Enable TLS Communications Encryption between File Daemon and Storage Daemon
Let's consider two clients, "darkstar-fd" (on "darkstar.example.com") and "arrakis-fd" (on "arrakis.example.com"), which need to connect to the "caladan-sd" Storage Daemon (on "caladan.example.com") using TLS. All three daemons share one CA certificate (root_cert.pem), and each daemon has its own certificate and private key signed by that CA.
In the bacula-fd.conf file at darkstar.example.com:

    FileDaemon {
      Name = darkstar-fd
      FD Port = 9112
      FD Address = darkstar.example.com
      WorkingDirectory = /usr/local/bacula/working
      Pid Directory = /var/run
      Maximum Concurrent Jobs = 10
      TLS Enable = yes
      TLS Require = yes
      TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
      TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
      TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
    }
In the bacula-fd.conf file at arrakis.example.com:

    FileDaemon {
      Name = arrakis-fd
      FD Port = 9112
      FD Address = arrakis.example.com
      WorkingDirectory = /usr/local/bacula/working
      Pid Directory = /var/run
      Maximum Concurrent Jobs = 10
      TLS Enable = yes
      TLS Require = yes
      TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
      TLS Certificate = /usr/local/bacula/etc/ssl/certs/arrakis_cert.pem
      TLS Key = /usr/local/bacula/etc/ssl/keys/arrakis_key.pem
    }
In the bacula-sd.conf file at caladan.example.com:

    Storage {
      Name = caladan-sd
      SD Port = 9113
      SD Address = caladan.example.com
      WorkingDirectory = "/usr/local/bacula/working"
      Pid Directory = "/var/run"
      Maximum Concurrent Jobs = 40
      TLS Enable = yes
      TLS Require = yes
      TLS Allowed CN = darkstar.example.com, arrakis.example.com
      TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
      TLS Certificate = /usr/local/bacula/etc/ssl/certs/caladan_cert.pem
      TLS Key = /usr/local/bacula/etc/ssl/keys/caladan_key.pem
    }
Note
The TLS Allowed CN directive is configured only on the Storage Daemon side. In this exchange the Storage Daemon always acts as the "TLS server" and the File Daemon as the "TLS client", so the File Daemon is the peer whose certificate the Storage Daemon verifies. The Storage Daemon first checks that the client's certificate chains to a CA in its TLS CA Certificate File, then checks that the CN in the certificate's subject is one of the Allowed CNs; a certificate that is validly signed but carries a CN not in the list is still rejected. In the example above, TLS Allowed CN = darkstar.example.com, arrakis.example.com allows the "darkstar-fd" (on darkstar.example.com) and "arrakis-fd" (on arrakis.example.com) clients to connect to the "caladan-sd" Storage Daemon on caladan.example.com using TLS. This only works if the certificates issued to those clients were generated with CN = darkstar.example.com and CN = arrakis.example.com respectively; the list is compared against the certificate subject, not against the daemon Name or the DNS name the connection arrives from. Because both sides set TLS Require = yes, a File Daemon whose certificate fails either check will not fall back to an unencrypted connection; the job fails instead.
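The following script is an added example and is not part of the Bacula manual or the Bacula source. It builds a scratch CA and one certificate per daemon with the CN the Storage Daemon's TLS Allowed CN list expects, and then applies the two checks the Storage Daemon performs on a connecting File Daemon (chain to root_cert.pem, then CN in the allowed list) to each client certificate, including one deliberately issued with a CN that is not in the list. The output directory, the "intruder" host, and the function names are assumptions made for the example; the CN values, file names and the allowed list are the ones from the configuration above.

```shell
#!/bin/sh
# Added example, not Bacula code: generate the CA and per-daemon certificates
# used in the configuration above, then emulate the SD's peer checks.
# WORK is a scratch directory (an assumption) standing in for
# /usr/local/bacula/etc/ssl/{certs,keys}.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA -> root_cert.pem (TLS CA Certificate File) and root_key.pem.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Bacula Example Root CA" \
    -keyout "$WORK/root_key.pem" -out "$WORK/root_cert.pem" 2>/dev/null
}

# Issue <name>_cert.pem / <name>_key.pem with CN = host name.
# The CN is what "TLS Allowed CN" on the SD is matched against.
# Usage: make_cert darkstar darkstar.example.com
make_cert() {
  name="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" \
    -keyout "$WORK/${name}_key.pem" -out "$WORK/${name}.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/${name}.csr" \
    -CA "$WORK/root_cert.pem" -CAkey "$WORK/root_key.pem" -CAcreateserial \
    -out "$WORK/${name}_cert.pem" 2>/dev/null
}

# Print the CN from a certificate's subject.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Sanity check before deploying: does TLS Key really belong to TLS Certificate?
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Emulate caladan-sd's decision for a connecting FD: the certificate must
# chain to root_cert.pem AND its CN must appear in the comma-separated
# Allowed CN list. Returns 0 if the SD would accept the peer, 1 otherwise.
sd_would_accept() {
  cert="$1"; allowed="$2"
  openssl verify -CAfile "$WORK/root_cert.pem" "$cert" >/dev/null 2>&1 || return 1
  cn=$(cert_cn "$cert")
  for a in $(printf '%s' "$allowed" | tr ',' ' '); do
    [ "$a" = "$cn" ] && return 0
  done
  return 1
}

make_ca
make_cert darkstar darkstar.example.com
make_cert arrakis  arrakis.example.com
make_cert caladan  caladan.example.com
# Constructed negative case: validly signed by the same CA, but its CN is
# not in the SD's Allowed CN list, so the SD must still reject it.
make_cert intruder intruder.example.com

ALLOWED="darkstar.example.com,arrakis.example.com"
for n in darkstar arrakis intruder; do
  if sd_would_accept "$WORK/${n}_cert.pem" "$ALLOWED"; then
    echo "$n (CN=$(cert_cn "$WORK/${n}_cert.pem")): accepted by caladan-sd"
  else
    echo "$n (CN=$(cert_cn "$WORK/${n}_cert.pem")): rejected by caladan-sd"
  fi
done
echo "certificates and keys written to $WORK"
```

The rejection of "intruder" is the point of the Allowed CN list: signature by the trusted CA alone is not enough, so a compromised or mis-issued certificate from the same CA cannot be used to reach the Storage Daemon unless its CN was explicitly listed. Run key_matches_cert on each cert/key pair before copying them into the certs and keys directories; a mismatch is the most common reason a daemon refuses to start with the TLS directives above.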