Hello,

I'm trying to get TLS going on Bacula 1.38.11. I've created and installed keys via the howto at:
http://www.eclectica.ca/howto/ssl-cert-howto.php

This part went fine, and the relevant portions of my config are below. I've restarted the daemons and all worked fine; I did not get any errors. When I attempted to connect with bconsole I got an authorization error:

#bconsole -c bconsole.conf
Connecting to Director zeus:9101
Authorization problem: Remote server requires TLS.
Director authorization problem.
Most likely the passwords do not agree.
If you are using TLS, there may have been a certificate validation error during the TLS handshake.
Please see http://www.bacula.org/rel-manual/faq.html#AuthorizationErrors for help.

I've checked that location, and I've verified the names match. I'm running a local DNS server and have added an A record for the bacula entry. I'm suspecting I have my TLS options defined incorrectly.

Any help appreciated.
Thanks.
Dave.

# host bacula.example.com
bacula.example.com has address 192.168.0.3

bconsole.conf:

Director {
  Name = bacula-dir
  DIRport = 9101
  address = bacula.example.com
  Password = "xxx"
}

bacula-fd.conf:

#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = bacula-dir
  Password = "xxx"
  TLS Require = yes
  TLS Verify Peer = yes
  # Allow only the Director to connect
  TLS Allowed CN = "bacula.example.com"
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  # This is a server certificate. It is used by connecting
  # directors to verify the authenticity of this file daemon
  TLS Certificate = /usr/local/etc/bacula/cert.pem
  TLS Key = /usr/local/etc/bacula/key.pem
}

bacula-sd.conf:

Storage {                             # definition of myself
  Name = bacula-sd
  SDPort = 9103                  # Director's port
  WorkingDirectory = "/var/db/bacula"
  Pid Directory = "/var/run"
  Maximum Concurrent Jobs = 20
  # These TLS configuration options are used for incoming
  # file daemon connections. Director TLS settings are handled
  # below.
  TLS Require = yes
  # Peer certificate is not required/requested -- peer validity
  # is verified by the storage connection cookie provided to the
  # File Daemon by the director.
  TLS Verify Peer = no
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  # This is a server certificate. It is used by connecting
  # file daemons to verify the authenticity of this storage daemon
  TLS Certificate = /usr/local/etc/bacula/cert.pem
  TLS Key = /usr/local/etc/bacula/key.pem
}

#
# List Directors who are permitted to contact Storage daemon
#
Director {
  Name = bacula-dir
  Password = "xxx"
  TLS Require = yes
  # Require the connecting director to provide a certificate
  # with the matching CN.
  TLS Verify Peer = yes
  TLS Allowed CN = "bacula.example.com"
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  # This is a server certificate. It is used by the connecting
  # director to verify the authenticity of this storage daemon
  TLS Certificate = /usr/local/etc/bacula/cert.pem
  TLS Key = /usr/local/etc/bacula/key.pem
}

Device {
  Name = FileStorage
  Media Type = File
  Archive Device = /backup/bacula
  LabelMedia = yes;                   # lets Bacula label unlabeled media
  Random Access = Yes;
  AutomaticMount = yes;               # when device opened, read it
  RemovableMedia = no;
  AlwaysOpen = no;
}

bacula-dir.conf:

Director {                            # define myself
  Name = bacula-dir
  DIRport = 9101                # where we listen for UA connections
  QueryFile = "/usr/local/share/bacula/query.sql"
  WorkingDirectory = "/var/db/bacula"
  PidDirectory = "/var/run"
  Maximum Concurrent Jobs = 3
  Password = "xxx"
  Messages = Daemon
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "[EMAIL PROTECTED]"
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  # This is a server certificate
  # used for incoming console connections from the first client
  TLS Certificate = /usr/local/etc/bacula/cert.pem
  TLS Key = /usr/local/etc/bacula/key.pem
}

# Definition of file storage device
Storage {
  Name = File
  Address = bacula.example.com                # N.B. Use a fully qualified name here
  SDPort = 9103
  Password = "xxx"
  Device = FileStorage
  Media Type = File
  TLS Require = yes
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  # This is a client certificate, used by the director to
  # connect to the storage daemon
  TLS Certificate = /usr/local/etc/bacula/cert.pem
  TLS Key = /usr/local/etc/bacula/key.pem
}

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
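
Added example (not part of the original post, and not Bacula's own code): a small lint that parses the console-side and Director-side Director resources quoted in the post and reports when the listening side sets TLS Require = yes while the connecting side sets no TLS directives at all, the situation the "Remote server requires TLS" line in the output describes. The function names, the message text and the trimmed sample strings are constructed for illustration; the parser assumes flat resources with no nested braces and no "#" inside quoted values.

```python
import re

# Constructed sample: the two Director resources from the post that face each
# other on port 9101 (console side and Director side), trimmed to the relevant lines.
BCONSOLE_CONF = """
Director {
  Name = bacula-dir
  DIRport = 9101
  address = bacula.example.com
  Password = "xxx"
}
"""
BACULA_DIR_CONF = """
Director {                            # define myself
  Name = bacula-dir
  DIRport = 9101                # where we listen for UA connections
  Password = "xxx"
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  TLS Certificate = /usr/local/etc/bacula/cert.pem
  TLS Key = /usr/local/etc/bacula/key.pem
}
"""
MSG = "listening side sets TLS Require = yes; connecting side has no TLS directives"

def norm(name):
    # Bacula ignores case and spaces in keywords, so "TLS Require" == "tlsrequire".
    return re.sub(r"\s+", "", name).lower()

def parse_resources(text):
    """Return [(resource_type, {directive: value})] for flat resource blocks."""
    out = []
    for rtype, body in re.findall(r"(\w+)\s*\{(.*?)\}", text, re.S):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip().rstrip(";")  # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                directives[norm(key)] = value.strip().strip('"')
        out.append((norm(rtype), directives))
    return out

def tls_mismatch(client_text, server_text, rtype="director"):
    """Compare the first resource of type `rtype` in each file; return findings."""
    client = next(d for t, d in parse_resources(client_text) if t == rtype)
    server = next(d for t, d in parse_resources(server_text) if t == rtype)
    client_tls = [k for k in client if k.startswith("tls")]
    if server.get("tlsrequire", "no").lower() == "yes" and not client_tls:
        return [MSG]
    return []
```

On the constructed sample, tls_mismatch(BCONSOLE_CONF, BACULA_DIR_CONF) returns the single finding in MSG.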