From: Hydro M. <hyd...@gm...> - 2008-03-09 18:13:33
Hello all, I'm reading through the TLS section of the current version of the Bacula User's Guide. Thanks to everyone, including Landon Fuller, for the TLS and TLS documentation contributions. In the chapter titled "Bacula TLS -- Communications Encryption" <http://www.bacula.org/en/rel-manual/Bacula_TLS_Communication.html#24629> there is a subchapter titled "Example TLS Configuration Files" <http://www.bacula.org/en/rel-manual/Bacula_TLS_Communication.html#SECTION004440000000000000000> and, for the Bacula Director configuration file, this excerpt:

> Director {                            # define myself
>   Name = backup1-dir
>   ...
>   TLS Enable = yes
>   TLS Require = yes
>   TLS Verify Peer = yes
>   TLS Allowed CN = "ba...@ba..."
>   TLS Allowed CN = "adm...@ex..."
>   TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
>   # This is a server certificate, used for incoming
>   # console connections.
>   TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
>   TLS Key = /usr/local/etc/ssl/backup1/key.pem
> }

I understand that multiple instances of the "TLS Allowed CN" directive are allowed, and in fact the example above shows two such instances. Further on in the example section there is seemingly a logical link to public/private key files that map to certificates with a CN that is probably named "ba...@ba...", but I wasn't able to make a logical connection with a certificate whose CN is named "adm...@ex...". Does anyone know, in this example context, which of the above CNs link to which specific certificate? For example, is the CN named "adm...@ex..." the CN of the server certificate used in the example (and the CN named "ba...@ba..." the CN of the client or "peer" certificate referred to)? Thank you for any suggestions ...

I just want to make sure that I create the necessary certificates in what at first appears to be somewhat of a non-trivial process (I have set up my own CA so I can self-sign, but I want TLS communications to work between all components, meaning File, Storage and Director Daemons as well as comms from the Bacula Console). Once I get the hang of how this all works in Bacula I'm sure it will look very simple and easy :-) Cheers, Hydro
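An added example (not from the manual, the thread, or Bacula itself): a small Python check that collects every repeated "TLS Allowed CN" value from a Director fragment modelled on the excerpt above and tests whether a peer certificate's CN, as printed by `openssl x509 -noout -subject`, would be accepted. It assumes Bacula compares the peer certificate's Common Name against that list by exact string match; the CN values, file paths and subject lines are constructed placeholders.

```python
import re

# Constructed Director fragment in the shape of the manual excerpt above;
# the CNs are placeholders, not the values from the manual or the thread.
DIRECTOR_CONF = """
Director {                            # define myself
  Name = backup1-dir
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "console@example.test"
  TLS Allowed CN = "admin@example.test"
  TLS CA Certificate File = /usr/local/etc/ssl/ca.pem
  # This is a server certificate, used for incoming
  # console connections.
  TLS Certificate = /usr/local/etc/ssl/backup1/cert.pem
  TLS Key = /usr/local/etc/ssl/backup1/key.pem
}
"""

# One 'Key = value' directive; value may be double-quoted or bare.
# Simplified mimic of Bacula's parser for this check, not the real one.
DIRECTIVE = re.compile(r'([A-Za-z][A-Za-z ]*?)\s*=\s*(?:"([^"]*)"|([^#]*))')


def allowed_cns(conf: str) -> list:
    """Collect every 'TLS Allowed CN' value; the directive may repeat."""
    cns = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or full-line comment
        m = DIRECTIVE.match(line)
        if m and m.group(1).strip().lower() == "tls allowed cn":
            cns.append(m.group(2) if m.group(2) is not None else m.group(3).strip())
    return cns


def cn_from_subject(subject_line: str) -> str:
    """Extract CN from an 'openssl x509 -noout -subject' line, accepting both
    the '/C=US/CN=x' and the 'C = US, CN = x' output styles."""
    m = re.search(r'(?:^|[/,=])\s*CN\s*=\s*([^/,]+)', subject_line)
    if not m:
        raise ValueError("no CN in subject: " + subject_line)
    return m.group(1).strip()


def check_peer(conf: str, subject_line: str) -> bool:
    """True if this peer certificate's CN is on the Director's allowed list
    (assumed exact string comparison, as a CN allow-list implies)."""
    return cn_from_subject(subject_line) in allowed_cns(conf)
```

Run `openssl x509 -noout -subject -in <peer cert>` for each console or daemon certificate and feed the line to `check_peer` before enabling `TLS Verify Peer`; a rejected CN means the certificate was issued with a name the Director will refuse.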