<toc><ul><li><link topicref="2">Download/Compile (SUSE)</link></li><li><link topicref="3">Download/Compile (Debian)</link></li><li><link topicref="4">Generate certificates</link></li><li><link topicref="5">Add relevant sections to the .conf files</link></li></ul></toc>
If RPMs are not available for your version, then rebuild for your Linux version.
rpmbuild --rebuild --define 'build_su9 1' --define 'build_mysql5 1' bacula-2.0.2-1.src.rpm
Version 1.38.0 of Bacula supports SSL/TLS when compiled from source, but the available RPMs were not built with SSL/TLS support.
I installed the available RPM first so I could replace the binaries with SSL-enabled ones.
I downloaded the source package for 1.38.x (tar.gz) and did a configure with SSL and the options I found in the .spec file of the SRC rpm:
<p><strong>Server:</strong></p>
./configure \
  --prefix=/usr \
  --sbindir=/usr/sbin \
  --sysconfdir=/etc/bacula \
  --with-scriptdir=/etc/bacula \
  --enable-smartalloc \
  --with-openssl \
  --with-sqlite \
  --with-working-dir=/var/bacula \
  --with-pid-dir=/var/run \
  --with-subsys-dir=/var/lock/subsys \
  --with-dir-user=bacula \
  --with-dir-group=bacula \
  --with-sd-user=bacula \
  --with-sd-group=disk \
  --with-fd-user=root \
  --with-fd-group=bacula \
  --with-readline
<strong>Client (fd):</strong>
./configure \
  --prefix=/usr \
  --sbindir=/usr/sbin \
  --sysconfdir=/etc/bacula \
  --with-scriptdir=/etc/bacula \
  --enable-smartalloc \
  --with-openssl \
  --enable-client-only \
  --with-working-dir=/var/bacula \
  --with-pid-dir=/var/run \
  --with-subsys-dir=/var/lock/subsys
and installed the binaries over top of the RPM ones:
make -j6
make -C src/dird/ install
make -C src/console/ install
make -C src/filed/ install
make -C src/stored/ install
This is a complete source installation, not replacing existing packages (since there are none for 1.38 yet).
apt-get install mysql-server libmysqlclient15-dev libssl-dev libreadline5-dev
/usr/sbin/groupadd -g 90 bacula
/usr/sbin/useradd -c 'Bacula' -d /var/lib/bacula -m -k /dev/null -g bacula -u 90 -s /bin/bash bacula
./configure \
  --prefix=/usr \
  --sbindir=/usr/sbin \
  --sysconfdir=/etc/bacula \
  --with-scriptdir=/etc/bacula \
  --enable-smartalloc \
  --with-openssl \
  --with-mysql \
  --with-working-dir=/var/lib/bacula \
  --with-pid-dir=/var/run \
  --with-subsys-dir=/var/lock \
  --with-dir-user=bacula \
  --with-dir-group=bacula \
  --with-sd-user=bacula \
  --with-sd-group=bacula \
  --with-fd-user=root \
  --with-fd-group=bacula \
  --with-readline
make -j6 && make install
cd /etc/init.d/ && ln -s /etc/bacula/bacula . && /usr/sbin/update-rc.d bacula defaults
cd /etc/bacula
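The first time, generate a new CA certificate for signing:
# Raise the certificate lifetime hard-coded in CA.pl from 365 to 3650 days
sed -i 's/365/3650/' /usr/lib/ssl/misc/CA.pl
# Create the CA (key and cacert.pem under ./demoCA)
/usr/lib/ssl/misc/CA.pl -newca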
Generate a certificate signing request (CSR), and then sign it. The challenge password can be empty, but be sure the Common Name matches the DNS name you will use to connect to the remote bacula-fd server!
# Create an unencrypted private key and a CSR
/usr/lib/ssl/misc/CA.pl -newreq-nodes
# Sign the CSR with the CA, valid for 3650 days
SSLEAY_CONFIG='-days 3650' /usr/lib/ssl/misc/CA.pl -sign
mv newkey.pem bacula-<client>.key
# -OR- (when the key sits at the top of newreq.pem instead of in newkey.pem)
head -15 newreq.pem > bacula-<client>.key
mv newcert.pem bacula-<client>.crt
Copy (scp) <tt>bacula-<client>.key</tt>, <tt>bacula-<client>.crt</tt> and <tt>cacert.pem</tt> to the FD client machine and change ownership/permissions:
chmod 640 bacula-<client>.* cacert.pem
chgrp bacula bacula-<client>.* cacert.pem
<tt>/etc/bacula/bacula-dir.conf</tt>
Director {
  ...
  # console --> director server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula-<client>.key
  TLS Certificate = /etc/bacula/bacula-<client>.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
Client {
  ...
  # director --> file daemon client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
Storage {
  ...
  # director --> storage daemon client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
<tt>/etc/bacula/bacula-fd.conf</tt>
Director {
  ...
  # director --> filedaemon server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}
FileDaemon {
  ...
  # file daemon --> storage daemon client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula-<client>.key
  TLS Certificate = /etc/bacula/bacula-<client>.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}
<tt>/etc/bacula/bacula-sd.conf</tt>
Storage {
  ...
  # file daemon --> storage daemon server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}
Director {
  ...
  # director --> storage daemon server
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/cacert.pem
}
<tt>/etc/bacula/bconsole.conf</tt>
Director {
  ...
  # bconsole --> director client
  TLS Enable = yes
  TLS Require = yes
  TLS Key = /etc/bacula/bacula.key
  TLS Certificate = /etc/bacula/bacula.crt
  TLS CA Certificate File = /etc/bacula/demoCA/cacert.pem
}
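A resource that sets TLS Enable but not TLS Require still accepts cleartext connections, and one without a CA file cannot verify its peer. The following check for the .conf sections above is an added example, not part of the original page or of Bacula. It assumes the listed resource types are the ones that carry TLS directives, uses a constructed sample config with hypothetical names, and matches only brace blocks that contain no nested block.

```python
import re

# Constructed sample, hypothetical names: FileDaemon omits TLS Require and CA.
SAMPLE_FD_CONF = """
Director {
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bacula/cacert.pem
}
FileDaemon {
  tls enable = yes
  TLS Key = /etc/bacula/bacula-client1.key
  TLS Certificate = /etc/bacula/bacula-client1.crt
}
Messages { Name = Standard; director = backup-dir = all }
"""

TLS_RESOURCES = {"director", "client", "storage", "filedaemon", "console"}
YES = ("yes", "true")

def parse_resources(text):
    """Return [(type, {directive: value})] for brace-delimited resources."""
    text = re.sub(r"#[^\n]*", "", text)  # comments run to end of line
    resources = []
    for rtype, body in re.findall(r"(\w+)\s*\{([^{}]*)\}", text):
        directives = {}
        for item in re.split(r"[;\n]", body):
            if "=" in item:
                key, value = item.split("=", 1)
                # Bacula ignores case and spaces in directive names.
                directives[re.sub(r"\s+", "", key).lower()] = value.strip()
        resources.append((rtype, directives))
    return resources

def audit_tls(text):
    """Return [(resource_type, finding)] for weak or incomplete TLS settings."""
    findings = []
    for rtype, d in parse_resources(text):
        if rtype.lower() not in TLS_RESOURCES:
            continue
        if d.get("tlsenable", "").lower() not in YES:
            findings.append((rtype, "TLS not enabled"))
            continue
        if d.get("tlsrequire", "").lower() not in YES:
            findings.append((rtype, "TLS Require not set: cleartext still accepted"))
        if not (d.get("tlscacertificatefile") or d.get("tlscacertificatedir")):
            findings.append((rtype, "no CA file/dir: peer cannot be verified"))
    return findings
```

Run `audit_tls(open(path).read())` against each of the four .conf files after editing; an empty list means every TLS-capable resource requires TLS and names a CA.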