Hi,

to help getting you a useful answer I send this to the mailing list, too... it's much more likely you get useful advice there as I'm not very experienced regarding TLS in Bacula, and don't have the time to try things now...

Anyway, some comments are inline.

On 5/10/2007 1:09 PM, alejandro lencina wrote:
>
> Hi,
>
> I'm a Spanish computer science student and I'm working on my thesis
> which is basically deploying Bacula for my school. I'm kinda desperate
> because my due date is coming closer and closer and I'm stuck
> configuring TLS communications. I really wish you could help with this...
>
> I'm trying first to get bconsole and the director to communicate using
> tls.

Good start, IMO.

> So, I created all the certifications and set up my own CA following
> the instructions at http://www.devco.net/pubwiki/Bacula/TLS. The PROBLEM
> I have is that my director ignores the 'TLS Require = yes' directive. It
> even permits communicating with my FD which has no TLS directives

That would be a bug... probably user-friendly, but still a bug :-)

> (if I
> do a *status client on another machine that FD responds). Therefore,
> since I'm not experienced and I don't know how to use a packet sniffer I
> have no way to know if TLS is working.

Try ethereal / wireshark on the client machine, and just play around with it... as a CS student you should figure out how it works quite easily ;-)

(Only kidding, I know how pressing these deadlines can be.)

> Some other info that might be useful:
> - OpenSuSE 10.2
> - Bacula 2.0.2
> - OpenSSL 0.9.8d
>
> Here I include part of the config files:
>
> *Note that I even disabled TLS on bconsole and STILL it connects to the
> director
>
> bconsole.conf
> ----------------------
> Director {
>   Name = canaan-dir
>   DIRport = 9101
>   address = canaan
>   Password = "qLSoAnsFKtVxe1L22yeiVhuhmFPqs6DlgSbO25di5WV2"
>   TLS Enable = no
>   TLS Require = yes
>   TLS CA Certificate File = /etc/bacula/tls/ca-cert.pem
>   TLS Certificate = /etc/bacula/tls/canaan2.cert
>   TLS Key = /etc/bacula/tls/canaan2.key
> }
>
> bacula-dir.conf
> ------------------------
>
> Director {                            # define myself
>   Name = canaan-dir
>   DIRport = 9101                      # where we listen for UA connections
>   QueryFile = "/etc/bacula/query.sql"
>   WorkingDirectory = "/var/bacula"
>   PidDirectory = "/var/run"
>   Maximum Concurrent Jobs = 1
>   Password = "qLSoAnsFKtVxe1L22yeiVhuhmFPqs6DlgSbO25di5WV2"   # Console password
>   Messages = Daemon
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = yes
>   TLS Allowed CN = "canaan"
>   TLS CA Certificate File = /etc/bacula/tls/ca-cert.pem
>   TLS Certificate = /etc/bacula/tls/canaan2.cert
>   TLS Key = /etc/bacula/tls/canaan2.key
> }

I suspect you need to create a console resource with the necessary TLS information in it. Otherwise, if I understand things correctly, the DIR has no way to verify the client's identity.

The above is just a guess, though!

Good luck!

Arno

-- 
IT-Service Lehmann                  [EMAIL PROTECTED]
http://www.its-lehmann.de

_______________________________________________
Bacula-users mailing list
https://lists.sourceforge.net/lists/listinfo/bacula-users
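An added configuration check, written here as an example and not part of this thread or of Bacula itself: it parses resource blocks in the `Type { Key = value }` form quoted above and flags TLS directive combinations that do not do what they look like, starting with the bconsole Director resource, where `TLS Enable = no` means `TLS Require = yes` has no effect (Bacula ignores TLS Require unless TLS Enable is set). The sample resource is constructed from the quoted bconsole.conf with the password replaced by a placeholder.

```python
import re

# Constructed sample: the bconsole.conf Director resource from the thread,
# password replaced by a placeholder.
BCONSOLE_CONF = """
Director {
  Name = canaan-dir
  DIRport = 9101
  address = canaan
  Password = "PLACEHOLDER"   # Console password
  TLS Enable = no
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/tls/ca-cert.pem
  TLS Certificate = /etc/bacula/tls/canaan2.cert
  TLS Key = /etc/bacula/tls/canaan2.key
}
"""

def parse_resources(text):
    """Parse 'Type { Key = value ... }' blocks into (type, {key: value}) pairs.
    Keys are lower-cased with spaces removed, so 'TLS Enable' -> 'tlsenable'."""
    resources = []
    for m in re.finditer(r"(\w+)\s*\{(.*?)\}", text, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0]          # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                directives[re.sub(r"\s+", "", key).lower()] = value.strip().strip('"')
        resources.append((m.group(1), directives))
    return resources

def tls_findings(text):
    """Return human-readable findings for TLS settings that are ineffective or weak."""
    yes = lambda d, k: d.get(k, "no").lower() in ("yes", "true", "1")
    findings = []
    for rtype, d in parse_resources(text):
        if yes(d, "tlsrequire") and not yes(d, "tlsenable"):
            findings.append(f"{rtype}: TLS Require = yes is ignored because TLS Enable = no")
        if yes(d, "tlsenable"):
            for k in ("tlscacertificatefile", "tlscertificate", "tlskey"):
                if k not in d:
                    findings.append(f"{rtype}: TLS Enable = yes but {k} is not set")
        if yes(d, "tlsverifypeer") and "tlsallowedcn" not in d:
            findings.append(f"{rtype}: TLS Verify Peer = yes without TLS Allowed CN; "
                            "any certificate signed by the CA is accepted")
    return findings
```

Run it over the Director resource of bacula-dir.conf quoted above and it reports nothing, which is consistent with Arno's point that the missing piece is on the console side rather than in the Director's own TLS directives.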
