Tree - source-git/amanda - CentOS Git server

source-git / amanda

Files

Commit: 23ab0312a6b51e987b2093c2b80821dd01057d1e
Blob Blame History Raw
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
                   "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd"
[
  <!-- entities files to use -->
  <!ENTITY % global_entities SYSTEM 'global.entities'>
  %global_entities;
]>

<refentry id='amanda-auth-ssl.7'>

<refmeta>
  <refentrytitle>amanda-auth-ssl</refentrytitle>
  <manvolnum>7</manvolnum>
&rmi.source;
&rmi.version;
&rmi.manual.7;
</refmeta>
<refnamediv>
  <refname>amanda-auth-ssl</refname>
  <refpurpose>SSL Communication/Authentication methods between Amanda server and client</refpurpose>
</refnamediv>
<refentryinfo>
  &author.jlm;
  &author.dustin;
  &author.pby;
</refentryinfo>

<!-- body begins here -->

<refsect1><title>DESCRIPTION</title>
<para>This authenticate method use ssl certificate to authenticate host,
all transfer over the network is encrypted.</para>
<para>Each amanda client/server must have its own certificate signed by
the amanda CA certificate.</para>

</refsect1>

<refsect1><title>COMPILATION AND GENERAL INFORMATION</title>
  <para>Amanda must be configure with --with-ssl-security</para>

</refsect1>

<refsect1><title>SERVER/CLIENT CONFIGURATION</title>

<para> In <emphasis remap='B'>amanda.conf</emphasis> and
<emphasis remap='B'>amanda-client.conf</emphasis>.</para>
<variablelist remap='TP'>
  <varlistentry>
    <term><option>ssl-dir</option></term>
<listitem><para>The directoty where amanda store all the certificates.
A good value is <emphasis remap='B'>~/amanda-ssl</emphasis>.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><option>ssl-check-certificate-host</option></term>
<listitem><para>Check the peer hostname match the certificate host name.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><option>ssl-check-fingerprint</option></term>
<listitem><para>Check the fingerprint of the certificate is the same as the fingerprint we already have for that host.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><option>ssl-check-host</option></term>
<listitem><para>Do the bsd check, dns name of peer IP is the hostname we connect to.</para></listitem>
  </varlistentry>
</variablelist>

</refsect1>

<refsect1><title>FILESYSTEM LAYOUT FOR CERTIFICATES</title>
<programlisting>
$SSL_DIR/CA/crt.pem                   # CA certificate that signed
                                        all certificates.
$SSL_DIR/CA/private/key.pem           # CA private key
                                        (on server only)
$SSL_DIR/me/crt.pem                   # public certificate of the host
$SSL_DIR/me/private/key.pem           # private key of the host
$SSL_DIR/me/fingerprint               # fingerprint of my certificate
$SSL_DIR/remote/HOSTNAME/fingerprint  # fingerprint of the HOSTNAME
                                        certificate
</programlisting>

<para>On the <emphasis remap='B'>HOSTNAME</emphasis> host,
<emphasis remap='B'>$SSL_DIR/remote/HOSTNAME</emphasis>
is a symbolic link to <emphasis remap='B'>../me</emphasis>.</para>

</refsect1>

<refsect1><title>PROGRAM TO HELP CONFIGURATION</title>
<para>The <emphasis remap='B'>amssl</emphasis> program is a tool to manage the certificate.</para>

</refsect1>

<seealso>
<manref name="amanda.conf" vol="5" />
<manref name="amanda-client.conf" vol="5" />
<manref name="disklist" vol="5" />
<manref name="amdump" vol="8" />
<manref name="amrecover" vol="8" />
<manref name="amssl" vol="8" />
<manref name="amanda-auth" vol="7" />
</seealso>


</refentry>
source-git / amanda

Source Code

Files
