Bacula-users

Re: [Bacula-users] Data Encryption - subjectKeyIdentifier extension?

2011-11-17 09:12:40
Subject: Re: [Bacula-users] Data Encryption - subjectKeyIdentifier extension?
From: Oliver Hoffmann <oh AT dom DOT de>
To: bacula-users AT lists.sourceforge DOT net
Date: Thu, 17 Nov 2011 15:10:51 +0100
> On 2011-11-17 09:18, Manuel Schleiffelder wrote:
> > On 2011-11-16 18:31, Oliver Hoffmann wrote:
> >> Hi list,
> > 
> >> after I set up TLS successfully, I tried to get data encryption 
> >> running.
> > 
> >> I started with the official documentation:
> > 
> >> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
> >
> >> ldd `which bacula-fd` shows:
> > 
> >> ... libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000) 
> >> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000) ...
> > 
> >> So, I made the master.cert and the pem file for the client (on
> >> the bacula server) and set the following in the FileDaemon stanza
> >> of the bacula-fd.conf:
> > 
> >> PKI Signatures = Yes            # Enable Data Signing
> >> PKI Encryption = Yes            # Enable Data Encryption
> >> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem" # Public and Private Keys
> >> PKI Master Key = "/etc/bacula/certs/PKI/master.cert"  # ONLY the Public Key
> > 
> >> Starting the bacula-fd gives me:
> > 
> >> * Starting Bacula File daemon...
> >> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
> >> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because: Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
> >> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
> >> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
> > 
> >> Then there follows a backtrace which ends with Kaboom!
> > 
> >> Neither was there anything useful (in terms of setting a
> >> subjectKeyIdentifier extension) to be found, nor a better
> >> bacula-PKI-howto.
> > 
> >> Could someone give me a hint?
> > 
> >> Thanks and greetings,
> > 
> >> Oliver
> > 
> > 
> > Hi Oliver,
> > 
> > basically this is what I do for PKI (as I assume TLS was already 
> > working); maybe AES-256 and 4096-bit RSA is overkill ... anyhow:
> > 
> 
> sorry, the lines got messed up; so again:
> 
> Generate a Master Key Pair with:
> --------------------------------
> 
> #> openssl genrsa -aes256 -out master.key 4096
> #> openssl req -new -key master.key -x509 -out master.cert
> 
> 
> Generate a File Daemon Key Pair for each FD:
> --------------------------------------------
> 
> 1. generate key:
> #> openssl genrsa -aes256 -out fd-example.key 4096
> 
> 2. self-sign certificate:
> #> openssl req -new -key fd-example.key -x509 -out fd-example.cert
> 
> 3. get rid of key-password (so bacula can read it!)
> #> openssl rsa -in fd-example.key -out fd-example.nopass.key
> 
> 4. copy key and cert to pem-file
> #> cat fd-example.nopass.key fd-example.cert >fd-example.pem
> 
> 
> 
> > 
> > did you get rid of the my-fd.key password?
> > 
> > manuel
> > 
> > 
> > ------------------------------------------------------------------------------
> > All the data continuously generated in your IT infrastructure
> > contains a definitive record of customers, application performance,
> > security threats, fraudulent activity, and more. Splunk takes this
> > data and makes sense of it. IT sense. And common sense.
> > http://p.sf.net/sfu/splunk-novd2d
> > _______________________________________________
> > Bacula-users mailing list
> > Bacula-users AT lists.sourceforge DOT net
> > https://lists.sourceforge.net/lists/listinfo/bacula-users

Thank you, that was very helpful! Now it works and I see where the
documentation is misleading. The step with getting rid of the password
isn't mentioned at all. Thus that was the mistake.

Cheers,

Oliver
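As an added example (not from this thread or from the Bacula project), the steps Manuel posted turned into a script that also performs the two checks this thread turns on: that the certificate carries a subjectKeyIdentifier and that the key in the PEM handed to bacula-fd is unencrypted. It assumes openssl is in PATH; file names follow the thread, while the passphrases and the work directory are constructed for the demo.

```shell
#!/bin/sh
# Run the key-generation steps from the thread, then verify the
# results before pointing bacula-fd at them. Assumes openssl is in PATH;
# passphrases and the temporary work directory are constructed for this
# demo. 2048-bit keys only keep the run short; the thread uses 4096.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Master key pair. The private key stays passphrase-protected and offline;
# only master.cert (the public half) is copied to the file daemons.
gen_master() {
  openssl genrsa -aes256 -passout "pass:$1" -out "$WORK/master.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/master.key" -passin "pass:$1" -x509 -days 3650 \
    -subj "/CN=bacula-master" -out "$WORK/master.cert" 2>/dev/null
}

# File daemon key pair: generate, self-sign, strip the passphrase (the step
# the manual omits; bacula-fd cannot prompt for one), bundle key + cert.
gen_fd() {
  openssl genrsa -aes256 -passout "pass:$2" -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -passin "pass:$2" -x509 -days 3650 \
    -subj "/CN=$1" -out "$WORK/$1.cert" 2>/dev/null
  openssl rsa -in "$WORK/$1.key" -passin "pass:$2" -out "$WORK/$1.nopass.key" 2>/dev/null
  cat "$WORK/$1.nopass.key" "$WORK/$1.cert" > "$WORK/$1.pem"
}

# Check 1: the certificate carries the subjectKeyIdentifier extension that
# crypto.c:462 reports as missing.
has_ski() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Key Identifier'
}

# Check 2: the private key in the file loads without any passphrase.
key_unencrypted() {
  ! grep -q ENCRYPTED "$1" && openssl rsa -in "$1" -noout -passin pass: 2>/dev/null
}

gen_master 'master-secret'
gen_fd fd-example 'fd-secret'
for f in master.cert fd-example.pem; do
  has_ski "$WORK/$f" && echo "$f: subjectKeyIdentifier present" || echo "$f: subjectKeyIdentifier MISSING"
done
key_unencrypted "$WORK/fd-example.pem" && echo "fd-example.pem: key unencrypted, usable as PKI Keypair"
key_unencrypted "$WORK/fd-example.key" || echo "fd-example.key: still encrypted, not usable as PKI Keypair"
```

The last line shows the failure mode from the thread: the original fd-example.key still carries its passphrase, so only the .pem built from the nopass key should be referenced by PKI Keypair.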