DKDM / Safeguard config.xml :?:

Guddu
Posts: 133
Joined: Wed Oct 04, 2017 4:49 am

DKDM / Safeguard config.xml :?:

Post by Guddu »

When I generate a DKDM, I get a message as in the image at http://prntscr.com/hw9t5v

So, if I were to generate a KDM using this DKDM on a different machine, then just copying over the DKDM won't suffice?

Do I have to copy the config.xml to the other machine too, or is the DKDM alone supposed to be enough for future KDM generation on any machine?
Guddu
Posts: 133
Joined: Wed Oct 04, 2017 4:49 am

Re: DKDM / Safeguard config.xml :?:

Post by Guddu »

I took the DKDM to another machine and the KDM generation with that DKDM fails with this error:

---------------------------
DCP-o-matic
---------------------------
Could not decrypt KDM (error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed) (256/33)
---------------------------
OK
---------------------------

How can I make it work between servers without breaking the setup on the new servers?
carl
Site Admin
Posts: 2550
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM / Safeguard config.xml :?:

Post by carl »

Copying the config.xml is the easiest way. A DKDM is encrypted and can only be decrypted by a private key held in config.xml. To use a DKDM on a different machine they need to use the same private key.
Carsten
Posts: 2806
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: DKDM / Safeguard config.xml :?:

Post by Carsten »

Each DKDM is only targeted towards a specific installation of DCP-o-matic. If you create a DKDM with DCP-o-matic's 'Make DKDM for DCP-o-matic', this DKDM will only work with this specific installation (even only with the currently logged-in user, as the config file and certificates/keys are user specific in a default installation).

In order to solve your issue, you have two choices - use the same certificates/keys or config file for both/all installations/users, or create a DKDM using DOM's 'Make KDM' dialog for your other workstations/users. You have to create a screen with your second workstation's certificate to do that.
A KDM and a DKDM are the same. It is called 'DKDM' when it is targeted at a mastering or KDM management tool, but technically, they are the same, so, another DOM installation can act as a cinema screen in the 'Make KDM' dialog.

It may appear a bit complicated to set up your servers as screens, exchange certificates, etc, but it is very helpful in understanding the whole encryption issue and also for testing workflows, as your own second DOM workstation can act as a test screen for your encrypted content. If there is something wrong, you can see it on your own system. Therefore I suggest you do that, and your knowledge on encryption, KDM and certificates will improve a lot. It did for me.

You can still exchange config file and cinema database in parallel.

I suggest that in DCP-o-matic or KDM creator, you set up a cinema <mycompany> with your local time zone. Then create screens named <myPC1>, <myPC2>,... or <myPC1_GUDDU>, and set them up with their local certificates. You can then exchange/'sync' the cinema database between all your installations so everyone has the same data (the location of the cinema database file could be on a network share).

Then each machine can create KDMs and DKDMs for every other installation or user, and you can try KDM creation, sending (email), decryption (player), etc all in your own little universe.

Keep in mind it is very important to create backups of your config files, certificates, and cinema database once you start working with encrypted DCPs!

- Carsten
Guddu
Posts: 133
Joined: Wed Oct 04, 2017 4:49 am

Re: DKDM / Safeguard config.xml :?:

Post by Guddu »

Carsten, thanks for the response, but I have hit an issue again. This is what I did.

Infrastructure : Server A and Server B

DCP was generated on Server A.

I copied the config.xml from Server A to Server B.

The DKDM generated on Server A is now supposed to work for creating KDMs for cinemas with the KDM Creator tool on Server B... Only that it doesn't.

I get the same error.

---------------------------
DCP-o-matic
---------------------------
Could not decrypt KDM (error:0407A079:rsa routines:RSA_padding_check_PKCS1_OAEP:oaep decoding error)
---------------------------
OK
---------------------------

Appreciate your help. We are releasing this movie on Thursday and unfortunately I will not have Server A starting later today as it was a rental and we cannot have it beyond today.
Guddu
Posts: 133
Joined: Wed Oct 04, 2017 4:49 am

Re: DKDM / Safeguard config.xml :?:

Post by Guddu »

I also noticed that the config.xml and cinemas.xml are getting overwritten each time I start the KDM Generation tool. This is on 2.10.5. I will now install the latest test version and see if that makes any difference.
carl
Site Admin
Posts: 2550
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM / Safeguard config.xml :?:

Post by carl »

Are you copying config.xml onto server B with the KDM generation tool closed?

I wouldn't go into the test versions as you'll probably get a whole new set of problems! :)
carl
Site Admin
Posts: 2550
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM / Safeguard config.xml :?:

Post by carl »

Make sure you've got a safe copy of the config.xml from Server A before you give it back!
Guddu
Posts: 133
Joined: Wed Oct 04, 2017 4:49 am

Re: DKDM / Safeguard config.xml :?:

Post by Guddu »

Yes. The KDM Tool was closed. I copied the config.xml over and then started the KDM tool.

Server B in this case has Windows XP and the directory where I had to copy the config.xml was

C:\Documents and Settings\Guddu\Local Settings\Application Data\dcpomatic2
carl
Site Admin
Posts: 2550
Joined: Thu Nov 14, 2013 2:53 pm

Re: DKDM / Safeguard config.xml :?:

Post by carl »

Go to Preferences -> Keys on Server A and Server B. Are the thumbprints the same under "Decrypting KDMs"?
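
Added example (not part of the thread and not DCP-o-matic code): a small Python check of which certificate a DKDM is addressed to, so it can be compared with a machine's decryption certificate before KDM creation fails with the padding error above. It assumes the SMPTE KDM recipient element names (matched by local name), a constructed sample with made-up values, and that the local certificate's serial and issuer were read separately, for example with `openssl x509 -noout -serial -issuer`, which prints the serial in hex while the KDM stores it in decimal.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the recipient part of a KDM/DKDM, with made-up values.
SAMPLE_DKDM = """<DCinemaSecurityMessage xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <AuthenticatedPublic><RequiredExtensions>
  <KDMRequiredExtensions xmlns="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
   <Recipient>
    <X509IssuerSerial>
     <ds:X509IssuerName>dnQualifier=AAAAexampleIssuer+AAAAAAAAAA=,CN=.example.intermediate,OU=example.org,O=example.org</ds:X509IssuerName>
     <ds:X509SerialNumber>4660</ds:X509SerialNumber>
    </X509IssuerSerial>
    <X509SubjectName>dnQualifier=BBBBexampleLeafBBBBBBBBBBBB=,CN=CS.example.leaf,OU=example.org,O=example.org</X509SubjectName>
   </Recipient>
  </KDMRequiredExtensions>
 </RequiredExtensions></AuthenticatedPublic>
</DCinemaSecurityMessage>"""

def _find(elem, name):
    """First descendant whose tag matches `name`, ignoring the XML namespace."""
    for e in elem.iter():
        if e.tag.rsplit('}', 1)[-1] == name:
            return e
    raise ValueError(f"no <{name}> element found")

def _dn(text):
    """Normalise a DN so component order, spacing and backslash escapes don't matter."""
    parts = (p.split('=', 1) for p in text.replace('\\', '').split(',') if '=' in p)
    return frozenset((k.strip().lower(), v.strip()) for k, v in parts)

def kdm_recipient(xml_text):
    """Return issuer, serial (int) and subject of the certificate the KDM targets."""
    rcpt = _find(ET.fromstring(xml_text), 'Recipient')
    return {
        'issuer': _find(rcpt, 'X509IssuerName').text.strip(),
        'serial': int(_find(rcpt, 'X509SerialNumber').text),   # decimal in the KDM
        'subject': _find(rcpt, 'X509SubjectName').text.strip(),
    }

def kdm_targets_cert(xml_text, cert_serial_hex, cert_issuer):
    """True if the KDM is addressed to the certificate with this hex serial and issuer."""
    r = kdm_recipient(xml_text)
    return (r['serial'] == int(cert_serial_hex, 16)
            and _dn(r['issuer']) == _dn(cert_issuer))

if __name__ == "__main__":
    print(kdm_recipient(SAMPLE_DKDM))
```

A `False` result for the machine's own leaf certificate means the private key in that machine's config.xml is not the one the DKDM was encrypted for.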