====== Bacula ======
===== Generate certificates =====
cd /etc/bacula
The first time, generate a new CA certificate for signing
sed -i "s/365'/3650'/" /usr/lib/ssl/misc/CA.pl
/usr/lib/ssl/misc/CA.pl -newca
Generate a CSR signing request, and then sign it. The challenge password can be empty, but be sure the Common Name matches the DNS name you will use to connect to the remote bacula-fd server!
/usr/lib/ssl/misc/CA.pl -newreq-nodes
SSLEAY_CONFIG='-days 3650' /usr/lib/ssl/misc/CA.pl -sign
mv newkey.pem bacula-.key -OR- head -15 newreq.pem > bacula-.key
mv newcert.pem bacula-.crt
copy (scp) bacula-.key bacula-.crt and cacert.pem to the FD client machine and change ownership/permissions.
chmod 640 bacula-.* cacert.pem
chgrp bacula bacula-.* cacert.pem
===== Add relevant sections to the .conf files =====
/etc/bacula/bacula-dir.conf
Director {
...
# console --> director server
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula-.key
TLS Certificate = /etc/bacula/bacula-.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
Client {
...
# director --> file daemon client
TLS Enable = yes
TLS Require = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
Storage {
...
# director --> storage daemon client
TLS Enable = yes
TLS Require = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
/etc/bacula/bacula-fd.conf
Director {
...
# director --> filedaemon server
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
FileDaemon {
...
# file daemon --> storage daemon client
TLS Enable = yes
TLS Require = yes
TLS Key = /etc/bacula/bacula-.key
TLS Certificate = /etc/bacula/bacula-.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
/etc/bacula/bacula-sd.conf
Storage {
...
# file daemon --> storage daemon server
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
Director {
...
# director --> storage daemon server
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/cacert.pem
}
/etc/bacula/bconsole.conf
Director {
...
# bconsole --> director client
TLS Enable = yes
TLS Require = yes
TLS Key = /etc/bacula/bacula.key
TLS Certificate = /etc/bacula/bacula.crt
TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}