The documentation for enabling TLS in Bacula is pretty crap, so here is my attempt at writing my own:
Each network connection in Bacula can and should be TLS enabled. First you need to ensure your Bacula programs were built with SSL support, i.e. they are linked against the OpenSSL libraries:
    # ldd `which bacula-dir`
    /usr/local/sbin/bacula-dir:
            libssl.so.4 => /usr/lib/libssl.so.4 (0x28185000)
            libcrypto.so.4 => /lib/libcrypto.so.4 (0x281b3000)
            libcrypt.so.3 => /lib/libcrypt.so.3 (0x2845c000)
    # ldd `which bacula-sd`
    /usr/local/sbin/bacula-sd:
            libssl.so.4 => /usr/lib/libssl.so.4 (0x2810b000)
            libcrypto.so.4 => /lib/libcrypto.so.4 (0x28139000)
    # ldd `which bacula-fd`
    /usr/local/sbin/bacula-fd:
            libssl.so.4 => /usr/lib/libssl.so.4 (0x280ef000)
            libcrypto.so.4 => /lib/libcrypto.so.4 (0x2811d000)
    # ldd `which bconsole`
    /usr/local/sbin/bconsole:
            libssl.so.4 => /usr/lib/libssl.so.4 (0x28137000)
            libcrypto.so.4 => /lib/libcrypto.so.4 (0x28165000)
The output above is trimmed, but you should see something similar listing those libraries. If you see them you're ready to roll; otherwise go back to your build and add SSL support.
NOTE: For this to work on RedHat Enterprise 4 based machines, such as CentOS 4, you need to use the RPMs in the rpms-beta section of the Bacula binary distribution site. This might change in future, but as of 21 July 2006 that is your only hope.
Before trying to get TLS going I recommend you first get backups working 100% without it. If the security of the files is a major concern, get them going using dummy File Sets that just copy a couple of test files, but first ensure that basic communication is working between all the components of the system: you should be able to run a backup job of a remote client and have it arrive on local tape or files before attempting this.
During this example I'll use the following conventions:
Machine Names
    director1.example.com     The main director server running dir, fd and sd
    client1.example.com       A remote client machine running fd

File Locations
    /usr/local/etc/           Location for bacula-fd.conf etc.
    /usr/local/etc/bacula/    Location for certificate files and other included configs

Bacula Daemon Names
    director1-dir             The Director instance running on director1.example.com
    client1-fd                File Daemon running on client1.example.com
    director1-sd              Storage Daemon running on director1.example.com
The first thing you need to do is create certificates for everything. You will need to use either CAcert.org or your own CA. If you wish to set up your own CA on a Unix machine, I recommend the guide and scripts found here.
Each machine needs a few SSL related files created: a key, a certificate signing request and a certificate. The actual details of these are beyond the scope of this document, but I'll give some details as I go along.
First we need to create a key file. This is essentially two large prime numbers (and the values derived from them) that are used in the mathematics that makes the encryption work; we use the openssl command to create it. You have to supply a pass phrase for this file; we will remove it later on.
    # cd /usr/local/etc/bacula
    # openssl genrsa -des3 -out director1.example.com.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...........................++++++
    ..++++++
    e is 65537 (0x10001)
    Enter pass phrase for director1.example.com.key:
    Verifying - Enter pass phrase for director1.example.com.key:
With the key created we can now make the certificate signing request (CSR) file. This is essentially a file you send to either your own CA or to CAcert.org so that it can be signed by the Certificate Authority.
NOTE: It is very important that under the Common Name field you specify the full hostname of the machine in question. This has to be the hostname you use in your Storage, Client, Director etc. configuration sections; if these do not match you will get a very confusing error message.
    # openssl req -new -key director1.example.com.key -out director1.example.com.csr
    Enter pass phrase for director1.example.com.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:GB
    State or Province Name (full name) [Some-State]:London
    Locality Name (eg, city) []:London
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
    Organizational Unit Name (eg, section) []:director1.example.com
    Common Name (eg, YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
You should now have a file director1.example.com.csr. Send this to your CA or to CAcert.org and get it signed; they will produce a response file that should be called something like director1.example.com.cert. Place this file in /usr/local/etc/bacula.
If you used CAcert.org then get their root certificate file and place it in /usr/local/etc/bacula/cacert.pem; otherwise get the file ca-cert.pem from your own CA and place it in the same location, taking care to rename it to cacert.pem.
Now we need to remove the pass phrase from the key file, since Bacula does not support supplying pass phrases for these files:
    # openssl rsa -in director1.example.com.key -out director1.example.com-nopass.key
    # mv director1.example.com-nopass.key director1.example.com.key
Repeat these certificate creation steps (create a key, CSR and cert) for each of your clients and directors, even machines that just run monitor agents, and place the files in the right directories. Remember to use the correct host names in the Common Name fields.
While setting this up a lot of things won't work, so do the next steps when you have time for maintenance that won't affect your backup schedules.
Now start following the sections below. They are a systematic approach with steps to verify you got it right at each stage; doing it like this will identify problems early and allow you to identify at what point any errors were introduced.
NOTE: There is a troubleshooting section at the bottom of this document that deals with some common error messages seen while setting up TLS.
TLS enable bconsole to Director communications.
TLS enable Director to Client communications.
TLS enable Director to Storage communications.
TLS enable File Daemon to Storage Daemon communications.
At this point all the possible communication paths of a simple Bacula deployment will be TLS enabled; just be sure to complete the steps here for all your clients and any new ones you configure. Since the Storage Daemon requires TLS to be used, you should quickly find out if a client was left out, as it won't be able to run a backup successfully.
Troubleshooting
The error messages produced by Bacula in relation to TLS are not very informative. Here are some examples and possible causes:

Error:
    31-Jul 13:11 bacula-dir: ERROR in tls.c:107 Error with certificate at depth: 1, issuer = /CN=client-fd/C=ES/ST=Bizkaia/L=Bilbao..., ERR=19:self signed certificate in certificate chain
Cause: You are using self-signed certificates, possibly from your own CA. The FDs and Directors will confirm that everything is using the same CA, so be 100% sure you are distributing the same cacert.pem to all your machines.

Error:
    21-Jul 19:32 bconsole: ERROR in tls.c:83 TLS read/write failure.: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    Bad response to Hello command: ERR=No data available
    Director authorization problem.
Cause: This usually means that the Common Name in the certificate does not match your DNS reverse lookup.

Error:
    11-Mar 07:11 theDirector JobId 0: Error: tls.c:95 Error with certificate at depth: 0, issuer = /C=us/L=city/O=theOrg/OU=orgUnit/CN=theOrg CA/emailAddress=orgUnit@mail.theOrg.net, subject = /C=us/L=city/O=theOrg/OU=orgUnit/CN=theUniqueCommonName, ERR=26:unsupported certificate purpose
Cause: SSL certificates can have an optional purpose field set, and your CA probably set one. The easiest way to fix this is to disable the option for newly created certificates; in TinyCA, open the nsCertType pulldown menu and select "not set".
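As an added example (my own, not from the original page or from Bacula), the script below automates the per-host key and CSR creation described earlier and then runs the three checks that correspond to the causes just listed: the certificate chains to cacert.pem, its Common Name equals the host name used in the configuration, and its purpose allows both SSL client and SSL server use. It assumes openssl is on the PATH; the host names and DN fields are the conventions used in this document.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive key/CSR creation
# for one Bacula host, plus the three checks whose failures the troubleshooting
# section describes (CA mismatch, Common Name mismatch, nsCertType purpose).
# Assumes openssl is on PATH and the CA certificate is already in cacert.pem.
set -eu

# Create <host>.key and <host>.csr. The CN is taken from the argument so it
# cannot be mistyped at the prompt; -des3 is omitted, so there is no pass
# phrase to strip with "openssl rsa" afterwards. 2048 bits instead of the
# 1024 used in the session above.
make_host_csr() {
  host=$1
  openssl genrsa -out "$host.key" 2048 2>/dev/null
  openssl req -new -key "$host.key" -out "$host.csr" \
    -subj "/C=GB/ST=London/L=London/O=Example/OU=$host/CN=$host" 2>/dev/null
}

# Verify a signed certificate before copying it into /usr/local/etc/bacula:
# it must chain to cacert.pem, its CN must equal the name used in the
# Director/Client/Storage resources, and its purpose must allow SSL client
# and SSL server use (every Bacula daemon is both). Prints the reason and
# returns 1 on the first failure.
check_host_cert() {
  host=$1 cert=$2 cafile=$3
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not verify against $cafile"; return 1; }
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$host" ] \
    || { echo "CN '$cn' does not match host name '$host'"; return 1; }
  purposes=$(openssl x509 -in "$cert" -noout -purpose)
  for p in "SSL client" "SSL server"; do
    printf '%s\n' "$purposes" | grep -q "^$p : Yes" \
      || { echo "$cert is not usable as $p (check nsCertType)"; return 1; }
  done
  echo "$cert OK for $host"
}

# Fingerprint of a CA file; compare the value on every machine to be sure the
# same cacert.pem was distributed everywhere.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}
```

Run check_host_cert on every host after the signed certificate comes back from the CA, and compare ca_fingerprint output across machines before blaming the daemons for a handshake failure.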
Changelog
21 July 2006 - Dave from woh.rr.com pointed out an omission in the Storage Daemon example configs; I forgot TLS Enable = yes in the document.
21 July 2006 - Dave from woh.rr.com pointed out that the naming of the cacert.pem file is different if using the suggested CA; I've clarified this in the document.
21 July 2006 - Mention the use of the Beta RPMs for CentOS 4.3 and RedHat Enterprise 4.
31 July 2006 - Add a section about troubleshooting listing possible error messages and causes.
12 March 2008 - Add a troubleshooting section for nsCertType, thanks to Hydro Meteor from the Bacula List.