Director and Console on Different Hosts

If bconsole is installed on a different host from the Director, it is more likely that the Director and the Console use different public certificate and private key files. Consider the “darkstar-dir” Director on “darkstar.example.com” and the “arrakis-con” Console on “arrakis.example.com”.

  1. If you’re using an anonymous console:

    • In bacula-dir.conf:

      Director {
          Name = darkstar-dir
          DIR Port = 9111
          DIR Address = darkstar.example.com
          QueryFile = "/usr/local/bacula/scripts/query.sql"
          WorkingDirectory = "/usr/local/bacula/working"
          PidDirectory = "/var/run"
          Maximum Concurrent Jobs = 10
          Password = "password"
          Messages = Daemon
          TLS Enable = yes
          TLS Require = yes
          TLS Verify Peer = yes
          # CN of the certificate presented by the console (the peer being verified)
          TLS Allowed CN = arrakis.example.com
          TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
          TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
          TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
      }
      
    • In bconsole.conf:

      Director {
          Name = darkstar-dir
          DIRport = 9111
          Address = darkstar.example.com
          Password = "password"
          TLS Enable = yes
          TLS Require = yes
          TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
          # The console host's own certificate and key, not the Director's
          TLS Certificate = /usr/local/bacula/etc/ssl/certs/arrakis_cert.pem
          TLS Key = /usr/local/bacula/etc/ssl/keys/arrakis_key.pem
      }
      
  2. If you are using a named console:

    • In bacula-dir.conf: There is no need to configure TLS in the Director resource:

      Director {
          Name = darkstar-dir
          DIR Port = 9111
          DIR Address = darkstar.example.com
          QueryFile = "/usr/local/bacula/scripts/query.sql"
          WorkingDirectory = "/usr/local/bacula/working"
          PidDirectory = "/var/run"
          Maximum Concurrent Jobs = 10
          Password = "password"
          Messages = Daemon
      }
      

    Instead, the Console resource holds the TLS configuration:

    Console {
        Name = arrakis-con
        Password = "password"
        TLS Enable = yes
        TLS Require = yes
        TLS Allowed CN = arrakis.example.com
        TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
        TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
        TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
    }
    
    • In bconsole.conf: There is no need to configure TLS in the Director resource:

      Director {
          Name = darkstar-dir
          DIRport = 9111
          Address = darkstar.example.com
          Password = "password"
      }
      

    Instead, the Console resource needs the TLS configuration:

    Console {
        Name = arrakis-con
        Password = "password"
        TLS Enable = yes
        TLS Require = yes
        TLS Verify Peer = yes
        TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
        TLS Certificate = /usr/local/bacula/etc/ssl/certs/arrakis_cert.pem
        TLS Key = /usr/local/bacula/etc/ssl/keys/arrakis_key.pem
    }
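
A small linter for the TLS directives used in the resources above, as an added example (not part of the Bacula documentation or code). It assumes flat resource blocks with no "#" inside quoted values; the sample configuration is constructed, and the function names and the four checks are this example's own choices.

```python
import re

# Constructed sample: a Director resource like the anonymous-console one on
# this page, weakened (no "TLS Require", no "TLS Allowed CN", no "TLS Key").
WEAK_DIR_CONF = """
Director {
    Name = darkstar-dir
    DIR Port = 9111
    Password = "password"    # placeholder
    TLS Enable = yes
    TLS Verify Peer = yes
    TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
    TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
}
"""

def norm(name):
    # Bacula ignores case and spaces in directive names ("DIR Port" == "DIRport").
    return re.sub(r"\s+", "", name).lower()

def parse_resources(text):
    """Return [(resource_type, {directive: value})] for flat resource blocks."""
    out = []
    for rtype, body in re.findall(r"^\s*(\w+)\s*\{(.*?)^\s*\}", text, re.M | re.S):
        items = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]  # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                items[norm(key)] = value.strip().strip('"')
        out.append((rtype, items))
    return out

def lint_tls(items, server_side):
    """Return findings for one resource that is expected to carry TLS settings."""
    if items.get("tlsenable", "no").lower() != "yes":
        return ["TLS is not enabled"]
    findings = []
    if items.get("tlsrequire", "no").lower() != "yes":
        findings.append("TLS Require is not yes: non-TLS peers are still accepted")
    if "tlscacertificatefile" not in items and "tlscacertificatedir" not in items:
        findings.append("no CA file or directory: the peer certificate cannot be validated")
    if ("tlscertificate" in items) != ("tlskey" in items):
        findings.append("TLS Certificate and TLS Key must be set together")
    if (server_side and items.get("tlsverifypeer", "").lower() == "yes"
            and "tlsallowedcn" not in items):
        findings.append("TLS Verify Peer without TLS Allowed CN: any CA-signed cert is accepted")
    return findings
```

Run `lint_tls` only on the resource that is meant to hold the TLS directives: the Director resource for an anonymous console, the Console resource for a named one.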
    
