Begin forwarded message:
> From: Oliver Hoffmann <oh@...>
> Subject: Re: [Bacula-users] Data Encryption - subjectKeyIdentifier extension?
> Date: November 17, 2011 9:10:51 AM EST
> To: bacula-users@...
>
>> On 2011-11-17 09:18, Manuel Schleiffelder wrote:
>>> On 2011-11-16 18:31, Oliver Hoffmann wrote:
>>>> Hi list,
>>>
>>>> after I set up TLS successfully, I tried to get data encryption
>>>> running.
>>>
>>>> I started with the official documentation:
>>>
>>>> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
>>>
>>>> ldd `which bacula-fd` shows:
>>>
>>>> ... libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000)
>>>> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000) ...
>>>
>>>> So, I made the master.cert and the pem file for the client (on
>>>> the bacula server) and set the following in the FileDaemon stanza
>>>> of the bacula-fd.conf:
>>>
>>>> PKI Signatures = Yes                                    # Enable Data Signing
>>>> PKI Encryption = Yes                                    # Enable Data Encryption
>>>> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem"        # Public and Private Keys
>>>> PKI Master Key = "/etc/bacula/certs/PKI/master.cert"   # ONLY the Public Key
>>>
>>>> Starting the bacula-fd gives me:
>>>
>>>> * Starting Bacula File daemon...
>>>> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
>>>> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because: Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
>>>> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
>>>> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
>>>
>>>> Then there follows a backtrace which ends with Kaboom!
>>>
>>>> Neither was there anything useful (in terms of setting a
>>>> subjectKeyIdentifier extension) to be found, nor a better
>>>> bacula-PKI-howto.
>>>
>>>> Could someone give me a hint?
>>>
>>>> Thanks and greetings,
>>>
>>>> Oliver
>>>
>>>
>>> hi Oliver,
>>>
>>> basically this is what I do for PKI (as I assume TLS was already
>>> working); maybe aes256 and 4096bit rsa is overkill ... anyhow:
>>>
>>
>> sorry, the lines got messed up; so again:
>>
>> Generate a Master Key Pair with:
>> --------------------------------
>>
>> #> openssl genrsa -aes256 -out master.key 4096
>> #> openssl req -new -key master.key -x509 -out master.cert
>>
>>
>> Generate a File Daemon Key Pair for each FD:
>> --------------------------------------------
>>
>> 1. generate key:
>> #> openssl genrsa -aes256 -out fd-example.key 4096
>>
>> 2. selfsign certificate:
>> #> openssl req -new -key fd-example.key -x509 -out fd-example.cert
>>
>> 3. get rid of key-password (so bacula can read it!)
>> #> openssl rsa -in fd-example.key -out fd-example.nopass.key
>>
>> 4. copy key and cert to pem-file
>> #> cat fd-example.nopass.key fd-example.cert >fd-example.pem
>>
>>
>>
>>>
>>> did you get rid of the my-fd.key password?
>>>
>>> manuel
>>>
>>>
>>> ------------------------------------------------------------------------------
>>>
>>>
>>> All the data continuously generated in your IT infrastructure
>>> contains a definitive record of customers, application performance,
>>> security threats, fraudulent activity, and more. Splunk takes this
>>> data and makes sense of it. IT sense. And common sense.
>>> http://p.sf.net/sfu/splunk-novd2d
>>> _______________________________________________ Bacula-users
>>> mailing list Bacula-users@...
>>> https://lists.sourceforge.net/lists/listinfo/bacula-users
>
> Thank you, that was very helpful! Now it works and I see where the
> documentation is misleading. The step with getting rid of the password
> isn't mentioned at all. Thus that was the mistake.
>
> Cheers,
>
> Oliver
>
--
Dan Langille - http://langille.org
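As an added example (not part of this thread and not Bacula's own tooling), the shell script below turns Manuel's four steps into an unattended script and adds the check a practitioner would want before restarting bacula-fd: that the private key in the PEM file has no passphrase (the mistake Oliver found), that the certificate carries the subjectKeyIdentifier extension crypto.c complains about, and that key and certificate belong together. It only needs openssl and mktemp; the file names, the CN and the passphrase are constructed placeholders, and the request config written to fd-req.cnf is an assumption used to make the extension explicit instead of relying on the distro's default openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the thread: build a Bacula FD "PKI Keypair" PEM the
# way Manuel describes (self-signed cert + unencrypted key in one file) and
# verify it before pointing bacula-fd at it.  Only openssl and mktemp are
# needed; every file name, CN and passphrase below is a constructed
# placeholder.  The work directory is left in place for inspection.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal request config (an assumption, not Bacula's) so the self-signed
# certificate always carries the subjectKeyIdentifier extension that
# crypto.c:462 demands, independent of the distro's default openssl.cnf.
cat > "$WORK/fd-req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_fd
[ dn ]
CN = placeholder
[ v3_fd ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
EOF

# gen_cert BASENAME CN: self-signed cert + unencrypted key (-nodes), i.e.
# steps 1-3 of the thread in one go.  Writes $WORK/BASENAME.key and .cert.
gen_cert() {
    openssl req -x509 -config "$WORK/fd-req.cnf" -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.cert" 2>/dev/null
}

# build_fd_pem BASENAME CN: step 4 of the thread; prints the PEM path.
build_fd_pem() {
    gen_cert "$1" "$2"
    cat "$WORK/$1.key" "$WORK/$1.cert" > "$WORK/$1.pem"
    echo "$WORK/$1.pem"
}

# build_encrypted_pem BASENAME CN: the mistake from the thread, a PEM whose
# private key still has a passphrase (constructed one).  Prints the PEM path.
build_encrypted_pem() {
    gen_cert "$1" "$2"
    openssl rsa -in "$WORK/$1.key" -aes256 -passout pass:constructed-secret \
        -out "$WORK/$1.enc.key" 2>/dev/null
    cat "$WORK/$1.enc.key" "$WORK/$1.cert" > "$WORK/$1.pem"
    echo "$WORK/$1.pem"
}

# check_pem FILE: the three things bacula-fd needs from a PKI Keypair file.
# Returns 0 when all hold, 1 with a reason on stderr otherwise.
check_pem() {
    pem="$1"
    # 1. no passphrase on the key (traditional "Proc-Type: 4,ENCRYPTED"
    #    header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block)
    if grep -qE '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$pem"; then
        echo "$pem: private key is passphrase-protected; bacula-fd cannot read it" >&2
        return 1
    fi
    # 2. certificate carries subjectKeyIdentifier
    if ! openssl x509 -in "$pem" -noout -text 2>/dev/null \
            | grep -q 'X509v3 Subject Key Identifier'; then
        echo "$pem: certificate lacks the subjectKeyIdentifier extension" >&2
        return 1
    fi
    # 3. key and certificate belong together (same public key)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "$pem: private key does not match the certificate" >&2
        return 1
    fi
    return 0
}

# Demo: the good file passes, the passphrase-protected one is rejected.
good=$(build_fd_pem fd-example my-fd)
bad=$(build_encrypted_pem fd-broken my-fd)
check_pem "$good" && echo "$good: OK for PKI Keypair"
check_pem "$bad" || echo "$bad: rejected, as bacula-fd would"
```

To check a file that is already installed on a client, call check_pem with the PKI Keypair path from bacula-fd.conf; a non-zero return plus the message on stderr tells you which of the three conditions the file fails, which is more than the daemon's crash gives you.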