomcat    | false
TOMCAT_KEYSTORE        | /home/admin/.keystore                  | mcssl     | true

Summary
-------
*** FAIL *** keystore check-config FAILED OVERALL
PROBLEM: AVINSTALLER_KEYSTORE does not exist
PROBLEM: AVAMAR_KEYSTORE ownership/permissions incorrect
PROBLEM: AVINSTALLER_KEYSTORE ownership/permissions incorrect
PROBLEM: changeme is not the correct passphrase for keystore RMI_SSL_KEYSTORE
PROBLEM: changeme is not the correct passphrase for keystore AVINSTALLER_KEYSTORE
PROBLEM: RMI_SSL_KEYSTORE format unknown, keystore might not be readable or passphrase mismatch
PROBLEM: AVINSTALLER_KEYSTORE format unknown, keystore might not be readable or passphrase mismatch
PROBLEM: mcssl alias does not exist in RMI_SSL_KEYSTORE
PROBLEM: mcjwt alias does not exist in RMI_SSL_KEYSTORE
PROBLEM: tomcat alias does not exist in AVINSTALLER_KEYSTORE
PROBLEM: mcssl alias does not exist in AVINSTALLER_KEYSTORE
PROBLEM: tomcat alias does not exist in TOMCAT_KEYSTORE
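The existence, permission and ownership part of the passive check can be reproduced by hand with stat. This is an added example, not part of the article or of goav: the keystore paths and expected values are taken from the table above (GoAv 1.49 on Avamar 19.4), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of keystore file mode and ownership.
# Paths and expected values are copied from the check-config table above
# (GoAv 1.49, Avamar 19.4); confirm them for your release. Needs GNU stat.

# check_keystore NAME PATH MODE OWNER GROUP
# Prints PASS/PROBLEM lines; returns 0 = match, 1 = mismatch, 2 = missing.
check_keystore() {
    name=$1 path=$2 want_mode=$3 want_owner=$4 want_group=$5
    if [ ! -f "$path" ]; then
        echo "PROBLEM: $name does not exist ($path)"
        return 2
    fi
    # %A prints e.g. "-rw-rw----"; drop the file-type character so the
    # value has the same nine-character form as the tool's table.
    have_mode=$(stat -c '%A' "$path" | cut -c2-10)
    have_owner=$(stat -c '%U' "$path")
    have_group=$(stat -c '%G' "$path")
    rc=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "PROBLEM: $name permissions $have_mode, expected $want_mode"
        rc=1
    fi
    if [ "$have_owner $have_group" != "$want_owner $want_group" ]; then
        echo "PROBLEM: $name ownership $have_owner $have_group," \
             "expected $want_owner $want_group"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "PASS: $name"; fi
    return "$rc"
}

# Audits the four keystores; returns the number that had findings.
audit_avamar_keystores() {
    failed=0
    while read -r name path mode owner group; do
        check_keystore "$name" "$path" "$mode" "$owner" "$group" ||
            failed=$((failed + 1))
    done <<'EOF'
RMI_SSL_KEYSTORE /usr/local/avamar/lib/rmi_ssl_keystore rw-rw---- root admin
AVAMAR_KEYSTORE /usr/local/avamar/lib/avamar_keystore rw-rw---- root admin
AVINSTALLER_KEYSTORE /usr/local/avamar/lib/avi/avi_keystore rw-r--r-- avi avi
TOMCAT_KEYSTORE /home/admin/.keystore rwxr----- admin admin
EOF
    return "$failed"
}

# Run as root with "audit" as the first argument to check all four files.
if [ "${1:-}" = "audit" ]; then audit_avamar_keystores; fi
```

The script only reads file metadata, so it can be run before and after `check-config --fix` to confirm what changed.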
Check keystore configuration in active/auto-fix mode
root@avamar-rtp:/usr/local/avamar/lib/#: ~admin/goav security keystore check-config --fix
===========================================================
GoAv : 1.49
Avamar : 19.4
Date : 17 Mar 2023 13:32 EDT
===========================================================
COMMAND : /home/admin/goav security keystore check-config --fix
NOTE: This is not an official tool
===========================================================

Table: Keystore Existence/Permissions Check
-------------------------------------------
Name                   | Path                                   | Exists | Current Permissions   | Expected Permissions | Current Ownership     | Expected Ownership
-----------------------+----------------------------------------+--------+-----------------------+----------------------+-----------------------+---------------------
RMI_SSL_KEYSTORE       | /usr/local/avamar/lib/rmi_ssl_keystore | true   | rw-rw----             | rw-rw----            | root admin            | root admin
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | true   | rw-rw----             | rw-rw----            | root root             | root admin
AVINSTALLER_KEYSTORE   | /usr/local/avamar/lib/avi/avi_keystore | false  | emtpy: file not found | rw-r--r--            | empty: file not found | avi avi
TOMCAT_KEYSTORE        | /home/admin/.keystore                  | true   | rwxr-----             | rwxr-----            | admin admin           | admin admin

Task: Lockbox Passphrase Check
------------------------------
Keystore Passphrase (From Lockbox): changeme

Table: Lockbox/Keystore Passphrase Match
----------------------------------------
Name                   | Lockbox/Keystore Passphrase | Match
-----------------------+---------------------------------
RMI_SSL_KEYSTORE       | false
AVAMAR_KEYSTORE        | true
AVINSTALLER_KEYSTORE   | false
TOMCAT_KEYSTORE        | true

Keystore Format (JKS/PKCS12)
----------------------------
Name                   | Format
-----------------------+----------
RMI_SSL_KEYSTORE       | Unknown
AVAMAR_KEYSTORE        | PKCS12
AVINSTALLER_KEYSTORE   | Unknown
TOMCAT_KEYSTORE        | PKCS12

Table: Keystore Alias Check
---------------------------
Name                   | Path                                   | Alias     | Exists
-----------------------+----------------------------------------+-----------+---------
RMI_SSL_KEYSTORE       | /usr/local/avamar/lib/rmi_ssl_keystore | mcssl     | false
RMI_SSL_KEYSTORE       | /usr/local/avamar/lib/rmi_ssl_keystore | mcjwt     | false
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcecroot  | true
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcectls   | true
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcrsaroot | true
AVAMAR_KEYSTORE        | /usr/local/avamar/lib/avamar_keystore  | mcrsatls  | true
AVINSTALLER_KEYSTORE   | /usr/local/avamar/lib/avi/avi_keystore | tomcat    | false
AVINSTALLER_KEYSTORE   | /usr/local/avamar/lib/avi/avi_keystore | mcssl     | false
TOMCAT_KEYSTORE        | /home/admin/.keystore                  | tomcat    | false
TOMCAT_KEYSTORE        | /home/admin/.keystore                  | mcssl     | true

Summary
-------
*** FAIL *** keystore check-config FAILED OVERALL
PROBLEM: AVINSTALLER_KEYSTORE does not exist
PROBLEM: AVAMAR_KEYSTORE ownership/permissions incorrect
PROBLEM: AVINSTALLER_KEYSTORE ownership/permissions incorrect
PROBLEM: changeme is not the correct passphrase for keystore RMI_SSL_KEYSTORE
PROBLEM: changeme is not the correct passphrase for keystore AVINSTALLER_KEYSTORE
PROBLEM: RMI_SSL_KEYSTORE format unknown, keystore might not be readable or passphrase mismatch
PROBLEM: AVINSTALLER_KEYSTORE format unknown, keystore might not be readable or passphrase mismatch
PROBLEM: mcssl alias does not exist in RMI_SSL_KEYSTORE
PROBLEM: mcjwt alias does not exist in RMI_SSL_KEYSTORE
PROBLEM: tomcat alias does not exist in AVINSTALLER_KEYSTORE
PROBLEM: mcssl alias does not exist in AVINSTALLER_KEYSTORE
PROBLEM: tomcat alias does not exist in TOMCAT_KEYSTORE

************************
Task: Auto-Fix Keystores
************************
INFO: Begin fixing any keystore issues...
INFO: Renaming /usr/local/avamar/lib/rmi_ssl_keystore in order to regenerate...
INFO: Renamed /usr/local/avamar/lib/rmi_ssl_keystore to /usr/local/avamar/lib/x-rmi_ssl_keystore.bak
INFO: Renaming /usr/local/avamar/lib/rmi_ssl_keystore in order to regenerate succeeded
INFO: Regenerating RMI_SSL_KEYSTORE
Generating 3,072 bit RSA key pair and self-signed certificate (SHA512withRSA) with a validity of 3,650 days for: CN=avamar-rtp, OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US
[Storing /usr/local/avamar/lib/rmi_ssl_keystore]
Generating 3,072 bit RSA key pair and self-signed certificate (SHA512withRSA) with a validity of 3,650 days for: CN=avamar-rtp, OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US
Enter key password for <mcjwt> (RETURN if same as keystore password):
[Storing /usr/local/avamar/lib/rmi_ssl_keystore]
INFO: RMI_SSL_KEYSTORE Successfully Regenerated
INFO: Please re-import any vcenter certificate if vcenter certificate authentication is used
INFO: RMI_SSL_KEYSTORE Permissions & Ownership Updated
INFO: Regenerating AVINSTALLER_KEYSTORE
Generating 3,072 bit RSA key pair and self-signed certificate (SHA512withRSA) with a validity of 3,650 days for: CN=avamar-rtp, OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US
[Storing /usr/local/avamar/lib/avi/avi_keystore]
INFO: AVINSTALLER_KEYSTORE Successfully Regenerated
INFO: AVINSTALLER_KEYSTORE Permissions & Ownership Updated
INFO: Renaming /home/admin/.keystore in order to regenerate...
INFO: Renamed /home/admin/.keystore to /home/admin/x-.keystore.bak
INFO: Renaming /home/admin/.keystore in order to regenerate succeeded
INFO: Regenerating TOMCAT_KEYSTORE
Generating 3,072 bit RSA key pair and self-signed certificate (SHA512withRSA) with a validity of 3,650 days for: CN=avamar-rtp, OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US
[Storing /home/admin/.keystore]
INFO: TOMCAT_KEYSTORE Successfully Regenerated
INFO: TOMCAT_KEYSTORE Permissions & Ownership Updated
INFO: Updating mcssl certificate from rmi keystore to tomcat and avi keystore...
INFO: Updating mcssl certificate from rmi keystore to tomcat and avi keystore succeeded
INFO: Restarting MCS
[======> ]
INFO: Restarting MCS succeeded
INFO: Restarting avinstaller service
[==========> ]
INFO: Restarting avinstaller service succeeded
INFO: Restarting tomcat service
[ ]
INFO: Restarting tomcat service succeeded
DONE
Affected Products
Avamar
Article Properties
Article Number: 000204386
Article Type: How To
Last Modified: 30 Oct 2025
Version: 15