We will start simple, by first getting bconsole and the director to speak to each other using TLS. My example assumes that bconsole and the director run on the same machine, director1.example.com in this example.
Edit /usr/local/etc/bconsole.conf and add the following lines to the Director section:
Director {
Name = director1-dir
DIRport = 9101
address = director1.example.com
Password = "topsecret"
TLS Enable = yes
TLS Require = yes
TLS CA Certificate File = /usr/local/etc/bacula/certs/cacert.pem
TLS Certificate = /usr/local/etc/bacula/certs/director1.example.com.cert
TLS Key = /usr/local/etc/bacula/certs/director1.example.com.key
}
If you want bconsole on a remote host to talk to this director, specify that host's own certificate and key in the section above instead.
This tells bconsole to present its TLS certificate when communicating with the director, and that TLS is mandatory: if TLS cannot be negotiated, the connection is refused rather than falling back to plaintext.
At this point you will not be able to connect to the Director, since it does not yet have TLS configured. Configure the Director section in bacula-dir.conf as follows:
Director {
Name = director1-dir
DIRport = 9101
QueryFile = "/usr/local/share/bacula/query.sql"
WorkingDirectory = "/var/bacula"
PidDirectory = "/var/run"
Maximum Concurrent Jobs = 1
Password = "topsecret"
Messages = Daemon
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "director1.example.com"
TLS CA Certificate File = /usr/local/etc/bacula/certs/cacert.pem
TLS Certificate = /usr/local/etc/bacula/certs/director1.example.com.cert
TLS Key = /usr/local/etc/bacula/certs/director1.example.com.key
}
If your bconsole runs on another host, you can allow that host here as well: simply add another TLS Allowed CN line with the CN of that host's certificate.
The above tells the director to use TLS, to require it for every incoming connection, to verify the peer's certificate against the CA, and to accept only peers whose certificate CN is director1.example.com.
Now restart the director using your operating system's RC system. At this point the director can't communicate with any clients, storage daemons etc., but your console should be able to talk to the director. If your console connects successfully you can be sure it is using TLS, because of the TLS Require = yes directives in both configuration files.
# bconsole
Connecting to Director director1.example.com:9101
1000 OK: director1-dir Version: 1.38.11 (28 June 2006)
Enter a period to cancel a command.
*
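A small consistency check over the Director resource, added here as an example (not Bacula's own code): it parses the resource format used above and flags the settings that would weaken what the text requires, namely TLS enabled but not required, or peer verification without a TLS Allowed CN list. The sample configuration is constructed from the one above with TLS Require deliberately set to no; the directive semantics assumed are those of the Bacula TLS directives.

```python
import re

# Constructed sample: the Director resource from above, with TLS Require
# deliberately weakened to "no" so the check has something to report.
SAMPLE_CONF = """
Director {
  Name = director1-dir
  DIRport = 9101
  Password = "topsecret"
  TLS Enable = yes
  TLS Require = no
  TLS Verify Peer = yes
  TLS Allowed CN = "director1.example.com"
  TLS CA Certificate File = /usr/local/etc/bacula/certs/cacert.pem
  TLS Certificate = /usr/local/etc/bacula/certs/director1.example.com.cert
  TLS Key = /usr/local/etc/bacula/certs/director1.example.com.key
}
"""

RESOURCE_RE = re.compile(r"(\w+)\s*\{(.*?)\}", re.S)

def parse_resources(text):
    """Return (type, {directive: [values]}) for each resource block.
    Directive names are lower-cased with spaces removed; quotes are stripped.
    Repeated directives (several TLS Allowed CN lines) accumulate in a list."""
    resources = []
    for rtype, body in RESOURCE_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            key = key.strip().lower().replace(" ", "")
            directives.setdefault(key, []).append(value.strip().strip('"'))
        resources.append((rtype, directives))
    return resources

def tls_findings(directives):
    """Flag TLS settings that leave the resource weaker than the text intends."""
    def on(key):
        return directives.get(key, ["no"])[0].lower() in ("yes", "true", "on", "1")
    findings = []
    if not on("tlsenable"):
        findings.append("TLS Enable is not yes: connections are plaintext")
    elif not on("tlsrequire"):
        findings.append("TLS Require is not yes: a peer without TLS is still accepted")
    if on("tlsverifypeer") and "tlsallowedcn" not in directives:
        findings.append("TLS Verify Peer = yes but no TLS Allowed CN: any CA-signed cert is accepted")
    for key in ("tlscacertificatefile", "tlscertificate", "tlskey"):
        if on("tlsenable") and key not in directives:
            findings.append(key + " missing")
    return findings

def check_conf(text):
    """Map each resource type in the file to its list of TLS findings."""
    return {rtype: tls_findings(d) for rtype, d in parse_resources(text)}
```

Running check_conf over the page's actual configuration (TLS Require = yes) returns an empty list for the Director resource.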
