Veritas NetBackup™ Appliance Security Guide
Replacing the default IPMI SSL certificate
Veritas recommends that the default IPMI SSL certificate used to access the IPMI web interface be replaced with either a certificate signed by a trusted internal or external Certificate Authority (in PEM format), or by a self-signed certificate.
To create a minimal self-signed certificate on a Linux computer and import it into the IPMI web interface:
- Run the following command to generate the private key called ipmi.key:
$ openssl genrsa -out ipmi.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.+++
e is 65537 (0x10001)
- Generate a certificate signing request called ipmi.csr from the private key ipmi.key, filling in each field with its appropriate value:
To avoid extra warnings in your browser, set the CN to the fully qualified domain name of the IPMI interface. What you are about to enter is what is called a Distinguished Name or a DN.
$ openssl req -new -key ipmi.key -out ipmi.csr
Refer to the following guidelines to enter information to be incorporated into your certificate request:
Country Name (2 letter code) [AU]:
Enter your Country's name. For example, US.
State or Province Name (full name) [Some-State]:
Enter your State's or Province's name. For example, OR.
Locality Name (eg, city) :
Enter your Locality name. For example, Springfield.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Enter your Organization's name. For example, Veritas.
Organizational Unit Name (eg, section) :
Enter your Organization Unit's name.
Common Name (eg, YOUR name) :
Email Address :
Enter your email address. For example,
A challenge password :
Enter the appropriate challenge password, which is the extra attribute to be sent with your certificate request.
An optional company name :
Enter the appropriate optional company name, which is the extra attribute to be sent with your certificate request.
Enter '.' to leave any field blank.
- Sign the certificate signing request with the private key ipmi.key and create a certificate called ipmi.crt that is valid for 1 year:
$ openssl x509 -req -in ipmi.csr -out ipmi.crt -signkey ipmi.key -days 365
Signature ok
subject=/C=US/ST=OR/L=Springfield/O=Veritas/OU=Your OU/CN=hostname.your.company/emailAddress=email@example.com
Getting Private key
- Concatenate the certificate ipmi.crt and the private key ipmi.key to create a certificate in PEM format called ipmi.pem:
$ cat ipmi.crt ipmi.key > ipmi.pem
- Copy ipmi.pem to a host that has access to the appliance's IPMI web interface.
- Log in to your Veritas Remote Management (IPMI web interface).
- Click Configuration > SSL.
The appliance displays the SSL Upload page.
- From the SSL Upload page, click Choose File to import the certificate.
- Select the ipmi.pem file and click Upload.
- A warning may appear that says an SSL certificate already exists. Press OK to continue.
- To import the key, click Choose File again (notice it says New Privacy Key next to the button).
- Select the ipmi.pem file and click Upload.
- A confirmation appears stating that the certificate and key were uploaded successfully. Press OK to restart the Web service.
- Close and reopen the Veritas Remote Management (IPMI web interface) to verify that the new certificate is being presented.
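The checks below are an added example, not part of the Veritas procedure: they confirm that the key and certificate in ipmi.pem belong together, that the CN matches the IPMI host name, and that the certificate presented after upload is the one you built. The function names are hypothetical, and the assumption that the IPMI web interface listens on port 443 is not stated on this page.

```shell
#!/bin/sh
# Added example, not Veritas code: checks to run on ipmi.pem around the upload.
# Function names are hypothetical; the openssl options are standard ones.

# Rebuild the page's key, CSR, certificate and bundle without prompts.
# -subj supplies the DN; the subject values here are constructed samples.
make_sample_pem() {   # $1 = output directory, $2 = CN (IPMI FQDN)
    openssl genrsa -out "$1/ipmi.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/ipmi.key" -out "$1/ipmi.csr" \
        -subj "/C=US/ST=OR/L=Springfield/O=Example/CN=$2" &&
    openssl x509 -req -in "$1/ipmi.csr" -out "$1/ipmi.crt" \
        -signkey "$1/ipmi.key" -days 365 2>/dev/null &&
    cat "$1/ipmi.crt" "$1/ipmi.key" > "$1/ipmi.pem"
}

# The certificate's public key must equal the one derived from the private
# key; a mismatched pair cannot complete a TLS handshake.
pem_key_matches_cert() {   # $1 = certificate or bundle, $2 = key or bundle
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# The CN should be the FQDN used to reach the IPMI interface.
pem_matches_host() {   # $1 = certificate, $2 = expected FQDN
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# True while the certificate has not passed its notAfter date.
pem_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# SHA-256 fingerprint of a local certificate, and of the certificate a host
# presents (port 443 is an assumption; needs network access to the interface).
local_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
served_fingerprint() {   # $1 = IPMI FQDN
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
```

After the web service restarts, compare the output of `local_fingerprint ipmi.crt` with `served_fingerprint` for the IPMI host name; identical output means the new certificate is the one being presented.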