Re: [Bacula-users] Data Encryption - subjectKeyIdentifier extension?
2011-11-17 03:20:48
On 2011-11-16 18:31, Oliver Hoffmann wrote:
> Hi list,
>
> after I set up TLS successfully, I tried to get data encryption
> running.
>
> I started with the official documentation:
>
> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
>
> ldd `which bacula-fd` shows:
>
> ...
> libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000)
> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000)
> ...
>
> So, I made the master.cert and the pem file for the client (on the
> bacula server) and set the following in the FileDaemon stanza of
> the bacula-fd.conf:
>
> PKI Signatures = Yes # Enable Data Signing
> PKI Encryption = Yes # Enable Data Encryption
> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem" # Public and Private Keys
> PKI Master Key = "/etc/bacula/certs/PKI/master.cert" # ONLY the Public Key
>
> Starting the bacula-fd gives me:
>
> * Starting Bacula File daemon...
> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because: Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
>
> Then there follows a backtrace which ends with Kaboom!
>
> There was neither anything useful (in terms of setting a
> subjectKeyIdentifier extension) to be found, nor a better
> bacula-PKI-howto.
>
> Could someone give me a hint?
>
> Thanks and greetings,
>
> Oliver
Hi Oliver,

Basically, this is what I do for PKI (as I assume TLS was already
working); maybe aes256 and 4096bit rsa is overkill ... anyhow:

Generate a Master Key Pair with:
> openssl genrsa -aes256 -out master.key 4096
> openssl req -new -key master.key -x509 -out master.cert

Generate a File Daemon Key Pair for each FD:
> openssl genrsa -aes256 -out fd-example.key 4096
> openssl req -new -key fd-example.key -x509 -out fd-example.cert
> openssl rsa -in fd-example.key -out fd-example.nopass.key
> cat fd-example.nopass.key fd-example.cert >fd-example.pem

Did you get rid of the my-fd.key password?

manuel
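
The error in the quoted log names a missing subjectKeyIdentifier extension. As an added example (not part of either message, and not Bacula's own tooling), this shell sketch builds an unencrypted File Daemon keypair whose self-signed certificate requests that extension explicitly, then checks the result. The function names, the generated `.cnf` file, the 2048-bit default and the 3650-day lifetime are assumptions; the `fd-example` file naming follows the reply above.

```shell
#!/bin/sh
# Added example: function names, the .cnf file, key size and lifetime are
# assumptions chosen for illustration, not values taken from the thread.

# has_ski FILE: succeed only if the first certificate in FILE carries the
# X509v3 subjectKeyIdentifier extension named in the bacula-fd error.
has_ski() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Key Identifier'
}

# make_fd_keypair DIR NAME [BITS]: write NAME.key, NAME.cert and NAME.pem
# (key followed by certificate) into DIR. Runs in a subshell so the
# restrictive umask does not leak into the caller.
make_fd_keypair() (
    dir=$1 name=$2 bits=${3:-2048}
    umask 077    # the .key and .pem files hold an unencrypted private key
    # Minimal config: the x509_extensions section is what puts the
    # subjectKeyIdentifier into the self-signed certificate.
    cat > "$dir/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = fd_ext
[ dn ]
CN = unused
[ fd_ext ]
subjectKeyIdentifier = hash
EOF
    # -nodes leaves the key without a passphrase, matching the
    # fd-example.nopass.key step in the reply.
    openssl req -new -x509 -newkey "rsa:$bits" -nodes -days 3650 \
        -config "$dir/$name.cnf" -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.cert" 2>/dev/null || exit 1
    cat "$dir/$name.key" "$dir/$name.cert" > "$dir/$name.pem"
    has_ski "$dir/$name.pem"    # exit status reports whether the extension is present
)

# Optional direct use: sh script.sh /some/dir fd-example
if [ "$#" -eq 2 ]; then
    make_fd_keypair "$1" "$2" && echo "$1/$2.pem: subjectKeyIdentifier present"
fi
```

`has_ski` can also be run on its own against an existing certificate or combined `.pem` file before pointing `PKI Keypair` or `PKI Master Key` at it.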