Hello Community,
I'm attempting to configure AES256 data encryption using PKI and simultaneously
upgrade the data integrity signature from MD5 to SHA256. I am using Bacula
Community version 11.0.6 on CentOS 7. My Bacula Catalog uses a PL/SQL-based
(Oracle) database.
I have completed the generation and exchange of OpenSSL certificates
successfully, but the Bacula parser consistently throws a "Keyword not permitted
in this resource" error on the PKI directives. This suggests a syntax breakdown
that I cannot resolve.
Below, I detail the configuration and the errors encountered:
________________________________
1. ⚙️ Implemented Configuration Changes
I have modified two key files on the Director and File Daemon.
A. bacula-dir.conf (Director)
I added the PKI directives within their respective resources. The error is
reported on the line where I start using PkiDirectory in the Director resource.
Code snippet:
Director {
  Name = bacula-dir
  DIRport = 9101
  QueryFile = "[PATH]/query.sql"
  WorkingDirectory = "[PATH]/working"
  Password = "[DIR_PASSWORD]"
  Messages = Daemon
  PkiDirectory = /etc/bacula/ssl # <--- ERROR REPORTED HERE
  PkiMasterKey = /etc/bacula/ssl/master.keypair
}
Client {
  Name = [CLIENT]-fd
  Address = [CLIENT_IP]
  ...
  PkiDirectory = /etc/bacula/ssl
  PkiClient = /etc/bacula/ssl/client.pem
}
FileSet {
  Name = "MiFileSet"
  Include {
    Options {
      signature = SHA256 # Updated from MD5 to SHA256 for integrity check.
      compression = GZIP
    }
  }
}
B. bacula-fd.conf (File Daemon/Client)
I added the activation directives and key paths within the FileDaemon resource.
Code lines:
FileDaemon {
  Name = bacula-fd
  FDport = 9102
  WorkingDirectory = "[PATH]/working"
  Maximum Concurrent Jobs = 20
  PkiEnable = yes # <--- ERROR REPORTED HERE
  PkiCipher = AES256 # Intent: AES256 Encryption
  PkiDigest = SHA256
  PkiDirectory = /etc/bacula/ssl
  PkiCert = /etc/bacula/ssl/client.pem
  PkiKey = /etc/bacula/ssl/client.key
  PkiMasterKey = /etc/bacula/ssl/master.cert
}
________________________________
2. 🚨 Persistent Errors (Syntax Breakdown)
Both daemons fail to validate the configuration files. The error line shifts
when lines are added/removed, strongly indicating a parser breakdown of the
preceding configuration block.
Daemon: Director
Validation Command: bacula-dir -t -c bacula-dir.conf
Error (Reported): Config error: Keyword "PkiDirectory" not permitted in this resource. Perhaps you left the trailing brace off of the previous resource. : line 11, col 15

Daemon: File Daemon
Validation Command: bacula-fd -t -c bacula-fd.conf
Error (Reported): Config error: Keyword "PkiEnable" not permitted in this resource. Perhaps you left the trailing brace off of the previous resource. : line 21, col 12

Attempted Fixes:
* Confirmed file encoding is UTF-8 Unicode text (not CRLF/DOS format).
* Performed strict manual rewriting of the resources without comments or
empty lines to eliminate hidden characters, but the errors persist on the PKI
activation line.
Has anyone in the community experienced this extreme parser sensitivity on
version 11.0.6 with PKI directives, or do you see a subtle syntax error in the
order of directives within the Director and FileDaemon blocks?
Thank you very much in advance for any assistance.
_______________________________________________
Bacula-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bacula-users
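
Added example, not part of the original post and not Bacula's own code: a small checker that lists PKI keywords placed where the configuration parser rejects them, which is what the "not permitted in this resource" message reports. The keyword allowlist is an assumption recalled from the Bacula File Daemon documentation (verify it against your version); `lint_pki`, `norm` and the two sample snippets are constructed for illustration.

```python
import re
# Assumption: PKI keywords accepted in the File Daemon's own resource, as
# recalled from the Bacula FD documentation; verify against your version.
FD_PKI = {"pkisignatures", "pkiencryption", "pkikeypair", "pkisigner",
          "pkimasterkey", "pkicipher", "pkidigest"}
FD_RESOURCES = {"filedaemon", "client"}  # both names start the FD's own resource

def norm(keyword):
    """Bacula matches keywords ignoring case and embedded spaces."""
    return re.sub(r"\s+", "", keyword).lower()

def lint_pki(text, daemon):
    """Return (line, resource, keyword, reason) for each rejected PKI keyword.
    daemon is "dir" for bacula-dir.conf or "fd" for bacula-fd.conf."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.endswith("{"):
            stack.append(norm(line[:-1]))     # track nesting (Include, Options)
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line:
            key = norm(line.split("=", 1)[0])
            if not key.startswith("pki"):
                continue
            res = stack[0] if stack else "(none)"
            if daemon != "fd" or res not in FD_RESOURCES:
                findings.append((no, res, key, "PKI keywords are accepted only in the FD's FileDaemon resource"))
            elif key not in FD_PKI:
                findings.append((no, res, key, "not a known FD PKI keyword"))
    return findings

# Constructed samples, cut down from the configuration quoted in the post.
DIR_SAMPLE = """Director {
  Name = bacula-dir
  PkiDirectory = /etc/bacula/ssl
  PkiMasterKey = /etc/bacula/ssl/master.keypair
}
"""
FD_SAMPLE = """FileDaemon {
  Name = bacula-fd
  PkiEnable = yes
  PkiCipher = AES256
  PKI Keypair = /etc/bacula/ssl/client.pem
}
"""
if __name__ == "__main__":
    for finding in lint_pki(DIR_SAMPLE, "dir") + lint_pki(FD_SAMPLE, "fd"):
        print(finding)
```

The checker only reports placement and spelling of PKI keywords; `bacula-dir -t` and `bacula-fd -t` remain the authoritative validation.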