pki-server-nuxwdog(8)       PKI Nuxwdog Management Commands       pki-server-nuxwdog(8)

NAME
       pki-server-nuxwdog - Command-Line Interface for enabling CS instances
       to start using nuxwdog.

SYNOPSIS
       pki-server [CLI options] nuxwdog
       pki-server [CLI options] nuxwdog-enable
       pki-server [CLI options] nuxwdog-disable

DESCRIPTION
       When a Certificate System (CS) instance starts, it reads a plain text
       configuration file (/etc/pki/<instance_name>/password.conf) to obtain
       passwords needed to initialize the server. This could include passwords
       needed to access server keys in hardware or software cryptographic
       modules, or passwords to establish database connections.

       While this file is protected by file and SELinux permissions, it is
       even more secure to remove this file entirely, and have the server
       prompt for these passwords on startup. This means of course that it
       will not be possible to start the CS instance unattended, including on
       server reboots.

       nuxwdog is a daemon that will launch the CS instance and prompt the
       administrator for the relevant passwords. These passwords will be
       cached securely in the kernel keyring. If the CS instance crashes
       unexpectedly, nuxwdog will attempt to restart the instance using the
       cached passwords.

       CS instances need to be reconfigured to use nuxwdog to start. Not only
       are changes required in instance configuration files, but instances
       need to use a different systemd unit file to start. See details in the
       OPERATIONS section.

       pki-server nuxwdog commands provide a mechanism to reconfigure
       instances to either start or not start with nuxwdog.

       pki-server [CLI options] nuxwdog
              This command lists the available nuxwdog commands.

       pki-server [CLI options] nuxwdog-enable
              This command reconfigures ALL local CS instances to start
              using nuxwdog. To reconfigure a particular CS instance only, use
              pki-server instance-nuxwdog-enable.

       pki-server [CLI options] nuxwdog-disable
              This command reconfigures ALL local CS instances to start
              without using nuxwdog. To reconfigure a particular CS instance
              only, use pki-server instance-nuxwdog-disable. Once this
              operation is complete, instances will need to read a
              password.conf file in order to start up.

OPTIONS
       The CLI options are described in pki-server(8).

OPERATIONS
       Configuring a CS instance to start using nuxwdog requires changes to
       instance configuration files such as server.xml. These changes are
       performed by pki-server.

       Once a subsystem has been converted to using nuxwdog, the password.conf
       file is no longer needed. It can be removed from the filesystem. Be
       sure, of course, to note all passwords contained therein - some of
       which may be randomly generated during the install.

       Note: If a subsystem stores any of its system certificates in a
       cryptographic token other than the internal NSS database, it will have
       entries in password.conf that look like hardware-TOKEN_NAME=password.
       In this case, an additional parameter must be added to CS.cfg.

              cms.tokenList=TOKEN_NAME

       When this parameter is added, nuxwdog will prompt for the password for
       hardware-TOKEN_NAME in addition to the other passwords.
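
       The following is an added example, not part of this man page or of
       the pki-server tool: a pre-removal check that lists the password.conf
       entries an administrator must record and verifies that every
       hardware-TOKEN_NAME entry has a matching cms.tokenList line in CS.cfg.
       The file contents and the token name NHSM6000 are constructed
       assumptions.

```sh
#!/bin/sh
# Added example, not part of the pki-server man page or the pki project.
# Before removing password.conf from an instance converted to nuxwdog,
# list the entries whose passwords must be recorded and check that every
# hardware-TOKEN_NAME entry has a matching cms.tokenList line in CS.cfg.
# All file contents below are constructed sample data, not real files.
# Constructed password.conf body (key=password lines, as described above).
SAMPLE_PASSWORD_CONF='internal=constructed-internal-pw
internaldb=constructed-db-pw
hardware-NHSM6000=constructed-token-pw'
# Constructed CS.cfg fragment that still lacks cms.tokenList.
SAMPLE_CS_CFG='cs.type=CA'

# Print the keys (never the password values) found in a password.conf body.
password_conf_keys() {
    printf '%s\n' "$1" | sed -n 's/^\([^#=][^=]*\)=.*/\1/p'
}
# Print the token names from hardware-<TOKEN_NAME>=... entries.
hardware_tokens() {
    printf '%s\n' "$1" | sed -n 's/^hardware-\([^=][^=]*\)=.*/\1/p'
}
# Succeed when the CS.cfg body ($1) carries cms.tokenList for token $2.
cs_cfg_has_token() {
    printf '%s\n' "$1" | grep -qx "cms.tokenList=$2"
}
# Report readiness for one instance: $1 = password.conf body, $2 = CS.cfg
# body. Returns 0 when every hardware token is listed in CS.cfg, else 1.
nuxwdog_readiness() {
    rc=0
    echo "password.conf entries to record before removing the file:"
    password_conf_keys "$1" | sed 's/^/  /'
    for tok in $(hardware_tokens "$1"); do
        if cs_cfg_has_token "$2" "$tok"; then
            echo "CS.cfg: cms.tokenList=$tok present"
        else
            echo "CS.cfg: missing required line: cms.tokenList=$tok"
            rc=1
        fi
    done
    return $rc
}

if nuxwdog_readiness "$SAMPLE_PASSWORD_CONF" "$SAMPLE_CS_CFG"; then
    echo "instance ready to start under nuxwdog without password.conf"
else
    echo "add the missing cms.tokenList line before removing password.conf"
fi
```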

       An instance that is started by nuxwdog is started by a different
       systemd unit file (pki-tomcatd-nuxwdog). Therefore, to start, stop or
       restart such an instance, use the following:

              systemctl start/stop/restart pki-tomcatd-nuxwdog@<instance_id>.service

       If the CS instance is converted back to not using nuxwdog to start,
       then the usual systemd unit scripts can be invoked:

              systemctl start/stop/restart pki-tomcatd@<instance_id>.service

       All pki-server commands must be executed as the system administrator.

AUTHORS
       Ade Lee <alee@redhat.com>

COPYRIGHT
       Copyright (c) 2015 Red Hat, Inc. This is licensed under the GNU General
       Public License, version 2 (GPLv2). A copy of this license is available
       at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

version 10.2                      July 15, 2015                pki-server-nuxwdog(8)