pki-server-nuxwdog(8)          PKI Nuxwdog Management Commands          pki-server-nuxwdog(8)

NAME
pki-server-nuxwdog - Command-line interface for enabling PKI server instances to start using nuxwdog.

SYNOPSIS
pki-server [CLI-options] nuxwdog
pki-server [CLI-options] nuxwdog-enable
pki-server [CLI-options] nuxwdog-disable

DESCRIPTION
When a PKI server instance starts, it reads a plain text configuration file (e.g. /etc/pki/instance_name/password.conf) to obtain the passwords needed to initialize the server. These can include passwords needed to access server keys in hardware or software cryptographic modules, or passwords to establish database connections.

While this file is protected by file and SELinux permissions, it is even more secure to remove the file entirely and have the server prompt for these passwords on startup. This means, of course, that it will not be possible to start the PKI server instance unattended, including on server reboots.

nuxwdog is a mechanism to start a PKI server without storing passwords in a file (i.e. password.conf); instead, it prompts the administrator for the relevant passwords. These passwords are cached securely in the kernel keyring. If the CS instance crashes unexpectedly, systemd will attempt to restart the instance using the cached passwords.

PKI server instances need to be reconfigured to use nuxwdog to start. Not only are changes required in instance configuration files, but instances need to use a different systemd unit file to start. See details in the OPERATIONS section.

The pki-server nuxwdog commands provide a mechanism to reconfigure instances to either start or not start with nuxwdog.

pki-server [CLI-options] nuxwdog
    This command lists the available nuxwdog commands.

pki-server [CLI-options] nuxwdog-enable
    This command reconfigures ALL local PKI server instances to start using nuxwdog.
    To reconfigure a particular PKI server instance only, use pki-server instance-nuxwdog-enable.

pki-server [CLI-options] nuxwdog-disable
    This command reconfigures ALL local PKI server instances to start without using nuxwdog.
    To reconfigure a particular PKI server instance only, use pki-server instance-nuxwdog-disable.
    Once this operation is complete, instances will again need to read a password.conf file in order to start up.

OPTIONS
The CLI options are described in pki-server(8).

OPERATIONS
Configuring a PKI server instance to start using nuxwdog requires changes to instance configuration files such as server.xml. These changes are performed by pki-server.

Once a subsystem has been converted to using nuxwdog, the password.conf file is no longer needed and can be removed from the filesystem. Be sure, of course, to note all passwords contained therein first; some of them may have been randomly generated during the install.

Note: If a subsystem stores any of its system certificates in a cryptographic token other than the internal NSS database, it will have entries in password.conf that look like hardware-TOKEN_NAME=password. In this case, an additional parameter must be added to CS.cfg:

cms.tokenList=TOKEN_NAME

When this parameter is added, nuxwdog will prompt for the password for hardware-TOKEN_NAME in addition to the other passwords.

An instance that is started by nuxwdog is started by a different systemd unit file (pki-tomcatd-nuxwdog). Therefore, to start, stop or restart such an instance, use the following:

$ systemctl <start/stop/restart> pki-tomcatd-nuxwdog@<instance_id>.service

If the PKI server instance is converted back to not using nuxwdog to start, then the usual systemd unit can be invoked:

$ systemctl <start/stop/restart> pki-tomcatd@<instance_id>.service

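The following shell helpers are an added example and are not part of this man page or of the PKI project's own code. They cover the pre-flight steps the OPERATIONS section describes around pki-server nuxwdog-enable: listing the entries of password.conf by name (without their values) so every password is recorded before the file is removed, deriving the cms.tokenList line that CS.cfg needs when hardware-TOKEN_NAME entries are present, and naming the correct systemd unit for an instance. The function names, the constructed sample files and the comma-separated form of cms.tokenList for several tokens are assumptions; the page itself only shows the single-token form cms.tokenList=TOKEN_NAME.

```shell
#!/bin/sh
# Added example, not part of the pki-server man page or the PKI project.
# Helpers for the steps around 'pki-server nuxwdog-enable', based only on
# the file formats named on the page: password.conf entries such as
# hardware-TOKEN_NAME=password and the CS.cfg parameter cms.tokenList.
# Assumptions: function names, the constructed sample files below, and the
# comma-separated cms.tokenList form used when several tokens are present.

# List the entry names in a password.conf file WITHOUT their values, so an
# administrator can confirm every password has been recorded elsewhere before
# the file is deleted. Comment lines and lines without '=' are skipped.
password_conf_entry_names() {
    sed -n 's/^[[:space:]]*\([^#=][^=]*\)=.*/\1/p' "$1"
}

# Extract TOKEN_NAME from every hardware-TOKEN_NAME entry. Any such entry means
# the instance keeps system certificates in a token other than the internal
# NSS database, so cms.tokenList must be added to CS.cfg.
hardware_tokens() {
    sed -n 's/^[[:space:]]*hardware-\([^=]*\)=.*/\1/p' "$1"
}

# Build the CS.cfg line to add. Prints nothing when only the internal NSS
# database is used (no hardware-* entries), since no parameter is needed then.
cms_token_list_line() {
    cfg_tokens=$(hardware_tokens "$1" | tr '\n' ',' | sed 's/,$//')
    if [ -n "$cfg_tokens" ]; then
        printf 'cms.tokenList=%s\n' "$cfg_tokens"
    fi
}

# The systemd unit that manages an instance: pki-tomcatd-nuxwdog@ once the
# instance is converted to nuxwdog, the usual pki-tomcatd@ otherwise.
instance_unit() {
    # $1 = instance id (e.g. pki-tomcat), $2 = "nuxwdog" or anything else
    if [ "$2" = "nuxwdog" ]; then
        printf 'pki-tomcatd-nuxwdog@%s.service\n' "$1"
    else
        printf 'pki-tomcatd@%s.service\n' "$1"
    fi
}

# Constructed sample password.conf files (placeholder values, not real
# passwords): one instance with a single external token, one with two.
SAMPLE_ONE_TOKEN=$(mktemp)
SAMPLE_TWO_TOKENS=$(mktemp)
trap 'rm -f "$SAMPLE_ONE_TOKEN" "$SAMPLE_TWO_TOKENS"' EXIT

cat > "$SAMPLE_ONE_TOKEN" <<'EOF'
# constructed sample, one external token
internal=PLACEHOLDER-internal
internaldb=PLACEHOLDER-db
hardware-HSM1=PLACEHOLDER-hsm
replicationdb=PLACEHOLDER-repl
EOF

cat > "$SAMPLE_TWO_TOKENS" <<'EOF'
# constructed sample, two external tokens
internal=PLACEHOLDER-internal
hardware-HSM1=PLACEHOLDER-hsm1
hardware-HSM2=PLACEHOLDER-hsm2
EOF

# Walk-through for the one-token sample, as an administrator would do before
# running 'pki-server nuxwdog-enable' for the instance 'pki-tomcat'.
echo "Entries to record before removing password.conf:"
password_conf_entry_names "$SAMPLE_ONE_TOKEN" | sed 's/^/  /'
echo "Line to add to CS.cfg (if any):"
cms_token_list_line "$SAMPLE_ONE_TOKEN" | sed 's/^/  /'
echo "Restart afterwards with: systemctl restart $(instance_unit pki-tomcat nuxwdog)"
```

The helpers deliberately never print password values: the point of the check is to know which entries exist so they can be recorded, not to echo secrets into a terminal or a log. A hardened version of the same procedure would use the same functions against the real /etc/pki/instance_name/password.conf before the file is removed.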
SEE ALSO
pki-server(8)
    PKI server management commands

AUTHORS
Ade Lee <alee@redhat.com> and Dinesh Prasanth M K <dmoluguw@redhat.com>

COPYRIGHT
Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public License, version 2 (GPLv2). A copy of this license is available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

PKI                              December 20, 2018                        pki-server-nuxwdog(8)