1MODUTIL(1) NSS Security Tools MODUTIL(1)
2
3
4
6 modutil - Manage PKCS #11 module information within the security module
7 database.
8
10 modutil [options] [[arguments]]
11
13 This documentation is still work in progress. Please contribute to the
14 initial review in Mozilla NSS bug 836477[1]
15
17 The Security Module Database Tool, modutil, is a command-line utility
18 for managing PKCS #11 module information both within secmod.db files
19 and within hardware tokens. modutil can add and delete PKCS #11
20 modules, change passwords on security databases, set defaults, list
21 module contents, enable or disable slots, enable or disable FIPS 140-2
22 compliance, and assign default providers for cryptographic operations.
23 This tool can also create certificate, key, and module security
24 database files.
25
26 The tasks associated with security module database management are part
27 of a process that typically also involves managing key databases and
28 certificate databases.
29
31 Running modutil always requires one (and only one) option to specify
32 the type of module operation. Each option may take arguments, anywhere
33 from none to multiple arguments.
34
35 Options
36
37 -add modulename
38 Add the named PKCS #11 module to the database. Use this option with
39 the -libfile, -ciphers, and -mechanisms arguments.
40
41 -changepw tokenname
42 Change the password on the named token. If the token has not been
43 initialized, this option initializes the password. Use this option
44 with the -pwfile and -newpwfile arguments. A password is equivalent
45 to a personal identification number (PIN).
46
47 -chkfips
48 Verify whether the module is in the given FIPS mode. true means to
49 verify that the module is in FIPS mode, while false means to verify
50 that the module is not in FIPS mode.
51
52 -create
53 Create new certificate, key, and module databases. Use the -dbdir
54 directory argument to specify a directory. If any of these
55 databases already exist in a specified directory, modutil returns
56 an error message.
57
58 -default modulename
59 Specify the security mechanisms for which the named module will be
60 a default provider. The security mechanisms are specified with the
61 -mechanisms argument.
62
63 -delete modulename
64 Delete the named module. The default NSS PKCS #11 module cannot be
65 deleted.
66
67 -disable modulename
68 Disable all slots on the named module. Use the -slot argument to
69 disable a specific slot.
70
71 The internal NSS PKCS #11 module cannot be disabled.
72
73 -enable modulename
74 Enable all slots on the named module. Use the -slot argument to
75 enable a specific slot.
76
77 -fips [true | false]
78 Enable (true) or disable (false) FIPS 140-2 compliance for the
79 default NSS module.
80
81 -force
82 Disable modutil's interactive prompts so it can be run from a
83 script. Use this option only after manually testing each planned
84 operation to check for warnings and to ensure that bypassing the
85 prompts will cause no security lapses or loss of database
86 integrity.
87
88 -jar JAR-file
89 Add a new PKCS #11 module to the database using the named JAR file.
90 Use this command with the -installdir and -tempdir arguments. The
91 JAR file uses the NSS PKCS #11 JAR format to identify all the files
92 to be installed, the module's name, the mechanism flags, and the
93 cipher flags, as well as any files to be installed on the target
94 machine, including the PKCS #11 module library file and other files
95 such as documentation. This is covered in the JAR installation file
96 section in the man page, which details the special script needed to
97 perform an installation through a server or with modutil.
98
99 -list [modulename]
100 Display basic information about the contents of the secmod.db file.
101 Specifying a modulename displays detailed information about a
102 particular module and its slots and tokens.
103
104 -rawadd
105 Add the module spec string to the secmod.db database.
106
107 -rawlist
108 Display the module specs for a specified module or for all loadable
109 modules.
110
111 -undefault modulename
112 Specify the security mechanisms for which the named module will not
113 be a default provider. The security mechanisms are specified with
114 the -mechanisms argument.
115
116 Arguments
117
118 MODULE
119 Give the security module to access.
120
121 MODULESPEC
122 Give the security module spec to load into the security database.
123
124 -ciphers cipher-enable-list
125 Enable specific ciphers in a module that is being added to the
126 database. The cipher-enable-list is a colon-delimited list of
127 cipher names. Enclose this list in quotation marks if it contains
128 spaces.
129
130 -dbdir directory
131 Specify the database directory in which to access or create
132 security module database files.
133
134 modutil supports SQLite databases (cert9.db, key4.db, and
135 pkcs11.txt).
136
137 --dbprefix prefix
138 Specify the prefix used on the database files, such as my_ for
139 my_cert9.db. This option is provided as a special case. Changing
140 the names of the certificate and key databases is not recommended.
141
142 -installdir root-installation-directory
143 Specify the root installation directory relative to which files
144 will be installed by the -jar option. This directory should be one
145 below which it is appropriate to store dynamic library files, such
146 as a server's root directory.
147
148 -libfile library-file
149 Specify a path to a library file containing the implementation of
150 the PKCS #11 interface module that is being added to the database.
151
152 -mechanisms mechanism-list
153 Specify the security mechanisms for which a particular module will
154 be flagged as a default provider. The mechanism-list is a
155 colon-delimited list of mechanism names. Enclose this list in
156 quotation marks if it contains spaces.
157
158 The module becomes a default provider for the listed mechanisms
159 when those mechanisms are enabled. If more than one module claims
160 to be a particular mechanism's default provider, that mechanism's
161 default provider is undefined.
162
163 modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
164 DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
165 random number generation), and FRIENDLY (meaning certificates are
166 publicly readable).
167
168 -newpwfile new-password-file
169 Specify a text file containing a token's new or replacement
170 password so that a password can be entered automatically with the
171 -changepw option.
172
173 -nocertdb
174 Do not open the certificate or key databases. This has several
175 effects:
176
177 • With the -create command, only a module security file is
178 created; certificate and key databases are not created.
179
180 • With the -jar command, signatures on the JAR file are not
181 checked.
182
183 • With the -changepw command, the password on the NSS internal
184 module cannot be set or changed, since this password is stored
185 in the key database.
186
187 -pwfile old-password-file
188 Specify a text file containing a token's existing password so that
189 a password can be entered automatically when the -changepw option
190 is used to change passwords.
191
192 -secmod secmodname
193 Give the name of the security module database (like secmod.db) to
194 load.
195
196 -slot slotname
197 Specify a particular slot to be enabled or disabled with the
198 -enable or -disable options.
199
200 -string CONFIG_STRING
201 Pass a configuration string for the module being added to the
202 database.
203
204 -tempdir temporary-directory
205 Give a directory location where temporary files are created during
206 the installation by the -jar option. If no temporary directory is
207 specified, the current directory is used.
208
210 Creating Database Files
211
212 Before any operations can be performed, there must be a set of security
213 databases available. modutil can be used to create these files. The
214 only required argument is the database that where the databases will be
215 located.
216
217 modutil -create -dbdir directory
218
219 Adding a Cryptographic Module
220
221 Adding a PKCS #11 module means submitting a supporting library file,
222 enabling its ciphers, and setting default provider status for various
223 security mechanisms. This can be done by supplying all of the
224 information through modutil directly or by running a JAR file and
225 install script. For the most basic case, simply upload the library:
226
227 modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]
228
229 For example:
230
231 modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM
232
233 Using database directory ...
234 Module "Example PKCS #11 Module" added to database.
235
236 Installing a Cryptographic Module from a JAR File
237
238 PKCS #11 modules can also be loaded using a JAR file, which contains
239 all of the required libraries and an installation script that describes
240 how to install the module. The JAR install script is described in more
241 detail in the section called “JAR INSTALLATION FILE FORMAT”.
242
243 The JAR installation script defines the setup information for each
244 platform that the module can be installed on. For example:
245
246 Platforms {
247 Linux:5.4.08:x86 {
248 ModuleName { "Example PKCS #11 Module" }
249 ModuleFile { crypto.so }
250 DefaultMechanismFlags{0x0000}
251 CipherEnableFlags{0x0000}
252 Files {
253 crypto.so {
254 Path{ /tmp/crypto.so }
255 }
256 setup.sh {
257 Executable
258 Path{ /tmp/setup.sh }
259 }
260 }
261 }
262 Linux:6.0.0:x86 {
263 EquivalentPlatform { Linux:5.4.08:x86 }
264 }
265 }
266
267 Both the install script and the required libraries must be bundled in a
268 JAR file, which is specified with the -jar argument.
269
270 modutil -dbdir /home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir /home/my/sharednssdb
271
272 This installation JAR file was signed by:
273 ----------------------------------------------
274
275 **SUBJECT NAME**
276
277 C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
278 Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
279 Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
280 . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
281 Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER
282 NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
283 VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
284 OU="VeriSign, Inc.", O=VeriSign Trust Network
285 ----------------------------------------------
286
287 Do you wish to continue this installation? (y/n) y
288 Using installer script "installer_script"
289 Successfully parsed installation script
290 Current platform is Linux:5.4.08:x86
291 Using installation parameters for platform Linux:5.4.08:x86
292 Installed file crypto.so to /tmp/crypto.so
293 Installed file setup.sh to ./pk11inst.dir/setup.sh
294 Executing "./pk11inst.dir/setup.sh"...
295 "./pk11inst.dir/setup.sh" executed successfully
296 Installed module "Example PKCS #11 Module" into module database
297
298 Installation completed successfully
299
300 Adding Module Spec
301
302 Each module has information stored in the security database about its
303 configuration and parameters. These can be added or edited using the
304 -rawadd command. For the current settings or to see the format of the
305 module spec in the database, use the -rawlist option.
306
307 modutil -rawadd modulespec
308
309 Deleting a Module
310
311 A specific PKCS #11 module can be deleted from the secmod.db database:
312
313 modutil -delete modulename -dbdir directory
314
315 Displaying Module Information
316
317 The secmod.db database contains information about the PKCS #11 modules
318 that are available to an application or server to use. The list of all
319 modules, information about specific modules, and database configuration
320 specs for modules can all be viewed.
321
322 To simply get a list of modules in the database, use the -list command.
323
324 modutil -list [modulename] -dbdir directory
325
326 Listing the modules shows the module name, their status, and other
327 associated security databases for certificates and keys. For example:
328
329 modutil -list -dbdir /home/my/sharednssdb
330
331 Listing of PKCS #11 Modules
332 -----------------------------------------------------------
333 1. NSS Internal PKCS #11 Module
334 slots: 2 slots attached
335 status: loaded
336
337 slot: NSS Internal Cryptographic Services
338 token: NSS Generic Crypto Services
339 uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
340
341 slot: NSS User Private Key and Certificate Services
342 token: NSS Certificate DB
343 uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
344 -----------------------------------------------------------
345
346 Passing a specific module name with the -list returns details
347 information about the module itself, like supported cipher mechanisms,
348 version numbers, serial numbers, and other information about the module
349 and the token it is loaded on. For example:
350
351 modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb
352
353 -----------------------------------------------------------
354 Name: NSS Internal PKCS #11 Module
355 Library file: **Internal ONLY module**
356 Manufacturer: Mozilla Foundation
357 Description: NSS Internal Crypto Services
358 PKCS #11 Version 2.20
359 Library Version: 3.11
360 Cipher Enable Flags: None
361 Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
362
363 Slot: NSS Internal Cryptographic Services
364 Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
365 Manufacturer: Mozilla Foundation
366 Type: Software
367 Version Number: 3.11
368 Firmware Version: 0.0
369 Status: Enabled
370 Token Name: NSS Generic Crypto Services
371 Token Manufacturer: Mozilla Foundation
372 Token Model: NSS 3
373 Token Serial Number: 0000000000000000
374 Token Version: 4.0
375 Token Firmware Version: 0.0
376 Access: Write Protected
377 Login Type: Public (no login required)
378 User Pin: NOT Initialized
379
380 Slot: NSS User Private Key and Certificate Services
381 Slot Mechanism Flags: None
382 Manufacturer: Mozilla Foundation
383 Type: Software
384 Version Number: 3.11
385 Firmware Version: 0.0
386 Status: Enabled
387 Token Name: NSS Certificate DB
388 Token Manufacturer: Mozilla Foundation
389 Token Model: NSS 3
390 Token Serial Number: 0000000000000000
391 Token Version: 8.3
392 Token Firmware Version: 0.0
393 Access: NOT Write Protected
394 Login Type: Login required
395 User Pin: Initialized
396
397 A related command, -rawlist returns information about the database
398 configuration for the modules. (This information can be edited by
399 loading new specs using the -rawadd command.)
400
401 modutil -rawlist -dbdir /home/my/sharednssdb
402 name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"
403
404 Setting a Default Provider for Security Mechanisms
405
406 Multiple security modules may provide support for the same security
407 mechanisms. It is possible to set a specific security module as the
408 default provider for a specific security mechanism (or, conversely, to
409 prohibit a provider from supplying those mechanisms).
410
411 modutil -default modulename -mechanisms mechanism-list
412
413 To set a module as the default provider for mechanisms, use the
414 -default command with a colon-separated list of mechanisms. The
415 available mechanisms depend on the module; NSS supplies almost all
416 common mechanisms. For example:
417
418 modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
419
420 Using database directory c:\databases...
421
422 Successfully changed defaults.
423
424 Clearing the default provider has the same format:
425
426 modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5
427
428 Enabling and Disabling Modules and Slots
429
430 Modules, and specific slots on modules, can be selectively enabled or
431 disabled using modutil. Both commands have the same format:
432
433 modutil -enable|-disable modulename [-slot slotname]
434
435 For example:
436
437 modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services " -dbdir .
438
439 Slot "NSS Internal Cryptographic Services " enabled.
440
441 Be sure that the appropriate amount of trailing whitespace is after the
442 slot name. Some slot names have a significant amount of whitespace that
443 must be included, or the operation will fail.
444
445 Enabling and Verifying FIPS Compliance
446
447 The NSS modules can have FIPS 140-2 compliance enabled or disabled
448 using modutil with the -fips option. For example:
449
450 modutil -fips true -dbdir /home/my/sharednssdb/
451
452 FIPS mode enabled.
453
454 To verify that status of FIPS mode, run the -chkfips command with
455 either a true or false flag (it doesn't matter which). The tool returns
456 the current FIPS setting.
457
458 modutil -chkfips false -dbdir /home/my/sharednssdb/
459
460 FIPS mode enabled.
461
462 Changing the Password on a Token
463
464 Initializing or changing a token's password:
465
466 modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]
467
468 modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB"
469
470 Enter old password:
471 Incorrect password, try again...
472 Enter old password:
473 Enter new password:
474 Re-enter new password:
475 Token "Communicator Certificate DB" password changed successfully.
476
478 When a JAR file is run by a server, by modutil, or by any program that
479 does not interpret JavaScript, a special information file must be
480 included to install the libraries. There are several things to keep in
481 mind with this file:
482
483 • It must be declared in the JAR archive's manifest file.
484
485 • The script can have any name.
486
487 • The metainfo tag for this is Pkcs11_install_script. To declare
488 meta-information in the manifest file, put it in a file that is
489 passed to signtool.
490
491 Sample Script
492
493 For example, the PKCS #11 installer script could be in the file
494 pk11install. If so, the metainfo file for signtool includes a line such
495 as this:
496
497 + Pkcs11_install_script: pk11install
498
499 The script must define the platform and version number, the module name
500 and file, and any optional information like supported ciphers and
501 mechanisms. Multiple platforms can be defined in a single install file.
502
503 ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
504 Platforms {
505 WINNT::x86 {
506 ModuleName { "Example Module" }
507 ModuleFile { win32/fort32.dll }
508 DefaultMechanismFlags{0x0001}
509 DefaultCipherFlags{0x0001}
510 Files {
511 win32/setup.exe {
512 Executable
513 RelativePath { %temp%/setup.exe }
514 }
515 win32/setup.hlp {
516 RelativePath { %temp%/setup.hlp }
517 }
518 win32/setup.cab {
519 RelativePath { %temp%/setup.cab }
520 }
521 }
522 }
523 WIN95::x86 {
524 EquivalentPlatform {WINNT::x86}
525 }
526 SUNOS:5.5.1:sparc {
527 ModuleName { "Example UNIX Module" }
528 ModuleFile { unix/fort.so }
529 DefaultMechanismFlags{0x0001}
530 CipherEnableFlags{0x0001}
531 Files {
532 unix/fort.so {
533 RelativePath{%root%/lib/fort.so}
534 AbsolutePath{/usr/local/netscape/lib/fort.so}
535 FilePermissions{555}
536 }
537 xplat/instr.html {
538 RelativePath{%root%/docs/inst.html}
539 AbsolutePath{/usr/local/netscape/docs/inst.html}
540 FilePermissions{555}
541 }
542 }
543 }
544 IRIX:6.2:mips {
545 EquivalentPlatform { SUNOS:5.5.1:sparc }
546 }
547 }
548
549 Script Grammar
550
551 The script is basic Java, allowing lists, key-value pairs, strings, and
552 combinations of all of them.
553
554 --> valuelist
555
556 valuelist --> value valuelist
557 <null>
558
559 value ---> key_value_pair
560 string
561
562 key_value_pair --> key { valuelist }
563
564 key --> string
565
566 string --> simple_string
567 "complex_string"
568
569 simple_string --> [^ \t\n\""{""}"]+
570
571 complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+
572
573 Quotes and backslashes must be escaped with a backslash. A complex
574 string must not include newlines or carriage returns.Outside of complex
575 strings, all white space (for example, spaces, tabs, and carriage
576 returns) is considered equal and is used only to delimit tokens.
577
578 Keys
579
580 The Java install file uses keys to define the platform and module
581 information.
582
583 ForwardCompatible gives a list of platforms that are forward
584 compatible. If the current platform cannot be found in the list of
585 supported platforms, then the ForwardCompatible list is checked for any
586 platforms that have the same OS and architecture in an earlier version.
587 If one is found, its attributes are used for the current platform.
588
589 Platforms (required) Gives a list of platforms. Each entry in the list
590 is itself a key-value pair: the key is the name of the platform and the
591 value list contains various attributes of the platform. The platform
592 string is in the format system name:OS release:architecture. The
593 installer obtains these values from NSPR. OS release is an empty string
594 on non-Unix operating systems. NSPR supports these platforms:
595
596 • AIX (rs6000)
597
598 • BSDI (x86)
599
600 • FREEBSD (x86)
601
602 • HPUX (hppa1.1)
603
604 • IRIX (mips)
605
606 • LINUX (ppc, alpha, x86)
607
608 • MacOS (PowerPC)
609
610 • NCR (x86)
611
612 • NEC (mips)
613
614 • OS2 (x86)
615
616 • OSF (alpha)
617
618 • ReliantUNIX (mips)
619
620 • SCO (x86)
621
622 • SOLARIS (sparc)
623
624 • SONY (mips)
625
626 • SUNOS (sparc)
627
628 • UnixWare (x86)
629
630 • WIN16 (x86)
631
632 • WIN95 (x86)
633
634 • WINNT (x86)
635
636 For example:
637
638 IRIX:6.2:mips
639 SUNOS:5.5.1:sparc
640 Linux:2.0.32:x86
641 WIN95::x86
642
643 The module information is defined independently for each platform in
644 the ModuleName, ModuleFile, and Files attributes. These attributes must
645 be given unless an EquivalentPlatform attribute is specified.
646
647 Per-Platform Keys
648
649 Per-platform keys have meaning only within the value list of an entry
650 in the Platforms list.
651
652 ModuleName (required) gives the common name for the module. This name
653 is used to reference the module by servers and by the modutil tool.
654
655 ModuleFile (required) names the PKCS #11 module file for this platform.
656 The name is given as the relative path of the file within the JAR
657 archive.
658
659 Files (required) lists the files that need to be installed for this
660 module. Each entry in the file list is a key-value pair. The key is the
661 path of the file in the JAR archive, and the value list contains
662 attributes of the file. At least RelativePath or AbsolutePath must be
663 specified for each file.
664
665 DefaultMechanismFlags specifies mechanisms for which this module is the
666 default provider; this is equivalent to the -mechanism option with the
667 -add command. This key-value pair is a bitstring specified in
668 hexadecimal (0x) format. It is constructed as a bitwise OR. If the
669 DefaultMechanismFlags entry is omitted, the value defaults to 0x0.
670
671 RSA: 0x00000001
672 DSA: 0x00000002
673 RC2: 0x00000004
674 RC4: 0x00000008
675 DES: 0x00000010
676 DH: 0x00000020
677 FORTEZZA: 0x00000040
678 RC5: 0x00000080
679 SHA1: 0x00000100
680 MD5: 0x00000200
681 MD2: 0x00000400
682 RANDOM: 0x08000000
683 FRIENDLY: 0x10000000
684 OWN_PW_DEFAULTS: 0x20000000
685 DISABLE: 0x40000000
686
687 CipherEnableFlags specifies ciphers that this module provides that NSS
688 does not provide (so that the module enables those ciphers for NSS).
689 This is equivalent to the -cipher argument with the -add command. This
690 key is a bitstring specified in hexadecimal (0x) format. It is
691 constructed as a bitwise OR. If the CipherEnableFlags entry is omitted,
692 the value defaults to 0x0.
693
694 EquivalentPlatform specifies that the attributes of the named platform
695 should also be used for the current platform. This makes it easier when
696 more than one platform uses the same settings.
697
698 Per-File Keys
699
700 Some keys have meaning only within the value list of an entry in a
701 Files list.
702
703 Each file requires a path key the identifies where the file is. Either
704 RelativePath or AbsolutePath must be specified. If both are specified,
705 the relative path is tried first, and the absolute path is used only if
706 no relative root directory is provided by the installer program.
707
708 RelativePath specifies the destination directory of the file, relative
709 to some directory decided at install time. Two variables can be used in
710 the relative path: %root% and %temp%. %root% is replaced at run time
711 with the directory relative to which files should be installed; for
712 example, it may be the server's root directory. The %temp% directory is
713 created at the beginning of the installation and destroyed at the end.
714 The purpose of %temp% is to hold executable files (such as setup
715 programs) or files that are used by these programs. Files destined for
716 the temporary directory are guaranteed to be in place before any
717 executable file is run; they are not deleted until all executable files
718 have finished.
719
720 AbsolutePath specifies the destination directory of the file as an
721 absolute path.
722
723 Executable specifies that the file is to be executed during the course
724 of the installation. Typically, this string is used for a setup program
725 provided by a module vendor, such as a self-extracting setup
726 executable. More than one file can be specified as executable, in which
727 case the files are run in the order in which they are specified in the
728 script file.
729
730 FilePermissions sets permissions on any referenced files in a string of
731 octal digits, according to the standard Unix format. This string is a
732 bitwise OR.
733
734 user read: 0400
735 user write: 0200
736 user execute: 0100
737 group read: 0040
738 group write: 0020
739 group execute: 0010
740 other read: 0004
741 other write: 0002
742 other execute: 0001
743
744 Some platforms may not understand these permissions. They are applied
745 only insofar as they make sense for the current platform. If this
746 attribute is omitted, a default of 777 is assumed.
747
749 NSS originally used BerkeleyDB databases to store security information.
750 The last versions of these legacy databases are:
751
752 • cert8.db for certificates
753
754 • key3.db for keys
755
756 • secmod.db for PKCS #11 module information
757
758 BerkeleyDB has performance limitations, though, which prevent it from
759 being easily used by multiple applications simultaneously. NSS has some
760 flexibility that allows applications to use their own, independent
761 database engine while keeping a shared database and working around the
762 access issues. Still, NSS requires more flexibility to provide a truly
763 shared security database.
764
765 In 2009, NSS introduced a new set of databases that are SQLite
766 databases rather than BerkleyDB. These new databases provide more
767 accessibility and performance:
768
769 • cert9.db for certificates
770
771 • key4.db for keys
772
773 • pkcs11.txt, which is listing of all of the PKCS #11 modules
774 contained in a new subdirectory in the security databases directory
775
776 Because the SQLite databases are designed to be shared, these are the
777 shared database type. The shared database type is preferred; the legacy
778 format is included for backward compatibility.
779
780 By default, the tools (certutil, pk12util, modutil) assume that the
781 given security databases use the SQLite type.
782
783 • https://wiki.mozilla.org/NSS_Shared_DB_Howto
784
785 For an engineering draft on the changes in the shared NSS databases,
786 see the NSS project wiki:
787
788 • https://wiki.mozilla.org/NSS_Shared_DB
789
791 certutil (1)
792
793 pk12util (1)
794
795 signtool (1)
796
797 The NSS wiki has information on the new database design and how to
798 configure applications to use it.
799
800 • https://wiki.mozilla.org/NSS_Shared_DB_Howto
801
802 • https://wiki.mozilla.org/NSS_Shared_DB
803
805 For information about NSS and other tools related to NSS (like JSS),
806 check out the NSS project wiki at
807 http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
808 directly to NSS code changes and releases.
809
810 Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
811
812 IRC: Freenode at #dogtag-pki
813
815 The NSS tools were written and maintained by developers with Netscape,
816 Red Hat, Sun, Oracle, Mozilla, and Google.
817
818 Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
819 <dlackey@redhat.com>.
820
822 Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
823 was not distributed with this file, You can obtain one at
824 http://mozilla.org/MPL/2.0/.
825
827 1. Mozilla NSS bug 836477
828 https://bugzilla.mozilla.org/show_bug.cgi?id=836477
829
830
831
832nss-tools 31 May 2022 MODUTIL(1)