The documentation for TLS enabling Bacula is pretty crap, so here is my attempt to make my own:

Each network connection in bacula can and should be SSL enabled. First you need to ensure your bacula programs can understand SSL: 

# ldd `which bacula-dir`
/usr/local/sbin/bacula-dir:
        libssl.so.4 => /usr/lib/libssl.so.4 (0x28185000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x281b3000)
        libcrypt.so.3 => /lib/libcrypt.so.3 (0x2845c000)
# ldd `which bacula-sd`
/usr/local/sbin/bacula-sd:
        libssl.so.4 => /usr/lib/libssl.so.4 (0x2810b000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x28139000)
# ldd `which bacula-fd`
/usr/local/sbin/bacula-fd:
        libssl.so.4 => /usr/lib/libssl.so.4 (0x280ef000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x2811d000)
# ldd `which bconsole`
/usr/local/sbin/bconsole:
        libssl.so.4 => /usr/lib/libssl.so.4 (0x28137000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x28165000)

The output above is trimmed, but you should see at least something similar listing those libraries, if you see them you're ready to roll, else go back your build and add SSL support.

I recommend before trying to get SSL going first get backups working 100% without TLS, if security of files is a major problem get them going using dummy File Sets that just copy a couple of test files, but first ensure that basic communications are going between all the components of the system, you should be able to run a backup job of a remote client and have it arrive on local tape or files before attempting this.

During this example I'll use the following conventions:

Machine Names

director1.example.com

The main director server running dir, fd and sd

client1.example.com

A remote client machine running fd

File Locations

/usr/local/etc/

Location for bacula-fd.conf etc

/usr/local/etc/bacula/

Location for certificate files and other included configs

Bacula Daemon Names

director1-dir

The director instanse running on director1.example.com

client1-fd

File Daemon running on client1.example.com

director1-sd

Storage Daemon running on director1.example.com

The first thing you need to do is create certificates for everything. You will either need to use CAcert.org or your own CA. If you wish to setup your own CA on a Unix machine I recommend the guide and scripts found here.

Each machine needs a few SSL related files created, a key, a certificate signing request and a certificate. The actual details of all these are beyond the scope of this but I'll give some details as I go along.

First we need to create a key file, this is basically just 2 huge prime numbers that will be used during the mathematical equations that make encryption work, we use the openssl command to create it. You have to supply a password on this file, we will remove it later on. 

# cd /usr/local/etc/bacula
# openssl genrsa -des3 -out director1.example.com.key 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for director1.example.com.key:
Verifying - Enter pass phrase for director1.example.com.key:

With the key created we can now make the certificate signing request file, this is essentially a file you send to either your own CA or to CAcert.org so that it can be signed by the Certificate Authority. 

# openssl req -new -key director1.example.com.key -out director1.example.com.csr
Enter pass phrase for director1.example.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:director1.example.com
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You should now have a file director1.example.com.csr send this to your CA or to CAcert.org and get it signed, they will produce a response file that should be called something like director1.example.com.cert, place this file in /usr/local/etc/bacula

If you used CAcert.org then get this file and place it in /usr/local/etc/bacula/cacert.pem otherwise get the file ca-cert.pem from your own CA and place it in the same location, taking care to rename it to cacert.pem.

Now we need to remove the password from the key file, bacula does not support supplying passwords to these files: 

# openssl rsa -in director1.example.com.key -out director1.example.com-nopass.key
# mv director1.example.com-nopass.key director1.example.com.key

Repeat this certificate creation steps - create a key, csr and cert - for each of your clients and directors, even machines that just run monitor agents and place them in the right directories, remember to use the correct host names in the Common Name fields.

While setting this up a lot of things wont work, so do the next steps when you have time to do maintenance that wont affect your backups schedules.

Now start following the sections below, they are a systematic approach with steps to verify you got it right during each step, doing it like this will identify problems early and allow you identify at what point any errors were introduced.

At this point all the possible paths of communication of a simple Bacula deployment will be TLS enabled, just be sure to complete the steps here for all your clients and any new ones you configure. Since the Storage Daemon though requires TLS to be used you should quickly find out if a client was left out since it wont be able to run a backup succesfully.

Troubleshooting

The error messages produced by bacula in relation to TLS is not very informative, here are some examples and possible causes:

31-Jul 13:11 bacula-dir: ERROR in tls.c:107 Error with certificate at depth: 1, issuer = /CN=client-fd/C=ES/ST=Bizkaia/L=Bilbao..., ERR=19:self signed certificate in certificate chain

The problem here is that you are using Self Signed certificates, possibly using your own CA. The FDs and Directors will confirm that everything is using the same CA, so be 100% sure you are distributing the same cacert.pem to all your machines.

21-Jul 19:32 bconsole: ERROR in tls.c:83 TLS read/write failure.: ERR=error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number Bad response to Hello command: ERR=No data available Director authorization problem.

This usually means that the Common Name in the certificate does not match your DNS reverse lookup.

11-Mar 07:11 theDirector JobId 0: Error: tls.c:95 Error with certificate at depth: 0, issuer = /C=us/L=city/O=theOrg/OU=orgUnit/CN=theOrg CA/emailAddress=orgUnit@mail.theOrg.net, subject = /C=us/L=city/O=theOrg/OU=orgUnit/CN=theUniqueCommonName, ERR=26:unsupported certificate purpose

SSL Certificates can have an optional purpose field set, your CA probably set one, the easiest way to fix this is to disable the option for newly created certificates. For TinyCA you can drop down the pulldown menu for nsCertType and use not set

Changelog

21 July 2006

Dave from woh.rr.com pointed out an ommission in the Storage Daemon example configs, I forgot TLS Enable = yes in the document

21 July 2006

Dave from woh.rr.com pointed out that naming of the cacert.pem file is different if using the suggested CA, I've clarified this in the document

21 July 2006

Mention the use of the Beta RPMs for CentOS 4.3 and RedHat Enterprise 4

31 July 2006

Add a section about troubleshooting listing possible error messages and causes.

12 March 2008

Add a troubleshooting section for nsCertType thanks to Hydro Meteor from the Bacula List

Bacula/TLS (last edited 2008-03-12 15:12:15 by RIPienaar)