Encryption and Security Considerations for VACM

VACM can optionally utilize the OpenSSL encryption libraries to create secure communications connections in virtually all aspects of operation. The only exceptions are in modules which require direct interfaces to hardware over LAN where SSL protocol version 1 encryption may not be available on the remote hardware. To enable encryption support, you must first ensure that the OpenSSL libraries are installed on your Node Controller. If you are going to use any modules which require agent daemons, you must also ensure the OpenSSL libraries are installed on every remote system you wish to manage and monitor. Once the libraries are installed, pass the --enable-ssl commandline option to the autogen.sh configuration script, and make sure to verify in the output that OpenSSL was detected. VACM itself has a number of security features which ensure that only authorized administrators may manage or monitor systems. Each administrator must have a valid Nexxus user account. The account can only be logged into from authorized internet addresses, and once authenticated and authorized, the user may only execute commands that have been authorized for the particular user.

In order to utilize an SSL connection, you will need to generate a key and a certificate file on the nexxus machine as well as on any nodes which will be managed using sysstatd or user_admd.

To generate a cerificate and key on the nexxus machine:
openssl req -x509 -newkey rsa:1024 -keyout /usr/lib/vacm/vacm.key -out \
After filling in all the information you will have a valid SSL certificate file and key file available to VACM. The problem now arises that you will have to enter a passphrase every time you wish to start nexxus. This is not always the desirable effect in a cluster environment. You can unwrap the passphrase from the key with the following commands, but you should bear in mind that there are serious security implications in doing this. Please ensure that this is truly necessary in your environment.
openssl rsa -in /usr/lib/vacm/vacm.key -out /usr/lib/vacm/vacm.key.unwrapped
mv /usr/lib/vacm/vacm.key /usr/lib/vacm/vacm.key.wrapped
mv /usr/lib/vacm/vacm.key.unwrapped /usr/lib/vacm/vacm.key

Similarly, on the node side:
openssl req -x509 -newkey rsa:1024 -keyout /etc/vacm.key -out \
As with the nexxus key file, you may want to unwrap the password on this key. The following should do it.
openssl rsa -in /etc/vacm.key -out /etc/vacm.key.unwrapped
mv /etc/vacm.key /etc/vacm.key.wrapped
mv /etc/vacm.key.unwrapped /etc/vacm.key