> On 2011-11-17 09:18, Manuel Schleiffelder wrote:
> > On 2011-11-16 18:31, Oliver Hoffmann wrote:
> >> Hi list,
> >>
> >> after I set up TLS successfully, I tried to get data encryption
> >> running.
> >>
> >> I started with the official documentation:
> >>
> >> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
> >>
> >> ldd `which bacula-fd` shows:
> >>
> >> ...
> >> libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000)
> >> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000)
> >> ...
> >>
> >> So, I made the master.cert and the pem file for the client (on
> >> the bacula server) and set the following in the FileDaemon stanza
> >> of the bacula-fd.conf:
> >>
> >> PKI Signatures = Yes    # Enable Data Signing
> >> PKI Encryption = Yes    # Enable Data Encryption
> >> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem"    # Public and Private Keys
> >> PKI Master Key = "/etc/bacula/certs/PKI/master.cert"    # ONLY the Public Key
> >>
> >> Starting the bacula-fd gives me:
> >>
> >> * Starting Bacula File daemon...
> >> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
> >> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because:
> >> Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
> >> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
> >> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
> >>
> >> Then there follows a backtrace which ends with Kaboom!
> >>
> >> Neither there was anything useful (in terms of setting a
> >> subjectKeyIdentifier extension) to be found, nor a better
> >> bacula-PKI-howto.
> >>
> >> Could someone give me a hint?
> >>
> >> Thanks and greetings,
> >>
> >> Oliver
> >
> > hi Oliver,
> >
> > basically this is what i do for PKI (as i assume TLS was already
> > working); maybe aes256 and 4096bit rsa is overkill ... anyhow:
>
> sorry, the lines got messed up; so again:
>
> Generate a Master Key Pair with:
> --------------------------------
>
> #> openssl genrsa -aes256 -out master.key 4096
> #> openssl req -new -key master.key -x509 -out master.cert
>
> Generate a File Daemon Key Pair for each FD:
> --------------------------------------------
>
> 1. generate key:
> #> openssl genrsa -aes256 -out fd-example.key 4096
>
> 2. selfsign certificate:
> #> openssl req -new -key fd-example.key -x509 -out fd-example.cert
>
> 3. get rid of key-password (so bacula can read it!)
> #> openssl rsa -in fd-example.key -out fd-example.nopass.key
>
> 4. copy key and cert to pem-file
> #> cat fd-example.nopass.key fd-example.cert >fd-example.pem
>
> > did you get rid of the my-fd.key password?
> >
> > manuel

Thank you, that was very helpful! Now it works and I see where the documentation is misleading. The step with getting rid of the password isn't mentioned at all. Thus that was the mistake.

Cheers,

Oliver
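
The two pitfalls discussed in this thread (a passphrase-protected key in the File Daemon's PEM file, and the subjectKeyIdentifier error) can be checked before starting bacula-fd. The script below is an added example, not part of the original thread or of Bacula; the function names are hypothetical, and it additionally checks file permissions because the key is stored without a passphrase.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM file named in "PKI Keypair".
# Function names are hypothetical; none of this ships with Bacula.

# 0 = passphrase-free private key present, 1 = key is encrypted, 2 = no key.
key_is_unencrypted() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 2
    # Traditional PEM marks encryption with a Proc-Type header;
    # PKCS#8 uses the label "ENCRYPTED PRIVATE KEY" instead.
    if grep -Eq -- 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        return 1
    fi
    return 0
}

# 0 if the first certificate in the file carries subjectKeyIdentifier,
# the extension named in the crypto.c error message.
cert_has_ski() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Key Identifier'
}

# 0 if only the owner has any permission bits on the file.
mode_is_owner_only() {
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks; print one line per problem, return 1 if any failed.
check_fd_pem() {
    rc=0
    key_is_unencrypted "$1" || { echo "FAIL: $1 has no passphrase-free private key"; rc=1; }
    cert_has_ski "$1" || { echo "FAIL: certificate in $1 lacks subjectKeyIdentifier"; rc=1; }
    mode_is_owner_only "$1" || { echo "FAIL: $1 is accessible to group/other"; rc=1; }
    return "$rc"
}

# Usage: sh check-fd-pem.sh /etc/bacula/certs/PKI/my-fd.pem
if [ "$#" -gt 0 ]; then
    check_fd_pem "$1"
fi
```

Run it against the combined PEM file after step 4 and before restarting the File Daemon; a non-zero exit status means at least one check failed.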