How to install Access Appliance certificate on Extra Data Backup VM of Alta SaaS Protection Export Service

To enable secure communication between the EDB on-premises VM (where the Alta SaaS Protection Export Service is installed) and the on-premises S3 Storage Access Appliance, you must install the Access Appliance’s root and intermediate certificates on the EDB VM. This ensures SSL/TLS connectivity when exporting data from Alta SaaS Protection to the Access Appliance using the S3 protocol.

• EDB VM: System running the Alta SaaS Protection Export Service, used to download data from Alta SaaS Protection Store to a destination storage (in this case, an on-premises Access Appliance).
• Access Appliance: Used as the destination storage for extra backup copies, accessed via the S3 protocol.

A. Download the Access Appliance Certificate

You can obtain the Access Appliance certificate using either of the following methods:

Method 1: Using the Access Appliance GUI

1. Log in to the Access Appliance web interface.
2. Navigate to:
   Settings > Security Management > Certificates > Download Root Certificate
3. Download the root certificate file.

Method 2 (Preferred): Using the Command Line

1. Access the Access Appliance command line.
2. Run the following command:

   Cluster clish> system certificate show

3. Copy the output containing the certificates.

B. Prepare the Certificates for Windows

1. Separate the Certificates:

   • The output or downloaded file may contain both root and intermediate certificates, each beginning with -----BEGIN CERTIFICATE-----.
   • Copy each certificate (including the BEGIN and END lines) into a separate file .pem files (e.g., root.pem, intermediate.pem).

2. Convert PEM to CRT Format:

   • Use OpenSSL to convert each .pem file to .crt a format for Windows:

     openssl x509 -outform der -in certificate.pem -out certificate.crt

   • Repeat for both root and intermediate certificates.

3. Identify Certificate Types:

   • To verify which certificate is root or intermediate, run:

     openssl x509 -inform der -noout -text -in certificate.crt

   • Check the CN (Common Name) in the output:
     • CN = VxOS Root CA → Root certificate
     • CN = VxOS Stem CA → Intermediate certificate

C. Import Certificates into Windows VM

1. Open the Certificates Snap-in

• Press Windows+R, type mmc, and press Enter.
• Go to File > Add/Remove Snap-in.
• Select Certificates and click Add.
• Choose Computer account > Next > Local Computer > Finish.
• Click OK to close the snap-in window.

2. Import the Root CA Certificate

• In the MMC console, expand Certificates (Local Computer).
• Right-click Trusted Root Certification Authorities > All Tasks > Import.
• Follow the wizard to import the root CA .crt file.
• Ensure the certificate store is set to Trusted Root Certification Authorities.
• Complete the wizard.

3. Import the Intermediate CA Certificate

• In the MMC console, right-click Intermediate Certification Authorities > All Tasks > Import.
• Follow the wizard to import the intermediate CA .crt file.
• Ensure the certificate store is set to Intermediate Certification Authorities.
• Complete the wizard.
• Repeat if you have multiple intermediate certificates.

4. Verify the Installation (Recommended)

• In MMC, expand Trusted Root Certification Authorities and Intermediate Certification Authorities to confirm your certificates are present.

D. Test the Connection

After importing the certificates, use the ASP Custom utility, AWS CLI, or S3 Browser tool from the Export Service VM to access the S3 bucket and confirm that you can connect using the SSL link and that the certificate is recognized.

• If issues are encountered, verify that the certificates are correctly separated and imported into the appropriate stores.