Frequently Asked Questions


How can I make Zimonitor to accept our OBS SSL certificate?
We have SSL certificate but it's not accepted by Zimonitor.

This article provides instruction on how to setup strong SSL security on AhsayOBS. 
FAQ: How to setup strong SSL security on AhsayOBS (3214)

 

Article ID: 3214
Reviewed: 03/06/2015

Product Version:
AhsayOBS: Pre-7.3.2.0
OS: All platforms

Description:
This article provides instruction on how to setup strong SSL security on AhsayOBS. 

This includes disabling of SSLv3 because of vulnerabilities in the protocol (e.g. susceptible to security vulnerabilities such as POODLE (Padding Oracle On Downgraded Legacy Encryption) and FREAK (Factoring RSA Export Keys)), as well as setup of a strong cipher suite (e.g. disabling the DHE_EXPORT cipher (Diffie-Hellman key exchange) susceptible to Logjam vulnerability).

Steps:
To disable SSLv3, first ensure that your AhsayOBS server is patched to version 6.21.2.0 or above (disabling of SSLv3 is only supported since version 6.21.2.0):
 

  • For AhsayOBS upgraded from version pre-6.21.2.0, you can refer to the following KB article for instruction:
    https://forum.ahsay.com/viewtopic.php?f=22&t=10686
     
  • For new installation of AhsayOBS version 6.21.2.0 or above, SSLv3 is disabled by default.

Next, to disable all weak cipher suite on AhsayOBS (including the DHE_EXPORT ciphers):
 

  1. Edit the server.xml file found under ${Install-Home}\conf
     
    • Open 'server.xml' with a text editor:
       

      server.xml

      ...

       - <Service name="Tomcat-Standalone">

            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...

              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...

              ...

            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...

              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...

              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" URIEncoding="utf-8" ...

              ...

              sslProtocol="TLS" />

       ...

    • Update the HTTPS connector, by adding the cipher parameter and values:

      ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,
      TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
       

      server.xml (Updated)

      ...

       - <Service name="Tomcat-Standalone">

            <Connector address="0.0.0.0" port="80" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...

              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...

              ...

            <Connector address="0.0.0.0" port="443" maxHttpHeaderSize="8192" socketBuffer="65536" maxThreads="500" ...

              minSpareThreads="50" maxSpareThreads="50" maxKeepAliveRequests="200" enableLookups="false" ...

              acceptCount="200" connectionTimeout="60000" disableUploadTimeout="true" URIEncoding="utf-8" ...

              ...

              sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,
              TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,
              SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

       ...

    • Save and exit from the text editor.
  2. Restart the AhsayOBS, AhsayRDR or AhsayRPS service by:
     
    • (Windows) [ Control Panel ] > [ Administrative Tools ] > [ Services ] > [ Ahsay Offsite Backup Server ]
       
    • (Linux) Run [ ${Install-Home} / bin / startup.sh ]

Keywords:
sslv3, SSL, https, http, v3, POODLE, poodle, freak, weak, cipher, ciphersuite, suite, key

Why is the Backup server disconnected?

 

When Zimonitor detects 10 errors in a row, it temporary inactivates the Backup server from making further API calls. The main reason for that is to avoid unneccessary API calls to your server when it's busy, even though the Ahsay OBS and CBS are built to ignore the API calls while very busy.

Zimonitor is default set to try to re-activate the connection after 3 hours. It resets the errors and start over trying to call the API of your server.

You can set your own value for when the server should be re-activated again, on the Edit view of each Backup server in Zimonitor.

Restart time cykel

 

Common causes of inactivation:

  • New firewall rules blocking external access to the OBS/CBS
  • Changed username or password to the OBS/CBS
  • API calls are blocked in the OBS/CBS settings and Zimonitor's IP is not whitelisted (Open or restrict the API for the IP numbers of Zimonitor)
  • A very busy OBS/CBS not responding on API calls

On the Error tab of the Backup server in Zimonitor you can find more details on what kind of errors Zimonitor has detected.

 

 

What are the requirements of a Local installation?

We offer a pre-configured virtual machine running Ubuntu for Hyper-V (2012) or VMware ESXi and the requirements are:

  • At least 2GB of memory, but we recommend 4GB
  • 10GB of storage (virtual HD size is 500GB to ensure that you have enough storage space for the future)

What is the difference between Cloud version and the Local installation?

  • There are no differences between the features of the cloud version and the local installation.
  • You have a free trial on the Cloud version, but we don't offer a trial on the Local installation since it require a server setup and configuration from our side. On cloud you can signup your self and be up and running within a few minutes.

Why can't I find a new Backup user in Zimonitor?
I'm missing a Backup user in Zimonitor.

 

When Zimonitor tries to update all Backup users it starts by getting the list from the API of the OBS. If the process on the OBS runs into trouble it can't deliver any Backup users at all through the API.
We have seen this happen on the OBS v6 and the error message the OBS returns is:
[UserCacheManager.NoSuchUserExpt] User '[BACKUP USER NAME]' not found.

The reason for this seems to be that the OBS have found a Backup user folder in the user section of the server, but can't find that user elsewhere, and therefore returns the error.

The solution is to remove the old folder for the Backup user named in the error message, from the user section of the OBS. Our experience is that many OBS owner keep the old backup users just in case in the user section and rename them to "[BACKUP USER NAME].old". But it's best to move them to another folder though it seems to be a burden to the OBS. If that doesn't work, try add the user again from the OBS user interface, and then delete it from the same. If nothing of the above works you have to contact Ahsay to see if they can help you with the issue.

Note that you can have multiple Backup users blocking the API call, but the error message only shows one at a time.

You can try the API your self via a browser (if you haven't restricted the API for certain IP-addresses or is using the URL-rewriter setup).
[YOUR_OBS_SERVER_URL]/obs/api/ListUsers.do?SysUser=SYSTEM_USER&SysPwd=PASSWORD

The output should be in the XML-format containing all your Backup users, which normally is presented quite readable in the browser. The error on the other hand is very short, as above, and easy to read.

You can find all API related errors your server has reported lately in the Error tab of the server inside Zimonitor.

 

Why do I get so many tickets in Zimonitor?

 

If you experience that you get tickets on Backup jobs with status code Success even if you haven't selected so in the Ticket settings, it's probably because you have selected to create tickets on In progress. 

This occurs when Zimonitor asks the API and the backup job is in progress at the same time. This job will later be converted to another status like Success etc. therefor it seems like it's creating tickets on In progress.

For more information about Tickets 

Why can't I find a new Backup user in Zimonitor?
I'm missing a Backup user in Zimonitor.

 

The API gives an error about corrupted profile.

<err>[UserCacheManager.login] Profile corrupted '[a_backup_user_name]'. unexpected end of document</err>

The error message suggests that the user profile got corrupt, therefore, please check if you can open the Profile.xml for this account using the IE browser. The file would be located under the OBS server user home %User_home%\%username%\db folder.

If you are unable to open and view the whole content of the xml file via the browser, please try the following steps to recover the profile.

1. from the folder %User_home%\%username%\db rename the Profile.xml to Profile.xml.bak
2. under the same folder, copy the file Profile.xml.11 and rename this to Profile.xml
3. check under AhsayOBS web console to see if you can view the account %username%

This would use the old backup copy Profile.xml.11 to help recover the account.

Please refer to the article below for reference:
https://forum.ahsay.com/viewtopic.php?f=82&t=9997

If all profile do not work for that user, please login to the OBM client machine, and send the config folder which is under the .obm folder to your Ahsay support contact, they need to recover the user's profile on their side.

You can find all API related errors your server has reported lately in the Error tab of the server inside Zimonitor.

Why is a backup user strike-through?

The strike-through appears when Zimonitor asks the API if the backup user still exists on the backup server and not returning the object. Sometimes the backup server do not respond due to busy doing heavy jobs or similar, this and situations can cause the strike-through. This will be corrected as soon as the backup server answers again.