On 2011-11-16 18:31, Oliver Hoffmann wrote:
> Hi list,
>
> after I set up TLS successfully, I tried to get data encryption
> running.
>
> I started with the official documentation:
>
> http://www.bacula.org/en/dev-manual/main/main/Data_Encryption.html
>
> ldd `which bacula-fd` shows:
>
> ...
> libssl.so.0.9.8 => /lib/libssl.so.0.9.8 (0x00673000)
> libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8 (0x00c6f000)
> ...
>
> So, I made the master.cert and the pem file for the client (on the
> bacula server) and set the following in the FileDaemon stanza of
> the bacula-fd.conf:
>
> PKI Signatures = Yes                                  # Enable Data Signing
> PKI Encryption = Yes                                  # Enable Data Encryption
> PKI Keypair = "/etc/bacula/certs/PKI/my-fd.pem"       # Public and Private Keys
> PKI Master Key = "/etc/bacula/certs/PKI/master.cert"  # ONLY the Public Key
>
> Starting the bacula-fd gives me:
>
> * Starting Bacula File daemon...
> 16-Nov 17:49 my-fd JobId 0: Error: crypto.c:462 Provided certificate does not include the required subjectKeyIdentifier extension.
> 16-Nov 17:49 my-fd: Fatal Error at filed.c:415 because: Failed to load public certificate for File daemon "my-fd" in /etc/bacula/bacula-fd.conf.
> 16-Nov 17:49 d830-fd: ERROR in filed.c:221 Bitte die Konfigurationsdatei korrigieren: /etc/bacula/bacula-fd.conf
> *** glibc detected *** /usr/sbin/bacula-fd: double free or corruption (fasttop): 0x0908d1b8 ***
>
> Then there follows a backtrace which ends with Kaboom!
>
> Neither there was anything useful (in terms of setting a
> subjectKeyIdentifier extension) to be found, nor a better
> bacula-PKI-howto.
>
> Could someone give me a hint?
>
> Thanks and greetings,
>
> Oliver

Hi Oliver,

basically this is what I do for PKI (as I assume TLS was already working); maybe aes256 and 4096bit rsa is overkill ... anyhow:

Generate a Master Key Pair with:

    openssl genrsa -aes256 -out master.key 4096
    openssl req -new -key master.key -x509 -out master.cert

Generate a File Daemon Key Pair for each FD:

    openssl genrsa -aes256 -out fd-example.key 4096
    openssl req -new -key fd-example.key -x509 -out fd-example.cert
    openssl rsa -in fd-example.key -out fd-example.nopass.key
    cat fd-example.nopass.key fd-example.cert >fd-example.pem

Did you get rid of the my-fd.key password?

manuel

_______________________________________________
Bacula-users mailing list
https://lists.sourceforge.net/lists/listinfo/bacula-users
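
The File daemon error quoted in this thread is about a certificate without the subjectKeyIdentifier extension. The following is an added example, not part of either post and not Bacula's own tooling: it builds the FD keypair file with the extension set explicitly in a small request config instead of relying on the system openssl.cnf, and checks for the extension before the file is handed to bacula-fd. The function names, the v3_bacula section name and the file names are assumptions made for illustration; the key is written without a passphrase.

```shell
#!/bin/sh
# Added example: function names, section name and paths are illustrative.

# has_ski CERT
# Exit status 0 if the certificate carries an X509v3 Subject Key Identifier.
has_ski() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Key Identifier'
}

# make_fd_pem NAME DIR [BITS]
# Writes DIR/NAME.key, DIR/NAME.cert and DIR/NAME.pem (key followed by cert).
make_fd_pem() {
    name=$1; dir=$2; bits=${3:-4096}
    cnf="$dir/$name.cnf"

    # Request config that asks for subjectKeyIdentifier explicitly, so the
    # result does not depend on what the system-wide openssl.cnf contains.
    cat >"$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_bacula
prompt             = no
[dn]
CN = $name
[v3_bacula]
subjectKeyIdentifier = hash
EOF

    # Unencrypted private key, readable by the owner only.
    (umask 077; openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null) || return 1

    # Self-signed certificate carrying the extensions from [v3_bacula].
    openssl req -new -x509 -config "$cnf" -key "$dir/$name.key" \
        -days 3650 -out "$dir/$name.cert" || return 1

    # Refuse to build the combined file if the extension is missing.
    has_ski "$dir/$name.cert" || return 1

    (umask 077; cat "$dir/$name.key" "$dir/$name.cert" >"$dir/$name.pem")
}

# Usage (constructed names):
#   make_fd_pem my-fd /etc/bacula/certs/PKI
#   has_ski /etc/bacula/certs/PKI/master.cert && echo "master.cert ok"
```

Running has_ski against an existing master.cert or FD certificate shows whether it would trip the crypto.c check before the daemon is restarted.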
