Enabling TLS Authentication between Director and Console

#. If you’re using an anonymous console: You only need to define the TLS directives in the Director resource of both the bacula-dir.conf and bconsole.conf files.

In bacula-dir.conf:

Director {
    Name = darkstar-dir
    DIR Port = 9111
    DIR Address = darkstar.example.com
    QueryFile = "/usr/local/bacula/scripts/query.sql"
    WorkingDirectory = "/usr/local/bacula/working"
    PidDirectory = "/var/run"
    Maximum Concurrent Jobs = 10
    Password = "password"
    Messages = Daemon
    TLS Enable = yes
    TLS Require = yes
    TLS Verify Peer = yes
    TLS Authenticate = yes
    TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
    TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
    TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
}

In bconsole.conf:

Director {
    Name = darkstar-dir
    DIRport = 9111
    Address = darkstar.example.com
    Password = "password"
    TLS Enable = yes
    TLS Require = yes
    TLS Authenticate = yes
    TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
    TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
    TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
}

#. If you are using a named console: You only need to define the TLS directives in the Console resource of both bacula-dir.conf and bconsole.conf.

  • In bacula-dir.conf: There is no need to configure TLS in the Director resource, as was done for the anonymous console option:

    Director {
        Name = darkstar-dir
        DIR Port = 9111
        DIR Address = darkstar.example.com
        QueryFile = "/usr/local/bacula/scripts/query.sql"
        WorkingDirectory = "/usr/local/bacula/working"
        PidDirectory = "/var/run"
        Maximum Concurrent Jobs = 10
        Password = "password"
        Messages = Daemon
    }
    

Instead, the resource has the TLS configurations:

Console {
    Name = darkstar-con
    Password = "password"
    TLS Enable = yes
    TLS Require = yes
    TLS Verify Peer = yes
    TLS Authenticate = yes
    TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
    TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
    TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
}

  • In bconsole.conf: There is no need to configure TLS in the Director resource, as was done for the anonymous console option:

Director {
    Name = darkstar-dir
    DIRport = 9111
    Address = darkstar.example.com
    Password = "password"
}

Instead, the Console resource has the TLS configuration:

Console {
    Name = darkstar-con
    Password = "password"
    TLS Enable = yes
    TLS Require = yes
    TLS Verify Peer = yes
    TLS Authenticate = yes
    TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
    TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
    TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
}
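
The following check is an added example, not part of the original Bacula documentation. It parses flat resource blocks and reports when the TLS directives are missing, or set to no, in the resource each case above relies on: Director for an anonymous console, Console for a named console. The function names and the sample configuration are constructed for illustration; on the bacula-dir.conf side it also expects TLS Verify Peer, as both Director-side examples above set it.

```python
import re

# Keys are normalized: Bacula ignores case and spaces in directive keywords.
REQUIRED = ["tlsenable", "tlsrequire", "tlscacertificatefile", "tlscertificate", "tlskey"]
MUST_BE_YES = ["tlsenable", "tlsrequire", "tlsverifypeer"]

def parse_resources(text):
    """Return [(resource_type, {directive: value})] for flat resource blocks."""
    resources = []
    for rtype, body in re.findall(r"(\w+)\s*\{([^{}]*)\}", text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                directives[re.sub(r"\s+", "", key).lower()] = value.strip().strip('"')
        resources.append((rtype.lower(), directives))
    return resources

def check_tls(text, rtype, filename, server):
    """List TLS problems in every resource of type rtype found in text."""
    required = REQUIRED + (["tlsverifypeer"] if server else [])
    matches = [d for t, d in parse_resources(text) if t == rtype]
    findings = [] if matches else [f"{filename}: no {rtype} resource found"]
    for d in matches:
        where = f"{filename}: {rtype} {d.get('name', '?')}"
        findings += [f"{where}: missing {k}" for k in required if k not in d]
        findings += [f"{where}: {k} = {d[k]}" for k in MUST_BE_YES
                     if k in d and d[k].lower() not in ("yes", "true")]
    return findings

def check_console_tls(dir_conf, console_conf, named_console):
    """Anonymous console: TLS sits in Director {}; named console: in Console {}."""
    rtype = "console" if named_console else "director"
    return (check_tls(dir_conf, rtype, "bacula-dir.conf", server=True)
            + check_tls(console_conf, rtype, "bconsole.conf", server=False))

# Constructed sample: a named console whose bconsole.conf leaves TLS optional.
TLS = """    TLS Enable = yes
    TLS Require = {require}
    TLS Verify Peer = yes
    TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
    TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
    TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
"""
DIR_CONF = "Console {\n    Name = darkstar-con\n" + TLS.format(require="yes") + "}\n"
CONSOLE_CONF = "Console {\n    Name = darkstar-con\n" + TLS.format(require="no") + "}\n"
if __name__ == "__main__":
    print("\n".join(check_console_tls(DIR_CONF, CONSOLE_CONF, named_console=True)))
```

The parser only handles the flat resources shown on this page; nested blocks and several directives on one line are out of its scope.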
