Romain Tartière edited this page Aug 5, 2019 · 7 revisions

Communication Encryption

To enable encryption of the communication between the Bacula components, use the tls_* parameters. The following example shows how these settings can be used in a Bacula profile (the parameter names follow the Bacula directive names described in the Bacula documentation):

$bacula_ssldir = "/usr/local/etc/bacula/certs"

$tls_ca_certificate_file = "${bacula_ssldir}/ca.crt"
$tls_dh_file             = "${bacula_ssldir}/dh-params.pem"
$tls_certificate         = "${bacula_ssldir}/${facts['networking']['fqdn']}.crt"
$tls_key                 = "${bacula_ssldir}/${facts['networking']['fqdn']}.key"

# Manage the $tls_ca_certificate_file, $tls_dh_file, $tls_certificate and $tls_key files here.
# See the notes below.

class { 'bacula':
  # ...
  tls_enable              => 'yes',
  tls_require             => 'yes',
  tls_verify_peer         => 'yes',
  tls_ca_certificate_file => $tls_ca_certificate_file,
  tls_dh_file             => $tls_dh_file,
  tls_certificate         => $tls_certificate,
  tls_key                 => $tls_key,
}

Note: this configuration encrypts the communication only; it does not encrypt the backed-up data itself. If you are interested in the latter, see PKI Setup.

Certificates and Keys Setup

Using Puppet's Public-Key Infrastructure

Puppet uses its own Public-Key Infrastructure (PKI) to encrypt its communication, so you may want to reuse this material to configure Bacula's encryption. In the above example, Bacula is configured to look for its keys in /usr/local/etc/bacula/certs. We can copy the Puppet certificates and key into this directory:

file { $bacula_ssldir:
  ensure => directory,
  owner  => 'root',
  group  => 'bacula',
  mode   => '0750',
}

file { $tls_ca_certificate_file:
  ensure => present,
  owner  => 'root',
  group  => 'bacula',
  mode   => '0644',
  source => 'file:///etc/puppetlabs/puppet/ssl/certs/ca.pem',
}

file { $tls_certificate:
  ensure => present,
  owner  => 'root',
  group  => 'bacula',
  mode   => '0644',
  source => "file:///etc/puppetlabs/puppet/ssl/certs/${facts['networking']['fqdn']}.pem",
}

file { $tls_key:
  ensure => present,
  owner  => 'root',
  group  => 'bacula',
  mode   => '0640',
  source => "file:///etc/puppetlabs/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem",
}

Using another Public-Key Infrastructure

If you prefer, you may build a dedicated PKI for Bacula. In that case, fetching the various certificates and keys from the Puppet Master will probably make sense.

Configuring Diffie–Hellman key exchange

To enable forward secrecy, use the tls_dh_file parameter of the bacula class to point to a generated Diffie-Hellman parameters file. You can generate one using:

exec { 'bacula-dhparams':
  command  => "openssl dhparam -out ${tls_dh_file} -5 2048",
  path     => '/usr/bin',
  creates  => $tls_dh_file,
  provider => 'shell',
}