Kern Sibbald wrote:
Hello,
Does anyone have any *real* bacula .conf examples of using the new TLS data encryption feature? I would like to add them to the manual.
Here are the TLS portions of my configuration files:
bacula-dir.conf:
Director { # define myself
Name = backup1-dir
...
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "[EMAIL PROTECTED]"
TLS Allowed CN = "[EMAIL PROTECTED]"
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate, used for incoming
# console connections.
TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
TLS Key = /usr/local/etc/ssl/backup1/key.pem
}
Storage {
Name = File
Address = backup1.example.com
...
TLS Require = yes
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a client certificate, used by the director to
# connect to the storage daemon
TLS Certificate = /usr/local/etc/ssl/[EMAIL PROTECTED]/cert.pem
TLS Key = /usr/local/etc/ssl/[EMAIL PROTECTED]/key.pem
}
bacula-fd.conf:
Director {
Name = backup1-dir
...
TLS Require = yes
TLS Verify Peer = yes
# Allow only the Director to connect
TLS Allowed CN = "[EMAIL PROTECTED]"
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate. It is used by connecting
# directors to verify the authenticity of this file daemon
TLS Certificate = /usr/local/etc/ssl/server1/cert.pem
TLS Key = /usr/local/etc/ssl/server1/key.pem
}
bacula-sd.conf:
Storage { # definition of myself
Name = backup1-sd
...
# These TLS configuration options are used for incoming
# file daemon connections. Director TLS settings are handled
# below.
TLS Require = yes
# Peer certificate is not required/requested -- peer validity
# is verified by the storage connection cookie provided to the
# File Daemon by the director.
TLS Verify Peer = no
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate. It is used by connecting
# file daemons to verify the authenticity of this storage daemon
TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
TLS Key = /usr/local/etc/ssl/backup1/key.pem
}
#
# List Directors who are permitted to contact Storage daemon
#
Director {
Name = backup1-dir
...
TLS Require = yes
# Require the connecting director to provide a certificate
# with the matching CN.
TLS Verify Peer = yes
TLS Allowed CN = "[EMAIL PROTECTED]"
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate. It is used by the connecting
# director to verify the authenticity of this storage daemon
TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
TLS Key = /usr/local/etc/ssl/backup1/key.pem
}
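The configuration above hinges on a few directives per resource: TLS Require, TLS Verify Peer, the CA trust anchor, the certificate/key pair, and the optional TLS Allowed CN allowlist (which may be given more than once). A quick way to catch the usual mistakes before rolling this out across many daemons is to parse the resource blocks and check those directives mechanically. The following is an added example, not code from the original post or from the Bacula project; it uses only the Python standard library, the sample configuration embedded in it is constructed to resemble the posted fragments (host names, CNs and paths are illustrative), and the audit rules are this example's own heuristics: a resource that sets TLS Verify Peer = yes without any TLS Allowed CN accepts every certificate issued by the CA, a resource with TLS Require = yes needs a certificate, key and CA, and a resource without TLS Verify Peer relies on some other mechanism to authenticate its peer.

```python
"""Audit the TLS directives in Bacula-style .conf resources (stdlib only).

Added example; the parser and audit rules are this example's own and not
part of Bacula. Nested resources are not handled.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the posted configuration; host names,
# CNs and paths are illustrative, not the poster's real values.
SAMPLE_CONF = """
Director {                        # define myself
  Name = backup1-dir
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "console@example.com"
  TLS Allowed CN = "backup1-dir@example.com"
  TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
  TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
  TLS Key = /usr/local/etc/ssl/backup1/key.pem
}
Storage {
  Name = File
  Address = backup1.example.com
  TLS Require = yes
  TLS Verify Peer = yes           # no Allowed CN: any CA-signed cert passes
  TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
  TLS Certificate = /usr/local/etc/ssl/backup1-dir/cert.pem
  TLS Key = /usr/local/etc/ssl/backup1-dir/key.pem
}
Client {
  Name = server1-fd
  TLS Require = yes               # certificate and key are missing
  TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
}
"""

_OPEN = re.compile(r"^\s*([A-Za-z]+)\s*\{")
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")


def _strip_comment(line):
    """Drop a trailing # comment, leaving # characters inside quotes alone."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            return line[:i]
    return line


def parse_resources(text):
    """Return a list of (resource_type, {directive: [values]}) tuples.

    Values are unquoted; a directive that repeats (TLS Allowed CN)
    collects its values in the order they appear.
    """
    resources, current, directives = [], None, None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        m = _OPEN.match(line)
        if m and current is None:
            current, directives = m.group(1), defaultdict(list)
            line = line[m.end():].strip()
            if not line:
                continue
        if line.startswith("}"):
            resources.append((current, dict(directives)))
            current, directives = None, None
            continue
        m = _DIRECTIVE.match(line)
        if m and current is not None:
            directives[m.group(1)].append(m.group(2).strip('"'))
    return resources


def _flag(directives, key):
    return directives.get(key, [""])[0].lower() in ("yes", "true", "1")


def audit_tls(resources):
    """Return (resource_type, name, severity, message) findings."""
    findings = []
    for rtype, d in resources:
        name = d.get("Name", ["?"])[0]
        if not _flag(d, "TLS Require"):
            continue  # TLS not demanded here; nothing to check
        for key in ("TLS Certificate", "TLS Key"):
            if key not in d:
                findings.append((rtype, name, "error",
                                 "%s missing although TLS Require = yes" % key))
        if "TLS CA Certificate File" not in d and "TLS CA Certificate Dir" not in d:
            findings.append((rtype, name, "error",
                             "no CA trust anchor (TLS CA Certificate File/Dir)"))
        if _flag(d, "TLS Verify Peer"):
            if not d.get("TLS Allowed CN"):
                findings.append((rtype, name, "warn",
                                 "TLS Verify Peer = yes without TLS Allowed CN: "
                                 "any certificate issued by the CA is accepted"))
        else:
            findings.append((rtype, name, "info",
                             "TLS Verify Peer not enabled: peer identity is not "
                             "checked by TLS; another mechanism must authenticate it"))
    return findings


if __name__ == "__main__":
    for rtype, name, sev, msg in audit_tls(parse_resources(SAMPLE_CONF)):
        print("%-5s %s/%s: %s" % (sev, rtype, name, msg))
```

Run against the sample it reports the Storage resource that verifies peers without an allowlist, the Client resource missing its certificate and key, and the Client resource's lack of peer verification; the fully specified Director resource produces no finding. Point `parse_resources` at the contents of a real bacula-dir.conf, bacula-fd.conf or bacula-sd.conf to audit those instead.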