I'm looking at removing at least the NSS password, but removing both the NSS and 389
passwords would be better.
Actually, PKI prompts for the password, but I don't see the prompt because of
systemd.
To reproduce:
systemctl stop pki-tomcatd@pki-tomcat.service
sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf
systemctl start pki-tomcatd@pki-tomcat.service
/var/log/messages:
Aug 26 21:37:33 srv333 server[8889]: Enter password for Internal Key Storage Token
/var/log/pki/pki-tomcat/ca/debug:
[26/Aug/2015:21:37:52][localhost-startStop-1]: Got token Internal Key Storage Token by name
[26/Aug/2015:21:37:52][localhost-startStop-1]: SigningUnit init: debug
org.mozilla.jss.util.IncorrectPasswordException
Invalid Password
at com.netscape.ca.SigningUnit.init(SigningUnit.java:192)
at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)
at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)
at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)
at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[26/Aug/2015:21:37:52][localhost-startStop-1]: CMSEngine.shutdown()
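A small triage script, added here and not part of the thread, that recognises the failure signature above from the journal line, the CA debug log and password.conf; it reports which token entries exist without exposing their values. The sample inputs are constructed from the excerpts in this message, and the placeholder password values are assumptions.

```python
import re
from typing import Dict, List

# Log signatures copied from the excerpts in the thread.
PROMPT_RE = re.compile(r"Enter password for (.+)$")
TOKEN_RE = re.compile(r"Got token (.+?) by name")
BAD_PW = "org.mozilla.jss.util.IncorrectPasswordException"

def parse_password_conf(text: str) -> Dict[str, bool]:
    """Map each token name in password.conf to whether it has a non-empty
    value. The values themselves are deliberately not returned."""
    entries: Dict[str, bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = bool(value.strip())
    return entries

def diagnose(messages_log: str, debug_log: str, password_conf: str) -> List[str]:
    """Explain a failed pki-tomcatd start from the three inputs the thread cites."""
    findings: List[str] = []
    for line in messages_log.splitlines():
        m = PROMPT_RE.search(line)
        if m:
            findings.append(f"prompt for '{m.group(1).strip()}' went to the journal: "
                            "under systemd there is no tty to answer it")
    if BAD_PW in debug_log:
        t = TOKEN_RE.search(debug_log)
        token = t.group(1) if t else "unknown token"
        findings.append(f"SigningUnit init failed: IncorrectPasswordException for '{token}'")
    if not parse_password_conf(password_conf).get("internal", False):
        findings.append("password.conf has no usable 'internal=' entry for the NSS DB")
    return findings

# Constructed sample inputs modelled on the thread's log excerpts.
MESSAGES = "Aug 26 21:37:33 srv333 server[8889]: Enter password for Internal Key Storage Token\n"
DEBUG = ("[26/Aug/2015:21:37:52][localhost-startStop-1]: Got token Internal Key Storage Token by name\n"
         "[26/Aug/2015:21:37:52][localhost-startStop-1]: SigningUnit init: debug "
         "org.mozilla.jss.util.IncorrectPasswordException\nInvalid Password\n")
# 'internal=' deleted, as the sed command in the thread does; other values are placeholders.
CONF = "internaldb=placeholder-not-a-real-password\nreplicationdb=placeholder-not-a-real-password\n"

if __name__ == "__main__":
    for finding in diagnose(MESSAGES, DEBUG, CONF):
        print("-", finding)
```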
On Wed, Aug 26, 2015 at 8:09 PM, Dave Sirrine <dsirrine(a)redhat.com> wrote:
Aleksey,
Did removing the password from the file not cause the system to prompt you
for the password at startup? Also, are you looking at doing both NSS and
389 passwords?
-- David
On Aug 26, 2015 5:58 AM, "Aleksey Chudov" <aleksey.chudov(a)gmail.com> wrote:
> Hi,
>
> The password.conf file stores system passwords in plaintext, and I
> prefer to enter system passwords manually and to remove the password file.
>
> I have found the original documentation
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/....
> But it is for an older version of PKI and does not work with systemd.
>
> How do I set up the PKI CA to ask for the NSS DB password at startup?
>
> Package versions (I have rebuilt F22 packages for CentOS 7):
> # rpm -qa | grep pki
> pki-base-10.2.5-1.el7.centos.noarch
> pki-server-10.2.5-1.el7.centos.noarch
> dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
> pki-ca-10.2.5-1.el7.centos.noarch
> pki-tools-10.2.5-1.el7.centos.x86_64
> dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch
>
> Aleksey
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>