With the console working over SSL, the next step is to get the Director to talk to the File Daemon. This example uses a remote FD running on client1.example.com.
Assuming you have already created the certificates for client1.example.com, you only have to add them to the configuration in two places. The first is securing communications with the Director: edit /usr/local/etc/bacula-fd.conf to look more or less like this:
Director {
Name = director1-dir
Password = "topsecret"
TLS Enable = yes
TLS Require = yes
TLS Verify Peer = yes
TLS Allowed CN = "director1.example.com"
TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
TLS Certificate = /usr/local/etc/bacula/client1.example.com.cert
TLS Key = /usr/local/etc/bacula/client1.example.com.key
}
This forces communication from the Director to be encrypted and tells the FD to accept only connections presenting a certificate, signed by your CA, whose Common Name is director1.example.com. The FD now expects TLS from the Director; next, configure the Director to speak TLS to this client, which is done in the Client resource on the Director:
Client {
Name = client1-fd
Address = client1.example.com
FDPort = 9102
Catalog = MyCatalog
Password = "topsecret"
Job Retention = 1 year
File Retention = 60 days
TLS Enable = yes
TLS Require = yes
TLS CA Certificate File = /usr/local/etc/bacula/certs/cacert.pem
TLS Certificate = /usr/local/etc/bacula/certs/director1.example.com.cert
TLS Key = /usr/local/etc/bacula/certs/director1.example.com.key
}
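As an added illustration (not part of the original tutorial or of Bacula itself), here is a small Python lint that parses resources written in this format and flags the weak combinations discussed above: TLS Enable without TLS Require (which lets the daemons fall back to plaintext) and, on the accepting side, TLS Verify Peer without a TLS Allowed CN. The simplified parser, the server_side flag and the sample resource are constructed for this example.

```python
import re

# Simplified parser for flat Bacula resources such as Director { ... } or
# Client { ... }; nested resources (e.g. FileSet Include) are not handled.
RESOURCE_RE = re.compile(r"(\w+)\s*\{(.*?)\}", re.S)

def parse_resources(text):
    """Return a list of (resource_type, {directive: value}).
    Keys are lowercased without spaces: "TLS Enable" -> "tlsenable"."""
    out = []
    for rtype, body in RESOURCE_RE.findall(text):
        d = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]            # drop comments
            if "=" in line:
                key, val = line.split("=", 1)
                d[key.replace(" ", "").strip().lower()] = val.strip().strip('"')
        out.append((rtype, d))
    return out

def tls_findings(rtype, d, server_side):
    """List the TLS weaknesses in one parsed resource (empty list = fine).
    server_side is True for the accepting side, e.g. the FD's Director resource."""
    yes = lambda k: d.get(k, "no").lower() == "yes"
    if not yes("tlsenable"):
        return [f"{rtype}: TLS Enable is not yes (traffic is plaintext)"]
    f = []
    if not yes("tlsrequire"):
        f.append(f"{rtype}: TLS Require is not yes (plaintext fallback allowed)")
    for k in ("tlscacertificatefile", "tlscertificate", "tlskey"):
        if k not in d:
            f.append(f"{rtype}: missing {k}")
    if server_side and not yes("tlsverifypeer"):
        f.append(f"{rtype}: TLS Verify Peer is not yes (peer certificate unchecked)")
    elif server_side and "tlsallowedcn" not in d:
        f.append(f"{rtype}: TLS Verify Peer set but no TLS Allowed CN pins the Director")
    return f

def lint(text, server_side):
    return [x for r, d in parse_resources(text) for x in tls_findings(r, d, server_side)]

# Constructed sample: an FD's Director resource that enables TLS but does not
# require it and pins no Allowed CN; lint(..., server_side=True) reports both.
WEAK_FD_CONF = """Director {
  TLS Enable = yes
  TLS Require = no
  TLS Verify Peer = yes
  TLS CA Certificate File = /usr/local/etc/bacula/cacert.pem
  TLS Certificate = /usr/local/etc/bacula/client1.example.com.cert
  TLS Key = /usr/local/etc/bacula/client1.example.com.key
}"""
```

Run lint(WEAK_FD_CONF, server_side=True) against the weak sample to see both findings; run it with server_side=False against a Director-side Client resource, where Verify Peer and Allowed CN do not apply.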
Now restart both the FD and the Director. For a simple test, issue a status client command in the console as shown below; you should get a full status output.
# bconsole
Connecting to Director director1.example.com:9101
1000 OK: director1-dir Version: 1.38.11 (28 June 2006)
Enter a period to cancel a command.
*status client
Using default Catalog name=MyCatalog DB=bacula
The defined Client resources are:
1: client1-fd
2: client2-fd
3: client3-fd
Select Client (File daemon) resource (1-3): 1
Connecting to Client client1-fd at client1.example.com:9102
hive-fd Version: 1.38.11 (28 June 2006) i386-portbld-freebsd4.10 freebsd 4.10-RELEASE
Daemon started 18-Jul-06 21:11, 2 Jobs run since started.
Terminated Jobs:
JobId Level Files Bytes Status Finished Name
======================================================================
19 Incr 495 92,615,800 OK 19-Jul-06 04:11 client1_main
20 Full 13 62,443,895 OK 19-Jul-06 04:28 client1_db
====
Running Jobs:
Director connected at: 19-Jul-06 09:40
No Jobs running.
====
You should now do the same for all your File Daemons and their Client resources. It is very simple: always tell the software on a given machine to use a certificate signed by your CA or by CAcert.org whose Common Name is the machine's full hostname. It is fine to use the same certificate for the Director and the File Daemon on director1.example.com.
We will come back to the File Daemon a bit later; only then will it be truly SSL enabled, but we will work our way there systematically.
