Re: [Bacula-users] Re: [Bacula-devel] Using TLS
Quoting Ray Burr [EMAIL PROTECTED]:

> I just set mine up today. I started with Landon's configuration, but one thing I noticed is that (based on watching with tcpdump) I wasn't getting an encrypted connection from the FD to the SD. I had to add TLS Require = yes to the FileDaemon section on the client configuration to get an encrypted connection. I'm no SSL guru, so maybe I've missed some other problem in my configuration.

Ah, lucky you. On my test server, the connections were actually failing until I configured TLS in those additional sections (Client in bacula-dir.conf, and FileDaemon in bacula-fd.conf).

BTW, since the same certificate may be used (and usually will be used) in various sections, it would be nice if the CA and daemon certificates could be referenced only from the global section of the file (for example the Director section in bacula-dir.conf, the Storage section in bacula-sd.conf, and the FileDaemon section in bacula-fd.conf). There is probably not much point in repeating the same three lines for each defined Client and Storage in bacula-dir.conf (the same goes for bacula-sd.conf and bacula-fd.conf, although there is not that much repetition there).

An option to globally enable/require TLS from the global section of the configuration files might be nice to have too. That way, for example, no TLS options would need to be specified in the Client and Storage sections of bacula-dir.conf.

This message was sent using IMP, the Internet Messaging Program.

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[Bacula-users] Re: [Bacula-devel] Using TLS
Landon Fuller wrote:
> Kern Sibbald wrote:
> > Hello,
> > Does anyone have any *real* bacula .conf examples of using the new TLS data encryption feature? I would like to add them to the manual.
>
> Here are the TLS portions of my configuration files:
> [...]

I just set mine up today. I started with Landon's configuration, but one thing I noticed is that (based on watching with tcpdump) I wasn't getting an encrypted connection from the FD to the SD. I had to add TLS Require = yes to the FileDaemon section on the client configuration to get an encrypted connection. I'm no SSL guru, so maybe I've missed some other problem in my configuration.

Here's my (working, as far as I can tell) configuration... I have a director and storage daemon running on server1. There is one TLS-enabled file daemon running on client1. Some other clients are not TLS-enabled, so I use TLS Enable instead of TLS Require in some places to support those.

bacula-dir.conf on server1:

  Director {
    Name = server1-dir
    ...
    TLS Enable = yes
    TLS Verify Peer = yes
    TLS Allowed CN = server1.example.com
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    # This is a server certificate, used for incoming
    # console connections.
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

  Client {
    Name = client1-fd
    Address = client1.example.com
    ...
    TLS Require = yes
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    # This is a client certificate, used by the director to
    # connect to the remote file daemon.
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bacula-sd.conf on server1:

  Storage {
    Name = server1-sd
    ...
    # These TLS configuration options are used for incoming
    # file daemon connections. Director TLS settings are handled
    # below.
    TLS Enable = yes
    # Peer certificate is not required/requested -- peer validity
    # is verified by the storage connection cookie provided to the
    # File Daemon by the director.
    TLS Verify Peer = no
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

  Director {
    Name = server1-dir
    ...
    TLS Require = yes
    # Require the connecting director to provide a certificate
    # with the matching CN.
    TLS Verify Peer = yes
    TLS Allowed CN = server1.example.com
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bconsole.conf on server1:

  Director {
    Name = server1-dir
    Address = server1.example.com
    ...
    TLS Require = yes
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/server1-cert.pem
    TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bacula-fd.conf on client1:

  Director {
    Name = server1-dir
    ...
    TLS Require = yes
    TLS Verify Peer = yes
    # Allow only the Director to connect
    TLS Allowed CN = server1.example.com
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    # This is a server certificate. It is used by connecting
    # directors to verify the authenticity of this file daemon
    TLS Certificate = /etc/bacula/ssl/client1-cert.pem
    TLS Key = /etc/bacula/ssl/client1-key.pem
  }

  FileDaemon {
    Name = client1-fd
    ...
    # I think this is used when connecting to the storage daemon.
    TLS Require = yes
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/client1-cert.pem
    TLS Key = /etc/bacula/ssl/client1-key.pem
  }
[Bacula-users] Re: [Bacula-devel] Using TLS
Ray Burr wrote:
> Landon Fuller wrote:
> > Kern Sibbald wrote:
> > > Hello,
> > > Does anyone have any *real* bacula .conf examples of using the new TLS data encryption feature? I would like to add them to the manual.
> >
> > Here are the TLS portions of my configuration files:
> > [...]
>
> I just set mine up today. I started with Landon's configuration, but one thing I noticed is that (based on watching with tcpdump) I wasn't getting an encrypted connection from the FD to the SD. I had to add TLS Require = yes to the FileDaemon section on the client configuration to get an encrypted connection. I'm no SSL guru, so maybe I've missed some other problem in my configuration.

Whoops, I forgot that section. Yeah, you'll need the TLS Require line.

  FileDaemon {
    Name = client1-fd
    ...
    # I think this is used when connecting to the storage daemon.
    TLS Require = yes
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/client1-cert.pem
    TLS Key = /etc/bacula/ssl/client1-key.pem
  }

Since the storage daemon isn't validating client certificates (and doesn't really need to -- the client can only connect with a valid cookie from the Director), you shouldn't need to specify the Certificate/Key pair here.

-landonf
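An added example, not code from any message in this thread or from the Bacula project: a small Python checker for the TLS directives these posts are debugging. It parses the `Resource { Key = Value }` form used in the posted configs and flags the situations discussed above: a connecting resource (FileDaemon, Client, Storage) with no TLS directive at all, which is what Ray saw on the FD-to-SD link; TLS Enable without TLS Require, which lets a peer without TLS fall back to cleartext; TLS Verify Peer = yes without a TLS Allowed CN; and a listening resource that does not verify peers, reported only as informational because Landon's storage daemon does that deliberately and relies on the Director's storage cookie instead. The sample configs are constructed from the ones posted in this thread with the non-TLS lines dropped, and the table of which resource listens and which connects in each daemon is taken from the comments in the posted configs; that table, the paths, and the resource names are assumptions of this example, not rules the thread states.

```python
"""Lint the TLS directives in Bacula daemon configs.

Added example for this thread; it is not Bacula's own code. It handles the
subset of bacula-*.conf syntax seen in the posted configs: `Resource { ... }`
blocks, `Key = Value` lines, `#` comments and optional double-quoted values.
Bacula ignores case and whitespace in directive names, so `TLS Require` and
`TLSRequire` are treated as the same key here as well.
"""
from __future__ import annotations

import re

# Which resource in each daemon's config accepts TLS connections (listener)
# and which initiates them (connector). Assumed from the comments in the
# posted configs:
#   dir:     Director accepts consoles; Client/Storage connect out to FD/SD.
#   sd:      Storage accepts file daemons; Director accepts the Director.
#   fd:      Director accepts the Director; FileDaemon connects out to the SD.
#   console: Director is the Director the console connects to.
LISTENERS = {"dir": {"director"}, "sd": {"storage", "director"},
             "fd": {"director"}, "console": set()}
CONNECTORS = {"dir": {"client", "storage"}, "sd": set(),
              "fd": {"filedaemon"}, "console": {"director"}}


def _strip_comment(line: str) -> str:
    """Drop a `#` comment unless the `#` sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _norm_key(key: str) -> str:
    """`TLS Verify Peer` -> `tlsverifypeer` (Bacula ignores case/spaces)."""
    return re.sub(r"\s+", "", key).lower()


def parse_bacula_conf(text: str) -> list[tuple[str, dict[str, list[str]]]]:
    """Return [(ResourceType, {normalised_key: [value, ...]}), ...].

    Values are lists because a directive may repeat (e.g. several
    `TLS Allowed CN` lines, as in Landon's Director resource).
    """
    resources, current = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.endswith("{"):
            current = (line[:-1].strip(), {})
            resources.append(current)
        elif line == "}":
            current = None
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a resource: {raw!r}")
        else:
            key, _, value = line.partition("=")
            current[1].setdefault(_norm_key(key), []).append(value.strip().strip('"'))
    if current is not None:
        raise ValueError("unterminated resource block")
    return resources


def _yes(values: list[str] | None) -> bool:
    return bool(values) and values[-1].strip().lower() in {"yes", "true", "1"}


def audit_tls(text: str, daemon: str) -> list[tuple[str, str, str]]:
    """Return (severity, resource, message) findings for one daemon's config.

    `daemon` is "dir", "sd", "fd" or "console" and selects the role table.
    """
    if daemon not in LISTENERS:
        raise ValueError(f"daemon must be one of {sorted(LISTENERS)}")
    findings = []
    for rtype, d in parse_bacula_conf(text):
        kind = rtype.lower()
        if kind in LISTENERS[daemon]:
            role = "listener"
        elif kind in CONNECTORS[daemon]:
            role = "connector"
        else:
            continue  # Job, Pool, Device, Messages...: no TLS link of their own
        where = f"{rtype} {d.get('name', ['?'])[-1]}"
        require, enable = _yes(d.get("tlsrequire")), _yes(d.get("tlsenable"))
        if not (require or enable):
            findings.append(("error", where,
                             "no TLS Require or TLS Enable: this link is negotiated in cleartext"))
            continue
        if enable and not require:
            findings.append(("warn", where,
                             "TLS Enable without TLS Require: a peer without TLS falls back to cleartext"))
        if not d.get("tlscacertificatefile"):
            findings.append(("warn", where,
                             "no TLS CA Certificate File: peer certificates cannot be validated"))
        if role == "listener":
            if not _yes(d.get("tlsverifypeer")):
                findings.append(("info", where,
                                 "TLS Verify Peer is not yes: incoming peers are not authenticated by certificate"))
            elif not d.get("tlsallowedcn"):
                findings.append(("warn", where,
                                 "TLS Verify Peer = yes without TLS Allowed CN: peers are restricted only by the CA, not by name"))
            if not (d.get("tlscertificate") and d.get("tlskey")):
                findings.append(("error", where,
                                 "listener has no TLS Certificate/TLS Key: it cannot complete a TLS handshake"))
    return findings


# Constructed samples, trimmed from the configs posted in this thread.
WEAK_FD_CONF = """
Director {
  Name = server1-dir
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = server1.example.com
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
  TLS Certificate = /etc/bacula/ssl/client1-cert.pem
  TLS Key = /etc/bacula/ssl/client1-key.pem
}
FileDaemon {   # no TLS here: the FD -> SD link comes up in cleartext
  Name = client1-fd
}
"""
FIXED_FD_CONF = WEAK_FD_CONF.replace("  Name = client1-fd\n", """  Name = client1-fd
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
""")
WEAK_SD_CONF = """
Storage {
  Name = server1-sd
  TLS Enable = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
  TLS Certificate = /etc/bacula/ssl/server1-cert.pem
  TLS Key = /etc/bacula/ssl/server1-key.pem
}
Director {
  Name = server1-dir
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bacula/ssl/ca.pem
  TLS Certificate = /etc/bacula/ssl/server1-cert.pem
  TLS Key = /etc/bacula/ssl/server1-key.pem
}
Device {
  Name = FileStorage
  Archive Device = /var/bacula/storage
}
"""

if __name__ == "__main__":
    for label, conf, daemon in (("weak bacula-fd.conf", WEAK_FD_CONF, "fd"),
                                ("fixed bacula-fd.conf", FIXED_FD_CONF, "fd"),
                                ("weak bacula-sd.conf", WEAK_SD_CONF, "sd")):
        print(f"== {label}")
        for severity, where, msg in audit_tls(conf, daemon) or [("ok", "-", "no findings")]:
            print(f"  [{severity}] {where}: {msg}")
```

To run it against real files, replace the embedded samples with `open("/etc/bacula/bacula-fd.conf").read()` and pass the matching daemon name. The checker only sees the configuration; whether a link is actually encrypted is still best confirmed the way Ray did, by watching the FD-to-SD traffic with tcpdump.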
[Bacula-users] Re: [Bacula-devel] Using TLS
Kern Sibbald wrote:
> Hello,
> Does anyone have any *real* bacula .conf examples of using the new TLS data encryption feature? I would like to add them to the manual.

Here are the TLS portions of my configuration files:

bacula-dir.conf:

  Director { # define myself
    Name = backup1-dir
    ...
    TLS Require = yes
    TLS Verify Peer = yes
    TLS Allowed CN = [EMAIL PROTECTED]
    TLS Allowed CN = [EMAIL PROTECTED]
    TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
    # This is a server certificate, used for incoming
    # console connections.
    TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
    TLS Key = /usr/local/etc/ssl/backup1/key.pem
  }

  Storage {
    Name = File
    Address = backup1.example.com
    ...
    TLS Require = yes
    TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
    # This is a client certificate, used by the director to
    # connect to the storage daemon
    TLS Certificate = /usr/local/etc/ssl/[EMAIL PROTECTED]/cert.pem
    TLS Key = /usr/local/etc/ssl/[EMAIL PROTECTED]/key.pem
  }

bacula-fd.conf:

  Director {
    Name = backup1-dir
    ...
    TLS Require = yes
    TLS Verify Peer = yes
    # Allow only the Director to connect
    TLS Allowed CN = [EMAIL PROTECTED]
    TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
    # This is a server certificate. It is used by connecting
    # directors to verify the authenticity of this file daemon
    TLS Certificate = /usr/local/etc/ssl/server1/cert.pem
    TLS Key = /usr/local/etc/ssl/server1/key.pem
  }

bacula-sd.conf:

  Storage { # definition of myself
    Name = backup1-sd
    ...
    # These TLS configuration options are used for incoming
    # file daemon connections. Director TLS settings are handled
    # below.
    TLS Require = yes
    # Peer certificate is not required/requested -- peer validity
    # is verified by the storage connection cookie provided to the
    # File Daemon by the director.
    TLS Verify Peer = no
    TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
    # This is a server certificate. It is used by connecting
    # file daemons to verify the authenticity of this storage daemon
    TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
    TLS Key = /usr/local/etc/ssl/backup1/key.pem
  }

  #
  # List Directors who are permitted to contact Storage daemon
  #
  Director {
    Name = backup1-dir
    ...
    TLS Require = yes
    # Require the connecting director to provide a certificate
    # with the matching CN.
    TLS Verify Peer = yes
    TLS Allowed CN = [EMAIL PROTECTED]
    TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
    # This is a server certificate. It is used by the connecting
    # director to verify the authenticity of this storage daemon
    TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
    TLS Key = /usr/local/etc/ssl/backup1/key.pem
  }