====== Bacula ======

===== Generate certificates =====
<code>
cd /etc/bacula
</code>
The first time, generate a new CA certificate for signing

<code>
sed -i "s/365'/3650'/" /usr/lib/ssl/misc/CA.pl
/usr/lib/ssl/misc/CA.pl -newca
</code>
Generate a CSR signing request, and then sign it.  The challenge password can be empty, but be sure the Common Name matches the DNS name you will use to connect to the remote bacula-fd server!

<code>
/usr/lib/ssl/misc/CA.pl -newreq-nodes
SSLEAY_CONFIG='-days 3650' /usr/lib/ssl/misc/CA.pl -sign

mv newkey.pem bacula-<client>.key  -OR-  head -15 newreq.pem > bacula-<client>.key
mv newcert.pem bacula-<client>.crt
</code>
copy (scp) <tt>bacula-<client>.key</tt> <tt>bacula-<client>.crt</tt> and <tt>cacert.pem</tt> to the FD client machine and change ownership/permissions.

<code>
chmod 640 bacula-<client>.* cacert.pem
chgrp bacula bacula-<client>.* cacert.pem
</code>
===== Add relevant sections to the .conf files =====
/etc/bacula/bacula-dir.conf

<code>
Director {
  ...
  # console --> director server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula-<client>.key
  TLS Certificate = /etc/bacula/bacula-<client>.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}

Client {
  ...
  # director --> file daemon client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}

Storage {
  ...
  # director --> storage daemon client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
</code>

/etc/bacula/bacula-fd.conf

<code>
Director {
  ...
  # director --> filedaemon server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}

FileDaemon {
  ...
  # file daemon --> storage daemon client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula-<client>.key
  TLS Certificate = /etc/bacula/bacula-<client>.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}
</code>

/etc/bacula/bacula-sd.conf

<code>
Storage {
  ...
  # file daemon --> storage daemon server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}

Director {
  ...
  # director --> storage daemon server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}
</code>

/etc/bacula/bconsole.conf

<code>
Director {
  ...
  # bconsole --> director client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
</code>