Re: [Bacula-users] Re: [Bacula-devel] Using TLS

2005-12-16 Thread Aleksandar Milivojevic

Quoting Ray Burr [EMAIL PROTECTED]:

I just set mine up today.  I started with Landon's configuration, but 
one thing I noticed is that (based on watching with tcpdump) I wasn't 
getting an encrypted connection from the FD to the SD.  I had to add 
TLS Require = yes to the FileDaemon section on the client 
configuration to get an encrypted connection.  I'm no SSL guru, so 
maybe I've missed some other problem in my configuration.


Ah, lucky you.  On my test server, the connections were actually 
failing until I configured TLS in those additional sections (Client in 
bacula-dir.conf, and FileDaemon in bacula-fd.conf).

BTW, since the same certificate may be used (and usually will be used) in various
sections, it would be nice if the CA and daemon certificates could be referenced
only from the global section of the file (for example the Director section in
bacula-dir.conf, the Storage section in bacula-sd.conf, and the FileDaemon section in
bacula-fd.conf).  There is probably not much point in repeating the same three lines for
each defined Client and Storage in bacula-dir.conf (the same goes for
bacula-sd.conf and bacula-fd.conf, although there are not that many repetitions there).

An option to globally enable/require TLS from the global section of the configuration
files might be nice to have too.  That way, for example, no TLS options would
need to be specified in the Client and Storage sections of bacula-dir.conf.







[Bacula-users] Re: [Bacula-devel] Using TLS

2005-11-14 Thread Ray Burr

Landon Fuller wrote:

Kern Sibbald wrote:


Hello,

Does anyone have any *real* bacula .conf examples of using the new TLS 
data encryption feature?  I would like to add them to the manual.



Here are the TLS portions of my configuration files:
[...]


I just set mine up today.  I started with Landon's configuration, but 
one thing I noticed is that (based on watching with tcpdump) I wasn't 
getting an encrypted connection from the FD to the SD.  I had to add 
TLS Require = yes to the FileDaemon section on the client 
configuration to get an encrypted connection.  I'm no SSL guru, so maybe 
I've missed some other problem in my configuration.


Here's my (working, as far as I can tell) configuration... I have a 
director and storage daemon running on server1.  There is one 
TLS-enabled file daemon running on client1.  Some other clients are not 
TLS-enabled, so I use TLS Enable instead of TLS Require in some 
places to support those.


bacula-dir.conf on server1:

  Director {
Name = server1-dir
...

TLS Enable = yes
TLS Verify Peer = yes
TLS Allowed CN = server1.example.com
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
# This is a server certificate, used for incoming
# console connections.
TLS Certificate = /etc/bacula/ssl/server1-cert.pem
TLS Key = /etc/bacula/ssl/server1-key.pem
  }

  Client {
Name = client1-fd
Address = client1.example.com
...

TLS Require = yes
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
# This is a client certificate, used by the director to
# connect to the remote file daemon.
TLS Certificate = /etc/bacula/ssl/server1-cert.pem
TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bacula-sd.conf on server1:

  Storage {
Name = server1-sd
...

# These TLS configuration options are used for incoming
# file daemon connections. Director TLS settings are handled
# below.
TLS Enable = yes
# Peer certificate is not required/requested -- peer validity
# is verified by the storage connection cookie provided to the
# File Daemon by the director.
TLS Verify Peer = no
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
TLS Certificate = /etc/bacula/ssl/server1-cert.pem
TLS Key = /etc/bacula/ssl/server1-key.pem
  }

  Director {
Name = server1-dir
...

TLS Require = yes
# Require the connecting director to provide a certificate
# with the matching CN.
TLS Verify Peer = yes
TLS Allowed CN = server1.example.com
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
TLS Certificate = /etc/bacula/ssl/server1-cert.pem
TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bconsole.conf on server1:

  Director {
Name = server1-dir
Address = server1.example.com
...

TLS Require = yes
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
TLS Certificate = /etc/bacula/ssl/server1-cert.pem
TLS Key = /etc/bacula/ssl/server1-key.pem
  }

bacula-fd.conf on client1:

  Director {
Name = server1-dir
...

TLS Require = yes
TLS Verify Peer = yes
# Allow only the Director to connect
TLS Allowed CN = server1.example.com
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
# This is a server certificate. It is used by connecting
# directors to verify the authenticity of this file daemon
TLS Certificate = /etc/bacula/ssl/client1-cert.pem
TLS Key = /etc/bacula/ssl/client1-key.pem
  }

  FileDaemon {
Name = client1-fd
...

# I think this is used when connecting to the storage daemon.
TLS Require = yes
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
TLS Certificate = /etc/bacula/ssl/client1-cert.pem
TLS Key = /etc/bacula/ssl/client1-key.pem
  }




[Bacula-users] Re: [Bacula-devel] Using TLS

2005-11-11 Thread Landon Fuller

Ray Burr wrote:

Landon Fuller wrote:


Kern Sibbald wrote:


Hello,

Does anyone have any *real* bacula .conf examples of using the new 
TLS data encryption feature?  I would like to add them to the manual.




Here are the TLS portions of my configuration files:
[...]



I just set mine up today.  I started with Landon's configuration, but 
one thing I noticed is that (based on watching with tcpdump) I wasn't 
getting an encrypted connection from the FD to the SD.  I had to add 
TLS Require = yes to the FileDaemon section on the client 
configuration to get an encrypted connection.  I'm no SSL guru, so maybe 
I've missed some other problem in my configuration.


Whoops, I forgot that section. Yeah, you'll need the TLS Require line.



  FileDaemon {
Name = client1-fd
...

# I think this is used when connecting to the storage daemon.
TLS Require = yes
TLS CA Certificate File = /etc/bacula/ssl/ca.pem
TLS Certificate = /etc/bacula/ssl/client1-cert.pem
TLS Key = /etc/bacula/ssl/client1-key.pem
  }


Since the storage daemon isn't validating client certificates (and 
doesn't really need to -- the client can only connect with a valid 
cookie from the Director), you shouldn't need to specify a 
Certificate/Key pair here.


-landonf




[Bacula-users] Re: [Bacula-devel] Using TLS

2005-11-10 Thread Landon Fuller

Kern Sibbald wrote:

Hello,

Does anyone have any *real* bacula .conf examples of using the new TLS data 
encryption feature?  I would like to add them to the manual.


Here are the TLS portions of my configuration files:

bacula-dir.conf:
  Director {# define myself
Name = backup1-dir
...
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = [EMAIL PROTECTED]
TLS Allowed CN = [EMAIL PROTECTED]
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate, used for incoming
# console connections.
TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
TLS Key = /usr/local/etc/ssl/backup1/key.pem
  }

  Storage {
Name = File
Address = backup1.example.com
...
TLS Require = yes
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a client certificate, used by the director to
# connect to the storage daemon
TLS Certificate = /usr/local/etc/ssl/[EMAIL PROTECTED]/cert.pem
TLS Key = /usr/local/etc/ssl/[EMAIL PROTECTED]/key.pem
  }

bacula-fd.conf:
  Director {
Name = backup1-dir
...
TLS Require = yes
TLS Verify Peer = yes
# Allow only the Director to connect
TLS Allowed CN = [EMAIL PROTECTED]
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate. It is used by connecting
# directors to verify the authenticity of this file daemon
TLS Certificate = /usr/local/etc/ssl/server1/cert.pem
TLS Key = /usr/local/etc/ssl/server1/key.pem
  }

bacula-sd.conf:
  Storage { # definition of myself
Name = backup1-sd
...
# These TLS configuration options are used for incoming
# file daemon connections. Director TLS settings are handled
# below.
TLS Require = yes
# Peer certificate is not required/requested -- peer validity
# is verified by the storage connection cookie provided to the
# File Daemon by the director.
TLS Verify Peer = no
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate. It is used by connecting
# file daemons to verify the authenticity of this storage daemon
TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
TLS Key = /usr/local/etc/ssl/backup1/key.pem
  }

  #
  # List Directors who are permitted to contact Storage daemon
  #
  Director {
Name = backup1-dir
...
TLS Require = yes
# Require the connecting director to provide a certificate
# with the matching CN.
TLS Verify Peer = yes
TLS Allowed CN = [EMAIL PROTECTED]
TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
# This is a server certificate. It is used by the connecting
# director to verify the authenticity of this storage daemon
TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
TLS Key = /usr/local/etc/ssl/backup1/key.pem
  }


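The checks this thread converges on (Ray Burr's finding that the FileDaemon resource needs its own TLS Require line before the FD-to-SD connection is encrypted, Landon's note that the SD does not verify the FD certificate, and Aleksandar's remark that the same three certificate lines get repeated per resource) gathered into an added Python script. It is not part of Bacula and not any poster's code. It parses the `Resource { Directive = Value }` layout used in the snippets above (treating `...` as elided lines and `#` as a comment) and reports resources with no TLS directives, TLS Enable without TLS Require, TLS without a CA file, and Verify Peer without Allowed CN. The bacula-fd.conf embedded in it is constructed for the example, with the FileDaemon resource left without TLS Require so the audit shows that gap. Two readings of directive semantics are assumptions rather than statements from the thread: that TLS Enable alone still admits a peer without TLS in clear text, and that TLS Verify Peer without TLS Allowed CN accepts any certificate the CA issued.

```python
"""Audit TLS directives in Bacula-style resource files (added example, not Bacula code)."""
import re
from collections import defaultdict

# "Director {", "Director {# define myself", "Storage { # definition of myself"
OPEN_RE = re.compile(r'^(\w+)\s*\{')


def _norm(name):
    """Directive names match ignoring case and spacing ('TLS Require' -> 'tlsrequire')."""
    return re.sub(r'\s+', '', name).lower()


def parse_resources(text):
    """Return [(kind, directives)] where directives maps normalized name -> list of values.

    A list is kept per name because a directive may repeat (e.g. two TLS Allowed CN lines).
    """
    resources, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # comments; values in these files carry no '#'
        if not line or line == '...':         # '...' marks lines elided in the posts
            continue
        m = OPEN_RE.match(line)
        if m:
            current = (m.group(1), defaultdict(list))
            continue
        if line == '}':
            resources.append(current)
            current = None
            continue
        if current is not None and '=' in line:
            key, value = line.split('=', 1)
            current[1][_norm(key)].append(value.strip())
    return resources


def _is_yes(values):
    return bool(values) and values[-1].lower() == 'yes'


def audit(text):
    """Return [(kind, name, finding)] for TLS gaps in the config text.

    Assumption of this example: TLS Enable without TLS Require leaves TLS optional, and
    TLS Verify Peer without TLS Allowed CN accepts any certificate signed by the CA.
    """
    findings = []
    for kind, d in parse_resources(text):
        name = d['name'][0] if d['name'] else '?'
        require, enable = _is_yes(d['tlsrequire']), _is_yes(d['tlsenable'])
        if not (require or enable):
            findings.append((kind, name, 'no TLS directives: connections from this resource are clear text'))
            continue
        if enable and not require:
            findings.append((kind, name, 'TLS Enable without TLS Require: a peer without TLS still connects in clear text'))
        if not d['tlscacertificatefile']:
            findings.append((kind, name, 'TLS on but no TLS CA Certificate File: peer certificates cannot be verified'))
        if _is_yes(d['tlsverifypeer']) and not d['tlsallowedcn']:
            findings.append((kind, name, 'TLS Verify Peer without TLS Allowed CN: any certificate the CA issued is accepted'))
    return findings


def shared_credentials(text):
    """Group resource kinds by their (CA, cert, key) triple: the repetition Aleksandar points out."""
    groups = defaultdict(list)
    for kind, d in parse_resources(text):
        triple = tuple(d[k][0] if d[k] else None
                       for k in ('tlscacertificatefile', 'tlscertificate', 'tlskey'))
        if any(triple):
            groups[triple].append(kind)
    return dict(groups)


# Constructed bacula-fd.conf in the shape of the thread's examples; the FileDaemon
# resource deliberately lacks TLS Require, the omission Ray Burr ran into.
SAMPLE_FD_CONF = """\
  Director {
    Name = server1-dir
    ...
    TLS Require = yes
    TLS Verify Peer = yes
    # Allow only the Director to connect
    TLS Allowed CN = server1.example.com
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
    TLS Certificate = /etc/bacula/ssl/client1-cert.pem
    TLS Key = /etc/bacula/ssl/client1-key.pem
  }

  FileDaemon {
    Name = client1-fd
    ...
    TLS CA Certificate File = /etc/bacula/ssl/ca.pem
  }
"""

if __name__ == '__main__':
    for kind, name, msg in audit(SAMPLE_FD_CONF):
        print(f'{kind} {name}: {msg}')
```

Run it against the real bacula-dir.conf, bacula-sd.conf and bacula-fd.conf by reading each file into `audit()`; an empty result for bacula-fd.conf means every resource there either requires TLS or at least enables it, which is the state Ray reached after adding the FileDaemon line. `shared_credentials()` is a quick way to see how many resources would collapse into one declaration if the global-section referencing Aleksandar asks for existed.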