Enable TLS Communications Encryption between File Daemon and Storage Daemon

Let’s consider two clients, “darkstar-fd” (on “darkstar.example.com”) and “arrakis-fd” (on “arrakis.example.com”), that need to connect to the “caladan-sd” storage daemon at “caladan.example.com” using TLS.

  • In bacula-fd.conf file at “darkstar.example.com”:

    FileDaemon {
        Name = darkstar-fd
        FD Port = 9112
        FD Address = darkstar.example.com
        WorkingDirectory = /usr/local/bacula/working
        Pid Directory = /var/run
        Maximum Concurrent Jobs = 10
        TLS Enable = yes
        TLS Require = yes
        TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
        TLS Certificate = /usr/local/bacula/etc/ssl/certs/darkstar_cert.pem
        TLS Key = /usr/local/bacula/etc/ssl/keys/darkstar_key.pem
    }
    
  • In bacula-fd.conf file at “arrakis.example.com”:

    FileDaemon {
        Name = arrakis-fd
        FD Port = 9112
        FD Address = arrakis.example.com
        WorkingDirectory = /usr/local/bacula/working
        Pid Directory = /var/run
        Maximum Concurrent Jobs = 10
        TLS Enable = yes
        TLS Require = yes
        TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
        TLS Certificate = /usr/local/bacula/etc/ssl/certs/arrakis_cert.pem
        TLS Key = /usr/local/bacula/etc/ssl/keys/arrakis_key.pem
    }
    
  • In bacula-sd.conf file at “caladan.example.com”:

    Storage {
        Name = caladan-sd
        SD Port = 9113
        SD Address = caladan.example.com
        WorkingDirectory = "/usr/local/bacula/working"
        Pid Directory = "/var/run"
        Maximum Concurrent Jobs = 40
        TLS Enable = yes
        TLS Require = yes
        TLS Allowed CN = darkstar.example.com , arrakis.example.com
        TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
        TLS Certificate = /usr/local/bacula/etc/ssl/certs/caladan_cert.pem
        TLS Key = /usr/local/bacula/etc/ssl/keys/caladan_key.pem
    }
    

Note

The TLS Allowed CN directive is only configured on the Storage Daemon side. This is because the communication in this case is always between the Storage Daemon acting as a “TLS server” and the File Daemon acting as a “TLS client”. In this case, the client is the peer in the TLS communications context. The Storage Daemon checks whether the CN in the client’s certificate subject is one of its Allowed CNs. In the above example, TLS Allowed CN = darkstar.example.com, arrakis.example.com allows the “darkstar-fd” (at darkstar.example.com) and “arrakis-fd” (at arrakis.example.com) clients to connect to the “caladan-sd” storage daemon at “caladan.example.com” using TLS.
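The following is an added example, not part of the Bacula documentation or the Bacula code base. It is a stand-alone pre-flight check, written with the Python standard library only, for the FD/SD relationship described above: it parses the resource blocks, normalises the comma-separated TLS Allowed CN list (note the spaces around the comma in the Storage resource, which Bacula tolerates), and models the decision the Storage Daemon makes at connect time, namely whether the CN in the client’s certificate subject is on the allowed list. It also flags a File Daemon that has TLS Enable = yes but TLS Require = no, since Bacula then negotiates TLS only if the peer also requires it and otherwise falls back to a cleartext connection. The configuration excerpts and certificate subjects are constructed sample values; the “arrakis-fd” excerpt is deliberately misconfigured and “rogue-fd” is a hypothetical client whose certificate CN is not allowed.

```python
import re

# Constructed excerpt of bacula-sd.conf from the example above (not a full file).
SD_CONF = """\
Storage {
    Name = caladan-sd
    SD Port = 9113
    SD Address = caladan.example.com
    TLS Enable = yes
    TLS Require = yes
    TLS Allowed CN = darkstar.example.com , arrakis.example.com
    TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert.pem
}
"""

# Constructed bacula-fd.conf excerpts. "arrakis-fd" is deliberately wrong:
# with TLS Require = no the daemon will accept a cleartext connection when
# the peer does not insist on TLS.
FD_CONFS = {
    "darkstar-fd": """\
FileDaemon {
    Name = darkstar-fd
    FD Address = darkstar.example.com
    TLS Enable = yes
    TLS Require = yes
}
""",
    "arrakis-fd": """\
FileDaemon {
    Name = arrakis-fd
    FD Address = arrakis.example.com
    TLS Enable = yes
    TLS Require = no
}
""",
}

# Constructed certificate subjects as the SD would see them in each client's
# certificate ("rogue-fd" is a hypothetical client with a CN that is not allowed).
CLIENT_SUBJECTS = {
    "darkstar-fd": "C=US, O=Example Corp, CN=darkstar.example.com",
    "arrakis-fd": "C=US, O=Example Corp, CN=arrakis.example.com",
    "rogue-fd": "C=US, O=Example Corp, CN=rogue.example.com",
}


def norm_key(key):
    """Bacula directive names ignore case and spaces: 'TLS Allowed CN' == 'TLSAllowedCN'."""
    return re.sub(r"\s+", "", key).lower()


def parse_resource(text):
    """Parse one 'Type { key = value ... }' block into a flat dict of directives."""
    m = re.search(r"(\w+)\s*\{(.*)\}", text, re.S)
    if not m:
        raise ValueError("no resource block found")
    directives = {}
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[norm_key(key)] = value.strip().strip('"')
    return directives


def allowed_cns(sd):
    """Split the comma-separated Allowed CN list, tolerating spaces around commas."""
    return {cn.strip() for cn in sd.get("tlsallowedcn", "").split(",") if cn.strip()}


def subject_cn(subject):
    """Extract the CN attribute from a textual certificate subject."""
    for part in subject.split(","):
        name, _, value = part.strip().partition("=")
        if name.strip().upper() == "CN":
            return value.strip()
    return None


def sd_accepts(sd, subject):
    """Model of the SD's check: the client certificate CN must be an Allowed CN."""
    cn = subject_cn(subject)
    return cn is not None and cn in allowed_cns(sd)


def check_client(fd, sd, subject):
    """Return a list of problems for one FD -> SD TLS relationship (empty means OK)."""
    problems = []
    for label, d in (("FD", fd), ("SD", sd)):
        if d.get("tlsenable", "no").lower() != "yes":
            problems.append(f"{label}: TLS Enable is not yes")
        if d.get("tlsrequire", "no").lower() != "yes":
            problems.append(f"{label}: TLS Require is not yes, cleartext fallback possible")
    if not sd_accepts(sd, subject):
        problems.append(f"SD: certificate CN {subject_cn(subject)!r} is not in TLS Allowed CN")
    return problems


def audit():
    """Check every constructed client against the SD and return {client: problems}."""
    sd = parse_resource(SD_CONF)
    return {name: check_client(parse_resource(conf), sd, CLIENT_SUBJECTS[name])
            for name, conf in FD_CONFS.items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

In a real deployment the subject strings would come from the client certificates themselves (for example via `openssl x509 -in darkstar_cert.pem -noout -subject`), and the check is worth running whenever a client is added, since a CN missing from TLS Allowed CN is rejected by the Storage Daemon at job time rather than at configuration load.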
