1pki-server-nuxwdog(8)   PKI Nuxwdog Management Commands  pki-server-nuxwdog(8)
2
3
4

NAME

6       pki-server-nuxwdog  -  Command-line  interface  for enabling PKI server
7       instances to start using nuxwdog.
8
9

SYNOPSIS

11       pki-server [CLI-options] nuxwdog
12       pki-server [CLI-options] nuxwdog-enable
13       pki-server [CLI-options] nuxwdog-disable
14
15

DESCRIPTION

17       When a PKI server instance starts, it reads a plain text  configuration
18       file  (i.e.  /etc/pki/instance_name/password.conf)  to obtain passwords
19       needed to initialize the server.  This could include  passwords  needed
20       to access server keys in hardware or software cryptographic modules, or
21       passwords to establish database connections.
22
23
24       While this file is protected by file and  SELinux  permissions,  it  is
25       even  more  secure  to  remove  this file entirely, and have the server
26       prompt for these passwords on startup.  This means of  course  that  it
27       will  not  be  possible  to  start  the PKI server instance unattended,
28       including on server reboots.
29
30
31       nuxwdog is a mechanism to start PKI server without storing passwords in
32       file  (i.e.  password.conf); but prompt the administrator for the rele‐
33       vant passwords.  These passwords will be cached securely in the  kernel
34       keyring.  If the CS instance crashes unexpectedly, systemd will attempt
35       to restart the instance using the cached passwords.
36
37
38       PKI server instances need to be reconfigured to use nuxwdog  to  start.
39       Not  only  are  changes  required  in instance configuration files, but
40       instances need to use a different systemd  unit  file  to  start.   See
41       details in the Operations section.
42
43
44       pki-server   nuxwdog   commands  provide  a  mechanism  to  reconfigure
45       instances to either start or not start with nuxwdog.
46
47
48       pki-server [CLI-options] nuxwdog
49           This command is to list available nuxwdog commands.
50
51
52       pki-server [CLI-options] nuxwdog-enable
53           This command is to reconfigure ALL local PKI  server  instances  to
54       start using nuxwdog.
55           To   reconfigure   a  particular  PKI  server  instance  only,  use
56       pki-server instance-nuxwdog-enable.
57
58
59       pki-server [CLI-options] nuxwdog-disable
60           This command is to reconfigure ALL local PKI  server  instances  to
61       start without using nuxwdog.
62           To   reconfigure   a  particular  PKI  server  instance  only,  use
63       pki-server instance-nuxwdog-disable.
64           Once this operation is complete, instances  will  need  to  read  a
65       password.conf file in order to start up.
66
67

OPTIONS

69       The CLI options are described in pki-server(8).
70
71

OPERATIONS

73       Configuring  a  PKI  server  instance  to  start using nuxwdog requires
74       changes to instance configuration  files  such  as  server.xml.   These
75       changes are performed by pki-server.
76
77
78       Once a subsystem has been converted to using nuxwdog, the password.conf
79       file is no longer needed.  It can be removed from the  filesystem.   Be
80       sure,  of  course,  to  note  all passwords contained therein - some of
81       which may be randomly generated during the install.
82
83
84       Note: If a subsystem stores any of its system certificates in a crypto‐
85       graphic  token  other  than  the  internal  NSS  database, it will have
86       entries in password.conf that look  like  hardware-TOKEN_NAME=password.
87       In this case, an additional parameter must be added to CS.cfg.
88
89
90              cms.tokenList=TOKEN_NAME
91
92
93
94       When  this  parameter  is  added,  nuxwdog will prompt the password for
95       hardware-TOKEN_NAME in addition to the other passwords.
96
97
98       An instance that is started by nuxwdog is started by a  different  sys‐
99       temd unit file (pki-tomcatd-nuxwdog).  Therefore, to start/stop/restart
100       an instance using the following:
101
102
103              $ systemctl <start/stop/restart> pki-tomcatd-nuxwdog@<instance_id>.service
104
105
106
107       If the PKI server instance is converted back to not  using  nuxwdog  to
108       start, then the usual systemd unit scripts can be invoked:
109
110
111              $ systemctl <start/stop/restart> pki-tomcatd@<instance_id>.service
112
113
114

SEE ALSO

116       pki-server(8)
117           PKI server management commands
118
119

AUTHORS

121       Ade  Lee lt;alee@redhat.comgt; and Dinesh Prasanth M K lt;dmoluguw@red‐
122       hat.comgt;
123
124

COPYRIGHT

126       Copyright (c) 2018 Red Hat, Inc.  This is licensed under the  GNU  Gen‐
127       eral  Public  License,  version  2  (GPLv2).  A copy of this license is
128       available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
129
130
131
132PKI                            December 20, 2018         pki-server-nuxwdog(8)