> On 2011-11-17 09:18, Manuel Schleiffelder wrote:
> > On 2011-11-16 18:31, Oliver Hoffmann wrote:
> >> Hi list,
> >
> >> after I set up TLS successfully, I tried to get data encryption
> >> running.
> >
> >> I started with the official documentation:
> >
> >> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
> >
> >> ldd `which bacula-fd` shows:
> >
> >> ... libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000)
> >> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000) ...
> >
> >> So, I made the master.cert and the pem file for the client (on
> >> the bacula server) and set the following in the FileDaemon stanza
> >> of the bacula-fd.conf:
> >
> >> PKI Signatures = Yes # Enable Data Signing
> >> PKI Encryption = Yes # Enable Data Encryption
> >> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem" # Public and Private Keys
> >> PKI Master Key = "/etc/bacula/certs/PKI/master.cert" # ONLY the Public Key
> >
> >> Starting the bacula-fd gives me:
> >
> >> * Starting Bacula File daemon...
> >> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
> >> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because: Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
> >> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
> >> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
> >
> >> Then there follows a backtrace which ends with Kaboom!
> >
> >> There was neither anything useful (in terms of setting a
> >> subjectKeyIdentifier extension) to be found, nor a better
> >> bacula-PKI-howto.
> >
> >> Could someone give me a hint?
> >
> >> Thanks and greetings,
> >
> >> Oliver
> >
> >
> > hi Oliver,
> >
> > basically this is what i do for PKI (as i assume TLS was already
> > working); maybe aes256 and 4096bit rsa is overkill ... anyhow:
> >
>
> sorry, the lines got messed up; so again:
>
> Generate a Master Key Pair with:
> --------------------------------
>
> #> openssl genrsa -aes256 -out master.key 4096
> #> openssl req -new -key master.key -x509 -out master.cert
>
>
> Generate a File Daemon Key Pair for each FD:
> --------------------------------------------
>
> 1. generate key:
> #> openssl genrsa -aes256 -out fd-example.key 4096
>
> 2. selfsign certificate:
> #> openssl req -new -key fd-example.key -x509 -out fd-example.cert
>
> 3. get rid of key-password (so bacula can read it!)
> #> openssl rsa -in fd-example.key -out fd-example.nopass.key
>
> 4. copy key and cert to pem-file
> #> cat fd-example.nopass.key fd-example.cert >fd-example.pem
>
>
>
> >
> > did you get rid of the my-fd.key password?
> >
> > manuel
> >
> >
> > ------------------------------------------------------------------------------
> >
> >
> All the data continuously generated in your IT infrastructure
> > contains a definitive record of customers, application performance,
> > security threats, fraudulent activity, and more. Splunk takes this
> > data and makes sense of it. IT sense. And common sense.
> > http://p.sf.net/sfu/splunk-novd2d
> > _______________________________________________ Bacula-users
> > mailing list Bacula-users AT lists.sourceforge DOT net
> > https://lists.sourceforge.net/lists/listinfo/bacula-users
Thank you, that was very helpful! Now it works and I see where the
documentation is misleading. The step with getting rid of the password
isn't mentioned at all. Thus that was the mistake.
Cheers,
Oliver
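
A pre-flight check for the combined PEM file that `PKI Keypair` points at, covering the two failures discussed in this thread (a key that is still passphrase-protected, and a certificate without subjectKeyIdentifier) before bacula-fd is restarted. This is an added example, not part of the original messages or of Bacula; the function name `check_fd_pem` and its return codes are assumptions, and it uses only the standard `openssl x509` and `openssl pkey` commands.

```shell
#!/bin/sh
# Added example: check the key+cert PEM before pointing "PKI Keypair" at it.
# check_fd_pem is a hypothetical helper name, not a Bacula tool.
# Return codes: 0 ok, 1 unreadable, 2 key still passphrase-protected,
# 3 no subjectKeyIdentifier, 4 key/cert mismatch, 5 permissions too open.
check_fd_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    # Encrypted keys are marked in the PEM header (PKCS#8 and traditional
    # format respectively); the daemon has no way to ask for the passphrase.
    if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$pem"; then
        echo "private key is still passphrase-protected" >&2; return 2
    fi

    # crypto.c:462 in the thread: the certificate must carry subjectKeyIdentifier.
    if ! openssl x509 -in "$pem" -noout -text 2>/dev/null |
            grep -q 'X509v3 Subject Key Identifier'; then
        echo "no certificate with subjectKeyIdentifier found" >&2; return 3
    fi

    # The private key and the certificate in the file must belong together.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 4
    fi

    # The key is stored without a passphrase, so only the owner may have access.
    perms=$(ls -ld "$pem" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "group/other can access $pem; restrict it to the owner" >&2; return 5
    fi
    return 0
}

# Run directly as: sh check_fd_pem.sh /etc/bacula/certs/PKI/my-fd.pem
if [ "$#" -gt 0 ]; then check_fd_pem "$1"; fi
```
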