1MODUTIL(1)                    NSS Security Tools                    MODUTIL(1)
2
3
4

NAME

6       modutil - Manage PKCS #11 module information within the security module
7       database.
8

SYNOPSIS

10       modutil [options] [[arguments]]
11

STATUS

13       This documentation is still work in progress. Please contribute to the
14       initial review in Mozilla NSS bug 836477[1]
15

DESCRIPTION

17       The Security Module Database Tool, modutil, is a command-line utility
18       for managing PKCS #11 module information both within secmod.db files
19       and within hardware tokens.  modutil can add and delete PKCS #11
20       modules, change passwords on security databases, set defaults, list
21       module contents, enable or disable slots, enable or disable FIPS 140-2
22       compliance, and assign default providers for cryptographic operations.
23       This tool can also create certificate, key, and module security
24       database files.
25
26       The tasks associated with security module database management are part
27       of a process that typically also involves managing key databases and
28       certificate databases.
29

OPTIONS

31       Running modutil always requires one (and only one) option to specify
32       the type of module operation. Each option may take arguments, anywhere
33       from none to multiple arguments.
34
35       Options
36
37       -add modulename
38           Add the named PKCS #11 module to the database. Use this option with
39           the -libfile, -ciphers, and -mechanisms arguments.
40
41       -changepw tokenname
42           Change the password on the named token. If the token has not been
43           initialized, this option initializes the password. Use this option
44           with the -pwfile and -newpwfile arguments. A password is equivalent
45           to a personal identification number (PIN).
46
47       -chkfips
48           Verify whether the module is in the given FIPS mode.  true means to
49           verify that the module is in FIPS mode, while false means to verify
50           that the module is not in FIPS mode.
51
52       -create
53           Create new certificate, key, and module databases. Use the -dbdir
54           directory argument to specify a directory. If any of these
55           databases already exist in a specified directory, modutil returns
56           an error message.
57
58       -default modulename
59           Specify the security mechanisms for which the named module will be
60           a default provider. The security mechanisms are specified with the
61           -mechanisms argument.
62
63       -delete modulename
64           Delete the named module. The default NSS PKCS #11 module cannot be
65           deleted.
66
67       -disable modulename
68           Disable all slots on the named module. Use the -slot argument to
69           disable a specific slot.
70
71           The internal NSS PKCS #11 module cannot be disabled.
72
73       -enable modulename
74           Enable all slots on the named module. Use the -slot argument to
75           enable a specific slot.
76
77       -fips [true | false]
78           Enable (true) or disable (false) FIPS 140-2 compliance for the
79           default NSS module.
80
81       -force
82           Disable modutil's interactive prompts so it can be run from a
83           script. Use this option only after manually testing each planned
84           operation to check for warnings and to ensure that bypassing the
85           prompts will cause no security lapses or loss of database
86           integrity.
87
88       -jar JAR-file
89           Add a new PKCS #11 module to the database using the named JAR file.
90           Use this command with the -installdir and -tempdir arguments. The
91           JAR file uses the NSS PKCS #11 JAR format to identify all the files
92           to be installed, the module's name, the mechanism flags, and the
93           cipher flags, as well as any files to be installed on the target
94           machine, including the PKCS #11 module library file and other files
95           such as documentation. This is covered in the JAR installation file
96           section in the man page, which details the special script needed to
97           perform an installation through a server or with modutil.
98
99       -list [modulename]
100           Display basic information about the contents of the secmod.db file.
101           Specifying a modulename displays detailed information about a
102           particular module and its slots and tokens.
103
104       -rawadd
105           Add the module spec string to the secmod.db database.
106
107       -rawlist
108           Display the module specs for a specified module or for all loadable
109           modules.
110
111       -undefault modulename
112           Specify the security mechanisms for which the named module will not
113           be a default provider. The security mechanisms are specified with
114           the -mechanisms argument.
115
116       Arguments
117
118       MODULE
119           Give the security module to access.
120
121       MODULESPEC
122           Give the security module spec to load into the security database.
123
124       -ciphers cipher-enable-list
125           Enable specific ciphers in a module that is being added to the
126           database. The cipher-enable-list is a colon-delimited list of
127           cipher names. Enclose this list in quotation marks if it contains
128           spaces.
129
130       -dbdir directory
131           Specify the database directory in which to access or create
132           security module database files.
133
134           modutil supports two types of databases: the legacy security
135           databases (cert8.db, key3.db, and secmod.db) and SQLite databases
136           (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not
137           used, then the tool assumes that the given databases are in SQLite
138           format.
139
140       --dbprefix prefix
141           Specify the prefix used on the database files, such as my_ for
142           my_cert9.db. This option is provided as a special case. Changing
143           the names of the certificate and key databases is not recommended.
144
145       -installdir root-installation-directory
146           Specify the root installation directory relative to which files
147           will be installed by the -jar option. This directory should be one
148           below which it is appropriate to store dynamic library files, such
149           as a server's root directory.
150
151       -libfile library-file
152           Specify a path to a library file containing the implementation of
153           the PKCS #11 interface module that is being added to the database.
154
155       -mechanisms mechanism-list
156           Specify the security mechanisms for which a particular module will
157           be flagged as a default provider. The mechanism-list is a
158           colon-delimited list of mechanism names. Enclose this list in
159           quotation marks if it contains spaces.
160
161           The module becomes a default provider for the listed mechanisms
162           when those mechanisms are enabled. If more than one module claims
163           to be a particular mechanism's default provider, that mechanism's
164           default provider is undefined.
165
166           modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
167           DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
168           random number generation), and FRIENDLY (meaning certificates are
169           publicly readable).
170
171       -newpwfile new-password-file
172           Specify a text file containing a token's new or replacement
173           password so that a password can be entered automatically with the
174           -changepw option.
175
176       -nocertdb
177           Do not open the certificate or key databases. This has several
178           effects:
179
180           •   With the -create command, only a module security file is
181               created; certificate and key databases are not created.
182
183           •   With the -jar command, signatures on the JAR file are not
184               checked.
185
186           •   With the -changepw command, the password on the NSS internal
187               module cannot be set or changed, since this password is stored
188               in the key database.
189
190       -pwfile old-password-file
191           Specify a text file containing a token's existing password so that
192           a password can be entered automatically when the -changepw option
193           is used to change passwords.
194
195       -secmod secmodname
196           Give the name of the security module database (like secmod.db) to
197           load.
198
199       -slot slotname
200           Specify a particular slot to be enabled or disabled with the
201           -enable or -disable options.
202
203       -string CONFIG_STRING
204           Pass a configuration string for the module being added to the
205           database.
206
207       -tempdir temporary-directory
208           Give a directory location where temporary files are created during
209           the installation by the -jar option. If no temporary directory is
210           specified, the current directory is used.
211

USAGE AND EXAMPLES

213       Creating Database Files
214
215       Before any operations can be performed, there must be a set of security
216       databases available.  modutil can be used to create these files. The
217       only required argument is the database that where the databases will be
218       located.
219
220           modutil -create -dbdir directory
221
222       Adding a Cryptographic Module
223
224       Adding a PKCS #11 module means submitting a supporting library file,
225       enabling its ciphers, and setting default provider status for various
226       security mechanisms. This can be done by supplying all of the
227       information through modutil directly or by running a JAR file and
228       install script. For the most basic case, simply upload the library:
229
230           modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]
231
232       For example:
233
234           modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM
235
236           Using database directory ...
237           Module "Example PKCS #11 Module" added to database.
238
239       Installing a Cryptographic Module from a JAR File
240
241       PKCS #11 modules can also be loaded using a JAR file, which contains
242       all of the required libraries and an installation script that describes
243       how to install the module. The JAR install script is described in more
244       detail in the section called “JAR INSTALLATION FILE FORMAT”.
245
246       The JAR installation script defines the setup information for each
247       platform that the module can be installed on. For example:
248
249           Platforms {
250              Linux:5.4.08:x86 {
251                 ModuleName { "Example PKCS #11 Module" }
252                 ModuleFile { crypto.so }
253                 DefaultMechanismFlags{0x0000}
254                 CipherEnableFlags{0x0000}
255                 Files {
256                    crypto.so {
257                       Path{ /tmp/crypto.so }
258                    }
259                    setup.sh {
260                       Executable
261                       Path{ /tmp/setup.sh }
262                    }
263                 }
264              }
265              Linux:6.0.0:x86 {
266                 EquivalentPlatform { Linux:5.4.08:x86 }
267              }
268           }
269
270       Both the install script and the required libraries must be bundled in a
271       JAR file, which is specified with the -jar argument.
272
273           modutil -dbdir /home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir /home/my/sharednssdb
274
275           This installation JAR file was signed by:
276           ----------------------------------------------
277
278           **SUBJECT NAME**
279
280           C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
281           Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
282           Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
283           . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
284           Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER
285           NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
286           VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
287           OU="VeriSign, Inc.", O=VeriSign Trust Network
288           ----------------------------------------------
289
290           Do you wish to continue this installation? (y/n) y
291           Using installer script "installer_script"
292           Successfully parsed installation script
293           Current platform is Linux:5.4.08:x86
294           Using installation parameters for platform Linux:5.4.08:x86
295           Installed file crypto.so to /tmp/crypto.so
296           Installed file setup.sh to ./pk11inst.dir/setup.sh
297           Executing "./pk11inst.dir/setup.sh"...
298           "./pk11inst.dir/setup.sh" executed successfully
299           Installed module "Example PKCS #11 Module" into module database
300
301           Installation completed successfully
302
303       Adding Module Spec
304
305       Each module has information stored in the security database about its
306       configuration and parameters. These can be added or edited using the
307       -rawadd command. For the current settings or to see the format of the
308       module spec in the database, use the -rawlist option.
309
310           modutil -rawadd modulespec
311
312       Deleting a Module
313
314       A specific PKCS #11 module can be deleted from the secmod.db database:
315
316           modutil -delete modulename -dbdir directory
317
318       Displaying Module Information
319
320       The secmod.db database contains information about the PKCS #11 modules
321       that are available to an application or server to use. The list of all
322       modules, information about specific modules, and database configuration
323       specs for modules can all be viewed.
324
325       To simply get a list of modules in the database, use the -list command.
326
327           modutil -list [modulename] -dbdir directory
328
329       Listing the modules shows the module name, their status, and other
330       associated security databases for certificates and keys. For example:
331
332           modutil -list -dbdir /home/my/sharednssdb
333
334           Listing of PKCS #11 Modules
335           -----------------------------------------------------------
336             1. NSS Internal PKCS #11 Module
337                    slots: 2 slots attached
338                   status: loaded
339
340                    slot: NSS Internal Cryptographic Services
341                   token: NSS Generic Crypto Services
342                  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
343
344                    slot: NSS User Private Key and Certificate Services
345                   token: NSS Certificate DB
346                  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
347           -----------------------------------------------------------
348
349       Passing a specific module name with the -list returns details
350       information about the module itself, like supported cipher mechanisms,
351       version numbers, serial numbers, and other information about the module
352       and the token it is loaded on. For example:
353
354            modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb
355
356           -----------------------------------------------------------
357           Name: NSS Internal PKCS #11 Module
358           Library file: **Internal ONLY module**
359           Manufacturer: Mozilla Foundation
360           Description: NSS Internal Crypto Services
361           PKCS #11 Version 2.20
362           Library Version: 3.11
363           Cipher Enable Flags: None
364           Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
365
366             Slot: NSS Internal Cryptographic Services
367             Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
368             Manufacturer: Mozilla Foundation
369             Type: Software
370             Version Number: 3.11
371             Firmware Version: 0.0
372             Status: Enabled
373             Token Name: NSS Generic Crypto Services
374             Token Manufacturer: Mozilla Foundation
375             Token Model: NSS 3
376             Token Serial Number: 0000000000000000
377             Token Version: 4.0
378             Token Firmware Version: 0.0
379             Access: Write Protected
380             Login Type: Public (no login required)
381             User Pin: NOT Initialized
382
383             Slot: NSS User Private Key and Certificate Services
384             Slot Mechanism Flags: None
385             Manufacturer: Mozilla Foundation
386             Type: Software
387             Version Number: 3.11
388             Firmware Version: 0.0
389             Status: Enabled
390             Token Name: NSS Certificate DB
391             Token Manufacturer: Mozilla Foundation
392             Token Model: NSS 3
393             Token Serial Number: 0000000000000000
394             Token Version: 8.3
395             Token Firmware Version: 0.0
396             Access: NOT Write Protected
397             Login Type: Login required
398             User Pin: Initialized
399
400       A related command, -rawlist returns information about the database
401       configuration for the modules. (This information can be edited by
402       loading new specs using the -rawadd command.)
403
404            modutil -rawlist -dbdir /home/my/sharednssdb
405            name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"
406
407       Setting a Default Provider for Security Mechanisms
408
409       Multiple security modules may provide support for the same security
410       mechanisms. It is possible to set a specific security module as the
411       default provider for a specific security mechanism (or, conversely, to
412       prohibit a provider from supplying those mechanisms).
413
414           modutil -default modulename -mechanisms mechanism-list
415
416       To set a module as the default provider for mechanisms, use the
417       -default command with a colon-separated list of mechanisms. The
418       available mechanisms depend on the module; NSS supplies almost all
419       common mechanisms. For example:
420
421           modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
422
423           Using database directory c:\databases...
424
425           Successfully changed defaults.
426
427       Clearing the default provider has the same format:
428
429           modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5
430
431       Enabling and Disabling Modules and Slots
432
433       Modules, and specific slots on modules, can be selectively enabled or
434       disabled using modutil. Both commands have the same format:
435
436           modutil -enable|-disable modulename [-slot slotname]
437
438       For example:
439
440           modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services                            " -dbdir .
441
442           Slot "NSS Internal Cryptographic Services                            " enabled.
443
444       Be sure that the appropriate amount of trailing whitespace is after the
445       slot name. Some slot names have a significant amount of whitespace that
446       must be included, or the operation will fail.
447
448       Enabling and Verifying FIPS Compliance
449
450       The NSS modules can have FIPS 140-2 compliance enabled or disabled
451       using modutil with the -fips option. For example:
452
453           modutil -fips true -dbdir /home/my/sharednssdb/
454
455           FIPS mode enabled.
456
457       To verify that status of FIPS mode, run the -chkfips command with
458       either a true or false flag (it doesn't matter which). The tool returns
459       the current FIPS setting.
460
461           modutil -chkfips false -dbdir /home/my/sharednssdb/
462
463           FIPS mode enabled.
464
465       Changing the Password on a Token
466
467       Initializing or changing a token's password:
468
469           modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]
470
471           modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB"
472
473           Enter old password:
474           Incorrect password, try again...
475           Enter old password:
476           Enter new password:
477           Re-enter new password:
478           Token "Communicator Certificate DB" password changed successfully.
479

JAR INSTALLATION FILE FORMAT

481       When a JAR file is run by a server, by modutil, or by any program that
482       does not interpret JavaScript, a special information file must be
483       included to install the libraries. There are several things to keep in
484       mind with this file:
485
486       •   It must be declared in the JAR archive's manifest file.
487
488       •   The script can have any name.
489
490       •   The metainfo tag for this is Pkcs11_install_script. To declare
491           meta-information in the manifest file, put it in a file that is
492           passed to signtool.
493
494       Sample Script
495
496       For example, the PKCS #11 installer script could be in the file
497       pk11install. If so, the metainfo file for signtool includes a line such
498       as this:
499
500           + Pkcs11_install_script: pk11install
501
502       The script must define the platform and version number, the module name
503       and file, and any optional information like supported ciphers and
504       mechanisms. Multiple platforms can be defined in a single install file.
505
506           ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
507           Platforms {
508              WINNT::x86 {
509                 ModuleName { "Example Module" }
510                 ModuleFile { win32/fort32.dll }
511                 DefaultMechanismFlags{0x0001}
512                 DefaultCipherFlags{0x0001}
513                 Files {
514                    win32/setup.exe {
515                       Executable
516                       RelativePath { %temp%/setup.exe }
517                    }
518                    win32/setup.hlp {
519                       RelativePath { %temp%/setup.hlp }
520                    }
521                    win32/setup.cab {
522                       RelativePath { %temp%/setup.cab }
523                    }
524                 }
525              }
526              WIN95::x86 {
527                 EquivalentPlatform {WINNT::x86}
528              }
529              SUNOS:5.5.1:sparc {
530                 ModuleName { "Example UNIX Module" }
531                 ModuleFile { unix/fort.so }
532                 DefaultMechanismFlags{0x0001}
533                 CipherEnableFlags{0x0001}
534                 Files {
535                    unix/fort.so {
536                       RelativePath{%root%/lib/fort.so}
537                       AbsolutePath{/usr/local/netscape/lib/fort.so}
538                       FilePermissions{555}
539                    }
540                    xplat/instr.html {
541                       RelativePath{%root%/docs/inst.html}
542                       AbsolutePath{/usr/local/netscape/docs/inst.html}
543                       FilePermissions{555}
544                    }
545                 }
546              }
547              IRIX:6.2:mips {
548                 EquivalentPlatform { SUNOS:5.5.1:sparc }
549              }
550           }
551
552       Script Grammar
553
554       The script is basic Java, allowing lists, key-value pairs, strings, and
555       combinations of all of them.
556
557           --> valuelist
558
559           valuelist --> value valuelist
560                          <null>
561
562           value ---> key_value_pair
563                       string
564
565           key_value_pair --> key { valuelist }
566
567           key --> string
568
569           string --> simple_string
570                       "complex_string"
571
572           simple_string --> [^ \t\n\""{""}"]+
573
574           complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+
575
576       Quotes and backslashes must be escaped with a backslash. A complex
577       string must not include newlines or carriage returns.Outside of complex
578       strings, all white space (for example, spaces, tabs, and carriage
579       returns) is considered equal and is used only to delimit tokens.
580
581       Keys
582
583       The Java install file uses keys to define the platform and module
584       information.
585
586       ForwardCompatible gives a list of platforms that are forward
587       compatible. If the current platform cannot be found in the list of
588       supported platforms, then the ForwardCompatible list is checked for any
589       platforms that have the same OS and architecture in an earlier version.
590       If one is found, its attributes are used for the current platform.
591
592       Platforms (required) Gives a list of platforms. Each entry in the list
593       is itself a key-value pair: the key is the name of the platform and the
594       value list contains various attributes of the platform. The platform
595       string is in the format system name:OS release:architecture. The
596       installer obtains these values from NSPR. OS release is an empty string
597       on non-Unix operating systems. NSPR supports these platforms:
598
599       •   AIX (rs6000)
600
601       •   BSDI (x86)
602
603       •   FREEBSD (x86)
604
605       •   HPUX (hppa1.1)
606
607       •   IRIX (mips)
608
609       •   LINUX (ppc, alpha, x86)
610
611       •   MacOS (PowerPC)
612
613       •   NCR (x86)
614
615       •   NEC (mips)
616
617       •   OS2 (x86)
618
619       •   OSF (alpha)
620
621       •   ReliantUNIX (mips)
622
623       •   SCO (x86)
624
625       •   SOLARIS (sparc)
626
627       •   SONY (mips)
628
629       •   SUNOS (sparc)
630
631       •   UnixWare (x86)
632
633       •   WIN16 (x86)
634
635       •   WIN95 (x86)
636
637       •   WINNT (x86)
638
639       For example:
640
641           IRIX:6.2:mips
642           SUNOS:5.5.1:sparc
643           Linux:2.0.32:x86
644           WIN95::x86
645
646       The module information is defined independently for each platform in
647       the ModuleName, ModuleFile, and Files attributes. These attributes must
648       be given unless an EquivalentPlatform attribute is specified.
649
650       Per-Platform Keys
651
652       Per-platform keys have meaning only within the value list of an entry
653       in the Platforms list.
654
655       ModuleName (required) gives the common name for the module. This name
656       is used to reference the module by servers and by the modutil tool.
657
658       ModuleFile (required) names the PKCS #11 module file for this platform.
659       The name is given as the relative path of the file within the JAR
660       archive.
661
662       Files (required) lists the files that need to be installed for this
663       module. Each entry in the file list is a key-value pair. The key is the
664       path of the file in the JAR archive, and the value list contains
665       attributes of the file. At least RelativePath or AbsolutePath must be
666       specified for each file.
667
668       DefaultMechanismFlags specifies mechanisms for which this module is the
669       default provider; this is equivalent to the -mechanism option with the
670       -add command. This key-value pair is a bitstring specified in
671       hexadecimal (0x) format. It is constructed as a bitwise OR. If the
672       DefaultMechanismFlags entry is omitted, the value defaults to 0x0.
673
674           RSA:                   0x00000001
675           DSA:                   0x00000002
676           RC2:                   0x00000004
677           RC4:                   0x00000008
678           DES:                   0x00000010
679           DH:                    0x00000020
680           FORTEZZA:              0x00000040
681           RC5:                   0x00000080
682           SHA1:                  0x00000100
683           MD5:                   0x00000200
684           MD2:                   0x00000400
685           RANDOM:                0x08000000
686           FRIENDLY:              0x10000000
687           OWN_PW_DEFAULTS:       0x20000000
688           DISABLE:               0x40000000
689
690       CipherEnableFlags specifies ciphers that this module provides that NSS
691       does not provide (so that the module enables those ciphers for NSS).
692       This is equivalent to the -cipher argument with the -add command. This
693       key is a bitstring specified in hexadecimal (0x) format. It is
694       constructed as a bitwise OR. If the CipherEnableFlags entry is omitted,
695       the value defaults to 0x0.
696
697       EquivalentPlatform specifies that the attributes of the named platform
698       should also be used for the current platform. This makes it easier when
699       more than one platform uses the same settings.
700
701       Per-File Keys
702
703       Some keys have meaning only within the value list of an entry in a
704       Files list.
705
706       Each file requires a path key the identifies where the file is. Either
707       RelativePath or AbsolutePath must be specified. If both are specified,
708       the relative path is tried first, and the absolute path is used only if
709       no relative root directory is provided by the installer program.
710
711       RelativePath specifies the destination directory of the file, relative
712       to some directory decided at install time. Two variables can be used in
713       the relative path: %root% and %temp%.  %root% is replaced at run time
714       with the directory relative to which files should be installed; for
715       example, it may be the server's root directory. The %temp% directory is
716       created at the beginning of the installation and destroyed at the end.
717       The purpose of %temp% is to hold executable files (such as setup
718       programs) or files that are used by these programs. Files destined for
719       the temporary directory are guaranteed to be in place before any
720       executable file is run; they are not deleted until all executable files
721       have finished.
722
723       AbsolutePath specifies the destination directory of the file as an
724       absolute path.
725
726       Executable specifies that the file is to be executed during the course
727       of the installation. Typically, this string is used for a setup program
728       provided by a module vendor, such as a self-extracting setup
729       executable. More than one file can be specified as executable, in which
730       case the files are run in the order in which they are specified in the
731       script file.
732
733       FilePermissions sets permissions on any referenced files in a string of
734       octal digits, according to the standard Unix format. This string is a
735       bitwise OR.
736
737           user read:                0400
738           user write:               0200
739           user execute:             0100
740           group read:               0040
741           group write:              0020
742           group execute:            0010
743           other read:               0004
744           other write:              0002
745           other execute:            0001
746
747       Some platforms may not understand these permissions. They are applied
748       only insofar as they make sense for the current platform. If this
749       attribute is omitted, a default of 777 is assumed.
750

NSS DATABASE TYPES

752       NSS originally used BerkeleyDB databases to store security information.
753       The last versions of these legacy databases are:
754
755       •   cert8.db for certificates
756
757       •   key3.db for keys
758
759       •   secmod.db for PKCS #11 module information
760
761       BerkeleyDB has performance limitations, though, which prevent it from
762       being easily used by multiple applications simultaneously. NSS has some
763       flexibility that allows applications to use their own, independent
764       database engine while keeping a shared database and working around the
765       access issues. Still, NSS requires more flexibility to provide a truly
766       shared security database.
767
768       In 2009, NSS introduced a new set of databases that are SQLite
769       databases rather than BerkleyDB. These new databases provide more
770       accessibility and performance:
771
772       •   cert9.db for certificates
773
774       •   key4.db for keys
775
776       •   pkcs11.txt, which is listing of all of the PKCS #11 modules
777           contained in a new subdirectory in the security databases directory
778
779       Because the SQLite databases are designed to be shared, these are the
780       shared database type. The shared database type is preferred; the legacy
781       format is included for backward compatibility.
782
783       By default, the tools (certutil, pk12util, modutil) assume that the
784       given security databases use the SQLite type. Using the legacy
785       databases must be manually specified by using the dbm: prefix with the
786       given security directory. For example:
787
788           modutil -create -dbdir dbm:/home/my/sharednssdb
789
790       To set the legacy database type as the default type for the tools, set
791       the NSS_DEFAULT_DB_TYPE environment variable to dbm:
792
793           export NSS_DEFAULT_DB_TYPE="dbm"
794
795       This line can be added to the ~/.bashrc file to make the change
796       permanent for the user.
797
798https://wiki.mozilla.org/NSS_Shared_DB_Howto
799
800       For an engineering draft on the changes in the shared NSS databases,
801       see the NSS project wiki:
802
803https://wiki.mozilla.org/NSS_Shared_DB
804

SEE ALSO

806       certutil (1)
807
808       pk12util (1)
809
810       signtool (1)
811
812       The NSS wiki has information on the new database design and how to
813       configure applications to use it.
814
815https://wiki.mozilla.org/NSS_Shared_DB_Howto
816
817https://wiki.mozilla.org/NSS_Shared_DB
818

ADDITIONAL RESOURCES

820       For information about NSS and other tools related to NSS (like JSS),
821       check out the NSS project wiki at
822       http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
823       directly to NSS code changes and releases.
824
825       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
826
827       IRC: Freenode at #dogtag-pki
828

AUTHORS

830       The NSS tools were written and maintained by developers with Netscape,
831       Red Hat, Sun, Oracle, Mozilla, and Google.
832
833       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
834       <dlackey@redhat.com>.
835

LICENSE

837       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
838       was not distributed with this file, You can obtain one at
839       http://mozilla.org/MPL/2.0/.
840

NOTES

842        1. Mozilla NSS bug 836477
843           https://bugzilla.mozilla.org/show_bug.cgi?id=836477
844
845
846
847nss-tools                         29 May 2021                       MODUTIL(1)
Impressum