Landon Fuller wrote:
Kern Sibbald wrote:

Hello,

Does anyone have any *real* bacula .conf examples of using the new TLS data encryption feature? I would like to add them to the manual.


Here are the TLS portions of my configuration files:
[...]

I just set mine up today. I started with Landon's configuration, but one thing I noticed is that (based on watching with tcpdump) I wasn't getting an encrypted connection from the FD to the SD. I had to add "TLS Require = yes" to the FileDaemon section on the client configuration to get an encrypted connection. I'm no SSL guru, so maybe I've missed some other problem in my configuration.

Here's my (working, as far as I can tell) configuration... I have a director and storage daemon running on server1. There is one TLS-enabled file daemon running on client1. Some other clients are not TLS-enabled, so I use "TLS Enable" instead of "TLS Require" in some places to support those.

bacula-dir.conf on server1:

  Director {
    Name = server1-dir
    ...

    TLS Enable = yes
    TLS Verify Peer = yes
    TLS Allowed CN = "server1.example.com"
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    # This is a server certificate, used for incoming
    # console connections.
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

  Client {
    Name = client1-fd
    Address = client1.example.com
    ...

    TLS Require = yes
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    # This is a client certificate, used by the director to
    # connect to the remote file daemon.
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bacula-sd.conf on server1:

  Storage {
    Name = server1-sd
    ...

    # These TLS configuration options are used for incoming
    # file daemon connections. Director TLS settings are handled
    # below.
    TLS Enable = yes
    # Peer certificate is not required/requested -- peer validity
    # is verified by the storage connection cookie provided to the
    # File Daemon by the director.
    TLS Verify Peer = no
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

  Director {
    Name = server1-dir
    ...

    TLS Require = yes
    # Require the connecting director to provide a certificate
    # with the matching CN.
    TLS Verify Peer = yes
    TLS Allowed CN = "server1.example.com"
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bconsole.conf on server1:

  Director {
    Name = server1-dir
    Address = server1.example.com
    ...

    TLS Require = yes
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bacula-fd.conf on client1:

  Director {
    Name = server1-dir
    ...

    TLS Require = yes
    TLS Verify Peer = yes
    # Allow only the Director to connect
    TLS Allowed CN = "server1.example.com"
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    # This is a server certificate. It is used by connecting
    # directors to verify the authenticity of this file daemon
    TLS Certificate = /etc/bacula/ssl/client1-cert.pem
    TLS Key = /etc/bacula/ssl/client1-key.pem
  }

  FileDaemon {
    Name = client1-fd
    ...

    # I think this is used when connecting to the storage daemon.
    TLS Require = yes
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/client1-cert.pem
    TLS Key = /etc/bacula/ssl/client1-key.pem
  }
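The post above found the gap by watching the wire with tcpdump. A cheaper first check is to read the resources back and flag the TLS combinations that silently degrade. The following is an added example, not code from the post or from the Bacula project: a small parser for the `Resource { Key = Value }` layout shown above, followed by consistency checks. The Bacula directive names are real; the check rules, the function names and the sample bacula-fd.conf (modelled on client1's file, with the "TLS Enable only" mistake from the post reintroduced and the Director's `TLS Allowed CN` dropped) are constructed for this example.

```python
"""Lint the TLS directives in Bacula-style resource blocks (added example).

Catches the mistake described in the post: a resource that only has
`TLS Enable`, so the connection falls back to plaintext whenever the peer
does not insist on TLS, plus a few related gaps (peer verification without
a pinned CN, missing CA, certificate without key).
"""
import re
from typing import Dict, List, Tuple

Resource = Tuple[str, str, Dict[str, str]]  # (type, name, directives)

# Resource types that open or accept daemon/console connections and
# therefore carry TLS directives; others (Messages, Job, Pool, ...) are skipped.
TLS_RESOURCES = {"director", "client", "storage", "filedaemon", "console"}

_HEADER = re.compile(r"^\s*(\w+)\s*\{\s*$")
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][\w ]*?)\s*=\s*(.*?)\s*$")


def parse_resources(text: str) -> List[Resource]:
    """Parse `Type { Key = Value ... }` blocks.

    `#` comments and the `...` elision lines used in the post are skipped;
    directive names are lowercased so `TLS Enable` and `tls enable` match.
    (A `#` inside a value is treated as a comment; none of the paths here
    contain one.)
    """
    resources: List[Resource] = []
    current: Dict[str, str] = {}
    rtype = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() == "...":
            continue
        m = _HEADER.match(line)
        if m:
            rtype, current = m.group(1), {}
            continue
        if line.strip() == "}":
            resources.append((rtype, current.get("name", "?"), current))
            rtype, current = "", {}
            continue
        m = _DIRECTIVE.match(line)
        if m and rtype:
            current[m.group(1).lower()] = m.group(2).strip('"')
    return resources


def _yes(d: Dict[str, str], key: str) -> bool:
    return d.get(key, "no").lower() in ("yes", "true", "1")


def lint_tls(resources: List[Resource]) -> List[str]:
    """Return one human-readable finding per TLS problem, in file order."""
    findings: List[str] = []
    for rtype, name, d in resources:
        if rtype.lower() not in TLS_RESOURCES:
            continue
        where = f"{rtype} {name}"
        enabled, required = _yes(d, "tls enable"), _yes(d, "tls require")
        if not enabled and not required:
            findings.append(f"{where}: no TLS directives, traffic is plaintext")
            continue
        if not required:
            findings.append(f"{where}: TLS Enable without TLS Require, "
                            "falls back to plaintext if the peer does not request TLS")
        if _yes(d, "tls verify peer") and "tls allowed cn" not in d:
            findings.append(f"{where}: TLS Verify Peer without TLS Allowed CN, "
                            "any certificate signed by the CA is accepted")
        if "tls ca certificate file" not in d and "tls ca certificate dir" not in d:
            findings.append(f"{where}: no TLS CA Certificate File/Dir, "
                            "peer certificates cannot be validated")
        if ("tls certificate" in d) != ("tls key" in d):
            findings.append(f"{where}: TLS Certificate and TLS Key must be given together")
    return findings


# Constructed sample (not the poster's file): client1's bacula-fd.conf with
# the FileDaemon resource carrying only "TLS Enable", which is the state
# that left the FD->SD connection in the clear until TLS Require was added,
# and a Director resource that verifies the peer without pinning its CN.
SAMPLE_FD_CONF = """
Director {
  Name = server1-dir
  ...
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
  TLS Certificate = /etc/bacula/ssl/client1-cert.pem
  TLS Key = /etc/bacula/ssl/client1-key.pem
}

FileDaemon {
  Name = client1-fd
  ...
  TLS Enable = yes
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
  TLS Certificate = /etc/bacula/ssl/client1-cert.pem
  TLS Key = /etc/bacula/ssl/client1-key.pem
}

Messages {
  Name = Standard
  ...
}
"""

if __name__ == "__main__":
    for finding in lint_tls(parse_resources(SAMPLE_FD_CONF)):
        print(finding)
```

Run it against a real file with `lint_tls(parse_resources(open("/etc/bacula/bacula-fd.conf").read()))`; on the sample it reports the Director's unpinned peer verification and the FileDaemon's opportunistic-only TLS. It is a consistency check on the directives, not proof of what goes over the wire, so the tcpdump check from the post still applies after the configuration passes.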

