VACM can optionally use the OpenSSL encryption libraries to create secure communications connections in virtually all aspects of operation. The only exceptions are in modules which require direct interfaces to hardware over LAN, where SSL protocol version 1 encryption may not be available on the remote hardware. To enable encryption support, you must first ensure that the OpenSSL libraries are installed on your Node Controller. If you are going to use any modules which require agent daemons, you must also ensure the OpenSSL libraries are installed on every remote system you wish to manage and monitor. Once the libraries are installed, pass the --enable-ssl command-line option to the autogen.sh configuration script, and verify in its output that OpenSSL was detected.

VACM itself has a number of security features which ensure that only authorized administrators may manage or monitor systems. Each administrator must have a valid Nexxus user account. The account can only be logged into from authorized internet addresses, and once authenticated and authorized, the user may only execute commands that have been authorized for that particular user.

To use an SSL connection, you will need to generate a key and a certificate file on the Nexxus machine as well as on any nodes which will be managed using sysstatd or user_admd.
To generate a certificate and key on the Nexxus machine:

openssl req -x509 -newkey rsa:1024 -keyout /usr/lib/vacm/vacm.key -out /usr/lib/vacm/vacm.cert
openssl rsa -in /usr/lib/vacm/vacm.key -out /usr/lib/vacm/vacm.key.unwrapped
mv /usr/lib/vacm/vacm.key /usr/lib/vacm/vacm.key.wrapped
mv /usr/lib/vacm/vacm.key.unwrapped /usr/lib/vacm/vacm.key
Similarly, on the node side:

openssl req -x509 -newkey rsa:1024 -keyout /etc/vacm.key -out /etc/vacm.cert
openssl rsa -in /etc/vacm.key -out /etc/vacm.key.unwrapped
mv /etc/vacm.key /etc/vacm.key.wrapped
mv /etc/vacm.key.unwrapped /etc/vacm.key
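The four-step procedure above is interactive: `openssl req` prompts for a passphrase and for the certificate subject, and the `openssl rsa` / `mv` steps then strip that passphrase so the daemons can load the key unattended. The script below is an added example, not part of the VACM documentation or its code. It performs the same generation in one non-interactive step (`-nodes` writes the key without a passphrase, which is the state the documented wrap/unwrap dance ends in) and then adds the checks an administrator wants before pointing Nexxus or a node daemon at the files: that the key and certificate actually belong together, that the now-plaintext key is readable only by its owner, and that the certificate has not expired. The scratch paths, the 2048-bit key size (the documentation uses 1024) and the `vacm-node` subject are this example's own choices.

```shell
#!/bin/sh
# Added example, not VACM's own code: non-interactive generation of a VACM-style
# self-signed certificate plus unencrypted key, and verification of the pair.
# Key size, subject name and scratch paths below are assumptions of this example.

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

# vacm_gen_keypair KEY CERT [CN] [DAYS]
# -nodes writes the private key without a passphrase, i.e. the same result as
# the documented req / rsa -out key.unwrapped / mv sequence, in one step.
vacm_gen_keypair() {
    key=$1; cert=$2; cn=${3:-vacm-node}; days=${4:-365}
    # umask in a subshell so the key is created 0600 without affecting the caller
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
          -subj "/CN=$cn" -keyout "$key" -out "$cert" >/dev/null 2>&1 )
}

# vacm_check_pair KEY CERT
# Returns 0 only if the key loads without a passphrase, matches the certificate,
# is private to its owner, and the certificate is still valid.
vacm_check_pair() {
    key=$1; cert=$2
    [ -r "$key" ] && [ -r "$cert" ] || { echo "missing key or certificate" >&2; return 1; }

    # A still-wrapped key would need a passphrase here and fail to load.
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read private key (still passphrase-wrapped?)" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse certificate" >&2; return 1; }

    # Both commands emit the SubjectPublicKeyInfo in PEM form; they must be identical.
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }

    # The unwrapped key is plaintext: refuse any group/other permission bits.
    # ls -l columns 5-10 are the group and other rwx fields.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
        || { echo "key permissions too open: $(ls -ld "$key")" >&2; return 1; }

    # Self-signed certificates have a fixed lifetime; catch expiry before the
    # daemons start refusing connections.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 1; }
    return 0
}

# Demo run in a scratch directory (removed afterwards).
demo_dir=$(mktemp -d)
vacm_gen_keypair "$demo_dir/vacm.key" "$demo_dir/vacm.cert" vacm-demo 365 \
    && vacm_check_pair "$demo_dir/vacm.key" "$demo_dir/vacm.cert" \
    && echo "key/cert pair OK in $demo_dir"
rm -rf "$demo_dir"
```

Point `vacm_gen_keypair` at the real paths (`/usr/lib/vacm/vacm.key` and `/usr/lib/vacm/vacm.cert` on the Nexxus machine, `/etc/vacm.key` and `/etc/vacm.cert` on a node) and run `vacm_check_pair` on the result before starting sysstatd or user_admd. The permission check exists because the documented procedure deliberately leaves the key unencrypted on disk; if the check fails, `chmod 600` the key rather than relaxing the test.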