TLS in Bareos 17.2.5


Jörg Woll

Apr 7, 2018, 11:34:05 PM
to bareos-users
Good morning,
Until now we used BackupPC for backups, but partial restores take place on the client or as single files in the web interface. Let's not even talk about encryption. Since the status of our company is changing, the security policies are changing too. That's how I came to Bareos.
The installation is currently running very satisfactorily in a production test. Now we have set up a second server for testing. The background is a secured connection via TLS and encryption of the backups according to the data protection policy.
And that's exactly where I'm stuck. For Bacula you can find a lot of configurations, some from before the fork to Bareos. I did the configuration according to the manual and keep getting the handshake problem when I go into bconsole. Not to mention the failed login on the WebUI. Unfortunately I have to say that I haven't dealt much with TLS so far, apart from a few certificates for websites. Most of it is handled via SSH or via routing on the firewall. Maybe someone has a guide that lets you work through something like this properly.
Many thanks in advance

Regards, Jörg

Jörg Woll

Apr 9, 2018, 12:32:59 AM
to bareos-users
I forgot to tell you: SD and FD are running on one server, all with one IP address, for lack of viable IPs and an upcoming reformatting of the network. How can you configure it so that the connection to the clients is encrypted and you can still encrypt the backups?

Greetings Joerg

Jörg Woll

Apr 15, 2018, 4:39:47 AM
to bareos-users
Can someone help me with the TLS configuration?

Jörg Steffens

Apr 15, 2018, 7:18:34 AM
to bareos...@googlegroups.com
Hello Jörg,

On 08.04.2018 at 05:34, 'Jörg Woll' via bareos-users wrote:
> Until now we used BackupPC for backups, but partial restores take place on the client or as single files in the web interface. Let's not even talk about encryption. Since the status of our company is changing, the security policies are changing too. That's how I came to Bareos.
> The installation is currently running very satisfactorily in a production test. Now we have set up a second server for testing. The background is a secured connection via TLS and encryption of the backups according to the data protection policy.
> And that's exactly where I'm stuck. For Bacula you can find a lot of configurations, some from before the fork to Bareos. I did the configuration according to the manual and keep getting the handshake problem when I go into bconsole. Not to mention the failed login on the WebUI. Unfortunately I have to say that I haven't dealt much with TLS so far, apart from a few certificates for websites. Most of it is handled via SSH or via routing on the firewall. Maybe someone has a guide that lets you work through something like this properly.

I guess, you are already aware of the documentation, see
http://doc.bareos.org/master/html/bareos-manual-main-reference.html#DataEncryption

The last time I configured this, I used the xca tool to create a local
CA and the required certificates for the daemons. You have to export the
certificates and keys in PEM format.

Using the IP addresses is not an issue, as long as you use the "TLS
Allowed CN" directives. This defines what systems (certificates) are
permitted to access.

The book at http://www.bacula-buch.de/ by Philipp Storz (one of the founders of
Bareos) describes this in more detail. Unfortunately it is out of print, but
still available in a couple of places.

Last but not least: with bareos >= 18.2 (currently master), certificates
are no longer required for encrypted connections. Instead Bareos will use
TLS-PSK (Pre-Shared Keys) by default to encrypt the traffic. No extra
configuration required.

Regards,
Jörg
--
Jörg Steffens joerg.s...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-91
http://www.bareos.com Fax: +49 221 630693-10

Sitz der Gesellschaft: Köln | Amtsgericht Köln: HRA 29646
Komplementär: Bareos Verwaltungs-GmbH
Geschäftsführer:
S. Dühr, M. Außendorf, Jörg Steffens, P. Storz
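An added example, not from this thread or from the Bareos project: an OpenSSL equivalent of the xca workflow described above, producing a local CA and one PEM key/certificate per daemon with CN set to the daemon name (the value later matched by "TLS Allowed CN"). The output directory, the CA name and the three daemon names are assumptions.

```shell
#!/bin/sh
# Local CA plus one PEM certificate per Bareos daemon, CN = daemon name.
# Assumes the openssl CLI is installed; OUTDIR and the names are constructed.
set -eu

OUTDIR="${OUTDIR:-./bareos-tls}"   # assumed location, adjust to your site

# make_ca DIR: self-signed CA key and certificate, PEM encoded
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=bareos-local-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_daemon_cert DIR NAME: key + CSR + CA-signed certificate for one daemon
make_daemon_cert() {
    dir="$1"; name="$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/$name.crt" 2>/dev/null
    rm -f "$dir/$name.csr"
}

# cert_cn FILE: print the CN of a PEM certificate (what TLS Allowed CN sees)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# verify_cert DIR NAME: confirm the daemon certificate chains to the local CA
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# make_all: one certificate for each daemon named in the thread
make_all() {
    make_ca "$OUTDIR"
    for d in bareos-dir bareos-sd bareos-fd; do
        make_daemon_cert "$OUTDIR" "$d"
    done
}

# run only when invoked as: sh this-script.sh run
case "${1:-}" in run) make_all ;; esac
```

The resulting `ca.crt`, `<daemon>.crt` and `<daemon>.key` files are already in the PEM format the daemons expect; only the private keys need restrictive permissions.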


Jörg Woll

Apr 15, 2018, 11:49:44 AM
to bareos-users
I use keys and certs in .key and .crt format, my mistake. That explains a lot. I was so happy to have found a guide ... :)
I have given my server 4 IPs here and made 4 DNS entries. Resolution is correct. Do I have to create a certificate for each daemon?
The example in your manual, does it run all services on one server, or are they distributed in the network, each on its own server? I would appreciate an answer.
Also, a great program. We are in the process of changing our backup strategy, and Bareos caught my eye. Installation and basic configuration were done quickly. The first restore tests, also in conjunction with the rear, were successful within the LAN. Of course, the aim is also to back up clients from the DMZ and other networks as well as the WAN. When is 18.2 expected in the nightly?

Greetings Joerg

Jörg Steffens

Apr 15, 2018, 1:50:37 PM
to bareos...@googlegroups.com
On 15.04.2018 at 17:49, 'Jörg Woll' via bareos-users wrote:
> I use keys and certs in .key and .crt format, my mistake. That explains a lot. I was so happy to have found a guide ... :)
> I have given my server 4 IPs here and made 4 DNS entries. Resolution is correct. Do I have to create a certificate for each daemon?

This is up to you. It makes sense to create a certificate for each used
daemon name. So if you name your director "bareos-dir", create a
certificate with CN "cn=bareos-dir" and permit access to all required
SDs and FDs for this CN. However, in principle you can make it work with
only a single certificate "cn=myoneandonlycert". Configure the cert and
key in all components and set "TLS Allowed CN = myoneandonlycert" in all
components. With this, all traffic would be encrypted; however, I would
not consider this a secure or sane setup.


> The example in your manual, does it run all services on one server, or are they distributed in the network, each on its own server? I would appreciate an answer.

This does not matter. It'd work locally as well as on separate servers.


> When is 18.2 expected in the nightly?

I've been wrong here. It is part of bareos since 18.1.2. So it is
already available in master. However, be aware that if you want to
combine a bareos 18 director with a bareos 17 client, you have to
disable TLS PSK by setting "TLS Psk Enable = no".
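As an added illustration (not from this thread or from the Bareos project), a minimal transport-encryption setup that follows the per-daemon-certificate advice above, using the TLS directives documented for Bareos 17.2. Certificate paths, the client name and the IP address are assumptions; each daemon presents its own certificate and admits peers only by CN.

```text
# bareos-dir.conf (assumed: certificates kept under /etc/bareos/tls/)
Director {
  Name = bareos-dir
  # other directives unchanged
  # console connections: require TLS and admit only the bconsole certificate
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bareos/tls/ca.crt
  TLS Certificate = /etc/bareos/tls/bareos-dir.crt
  TLS Key = /etc/bareos/tls/bareos-dir.key
  TLS Allowed CN = bareos-console
}

Client {
  Name = client1-fd
  # an IP address is fine here; the peer check is on the certificate CN
  Address = 192.0.2.10
  # other directives unchanged
  # the director presents its own certificate when connecting to the FD
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bareos/tls/ca.crt
  TLS Certificate = /etc/bareos/tls/bareos-dir.crt
  TLS Key = /etc/bareos/tls/bareos-dir.key
  # only when an 18.x director talks to a 17.x client (see the reply above):
  # TLS Psk Enable = no
}

# bareos-fd.conf on client1
Director {
  Name = bareos-dir
  # password unchanged
  # accept only a director whose certificate CN is bareos-dir
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS CA Certificate File = /etc/bareos/tls/ca.crt
  TLS Certificate = /etc/bareos/tls/client1-fd.crt
  TLS Key = /etc/bareos/tls/client1-fd.key
  TLS Allowed CN = bareos-dir
}
```

The Storage resources on the director and the Director resource of the SD take the same directives, with "TLS Allowed CN" naming the director's CN on the SD side.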