Bacula-users

Re: [Bacula-users] Data Encryption - subjectKeyIdentifier extension?

2011-11-17 03:41:10
Subject: Re: [Bacula-users] Data Encryption - subjectKeyIdentifier extension?
From: Manuel Schleiffelder <manuel.schleiffelder AT univie.ac DOT at>
To: bacula-users AT lists.sourceforge DOT net
Date: Thu, 17 Nov 2011 09:39:14 +0100

On 2011-11-17 09:18, Manuel Schleiffelder wrote:
> On 2011-11-16 18:31, Oliver Hoffmann wrote:
>> Hi list,
> 
>> after I set up TLS successfully, I tried to get data encryption 
>> running.
> 
>> I started with the official documentation:
> 
>> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
>
>> ldd `which bacula-fd` shows:
> 
>> ... libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000) 
>> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000) ...
> 
>> So, I made the master.cert and the pem file for the client (on
>> the bacula server) and set the following in the FileDaemon stanza
>> of the bacula-fd.conf:
> 
>> PKI Signatures = Yes            # Enable Data Signing
>> PKI Encryption = Yes            # Enable Data Encryption
>> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem"  # Public and Private Keys
>> PKI Master Key = "/etc/bacula/certs/PKI/master.cert"  # ONLY the Public Key
> 
>> Starting the bacula-fd gives me:
> 
>> * Starting Bacula File daemon...
>> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
>> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because: Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
>> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
>> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
> 
>> Then there follows a backtrace which ends with Kaboom!
> 
>> Neither was there anything useful (in terms of setting a
>> subjectKeyIdentifier extension) to be found, nor a better
>> bacula-PKI-howto.
> 
>> Could someone give me a hint?
> 
>> Thanks and greetings,
> 
>> Oliver
> 
> 
> hi Oliver,
> 
> basically this is what I do for PKI (as I assume TLS was already
> working); maybe aes256 and 4096-bit RSA is overkill ... anyhow:
> 

sorry, the lines got messed up; so again:

Generate a Master Key Pair with:
--------------------------------

#> openssl genrsa -aes256 -out master.key 4096
#> openssl req -new -key master.key -x509 -out master.cert


Generate a File Daemon Key Pair for each FD:
--------------------------------------------

1. generate key:
#> openssl genrsa -aes256 -out fd-example.key 4096

2. self-sign certificate:
#> openssl req -new -key fd-example.key -x509 -out fd-example.cert

3. get rid of the key password (so bacula can read it!)
#> openssl rsa -in fd-example.key -out fd-example.nopass.key

4. copy key and cert to pem-file
#> cat fd-example.nopass.key fd-example.cert >fd-example.pem



> 
> did you get rid of the my-fd.key password?
> 
> manuel
> 
> 

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
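An added check for the files that step 4 of Manuel's procedure hands to bacula-fd; this is example code, not something posted in the thread. It confirms that the key inside the .pem is no longer passphrase-protected and that the certificate carries the subjectKeyIdentifier extension that crypto.c:462 complains about, and it builds a demo key pair with a minimal openssl config that requests the extension explicitly rather than relying on whatever v3 section the distribution's openssl.cnf applies. It assumes openssl is on the PATH; the file names and the "demo" passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the files that step 4
# hands to bacula-fd. "PKI Keypair" must hold an unencrypted key and the
# certificate must carry the X509v3 subjectKeyIdentifier extension that
# crypto.c:462 complains about. Assumes openssl is on the PATH.

# Return 0 if the certificate in $1 (a .cert or a key+cert .pem) has a
# Subject Key Identifier; openssl x509 skips the key block in a bundle.
has_ski() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'X509v3 Subject Key Identifier'
}

# Return 0 if $1 still holds a passphrase-protected key (matches both
# "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY" headers).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Build a demo key pair the way the thread does, but with a minimal
# openssl config that requests subjectKeyIdentifier = hash explicitly,
# so the extension does not depend on the distribution's openssl.cnf.
# Prints the work directory. Names and the "demo" passphrase are
# placeholders; 2048 bits only to keep the demo fast.
make_demo_files() {
    wd=$(mktemp -d) || return 1
    cat >"$wd/fd.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = fd-example
[v3_fd]
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout pass:demo -out "$wd/fd.key" 2048 >/dev/null 2>&1 || return 1
    openssl rsa -in "$wd/fd.key" -passin pass:demo -out "$wd/fd.nopass.key" >/dev/null 2>&1 || return 1
    openssl req -new -x509 -key "$wd/fd.nopass.key" -config "$wd/fd.cnf" \
        -extensions v3_fd -days 365 -out "$wd/fd.cert" >/dev/null 2>&1 || return 1
    cat "$wd/fd.nopass.key" "$wd/fd.cert" >"$wd/fd.pem"
    echo "$wd"
}

# Verdict for a PEM bundle; returns 0 only if bacula-fd could use it.
check_pki_pem() {
    if key_is_encrypted "$1"; then echo "$1: key is still encrypted"; return 1; fi
    if ! has_ski "$1"; then echo "$1: no subjectKeyIdentifier extension"; return 1; fi
    echo "$1: ok"
}
```

Run `check_pki_pem /etc/bacula/certs/PKI/my-fd.pem` against a real bundle; the same `has_ski` check applies to master.cert, which only needs the certificate half.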