3:47 p.m.
Aleksey,
Thanks for the instruction.
Would you be willing to file a PKI TRAC Ticket on this:
* https://fedorahosted.org/pki/newticket
In general, we triage these tickets on a weekly basis, and assign it to
an appropriate release.
For this specific ticket, although an actual fix may be a ways off, we
generally try to get this type of information documented as a workaround
in the near term.
Thanks,
-- Matt
On 09/02/15 02:43, Aleksey Chudov wrote:
Below is quick instruction of how to run
pki-tomcatd-nuxwdog(a)pki-tomcat.service as pkiuser:pkiuser in case it
will be useful for someone
systemctl stop pki-tomcatd-nuxwdog(a)pki-tomcat.service
groupadd -r systemd-ask-password
usermod -a -G systemd-ask-password pkiuser
echo "d /run/systemd/ask-password 0775 root systemd-ask-password -" >
/etc/tmpfiles.d/systemd-ask-password.conf
/usr/bin/systemd-tmpfiles --create systemd-ask-password.conf
mkdir /etc/systemd/system/pki-tomcatd-nuxwdog@.service.d/
cat << EOF >
/etc/systemd/system/pki-tomcatd-nuxwdog@.service.d/override.conf
[Service]
User=pkiuser
Group=pkiuser
EOF
systemctl daemon-reload
find /var/lib/pki/ /var/log/pki/ /etc/pki/pki-*/ -exec chown
pkiuser:pkiuser {} +
systemctl start pki-tomcatd-nuxwdog(a)pki-tomcat.service
On Wed, Sep 2, 2015 at 11:05 AM, Aleksey Chudov
<aleksey.chudov(a)gmail.com <mailto:aleksey.chudov@gmail.com>> wrote:
One big difference in starting PKI under nuxwdog control is that
pki-tomcatd(a)pki-tomcat.service starts PKI as pkiuser:pkiuser but
pki-tomcatd-nuxwdog(a)pki-tomcat.service starts PKI as root:root.
Running PKI as root user is bad idea.
On Thu, Aug 27, 2015 at 2:33 PM, Aleksey Chudov
<aleksey.chudov(a)gmail.com <mailto:aleksey.chudov@gmail.com>> wrote:
To begin with I have updated to version 10.2.6 from F22
testing to get pki-server man pages.
Enabling nuxwdog solves the problem. Thank you!
On Wed, Aug 26, 2015 at 10:06 PM, Ade Lee <alee(a)redhat.com
<mailto:alee@redhat.com>> wrote:
Aleksey,
password prompting in CS 8.1 worked because of a utility
program called nuxwdog which would prompt for passwords.
We have done some work to get nuxwdog working with the
latest Dogtag code, but there is some setup required.
Fortunately, all that setup has been encapsulated in the
pki-server utility.
For details, man pki-server , man pki-server-instance and
man pki-server-nuxwdog.
The specific command would be:
pki-server instance-nuxwdog-enable <instance_id ie.
pki-tomcat>
You should then be prompted for the passwords, and can
remove your password.conf file.
Ade
On Wed, 2015-08-26 at 21:49 +0300, Aleksey Chudov wrote:
> I'm looking at removing at least nss password but both
> nss and 389 passwords will be better.
>
> Actually PKI prompts for password but I don't see the
> prompt because of systemd.
>
> To reproduce
>
> systemctl stop pki-tomcatd(a)pki-tomcat.service
> sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf
> systemctl start pki-tomcatd(a)pki-tomcat.service
>
> /var/log/messages
> Aug 26 21:37:33 srv333 server[8889]: Enter password for
> Internal Key Storage Token
>
> /var/log/pki/pki-tomcat/ca/debug
> [26/Aug/2015:21:37:52][localhost-startStop-1]: Got token
> Internal Key Storage Token by name
> [26/Aug/2015:21:37:52][localhost-startStop-1]:
> SigningUnit init: debug
> org.mozilla.jss.util.IncorrectPasswordException
> Invalid Password
> at
> com.netscape.ca.SigningUnit.init(SigningUnit.java:192)
> at
>
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)
> at
> com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)
> at
> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
> at
> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
> at
> com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)
> at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
> at
>
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> at
> javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
>
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at
>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
> at
> java.security.AccessController.doPrivileged(Native Method)
> at
> javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
> at
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at
>
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
> at
>
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
> at
>
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
> at
>
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
> at
> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
> at
>
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
> at
>
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at
>
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> at
>
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at
>
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at
>
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at
> java.security.AccessController.doPrivileged(Native Method)
> at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
> at
>
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
> at
>
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> at
> java.util.concurrent.FutureTask.run(FutureTask.java:262)
> at
>
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at
>
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> [26/Aug/2015:21:37:52][localhost-startStop-1]:
> CMSEngine.shutdown()
>
>
> On Wed, Aug 26, 2015 at 8:09 PM, Dave Sirrine
> <dsirrine(a)redhat.com <mailto:dsirrine@redhat.com>> wrote:
>>
>> Aleksey,
>>
>> Did removing the password from the file not cause the
>> system to prompt you for the password at startup. Also,
>> are you looking at doing both nss and 389 passwords?
>>
>> -- David
>>
>> On Aug 26, 2015 5:58 AM, "Aleksey Chudov"
>> <aleksey.chudov(a)gmail.com
>> <mailto:aleksey.chudov@gmail.com>> wrote:
>>> Hi,
>>>
>>> The |password.conf| file stores system passwords in
>>> plaintext, and I prefer to enter system passwords
>>> manually and to remove the password file.
>>>
>>> I have found original documentation
>>>
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/....
>>> But it is for older version on PKI and does not work
>>> with systemd.
>>>
>>> How to setup PKI CA to ask for NSS DB password at startup?
>>>
>>> Packages versions (I have rebuilt F22 packages for
>>> CentOS 7):
>>> # rpm -qa | grep pki
>>> pki-base-10.2.5-1.el7.centos.noarch
>>> pki-server-10.2.5-1.el7.centos.noarch
>>> dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
>>> pki-ca-10.2.5-1.el7.centos.noarch
>>> pki-tools-10.2.5-1.el7.centos.x86_64
>>> dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch
>>>
>>> Aleksey
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com <mailto:Pki-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users