diff --git a/manuals/en/main/README.document-conventions.txt b/manuals/en/main/README.document-conventions.txt index 7eb79f9..13ff042 100644 --- a/manuals/en/main/README.document-conventions.txt +++ b/manuals/en/main/README.document-conventions.txt @@ -4,17 +4,15 @@ Please refer to bareos.sty regarding defined macros that should be used. Conventions Domain: example.com -Hosts: ??? +Hosts: + * bareos.example.com (if only one system, or one system for Director and Storage Daemon (and webui) + * bareos-dir.example.com + * bareos-sd1.example.com, bareos-sd2.example.com, ... + * client1.example.com, client2.example.com, ... (Clients, where Bareos is running on). \fileStoragePath \unixConfigPath -Links, internal: -\ilink{Description}{LaTex-Label} - -Links, external -\elink{Description}{URL} - \newcommand{\command}[1]{\path|#1|} \newcommand{\bcommand}[1]{\path|#1|} \newcommand{\file}[1]{\path|#1|} @@ -78,4 +76,4 @@ Using \index: There are 4 indexes: general, dir, sd, fd, console, monitor. The default is general. Maybe the other indexes will get integrated into general. -It is possible to define a hierachie of index words, seperated by "!". +It is possible to define a hierarchy of index words, separated by "!". diff --git a/manuals/en/main/bareos-manual-main-reference.tex b/manuals/en/main/bareos-manual-main-reference.tex index 55272b2..91956c5 100644 --- a/manuals/en/main/bareos-manual-main-reference.tex +++ b/manuals/en/main/bareos-manual-main-reference.tex @@ -45,7 +45,7 @@ % mdframed does not work on openSUSE 12.2 %\usepackage{mdframed} -% check for undefined references (refcheck), +% check for undefined references (refcheck), % but don't write them as marginal notes, % instead only write remarks to the log file \usepackage[norefs,nocites]{refcheck} diff --git a/manuals/en/main/bconsole-resource-director-definitions.tex b/manuals/en/main/bconsole-resource-director-definitions.tex index 627270a..a5658fa 100644 --- a/manuals/en/main/bconsole-resource-director-definitions.tex +++ b/manuals/en/main/bconsole-resource-director-definitions.tex @@ -8,8 +8,7 @@ \defDirective{Console}{Director}{Dir Port}{}{}{% This port must be identical to the -\linkResourceDirective{Dir}{Director}{Dir Port} specified in the {\bf Director} resource of -the \nameref{DirectorChapter} file. +\linkResourceDirective{Dir}{Director}{Dir Port} specified in the \nameref{DirectorChapter} file. } \defDirective{Console}{Director}{Heartbeat Interval}{}{}{% @@ -21,11 +20,8 @@ } \defDirective{Console}{Director}{Password}{}{}{% -Where the password is the password needed for the Director to accept the -Console connection. This password must be identical to the {\bf Password} -specified in the {\bf Director} resource of the -\nameref{DirectorChapter} file. This -directive is required. +This password is used to authenticate when connecting to the \bareosDir as default console. +It must correspond to \linkResourceDirective{Dir}{Director}{Password}. } \defDirective{Console}{Director}{TLS Authenticate}{}{}{% diff --git a/manuals/en/main/director-resource-director-definitions.tex b/manuals/en/main/director-resource-director-definitions.tex index 142c5a6..8a4c908 100644 --- a/manuals/en/main/director-resource-director-definitions.tex +++ b/manuals/en/main/director-resource-director-definitions.tex @@ -151,13 +151,9 @@ \defDirective{Dir}{Director}{Password}{}{}{% Specifies the password that must be supplied for the default Bareos -Console to be authorized. The same password must appear in the {\bf -Director} resource of the Console configuration file. For added -security, the password is never passed across the network but instead a -challenge response hash code created with the password. -Bareos tries to generate a random password during the configuration -process, otherwise it will be left blank and you must manually supply -it. +Console to be authorized. +This password correspond to \linkResourceDirective{Console}{Director}{Password} +of the Console configuration file. The password is plain text. } diff --git a/manuals/en/main/tls.tex b/manuals/en/main/tls.tex index b41064f..d70b170 100644 --- a/manuals/en/main/tls.tex +++ b/manuals/en/main/tls.tex @@ -3,19 +3,19 @@ \chapter{Transport Encryption} \label{CommEncryption} \label{sec:TransportEncryption} \index[general]{Communications Encryption} -\index[general]{Encryption!Communications} +\index[general]{Encryption!Communication} \index[general]{Encryption!Transport} \index[general]{Transport Encryption} \index[general]{TLS} +\index[general]{SSL} Bareos TLS (Transport Layer Security) is built-in network encryption code to provide secure network transport similar to -that offered by {\bf stunnel} or {\bf ssh}. The data written to +that offered by \command{stunnel} or \command{ssh}. The data written to Volumes by the Storage daemon is not encrypted by this code. -For data encryption, please see the \ilink{Data Encryption -Chapter}{DataEncryption} of this manual. +For data encryption, please see the \nameref{DataEncryption} chapter. -The Bareos encryption implementations were written by Landon Fuller. +The initial Bacula encryption implementation has been written by Landon Fuller. Supported features of this code include: \begin{itemize} @@ -25,8 +25,8 @@ \chapter{Transport Encryption} \item Forward Secrecy Support via Diffie-Hellman Ephemeral Keying \end{itemize} -This document will refer to both "server" and "client" contexts. These -terms refer to the accepting and initiating peer, respectively. +This document will refer to both \bquote{server} and \bquote{client} contexts. +These terms refer to the accepting and initiating peer, respectively. Diffie-Hellman anonymous ciphers are not supported by this code. The use of DH anonymous ciphers increases the code complexity and places @@ -39,82 +39,76 @@ \section{TLS Configuration Directives} Additional configuration directives have been added to all the daemons (Director, File daemon, and Storage daemon) as well as the various different Console programs. -These new directives are defined as follows: +These directives are defined as follows: \begin{description} -\directive{dir}{TLS Enable}{yes{\textbar}no}{}{no}{} -Enable TLS support. If TLS is not enabled, none of the other TLS directives -have any effect. In other words, even if you set {\bf TLS Require = yes} -you need to have TLS enabled or TLS will not be used. - -\directive{dir}{TLS Require}{yes{\textbar}no}{}{no}{} -Require TLS connections. This directive is ignored unless {\bf TLS Enable} -is set to {\bf yes}. If TLS is not required, and TLS is enabled, then -Bareos will connect with other daemons either with or without TLS depending -on what the other daemon requests. If TLS is enabled and TLS is required, +\directive{dir}{TLS Enable}{yes{\textbar}no}{}{no}{}% +Enable TLS support. Without setting \configdirective{TLS Require}=yes, +the connection can fall back to unencrypted connection, +if the other side does not support TLS. + +\directive{dir}{TLS Require}{yes{\textbar}no}{}{no}{}% +Require TLS connections. +If TLS is not required, +then Bareos will connect with other daemons either with or without TLS depending +on what the other daemon requests. +If TLS is required, then Bareos will refuse any connection that does not use TLS. +\configdirective{TLS Require}=yes implicitly sets \configdirective{TLS Enable}=yes. -\directive{dir}{TLS Certificate}{filename}{}{}{} +\directive{dir}{TLS Certificate}{filename}{}{}{}% The full path and filename of a PEM encoded TLS certificate. It can be -used as either a client or server certificate. PEM stands for Privacy -Enhanced Mail, but in this context refers to how the certificates are -encoded. It is used because PEM files are base64 encoded and hence ASCII -text based rather than binary. They may also contain encrypted -information. +used as either a client or server certificate. +It is used because PEM files are base64 encoded and hence ASCII +text based rather than binary. +They may also contain encrypted information. -\directive{dir}{TLS Key}{filename}{}{}{} +\directive{dir}{TLS Key}{filename}{}{}{}% The full path and filename of a PEM encoded TLS private key. It must -correspond to the TLS certificate. +correspond to the certificate specified in the \configdirective{TLS Certificate} configuration directive. -\directive{dir}{TLS Verify Peer}{yes{\textbar}no}{}{}{} -Verify peer certificate. Instructs server to request and verify the -client's x509 certificate. Any client certificate signed by a known-CA -will be accepted unless the TLS Allowed CN configuration directive is used, -in which case the client certificate must correspond to the Allowed -Common Name specified. This directive is valid only for a server -and not in a client context. +\directive{dir}{TLS Verify Peer}{yes{\textbar}no}{}{}{}% +Request and verify the peers certificate. -You can set \parameter{TLS Verify Peer = No} in the +In server context, unless the \configdirective{TLS Allowed CN} configuration directive is specified, +any client certificate signed by a known-CA will be accepted. -\begin{itemize} -\item bconsole.conf -\item bat.conf and -\item bareos-fd.conf -\end{itemize} +In client context, the server certificate common name attribute is checked against +the \configdirective{Address} and \configdirective{TLS Allowed CN} configuration directives. -configuration files when using TLS. - -\begin{bconfig}{Relaxed TLS Configuration} -# relaxed tls configuration -# has security implications, attention -TLS Verify Peer = No -\end{bconfig} +\directive{dir}{TLS Allowed CN}{stringlist}{}{}{}% +Common name attribute of allowed peer certificates. +If \configdirective{TLS Verify Peer}=yes, all connection request certificates +will be checked against this list. - -\directive{dir}{TLS Allowed CN}{stringlist}{}{}{} -Common name attribute of allowed peer certificates. If this directive is -specified, all server certificates will be verified against this list. This -can be used to ensure that only the CA-approved Director may connect. This directive may be specified more than once. -\directive{dir}{TLS CA Certificate File}{filename}{}{}{} + +\directive{dir}{TLS CA Certificate File}{filename}{}{}{}% The full path and filename specifying a PEM encoded TLS CA certificate(s). Multiple certificates are -permitted in the file. One of \emph{TLS CA Certificate File} or \emph{TLS -CA Certificate Dir} are required in a server context if \emph{TLS -Verify Peer} (see above) is also specified, and are always required in a client -context. +permitted in the file. + +In a client context, one of +\configdirective{TLS CA Certificate File} or \configdirective{TLS CA Certificate Dir} +is required. -\directive{dir}{TLS CA Certificate Dir}{directory}{}{}{} +In a server context, it is only required if \configdirective{TLS Verify Peer} is used. + +\directive{dir}{TLS CA Certificate Dir}{directory}{}{}{}% Full path to TLS CA certificate directory. In the current implementation, certificates must be stored PEM encoded with OpenSSL-compatible hashes, which is the subject name's hash and an extension of {\bf .0}. -One of \emph{TLS CA Certificate File} or \emph{TLS CA Certificate Dir} are -required in a server context if \emph{TLS Verify Peer} is also specified, -and are always required in a client context. -\directive{dir}{TLS DH File}{filename}{}{}{} +In a client context, one of +\configdirective{TLS CA Certificate File} or \configdirective{TLS CA Certificate Dir} +is required. + +In a server context, it is only required if \configdirective{TLS Verify Peer} is used. + + +\directive{dir}{TLS DH File}{filename}{}{}{}% Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications. DH key exchange adds an additional @@ -127,55 +121,57 @@ \section{TLS Configuration Directives} To generate the parameter file, you may use openssl: -\begin{verbatim} - openssl dhparam -out dh1024.pem -5 1024 -\end{verbatim} +\begin{commands}{create DH key} +openssl dhparam -out dh1024.pem -5 1024 +\end{commands} \end{description} -\section{Creating a Self-signed Certificate} -\index[general]{Creating a Self-signed Certificate} -\index[general]{Certificate!Creating a Self-signed} - -You may create a self-signed certificate for use with the Bareos TLS that -will permit you to make it function, but will not allow certificate -validation. The .pem file containing both the certificate and the key -valid for ten years can be made with the following: - -\footnotesize -\begin{verbatim} - openssl req -new -x509 -nodes -out bareos.pem -keyout bareos.pem -days 3650 -\end{verbatim} -\normalsize - -The above script will ask you a number of questions. You may simply answer -each of them by entering a return, or if you wish you may enter your own data. - -Note, however, that self-signed certificates will only work for the -outgoing end of connections. For example, in the case of the Director -making a connection to a File Daemon, the File Daemon may be configured to -allow self-signed certificates, but the certificate used by the -Director must be signed by a certificate that is explicitly trusted on the -File Daemon end. - -This is necessary to prevent ``man in the middle'' attacks from tools such -as \elink{ettercap}{http://ettercap.sourceforge.net/}. Essentially, if the -Director does not verify that it is talking to a trusted remote endpoint, -it can be tricked into talking to a malicious 3rd party who is relaying and -capturing all traffic by presenting its own certificates to the Director -and File Daemons. The only way to prevent this is by using trusted -certificates, so that the man in the middle is incapable of spoofing the -connection using his own. +\section{Getting TLS Certificates} To get a trusted certificate (CA or Certificate Authority signed certificate), you will either need to purchase certificates signed by a commercial CA or become a CA yourself, and thus you can sign all your own certificates. -The program TinyCA has a very nice Graphical User Interface -that allows you to easily setup and maintain your own CA. -TinyCA can be found at -\elink{http://tinyca.sm-zone.net/}{http://tinyca.sm-zone.net/}. +Bareos is known to work well with RSA certificates. + +You can use programs like \elink{xca}{http://xca.sourceforge.net/} or TinyCA +to easily manage your own CA with a Graphical User Interface. + + + +% \section{Creating a Self-signed Certificate} +% \index[general]{Certificate!Creating a Self-signed} +% +% You may create a self-signed certificate for use with the Bareos TLS that +% will permit you to make it function, but will not allow certificate +% validation. The .pem file containing both the certificate and the key +% valid for ten years can be made with the following: +% +% \begin{commands}{Create a Self-signed Certificate} +% openssl req -new -x509 -nodes -out bareos.pem -keyout bareos.pem -days 3650 +% \end{commands} +% +% The above script will ask you a number of questions. You may simply answer +% each of them by entering a return, or if you wish you may enter your own data. +% +% Note, however, that self-signed certificates will only work for the +% outgoing end of connections. For example, in the case of the \bareosDir +% making a connection to a \bareosFd, the \bareosFd may be configured to +% allow self-signed certificates, but the certificate used by the +% Director must be signed by a certificate that is explicitly trusted on the +% \bareosFd end. +% +% This is necessary to prevent ``man in the middle'' attacks from tools such +% as \elink{ettercap}{http://ettercap.sourceforge.net/}. Essentially, if the +% Director does not verify that it is talking to a trusted remote endpoint, +% it can be tricked into talking to a malicious 3rd party who is relaying and +% capturing all traffic by presenting its own certificates to the Director +% and File Daemons. The only way to prevent this is by using trusted +% certificates, so that the man in the middle is incapable of spoofing the +% connection using his own. + \section{Example TLS Configuration Files} \index[general]{Example!TLS Configuration Files} @@ -184,121 +180,112 @@ \section{Example TLS Configuration Files} An example of the TLS portions of the configuration files are listed below: -{\bf bareos-dir.conf} -\footnotesize -\begin{verbatim} - Director { # define myself - Name = backup1-dir - ... - TLS Enable = yes - TLS Require = yes - TLS Verify Peer = yes - TLS Allowed CN = "bareos@backup1.example.com" - TLS Allowed CN = "administrator@example.com" - TLS CA Certificate File = /usr/local/etc/ssl/ca.pem - # This is a server certificate, used for incoming - # console connections. - TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem - TLS Key = /usr/local/etc/ssl/backup1/key.pem - } - - Storage { - Name = File - Address = backup1.example.com - ... - TLS Require = yes - TLS CA Certificate File = /usr/local/etc/ssl/ca.pem - # This is a client certificate, used by the director to - # connect to the storage daemon - TLS Certificate = /usr/local/etc/ssl/bareos@backup1/cert.pem - TLS Key = /usr/local/etc/ssl/bareos@backup1/key.pem - } - - Client { - Name = backup1-fd - Address = server1.example.com - ... - - TLS Enable = yes - TLS Require = yes - TLS CA Certificate File = /usr/local/etc/ssl/ca.pem - } - -\end{verbatim} -\normalsize - -{\bf bareos-fd.conf} -\footnotesize -\begin{verbatim} - Director { - Name = backup1-dir - ... - TLS Enable = yes - TLS Require = yes - TLS Verify Peer = yes - # Allow only the Director to connect - TLS Allowed CN = "bareos@backup1.example.com" - TLS CA Certificate File = /usr/local/etc/ssl/ca.pem - # This is a server certificate. It is used by connecting - # directors to verify the authenticity of this file daemon - TLS Certificate = /usr/local/etc/ssl/server1/cert.pem - TLS Key = /usr/local/etc/ssl/server1/key.pem - } - - FileDaemon { - Name = backup1-fd - ... - # you need these TLS entries so the SD and FD can - # communicate - TLS Enable = yes - TLS Require = yes - - TLS CA Certificate File = /usr/local/etc/ssl/ca.pem - TLS Certificate = /usr/local/etc/ssl/server1/cert.pem - TLS Key = /usr/local/etc/ssl/server1/key.pem +\begin{bconfig}{bareos-dir.conf} +Director { # define myself + Name = backup1-dir + ... + TLS Enable = yes + TLS Require = yes + TLS Verify Peer = yes + TLS Allowed CN = "bareos@backup1.example.com" + TLS Allowed CN = "administrator@example.com" + TLS CA Certificate File = /etc/bareos/tls/ca.pem + # This is a server certificate, used for incoming + # console connections. + TLS Certificate = /etc/bareos/tls/backup1/cert.pem + TLS Key = /etc/bareos/tls/backup1/key.pem +} + +Storage { + Name = File + Address = backup1.example.com + ... + TLS Require = yes + TLS CA Certificate File = /etc/bareos/tls/ca.pem + # This is a client certificate, used by the director to + # connect to the storage daemon + TLS Certificate = /etc/bareos/tls/backup1/cert.pem + TLS Key = /etc/bareos/tls/backup1/key.pem } -\end{verbatim} -\normalsize - -{\bf bareos-sd.conf} -\footnotesize -\begin{verbatim} - Storage { # definition of myself - Name = backup1-sd - ... - # These TLS configuration options are used for incoming - # file daemon connections. Director TLS settings are handled - # below. - TLS Enable = yes - TLS Require = yes - # Peer certificate is not required/requested -- peer validity - # is verified by the storage connection cookie provided to the - # File Daemon by the director. - TLS Verify Peer = no - TLS CA Certificate File = /usr/local/etc/ssl/ca.pem - # This is a server certificate. It is used by connecting - # file daemons to verify the authenticity of this storage daemon - TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem - TLS Key = /usr/local/etc/ssl/backup1/key.pem - } - - # - # List Directors who are permitted to contact Storage daemon - # - Director { - Name = backup1-dir - ... - TLS Enable = yes - TLS Require = yes - # Require the connecting director to provide a certificate - # with the matching CN. - TLS Verify Peer = yes - TLS Allowed CN = "bareos@backup1.example.com" - TLS CA Certificate File = /usr/local/etc/ssl/ca.pem - # This is a server certificate. It is used by the connecting - # director to verify the authenticity of this storage daemon - TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem - TLS Key = /usr/local/etc/ssl/backup1/key.pem - } -\end{verbatim} -\normalsize + +Client { + Name = backup1-fd + Address = client1.example.com + ... + TLS Enable = yes + TLS Require = yes + TLS CA Certificate File = /etc/bareos/tls/ca.pem + TLS Certificate = /etc/bareos/tls/backup1/cert.pem + TLS Key = /etc/bareos/tls/backup1/key.pem +} +\end{bconfig} + +\begin{bconfig}{bareos-fd.conf} +Director { + Name = backup1-dir + ... + TLS Enable = yes + TLS Require = yes + TLS Verify Peer = yes + # Allow only the Director to connect + TLS Allowed CN = "bareos@backup1.example.com" + TLS CA Certificate File = /etc/bareos/tls/ca.pem + # This is a server certificate. It is used by connecting + # directors to verify the authenticity of this file daemon + TLS Certificate = /etc/bareos/tls/client11/cert.pem + TLS Key = /etc/bareos/tls/client1/key.pem +} + +FileDaemon { + Name = backup1-fd + ... + # you need these TLS entries so the SD and FD can + # communicate + TLS Enable = yes + TLS Require = yes + + TLS CA Certificate File = /etc/bareos/tls/ca.pem + TLS Certificate = /etc/bareos/tls/client1/cert.pem + TLS Key = /etc/bareos/tls/client1/key.pem +} +\end{bconfig} + +\begin{bconfig}{bareos-sd.conf} +Storage { # definition of myself + Name = backup1-sd + ... + # These TLS configuration options are used for incoming + # file daemon connections. Director TLS settings are handled + # below. + TLS Enable = yes + TLS Require = yes + # Peer certificate is not required/requested -- peer validity + # is verified by the storage connection cookie provided to the + # File Daemon by the director. + TLS Verify Peer = no + TLS CA Certificate File = /etc/bareos/tls/ca.pem + # This is a server certificate. It is used by connecting + # file daemons to verify the authenticity of this storage daemon + TLS Certificate = /etc/bareos/tls/backup1/cert.pem + TLS Key = /usr/local/etc/ssl/backup1/key.pem +} + +# +# List Directors who are permitted to contact Storage daemon +# +Director { + Name = backup1-dir + ... + TLS Enable = yes + TLS Require = yes + # Require the connecting director to provide a certificate + # with the matching CN. + TLS Verify Peer = yes + TLS Allowed CN = "bareos@backup1.example.com" + TLS CA Certificate File = /etc/bareos/tls/ca.pem + # This is a server certificate. It is used by the connecting + # director to verify the authenticity of this storage daemon + TLS Certificate = /etc/bareos/tls/backup1/cert.pem + TLS Key = /etc/bareos/tls/backup1/key.pem +} +\end{bconfig} diff --git a/manuals/en/main/webui.tex b/manuals/en/main/webui.tex index 3dad5cd..27d6cd2 100644 --- a/manuals/en/main/webui.tex +++ b/manuals/en/main/webui.tex @@ -183,17 +183,6 @@ \subsection{Configure your /etc/bareos-webui/directors.ini} ; Default value is 9101 dirport = 9101 -; Note: TLS has not been tested and documented, yet. -;tls_verify_peer = false -;server_can_do_tls = false -;server_requires_tls = false -;client_can_do_tls = false -;client_requires_tls = false -;ca_file = "" -;cert_file = "" -;cert_file_passphrase = "" -;allowed_cns = "" - ; ; Section remote-dir ; @@ -201,7 +190,6 @@ \subsection{Configure your /etc/bareos-webui/directors.ini} enabled = "no" diraddress = "hostname" dirport = 9101 -; Note: TLS has not been tested and documented, yet. ;tls_verify_peer = false ;server_can_do_tls = false ;server_requires_tls = false