From: Kern S. <ke...@us...> - 2005-05-02 13:24:05
Update of /cvsroot/bacula/bacula/doc/latex In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv25611/doc/latex Modified Files: bacula.tex faq.tex python.tex state.tex stunnel.tex Added Files: tls.tex Log Message: - Fix lib/fnmatch.c so that it does proper testing before folding. - More documentation -- at tls and ansi labels chapters. - Fix fileset_convert.pl to handle empty Exclude statements. - Turn regex back off in Win32 Index: python.tex =================================================================== RCS file: /cvsroot/bacula/bacula/doc/latex/python.tex,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- python.tex 30 Apr 2005 19:39:49 -0000 1.1 +++ python.tex 2 May 2005 13:23:18 -0000 1.2 @@ -17,10 +17,10 @@ a scripting language such as Python, you can generate any name you want, based on the current state of Bacula. -\subsection*{Python Installation} -\index[general]{Python Installation} -\index[general]{Installation!Python} -\addcontentsline{toc}{subsection}{Python Installation} +\subsection*{Python Configuration} +\index[general]{Python Configuration} +\index[general]{Configuration!Python} +\addcontentsline{toc}{subsection}{Python Configuration} Python must be enabled during the configuration process by adding a \verb?--?enable-python, and possibly specifying an alternate Index: bacula.tex =================================================================== RCS file: /cvsroot/bacula/bacula/doc/latex/bacula.tex,v retrieving revision 1.40 retrieving revision 1.41 diff -u -d -r1.40 -r1.41 --- bacula.tex 30 Apr 2005 19:39:49 -0000 1.40 +++ bacula.tex 2 May 2005 13:23:15 -0000 1.41 @@ -82,6 +82,7 @@ \include{supportedchangers} \include{spooling} \include{python} +\include{ansi-labels} \include{faq} \include{tips} \include{progs} 
@@ -89,6 +90,7 @@ \include{kaboom} \include{win32} \include{rescue} +\include{tls} \include{stunnel} \include{security} \include{firewalls} Index: faq.tex =================================================================== RCS file: /cvsroot/bacula/bacula/doc/latex/faq.tex,v retrieving revision 1.28 retrieving revision 1.29 diff -u -d -r1.28 -r1.29 --- faq.tex 28 Apr 2005 19:28:58 -0000 1.28 +++ faq.tex 2 May 2005 13:23:17 -0000 1.29 @@ -7,10 +7,16 @@ \index[general]{Bacula Frequently Asked Questions } \addcontentsline{toc}{section}{Bacula Frequently Asked Questions} -See +These are questions that have been submitted over time by the +Bacula users. + +Please also see \ilink{the bugs section}{_ChapterStart4} of this document for a list of known bugs and solutions. +\subsection*{Frequently Asked Questions} +\addcontentsline{toc}{section}{Frequently Asked Questions} + \begin{description} \label{what} Index: stunnel.tex =================================================================== RCS file: /cvsroot/bacula/bacula/doc/latex/stunnel.tex,v retrieving revision 1.21 retrieving revision 1.22 diff -u -d -r1.21 -r1.22 --- stunnel.tex 19 Apr 2005 15:02:21 -0000 1.21 +++ stunnel.tex 2 May 2005 13:23:18 -0000 1.22 
@@ -1,15 +1,17 @@ %% %% -\section*{Using Bacula to Encrypt Communications to Clients} +\section*{Using stunnel to Encrypt Communications to Clients} \label{_ChapterStart6} \index[general]{Clients!Using Bacula to Encrypt Communications to } \index[general]{Using Bacula to Encrypt Communications to Clients } \addcontentsline{toc}{section}{Using Bacula to Encrypt Communications to Clients} -At the current time, Bacula does not have built-in communications encryption. -However, without too much effort, it is possible to encrypt the communications +Prior to verion 1.37, Bacula did not have built-in communications encryption. +Please see the TLS chapter if you are using Bacula 1.37 or greater. + +Without too much effort, it is possible to encrypt the communications between any of the daemons. This chapter will show you how to use {\bf stunnel} to encrypt communications to your client programs. We assume the Director and the Storage daemon are running on one machine that will be called 
@@ -519,7 +521,7 @@ \addcontentsline{toc}{subsection}{Creating a Self-signed Certificate} You may create a self-signed certificate for use with stunnel that will permit -you to make it function, but will now allow certificate validation. The .pem +you to make it function, but will not allow certificate validation. The .pem file containing both the certificate and the key can be made with the following, which I put in a file named {\bf makepem}: --- NEW FILE: tls.tex --- \section*{Bacula TLS} \label{_ChapterStart61} \index[general]{Bacula TLS} \index[general]{TLS} \addcontentsline{toc}{section}{Bacula TLS} Bacula TLS (Transport Layer Security) is built-in network encryption code to provide secure network transport similar to that offered by {\bf stunnel} or {\bs ssh}. The Bacula code was written by Landon Fuller. Supported features of this code include: \begin{itemize} \item Client/Server TLS Requirement Negotiation \item TLSv1 Connections with Server and Client Certificate Validation \item Forward Secrecy Support via Diffie-Hellman Ephemeral Keying \end{itemize} This document will refer to both ``server'' and ``client'' contexts. These terms refer to the accepting and initiating peer, respectively. Diffie-Hellman anonymous ciphers are not supported by this code. The use of DH anonymous ciphers increases the code complexity and places explicit trust upon the two-way Cram-MD5 implementation. Cram-MD5 is subject to known plaintext attacks, and is should be considered considerably less secure than PKI certificate-based authentication. Appropriate autoconf macros have been added to detect and use OpenSSL if enabled on the {\bf ./configure} line with {\bf \verb?--?enable-openssl} \subsection*{TLS Configuration Directives} \addcontentsline{toc}{section}{TLS Configuration Directives} Additional configuration directives have been added to all the daemons (Director, File daemon, and Storage daemon) as well as the various different Console programs. 
These new directives are defined as follows: \begin{description} \item [TLS Enable = \lt{}yes|no\gt{}] Enable TLS support. \item [TLS Require = \lt{}yes|no\gt{}] Require TLS connections. \item [TLS Certificate = \lt{}Directory\gt{}] Path to PEM encoded TLS certificate. Used as either a client or server certificate. \item [TLS Key = \lt{}Directory\gt{}] Path to PEM encoded TLS private key. Must correspond with the TLS certificate. \item [TLS Verify Peer = \lt{}yes|no\gt{}] Verify peer certificate. Instructs server to request and verify the client's x509 certificate. Any client certificate signed by a known-CA will be accepted unless the TLS Allowed CN configuration directive is used. Not valid in a client context. \item [TLS Allowed CN = \lt{}string list\gt{}] Common name attribute of allowed peer certificates. If directive is specified, all client certificates will be verified against this list. This directive may be specified more than once. Not valid in a client context. \item [TLS CA Certificate File = \lt{}Directory\gt{}] Path to PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of \emph{TLS CA Certificate File} or \emph{TLS CA Certificate Dir} are required in a server context if \emph{TLS Verify Peer} (see above) is also specified, and are always required in a client context. \item [TLS CA Certificate Dir = \lt{}Directory\gt{}] Path to TLS CA certificate directory. In the current implementation, certificates must be stored PEM encoded with OpenSSL-compatible hashes. One of \emph{TLS CA Certificate File} or \emph{TLS CA Certificate Dir} are required in a server context if \emph{TLS Verify Peer} is also specified, and are always required in a client context. \item [TLS DH File = \lt{}Directory\gt{}] Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH ephemeral keying will be enabled, allowing for forward secrecy of communications. This directive is only valid within a server context. 
To generate the parameter file, you may use openssl: \begin{verbatim} openssl dhparam -out dh1024.pem -5 1024 \end{verbatim} \end{itemize} \subsection*{Creating a Self-signed Certificate} \index[general]{Creating a Self-signed Certificate } \index[general]{Certificate!Creating a Self-signed } \addcontentsline{toc}{subsection}{Creating a Self-signed Certificate} You may create a self-signed certificate for use with the Bacula TLS that will permit you to make it function, but will not allow certificate validation. The .pem file containing both the certificate and the key can be made with the following, which I put in a file named {\bf makepem}: \footnotesize \begin{verbatim} #!/bin/sh # # Simple shell script to make a .pem file that can be used # with stunnel and Bacula # OPENSSL=openssl umask 77 PEM1=`/bin/mktemp openssl.XXXXXX` PEM2=`/bin/mktemp openssl.XXXXXX` ${OPENSSL} req -newkey rsa:1024 -keyout $PEM1 -nodes \ -x509 -days 365 -out $PEM2 cat $PEM1 > stunnel.pem echo "" >>stunnel.pem cat $PEM2 >>stunnel.pem rm $PEM1 $PEM2 \end{verbatim} \normalsize The above script will ask you a number of questions. You may simply answer each of them by entering a return, or if you wish you may enter your own data. \subsection*{Getting a CA Signed Certificate} \index[general]{Certificate!Getting a CA Signed } \index[general]{Getting a CA Signed Certificate } \addcontentsline{toc}{subsection}{Getting a CA Signed Certificate} The process of getting a certificate that is signed by a CA is quite a bit more complicated. You can purchase one from quite a number of PKI vendors, but that is not at all necessary for use with Bacula. To get a CA signed certificate, you will either need to find a friend that has setup his own CA or to become a CA yourself, and thus you can sign all your own certificates. 
The book OpenSSL by John Viega, Matt Mesier \& Pravir Chandra from O'Reilly explains how to do it, or you can read the documentation provided in the Open-source PKI Book project at Source Forge: \elink{ http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm} {http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/ospki-book.htm}. Note, this link may change. Index: state.tex =================================================================== RCS file: /cvsroot/bacula/bacula/doc/latex/state.tex,v retrieving revision 1.22 retrieving revision 1.23 diff -u -d -r1.22 -r1.23 --- state.tex 19 Apr 2005 15:02:06 -0000 1.22 +++ state.tex 2 May 2005 13:23:18 -0000 1.23 @@ -40,7 +40,9 @@ additional features over the shell program. \item Verification of files previously cataloged, permitting a Tripwire like capability (system break-in detection). -\item CRAM-MD5 password authentication between each component (daemon). +\item CRAM-MD5 password authentication between each component (daemon). +\item Configurable + \ilink{TLS (ssl) encryption}{_ChapterStart61} between each component. \item A comprehensive and extensible \ilink{configuration file}{_ChapterStart40} for each daemon. \item Catalog database facility for remembering Volumes, Pools, Jobs, and 
@@ -78,15 +80,18 @@ barcodes or by reading the tapes. \item Raw device backup/restore. Restore must be to the same device. \item All Volume blocks (approx 64K bytes) contain a data checksum. -\item Access control lists for Consoles that permit restricting user access +\item Access control lists for Consoles that permit restricting user access to only their data. -\item Data spooling to disk during backup with subsequent write to tape from +\item Data spooling to disk during backup with subsequent write to tape from the spooled disk files. This prevents tape ``shoe shine'' during Incremental/Differential backups. \item Support for save/restore of files larger than 2GB. \item Support for 64 bit machines, e.g. amd64. \item Ability to encrypt communications between daemons using stunnel. - \end{itemize} +\item Support ANSI and IBM tape labels. +\item Support for Unicode filenames (e.g. Chinese) on Win32 machines. + +\end{itemize} \subsection*{Advantages of Bacula Over Other Backup Programs} \index[general]{Advantages of Bacula Over Other Backup Programs } @@ -116,7 +121,7 @@ \item Bacula has a built-in Job scheduler. \item The Volume format is documented and there are simple C programs to read/write it. -\item Bacula uses well defined (registered) TCP/IP ports -- no rpcs, no +\item Bacula uses well defined (IANA registered) TCP/IP ports -- no rpcs, no shared memory. \item Bacula installation and configuration is relatively simple compared to other comparable products. 
@@ -154,14 +159,10 @@ \addcontentsline{toc}{subsection}{Current Implementation Restrictions} \begin{itemize} -\item It doesn't currently support ANSI and IBM tape labels. \item Typical of Microsoft, not all files can always be saved on WinNT, Win2K and WinXP when they are in use by another program. Anyone knowing the magic incantations please step forward. The files that are skipped seem to be in exclusive use by some other process, and don't appear to be too important. -\item Unicode filenames (e.g. Chinese) cannot be saved or restored. This - appears to be a problem only on Mac machines that are using remote mounted - Windows volumes. \item If you have over 4 billion file entries stored in your database, the database FileId is likely to overflow. This is a monster database, but still possible. At some point, Bacula's FileId fields will be upgraded from 32 bits |
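Review bot: `\include{ansi-labels}` in the bacula.tex hunk at @@ -82,6 +82,7 @@ pulls in a chapter file that is not part of this commit: the header lists only tls.tex under Added Files, so a checkout at this revision will not build bacula.tex until ansi-labels.tex is committed (or the include is held back to the commit that adds the file).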
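Review bot: the new `\subsection*{Frequently Asked Questions}` in the faq.tex hunk registers itself at section level (`\addcontentsline{toc}{section}{Frequently Asked Questions}`), which puts two consecutive section entries with nearly the same title into the TOC right after "Bacula Frequently Asked Questions". Use `\addcontentsline{toc}{subsection}{...}` as the rest of the document does for starred subsections (compare the stunnel.tex hunk at @@ -519,7 +521,7 @@), or drop the subsection entirely since it only repeats the section heading.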
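Review bot: in the first stunnel.tex hunk the heading is renamed to "Using stunnel to Encrypt Communications to Clients" but the three lines directly under it (`\index[general]{Clients!Using Bacula to Encrypt Communications to }`, `\index[general]{Using Bacula to Encrypt Communications to Clients }` and the `\addcontentsline{toc}{section}{Using Bacula ...}`) keep the old wording, so the TOC and index will still say "Using Bacula"; update them in the same hunk. Also "verion" should be "version" in the new first paragraph, and "Please see the TLS chapter" would be better as an `\ilink{TLS chapter}{_ChapterStart61}` so it resolves to the label the new tls.tex defines, as the state.tex hunk already does.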
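Review bot: tls.tex will not compile as committed: `{\bs ssh}` in the opening paragraph should be `{\bf ssh}` (`\bs` is undefined), and the directive list is opened with `\begin{description}` but closed with `\end{itemize}` right after the `openssl dhparam` example. Smaller fixes in the same file: `\addcontentsline{toc}{section}{TLS Configuration Directives}` should be at subsection level like the two subsections that follow it; "is should be considered" should read "should be considered"; and TLS Certificate, TLS Key, TLS CA Certificate File and TLS DH File are typed `\lt{}Directory\gt{}` although they take a PEM file path, so `\lt{}Filename\gt{}` would keep them distinct from TLS CA Certificate Dir, which is the only one that really takes a directory. Two points a reader will trip over: first, the "Creating a Self-signed Certificate" section is copied from the stunnel chapter, still writes a combined stunnel.pem and says "with stunnel and Bacula", but the directives above take the certificate and the key as separate files, so the script should write $PEM2 and $PEM1 to two appropriately named outputs instead of concatenating them. Second, that section says a self-signed certificate "will not allow certificate validation", yet the directive text says a CA certificate is always required in a client context and in a server context whenever TLS Verify Peer is set; the chapter should say that with self-signed certificates the peer's own certificate is what goes into TLS CA Certificate File on the other side, otherwise the first connection fails verification. The anonymous-DH paragraph gives its rationale only in terms of Cram-MD5 weaknesses; the point worth stating outright is that anonymous DH authenticates neither peer, so resistance to an active man-in-the-middle would rest entirely on the shared password, which is why certificate-based peer validation is the supported mode. Finally, the `openssl dhparam -out dh1024.pem -5 1024` example produces a 1024-bit group; since the directive only needs a PEM parameter file, it is worth mentioning that the same command with 2048 in place of 1024 yields a stronger group at the cost of slower generation.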
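Review bot: in the state.tex hunk at @@ -78,15 +80,18 @@ the new item "Support ANSI and IBM tape labels." should read "Support for ANSI and IBM tape labels." to match the neighbouring items, and the unchanged item "Ability to encrypt communications between daemons using stunnel." in the same hunk now understates the feature set, since this commit adds built-in TLS; either mention TLS there as well or point at the TLS item added in the first state.tex hunk, so the feature list does not name only the external method.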