Console resource
Configuration directives for the Console resource. Every directive is listed; value types and defaults are noted where the source provides them.
AuthenticationPlugin
AuthenticationPlugin = <plugin-definition>
Specifies the plugin that provides the authentication API framework, which allows a different set of authentication mechanisms (user credential verification) to be configured through dedicated Director plugins. The framework is called BPAM (NGBackup Pluggable Authentication Modules). The first plugin available is an LDAP connector suitable for connecting to OpenLDAP or Active Directory.
The framework supports standard user/password and MFA authentication schemes, fully driven by the external plugins. On the client side, backup-console performs the user interaction needed to collect the required credentials when it is notified by the Director. NGBackup still supports all previous authentication schemes, including CRAM-MD5 and TLS. TLS Authentication can even be configured together with BPAM authentication to raise the required security level. BPAM authentication is available for named Console resources only.
To use this feature, load the dedicated Director plugin from the directory pointed to by the Plugin Directory directive of the Director resource. The plugin should be listed by the Director's status command. Then configure the Console resource to use the plugin for authentication with the Authentication Plugin directive, together with a named Console configuration in backup-console.conf, as described in the Console Configuration chapter of this manual.
```
Console {
  Name = "ldapconsole"
  Password = "xxx"
  Authentication Plugin = "ldap:
```
where parameters is a space-separated list of one or more plugin parameters:
url
- LDAP directory service location, e.g. "url=ldap://10.0.0.1/"
BackupClientACL
BackupClientACL = <name-list>
Specifies a list of Client resource names that the console may use to back up files. The ClientACL is not affected by the RestoreClientACL directive.
CatalogACL
CatalogACL = <name-list>
This directive is used to specify a list of Catalog resource names that can be accessed by the console.
ClientACL
ClientACL = <name-list>
This directive is used to specify a list of Client resource names that can be accessed by the console.
CommandACL
CommandACL = <name-list>
This directive is used to specify a list of console commands that can be executed by the console.
CommCompression
CommCompression = <yes|no>
If both NGBackup components on a connection (DIR, FD, SD, backup-console) have comm line compression enabled, the line is compressed. The default value is yes.
In many cases, the volume of data transmitted across the communications line can be reduced by a factor of three when this directive is enabled. Where the compression is not effective, NGBackup turns it off on a record-by-record basis.
If you are backing up data that is already compressed, comm line compression will not be effective, and the average compression ratio will be very small. In this case, NGBackup reports None in the Job report.
Console
Start of the Console resource.
Director
Director = <director-resource-name>
If this directive is specified, this Console resource is used by backup-console when that particular Director is selected when first starting backup-console. That is, it binds a particular Console resource, with its name and password, to a particular Director.
DirectoryACL
DirectoryACL = <name-list>
Specifies a list of directories that can be accessed by a restore session. Without this directive, the console cannot restore any file. Multiple directory names may be specified by separating them with commas, and/or by specifying multiple DirectoryACL directives.
FileSetACL
FileSetACL = <name-list>
This directive is used to specify a list of FileSet resource names that can be accessed by the console.
Heartbeat Interval
Heartbeat Interval = <time-interval>
This directive is optional and if specified will cause the Console to set a keepalive interval (heartbeat) in seconds on each of the sockets to communicate with the Director. It is implemented only on systems (Linux, …) that provide the setsockopt TCP_KEEPIDLE function. The default value is zero, which means no change is made to the socket.
JobACL
JobACL = <name-list>
This directive is used to specify a list of Job resource names that can be accessed by the console. Without this directive, the console cannot access any of the Director’s Job resources. Multiple Job resource names may be specified by separating them with commas, and/or by specifying multiple JobACL directives. For example, the directive may be specified as:
```
JobACL = kernsave, "Backup client 1", "Backup client 2"
JobACL = "RestoreFiles"
```
With the above specification, the console can access the Director’s resources for the four jobs named on the JobACL directives, but for no others.
Name
Name = <name>
The Console name used to allow a restricted console to change its IP address using the SetIP command. The SetIP command must also be defined in the Director’s conf CommandACL list.
Password
Password = <password>
Specifies the password that must be supplied for a named NGBackup Console to be authorized. The same password must appear in the Console resource of the Console configuration file. For added security, the password is never actually passed across the network but rather a challenge response hash code created with the password. This directive is required. If you have either /dev/random or bc on your machine, NGBackup will generate a random password during the configuration process, otherwise it will be left blank. The password is plain text. It is not generated through any special process. However, it is preferable for security reasons to choose random text.
PoolACL
PoolACL = <name-list>
This directive is used to specify a list of Pool resource names that can be accessed by the console.
RestoreClientACL
RestoreClientACL = <name-list>
Specifies a list of Client resource names that the console may use to restore files. The ClientACL is not affected by the RestoreClientACL directive.
```
ClientAcl = localhost-fd           # backup and restore
RestoreClientAcl = test-fd         # restore only
BackupClientAcl = production-fd    # backup only
```
ScheduleACL
ScheduleACL = <name-list>
This directive is used to specify a list of Schedule resource names that can be accessed by the console.
StorageACL
StorageACL = <name-list>
This directive is used to specify a list of Storage resource names that can be accessed by the console.
TLS Allowed CN
TLS Allowed CN = <string list>
Common Name attribute of allowed peer certificates. This directive is valid both in a server context and in a client context. If it is specified, the peer certificate is verified against this list. When configured on the server side, the allowed CN list is checked only if TLS Verify Peer = yes (the default); with TLS Verify Peer = no it is not checked. This can be used to ensure that only the CN-approved component may connect. This directive may be specified more than once. For example, in backup-fd.conf, Director resource definition:
```
Director {
  Name = backup-dir
  Password = "password"
  Address = director.example.com
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  # if TLS Verify Peer = no, then TLS Allowed CN will not be checked.
  TLS Verify Peer = yes
  TLS Allowed CN = director.example.com
  TLS CA Certificate File = /opt/backup/ssl/certs/root_cert.pem
  TLS Certificate = /opt/backup/ssl/certs/client1_cert.pem
  TLS Key = /opt/backup/ssl/keys/client1_key.pem
}
```
In the case this directive is configured in a client side, the allowed CN list will always be checked.
```
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  …
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  # the Allowed CN will be checked for this client by the director:
  # the client's certificate Common Name must match any of
  # the values of the Allowed CN list
  TLS Allowed CN = client1.example.com
  TLS CA Certificate File = /opt/backup/ssl/certs/ca_client1_cert.pem
  TLS Certificate = /opt/backup/ssl/certs/director_cert.pem
  TLS Key = /opt/backup/ssl/keys/director_key.pem
}
```
If the client doesn't provide a certificate with a Common Name that matches any value in the TLS Allowed CN list, an error message will be issued:
```
16-Nov 17:30 backup-dir JobId 0: Fatal error: bnet.c:273 TLS certificate verification failed. Peer certificate did not match a required commonName
16-Nov 17:30 backup-dir JobId 0: Fatal error: TLS negotiation failed with FD at "192.168.100.2:9102".
```
TLS Authenticate
TLS Authenticate = <yes|no>
When TLS Authenticate is enabled, after doing the CRAM-MD5 authentication, NGBackup will also do TLS authentication, then TLS encryption will be turned off, and the rest of the communication between the two NGBackup components will be done without encryption. If TLS-PSK is used instead of the regular TLS, the encryption is turned off after the TLS-PSK authentication step. If you want to encrypt communications data, use the normal TLS directives but do not turn on TLS Authenticate.
TLS CA Certificate Dir
TLS CA Certificate Dir = <Directory>
Full path to the TLS CA certificate directory. In the current implementation, certificates must be stored PEM encoded with OpenSSL-compatible hashes, which is the subject name's hash and an extension of .0. One of TLS CA Certificate File or TLS CA Certificate Dir is required in a server context, unless TLS Verify Peer is set to no, and one is always required in a client context.
TLS CA Certificate File
TLS CA Certificate File = <Filename>
The full path and filename of a file containing one or more PEM encoded TLS CA certificates. Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir is required in a server context, unless TLS Verify Peer (see above) is set to no, and one is always required in a client context.
TLS Certificate
TLS Certificate = <Filename>
The full path and filename of a PEM encoded TLS certificate. It will be used as either a client or server certificate, depending on the connection direction. PEM stands for Privacy Enhanced Mail, but in this context refers to how the certificates are encoded. This format is used because PEM files are base64 encoded and hence ASCII text based rather than binary. They may also contain encrypted information. This directive is required in a server context, but it may not be specified in a client context if TLS Verify Peer is set to no in the corresponding server context.
Example:
File Daemon configuration file (backup-fd.conf), Director resource configuration has TLS Verify Peer = no:
```
Director {
  Name = backup-dir
  Password = "password"
  Address = director.example.com
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = no
  TLS CA Certificate File = /opt/backup/ssl/certs/root_cert.pem
  TLS Certificate = /opt/backup/ssl/certs/client1_cert.pem
  TLS Key = /opt/backup/ssl/keys/client1_key.pem
}
```
Having TLS Verify Peer = no means the File Daemon (server context) will not check the Director's public certificate (client context). There is no need to specify the TLS Certificate or TLS Key directives in the Client resource of the Director configuration file. We can have the client configuration below in backup-dir.conf:
```
Client {
  Name = client1-fd
  Address = client1.example.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "password"
  …
  # TLS configuration directives
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /opt/backup/ssl/certs/ca_client1_cert.pem
}
```
TLS DH File
TLS DH File = <Filename>
Path to PEM encoded Diffie-Hellman parameter file. If this directive is specified, DH key exchange will be used for the ephemeral keying, allowing for forward secrecy of communications. DH key exchange adds an additional level of security because the key used for encryption/decryption by the server and the client is computed on each end and thus is never passed over the network if Diffie-Hellman key exchange is used. Even if DH key exchange is not used, the encryption/decryption key is always passed encrypted. This directive is only valid within a server context. To generate the parameter file, you may use openssl:
```
openssl dhparam -out dh4096.pem -5 4096
```
TLS Enable
TLS Enable = <yes|no>
Enable TLS support. If TLS is not enabled, none of the other TLS directives have any effect. In other words, even if you set TLS Require = yes you need to have TLS enabled or TLS will not be used.
TLS Key
TLS Key = <Filename>
The full path and filename of a PEM encoded TLS private key. It must correspond to the TLS certificate.
TLS PSK Enable
TLS PSK Enable = <yes|no>
Enable or Disable automatic TLS PSK support. TLS PSK is enabled by default between all NGBackup components. The Pre-Shared Key used between the programs is the NGBackup password. If both TLS Enable and TLS PSK Enable are enabled, the system will use TLS certificates.
TLS Require
TLS Require = <yes|no>
Require TLS or TLS-PSK encryption. This directive is ignored unless one of TLS Enable or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK is enabled, the NGBackup component will connect to other components either with or without TLS or TLS-PSK.
If TLS or TLS-PSK is enabled and TLS is required, then the NGBackup component will refuse any connection request that does not use TLS.
TLS Verify Peer
TLS Verify Peer = <yes|no>
Verify the peer certificate. Instructs the server to request and verify the client's X.509 certificate. Any client certificate signed by a known CA will be accepted. Additionally, the client's X.509 certificate Common Name must match the value of the Address directive. If the TLS Allowed CN configuration directive is used, the client's X.509 certificate Common Name must also correspond to one of the CNs specified in the TLS Allowed CN directive. This directive is valid only in a server context, not in a client context. The default is yes.
UserIdACL
UserIdACL = <name-list>
This directive is used to specify a list of UID/GID that can be accessed from a restore session. Without this directive, the console cannot restore any file. During the restore session, the Director will compute the restore list and will exclude files and directories that cannot be accessed. NGBackup uses the LStat database field to retrieve st_mode, st_uid and st_gid information for each file and compare them with the UserIdACL elements. If a parent directory doesn’t have a proper catalog entry, the access to this directory will be automatically granted.
UID/GID names are resolved with the getpwnam() function within the Director. The user UID/GID mapping might differ from one system to another.
Windows systems are not compatible with the UserIdACL feature. The use of UserIdACL = all is required to restore Windows systems from a restricted Console.
Multiple UID/GID names may be specified by separating them with commas, and/or by specifying multiple UserIdACL directives.
WhereACL
WhereACL = <string>
This directive permits you to specify where a restricted console can restore files. If this directive is not specified, only the default restore location is permitted (normally /tmp/bacula-restores). If all is specified any path the user enters will be accepted (not very secure), any other value specified (there may be multiple WhereACL directives) will restrict the user to use that path. For example, on a Unix system, if you specify “/”, the file will be restored to the original location. This directive is untested.
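As an added example that is not part of this page or of NGBackup itself, the following Python script parses a constructed Console resource and applies the rules stated above for the ACL directives (JobACL, DirectoryACL, UserIdACL, WhereACL) and for the TLS directives (TLS Enable, TLS PSK Enable, TLS Require, TLS Authenticate, TLS Verify Peer), returning the settings a reviewer would flag. The parser itself, its case- and space-insensitive directive matching, and the treatment of an absent TLS Require as no are assumptions.

```python
import csv
import re

# Constructed sample Console resource (not from the page) used to exercise the checks.
SAMPLE = """Console {
  Name = "restricted-console"
  JobACL = kernsave, "Backup client 1", "Backup client 2"
  JobACL = "RestoreFiles"
  DirectoryACL = /etc, /home
  WhereACL = all
  TLS Enable = yes
  TLS Require = no
  TLS Verify Peer = no
}
"""

def parse_console(text):
    """Map each directive of the first Console { } block to the list of its values.
    Names are matched ignoring case/spaces (assumption); repeated directives accumulate."""
    body = re.search(r"Console\s*\{(.*?)\}", text, re.S).group(1)
    directives = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        values = next(csv.reader([value.strip()], skipinitialspace=True))
        directives.setdefault(key, []).extend(v.strip() for v in values)
    return directives

def is_yes(d, key, default):  # last occurrence of a yes/no directive wins (assumption)
    return d.get(key, [default])[-1].lower() == "yes"

def audit(d):
    """Finding tags from this page's rules; defaults per page (PSK yes, Verify Peer yes), absent TLS Require assumed no."""
    findings = []
    tls, psk = is_yes(d, "tlsenable", "no"), is_yes(d, "tlspskenable", "yes")
    if (tls or psk) and not is_yes(d, "tlsrequire", "no"):
        findings.append("plaintext-allowed")        # peers may connect without TLS/TLS-PSK
    if tls and is_yes(d, "tlsauthenticate", "no"):
        findings.append("unencrypted-after-auth")   # encryption is turned off after the handshake
    if tls and not is_yes(d, "tlsverifypeer", "yes"):
        findings.append("allowed-cn-unchecked")     # server context will not enforce TLS Allowed CN
    for acl in ("jobacl", "directoryacl", "useridacl"):
        if acl not in d:                            # no jobs reachable / no file restorable
            findings.append("missing:" + acl)
    if any(v.lower() == "all" for v in d.get("whereacl", [])):
        findings.append("where-any-path")           # the page calls WhereACL = all not very secure
    return findings
```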