MODUTIL(1)                    NSS Security Tools                    MODUTIL(1)


NAME

       modutil - Manage PKCS #11 module information within the security module
       database.


SYNOPSIS

       modutil [options] [[arguments]]


STATUS

       This documentation is still work in progress. Please contribute to the
       initial review in Mozilla NSS bug 836477[1].


DESCRIPTION

       The Security Module Database Tool, modutil, is a command-line utility
       for managing PKCS #11 module information both within the security
       module database (secmod.db in the legacy format, pkcs11.txt in the
       SQLite format) and within hardware tokens.  modutil can add and delete
       PKCS #11 modules, change passwords on security databases, set defaults,
       list module contents, enable or disable slots, enable or disable FIPS
       140-2 compliance, and assign default providers for cryptographic
       operations. This tool can also create certificate, key, and module
       security database files.

       The tasks associated with security module database management are part
       of a process that typically also involves managing key databases and
       certificate databases.


OPTIONS

       Running modutil always requires one (and only one) option to specify
       the type of module operation. Each option may take arguments, anywhere
       from none to multiple arguments.

       Options

       -add modulename
           Add the named PKCS #11 module to the database. Use this option with
           the -libfile, -ciphers, and -mechanisms arguments.

       -changepw tokenname
           Change the password on the named token. If the token has not been
           initialized, this option initializes the password. Use this option
           with the -pwfile and -newpwfile arguments. A password is equivalent
           to a personal identification number (PIN).

       -chkfips [true | false]
           Verify whether the module is in the given FIPS mode.  true means to
           verify that the module is in FIPS mode, while false means to verify
           that the module is not in FIPS mode.

       -create
           Create new certificate, key, and module databases. Use the -dbdir
           directory argument to specify a directory. If any of these
           databases already exist in the specified directory, modutil returns
           an error message.

       -default modulename
           Specify the security mechanisms for which the named module will be
           a default provider. The security mechanisms are specified with the
           -mechanisms argument.

       -delete modulename
           Delete the named module. The default NSS PKCS #11 module cannot be
           deleted.

       -disable modulename
           Disable all slots on the named module. Use the -slot argument to
           disable a specific slot.

           The internal NSS PKCS #11 module cannot be disabled.

       -enable modulename
           Enable all slots on the named module. Use the -slot argument to
           enable a specific slot.

       -fips [true | false]
           Enable (true) or disable (false) FIPS 140-2 compliance for the
           default NSS module.

       -force
           Disable modutil's interactive prompts so it can be run from a
           script. Use this option only after manually testing each planned
           operation to check for warnings and to ensure that bypassing the
           prompts will cause no security lapses or loss of database
           integrity.

       -jar JAR-file
           Add a new PKCS #11 module to the database using the named JAR file.
           Use this command with the -installdir and -tempdir arguments. The
           JAR file uses the NSS PKCS #11 JAR format to identify all the files
           to be installed, the module's name, the mechanism flags, and the
           cipher flags, as well as any files to be installed on the target
           machine, including the PKCS #11 module library file and other files
           such as documentation. The format, and the installation script the
           JAR must carry so that a server or modutil can perform the
           installation, is described in the section called “JAR INSTALLATION
           FILE FORMAT”.

       -list [modulename]
           Display basic information about the contents of the secmod.db (or
           pkcs11.txt) file. Specifying a modulename displays detailed
           information about a particular module and its slots and tokens.

       -rawadd modulespec
           Add the module spec string to the secmod.db (or pkcs11.txt)
           database.

       -rawlist
           Display the module specs for a specified module or for all loadable
           modules.

       -undefault modulename
           Specify the security mechanisms for which the named module will not
           be a default provider. The security mechanisms are specified with
           the -mechanisms argument.

       Arguments

       MODULE
           Give the security module to access.

       MODULESPEC
           Give the security module spec to load into the security database.

       -ciphers cipher-enable-list
           Enable specific ciphers in a module that is being added to the
           database. The cipher-enable-list is a colon-delimited list of
           cipher names. Enclose this list in quotation marks if it contains
           spaces.

       -dbdir directory
           Specify the database directory in which to access or create
           security module database files.

           modutil supports SQLite databases (cert9.db, key4.db, and
           pkcs11.txt).

       --dbprefix prefix
           Specify the prefix used on the database files, such as my_ for
           my_cert9.db. This option is provided as a special case. Changing
           the names of the certificate and key databases is not recommended.

       -installdir root-installation-directory
           Specify the root installation directory relative to which files
           will be installed by the -jar option. This directory should be one
           below which it is appropriate to store dynamic library files, such
           as a server's root directory.

       -libfile library-file
           Specify a path to a library file containing the implementation of
           the PKCS #11 interface module that is being added to the database.

       -mechanisms mechanism-list
           Specify the security mechanisms for which a particular module will
           be flagged as a default provider. The mechanism-list is a
           colon-delimited list of mechanism names. Enclose this list in
           quotation marks if it contains spaces.

           The module becomes a default provider for the listed mechanisms
           when those mechanisms are enabled. If more than one module claims
           to be a particular mechanism's default provider, that mechanism's
           default provider is undefined.

           modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
           DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
           random number generation), and FRIENDLY (meaning certificates are
           publicly readable).

       -newpwfile new-password-file
           Specify a text file containing a token's new or replacement
           password so that a password can be entered automatically with the
           -changepw option. The file holds the password in clear text, so
           restrict its permissions to the user running modutil.

       -nocertdb
           Do not open the certificate or key databases. This has several
           effects:

           •   With the -create command, only a module security file is
               created; certificate and key databases are not created.

           •   With the -jar command, signatures on the JAR file are not
               checked, so the module library is installed and loaded without
               any verification of its origin.

           •   With the -changepw command, the password on the NSS internal
               module cannot be set or changed, since this password is stored
               in the key database.

       -pwfile old-password-file
           Specify a text file containing a token's existing password so that
           a password can be entered automatically when the -changepw option
           is used to change passwords. As with -newpwfile, protect the file's
           permissions.

       -secmod secmodname
           Give the name of the security module database (like secmod.db) to
           load.

       -slot slotname
           Specify a particular slot to be enabled or disabled with the
           -enable or -disable options.

       -string CONFIG_STRING
           Pass a configuration string for the module being added to the
           database.

       -tempdir temporary-directory
           Give a directory location where temporary files are created during
           the installation by the -jar option. If no temporary directory is
           specified, the current directory is used.


USAGE AND EXAMPLES

       Creating Database Files

       Before any operations can be performed, there must be a set of security
       databases available.  modutil can be used to create these files. The
       only required argument is the directory in which the databases will be
       created.

           modutil -create -dbdir directory

       Adding a Cryptographic Module

       Adding a PKCS #11 module means submitting a supporting library file,
       enabling its ciphers, and setting default provider status for various
       security mechanisms. This can be done by supplying all of the
       information through modutil directly or by running a JAR file and
       install script. For the most basic case, simply supply the library:

           modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]

       For example:

           modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM

           Using database directory ...
           Module "Example PKCS #11 Module" added to database.

       Installing a Cryptographic Module from a JAR File

       PKCS #11 modules can also be loaded using a JAR file, which contains
       all of the required libraries and an installation script that describes
       how to install the module. The JAR install script is described in more
       detail in the section called “JAR INSTALLATION FILE FORMAT”.

       The JAR installation script defines the setup information for each
       platform that the module can be installed on. For example:

           Platforms {
              Linux:5.4.08:x86 {
                 ModuleName { "Example PKCS #11 Module" }
                 ModuleFile { crypto.so }
                 DefaultMechanismFlags{0x0000}
                 CipherEnableFlags{0x0000}
                 Files {
                    crypto.so {
                       Path{ /tmp/crypto.so }
                    }
                    setup.sh {
                       Executable
                       Path{ /tmp/setup.sh }
                    }
                 }
              }
              Linux:6.0.0:x86 {
                 EquivalentPlatform { Linux:5.4.08:x86 }
              }
           }

       Both the install script and the required libraries must be bundled in a
       JAR file, which is specified with the -jar argument. modutil prints the
       signer of the JAR and asks for confirmation before any file is copied
       or any Executable entry is run, so check that the signer is the one you
       expect before answering y.

           modutil -dbdir /home/my/sharednssdb -jar install.jar -installdir /home/my/sharednssdb

           This installation JAR file was signed by:
           ----------------------------------------------

           **SUBJECT NAME**

           C=US, ST=California, L=Mountain View, CN=Cryptorific Inc.,
           OU=Digital ID Class 3 - Netscape Object Signing,
           OU="www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96",
           OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
           OU=VeriSign Object Signing CA - Class 3 Organization,
           OU="VeriSign, Inc.", O=VeriSign Trust Network

           **ISSUER NAME**

           OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,
           OU=VeriSign Object Signing CA - Class 3 Organization,
           OU="VeriSign, Inc.", O=VeriSign Trust Network
           ----------------------------------------------

           Do you wish to continue this installation? (y/n) y
           Using installer script "installer_script"
           Successfully parsed installation script
           Current platform is Linux:5.4.08:x86
           Using installation parameters for platform Linux:5.4.08:x86
           Installed file crypto.so to /tmp/crypto.so
           Installed file setup.sh to ./pk11inst.dir/setup.sh
           Executing "./pk11inst.dir/setup.sh"...
           "./pk11inst.dir/setup.sh" executed successfully
           Installed module "Example PKCS #11 Module" into module database

           Installation completed successfully

       Adding Module Spec

       Each module has information stored in the security database about its
       configuration and parameters. These can be added or edited using the
       -rawadd command. For the current settings or to see the format of the
       module spec in the database, use the -rawlist option.

           modutil -rawadd modulespec

       Deleting a Module

       A specific PKCS #11 module can be deleted from the secmod.db database:

           modutil -delete modulename -dbdir directory

       Displaying Module Information

       The secmod.db database contains information about the PKCS #11 modules
       that are available to an application or server to use. The list of all
       modules, information about specific modules, and database configuration
       specs for modules can all be viewed.

       To simply get a list of modules in the database, use the -list command.

           modutil -list [modulename] -dbdir directory

       Listing the modules shows each module's name and status and the slots
       and tokens it provides, including the tokens that back the certificate
       and key databases. For example:

           modutil -list -dbdir /home/my/sharednssdb

           Listing of PKCS #11 Modules
           -----------------------------------------------------------
             1. NSS Internal PKCS #11 Module
                    slots: 2 slots attached
                   status: loaded

                    slot: NSS Internal Cryptographic Services
                   token: NSS Generic Crypto Services
                     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

                    slot: NSS User Private Key and Certificate Services
                   token: NSS Certificate DB
                     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
           -----------------------------------------------------------

       Passing a specific module name with -list returns detailed information
       about the module itself, like supported cipher mechanisms, version
       numbers, serial numbers, and other information about the module and the
       token it is loaded on. For example:

           modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb

           -----------------------------------------------------------
           Name: NSS Internal PKCS #11 Module
           Library file: **Internal ONLY module**
           Manufacturer: Mozilla Foundation
           Description: NSS Internal Crypto Services
           PKCS #11 Version 2.20
           Library Version: 3.11
           Cipher Enable Flags: None
           Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES

             Slot: NSS Internal Cryptographic Services
             Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
             Manufacturer: Mozilla Foundation
             Type: Software
             Version Number: 3.11
             Firmware Version: 0.0
             Status: Enabled
             Token Name: NSS Generic Crypto Services
             Token Manufacturer: Mozilla Foundation
             Token Model: NSS 3
             Token Serial Number: 0000000000000000
             Token Version: 4.0
             Token Firmware Version: 0.0
             Access: Write Protected
             Login Type: Public (no login required)
             User Pin: NOT Initialized

             Slot: NSS User Private Key and Certificate Services
             Slot Mechanism Flags: None
             Manufacturer: Mozilla Foundation
             Type: Software
             Version Number: 3.11
             Firmware Version: 0.0
             Status: Enabled
             Token Name: NSS Certificate DB
             Token Manufacturer: Mozilla Foundation
             Token Model: NSS 3
             Token Serial Number: 0000000000000000
             Token Version: 8.3
             Token Firmware Version: 0.0
             Access: NOT Write Protected
             Login Type: Login required
             User Pin: Initialized

       A related command, -rawlist, returns the database configuration for
       the modules as module spec strings. (This information can be edited by
       loading new specs using the -rawadd command.)

           modutil -rawlist -dbdir /home/my/sharednssdb
           name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

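       The add-and-verify procedure from the "Adding a Cryptographic Module"
       and "Adding Module Spec" sections above, as an added POSIX shell
       example (not part of the NSS sources or of this man page). It assumes
       modutil is on PATH, that an initialized SQLite database has a
       pkcs11.txt in its directory, and that the -rawlist line for an
       externally added module carries library= and name= pairs as in the
       constructed sample below; the spec_field helper is exercised on that
       sample alone and needs no modutil to run.

```shell
#!/bin/sh
# Added example, not part of the NSS sources or of this man page: add a
# PKCS #11 module to an NSS database from a script and confirm, by reading
# the module database back with -rawlist, that the recorded spec names the
# library you intended.

# spec_field SPEC KEY -> prints the value of KEY in a module spec line, or
# fails if KEY is absent. A module spec is a run of key=value pairs; values
# containing spaces are double-quoted, so that form is tried first. A space
# is prepended to the line so KEY only matches at the start of a pair, not
# as the tail of a longer key (cipherOrder when KEY is Order).
spec_field() {
    sf_val=$(printf ' %s\n' "$1" |
        sed -E -n "s/^.*[[:space:]]$2=\"([^\"]*)\".*$/\1/p")
    if [ -z "$sf_val" ]; then
        sf_val=$(printf ' %s\n' "$1" |
            sed -E -n "s/^.*[[:space:]]$2=([^[:space:]\"]*).*$/\1/p")
    fi
    [ -n "$sf_val" ] || return 1
    printf '%s' "$sf_val"
}

# nss_add_module DBDIR NAME LIBFILE MECHS -> creates the database if needed,
# adds the module, then fails unless -rawlist shows a spec for NAME whose
# library field is exactly LIBFILE. -force suppresses the prompts, so the
# operation must have been run interactively once first (see -force above).
# Assumes modutil is on PATH and that an initialized SQLite database has a
# pkcs11.txt in DBDIR.
nss_add_module() {
    am_dbdir=$1 am_name=$2 am_lib=$3 am_mechs=$4
    [ -r "$am_lib" ] || { echo "library not readable: $am_lib" >&2; return 1; }
    [ -d "$am_dbdir" ] || mkdir -m 700 "$am_dbdir" || return 1
    [ -e "$am_dbdir/pkcs11.txt" ] ||
        modutil -create -dbdir "$am_dbdir" -force || return 1
    modutil -dbdir "$am_dbdir" -add "$am_name" -libfile "$am_lib" \
        -mechanisms "$am_mechs" -force || return 1
    am_spec=$(modutil -dbdir "$am_dbdir" -rawlist | grep -F "name=\"$am_name\"") ||
        { echo "no module spec named $am_name" >&2; return 1; }
    [ "$(spec_field "$am_spec" library)" = "$am_lib" ] ||
        { echo "module spec does not record library $am_lib" >&2; return 1; }
    echo "module $am_name recorded with library $am_lib"
}

# Constructed sample of the -rawlist line for an externally added module;
# the library path and module name are made up for this example, the NSS=
# parameters are those shown for the internal module above.
SAMPLE_SPEC='library=/usr/lib64/pkcs11/libexample.so name="Example PKCS #11 Module" NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,DSA,RANDOM askpw=any timeout=30 ] }"'

# Stand-alone run: the fields nss_add_module relies on, read from the sample.
echo "library: $(spec_field "$SAMPLE_SPEC" library)"
echo "name:    $(spec_field "$SAMPLE_SPEC" name)"
echo "askpw:   $(spec_field "$SAMPLE_SPEC" askpw)"
```

       To use it against a real database, call for example
       nss_add_module /home/my/sharednssdb "Example PKCS #11 Module"
       /tmp/crypto.so RSA:DSA:RC2:RANDOM; the read-back step catches the
       case where the add succeeded but recorded a different path than the
       one intended.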
       Setting a Default Provider for Security Mechanisms

       Multiple security modules may provide support for the same security
       mechanisms. It is possible to set a specific security module as the
       default provider for a specific security mechanism (or, conversely, to
       prohibit a provider from supplying those mechanisms).

           modutil -default modulename -mechanisms mechanism-list

       To set a module as the default provider for mechanisms, use the
       -default command with a colon-separated list of mechanisms. The
       available mechanisms depend on the module; NSS supplies almost all
       common mechanisms. For example:

           modutil -default "NSS Internal PKCS #11 Module" -dbdir c:\databases -mechanisms RSA:DSA:RC2

           Using database directory c:\databases...

           Successfully changed defaults.

       Clearing the default provider has the same format:

           modutil -undefault "NSS Internal PKCS #11 Module" -dbdir c:\databases -mechanisms MD2:MD5

       Enabling and Disabling Modules and Slots

       Modules, and specific slots on modules, can be selectively enabled or
       disabled using modutil. Both commands have the same format:

           modutil -enable|-disable modulename [-slot slotname]

       For example:

           modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services                            " -dbdir .

           Slot "NSS Internal Cryptographic Services                            " enabled.

       Be sure that the appropriate amount of trailing whitespace is after the
       slot name. Some slot names have a significant amount of whitespace that
       must be included, or the operation will fail.

       Enabling and Verifying FIPS Compliance

       The NSS modules can have FIPS 140-2 compliance enabled or disabled
       using modutil with the -fips option. For example:

           modutil -fips true -dbdir /home/my/sharednssdb/

           FIPS mode enabled.

       To verify the status of FIPS mode, run the -chkfips command with the
       mode you expect, true or false. The tool prints the current FIPS
       setting in either case, and the check fails when the actual mode
       differs from the flag given, as in this example:

           modutil -chkfips false -dbdir /home/my/sharednssdb/

           FIPS mode enabled.

       Changing the Password on a Token

       Initializing or changing a token's password:

           modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]

           modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB"

           Enter old password:
           Incorrect password, try again...
           Enter old password:
           Enter new password:
           Re-enter new password:
           Token "NSS Certificate DB" password changed successfully.


JAR INSTALLATION FILE FORMAT

       When a JAR file is run by a server, by modutil, or by any program that
       does not interpret JavaScript, a special information file must be
       included to install the libraries. There are several things to keep in
       mind with this file:

       •   It must be declared in the JAR archive's manifest file.

       •   The script can have any name.

       •   The metainfo tag for this is Pkcs11_install_script. To declare
           meta-information in the manifest file, put it in a file that is
           passed to signtool.

       Sample Script

       For example, the PKCS #11 installer script could be in the file
       pk11install. If so, the metainfo file for signtool includes a line such
       as this:

           + Pkcs11_install_script: pk11install

       The script must define the platform and version number, the module name
       and file, and any optional information like supported ciphers and
       mechanisms. Multiple platforms can be defined in a single install file.

           ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
           Platforms {
              WINNT::x86 {
                 ModuleName { "Example Module" }
                 ModuleFile { win32/fort32.dll }
                 DefaultMechanismFlags{0x0001}
                 CipherEnableFlags{0x0001}
                 Files {
                    win32/setup.exe {
                       Executable
                       RelativePath { %temp%/setup.exe }
                    }
                    win32/setup.hlp {
                       RelativePath { %temp%/setup.hlp }
                    }
                    win32/setup.cab {
                       RelativePath { %temp%/setup.cab }
                    }
                 }
              }
              WIN95::x86 {
                 EquivalentPlatform {WINNT::x86}
              }
              SUNOS:5.5.1:sparc {
                 ModuleName { "Example UNIX Module" }
                 ModuleFile { unix/fort.so }
                 DefaultMechanismFlags{0x0001}
                 CipherEnableFlags{0x0001}
                 Files {
                    unix/fort.so {
                       RelativePath{%root%/lib/fort.so}
                       AbsolutePath{/usr/local/netscape/lib/fort.so}
                       FilePermissions{555}
                    }
                    xplat/instr.html {
                       RelativePath{%root%/docs/inst.html}
                       AbsolutePath{/usr/local/netscape/docs/inst.html}
                       FilePermissions{555}
                    }
                 }
              }
              IRIX:6.2:mips {
                 EquivalentPlatform { SUNOS:5.5.1:sparc }
              }
           }

548
       Script Grammar

       The script uses a small block grammar of lists, key-value pairs,
       strings, and combinations of all of them:

           --> valuelist

           valuelist --> value valuelist
                          <null>

           value --> key_value_pair
                      string

           key_value_pair --> key { valuelist }

           key --> string

           string --> simple_string
                       "complex_string"

           simple_string --> [^ \t\n"{}]+

           complex_string --> ([^"\\\r\n]|(\\")|(\\\\))+

       Quotes and backslashes must be escaped with a backslash. A complex
       string must not include newlines or carriage returns. Outside of
       complex strings, all white space (for example, spaces, tabs, and
       carriage returns) is considered equal and is used only to delimit
       tokens.

       Keys

       The install file uses keys to define the platform and module
       information.

       ForwardCompatible gives a list of platforms that are forward
       compatible. If the current platform cannot be found in the list of
       supported platforms, then the ForwardCompatible list is checked for any
       platforms that have the same OS and architecture in an earlier version.
       If one is found, its attributes are used for the current platform.

588
       Platforms (required) gives a list of platforms. Each entry in the list
       is itself a key-value pair: the key is the name of the platform and the
       value list contains various attributes of the platform. The platform
       string is in the format system name:OS release:architecture. The
       installer obtains these values from NSPR. OS release is an empty string
       on non-Unix operating systems. NSPR supports these platforms:

       •   AIX (rs6000)

       •   BSDI (x86)

       •   FREEBSD (x86)

       •   HPUX (hppa1.1)

       •   IRIX (mips)

       •   LINUX (ppc, alpha, x86)

       •   MacOS (PowerPC)

       •   NCR (x86)

       •   NEC (mips)

       •   OS2 (x86)

       •   OSF (alpha)

       •   ReliantUNIX (mips)

       •   SCO (x86)

       •   SOLARIS (sparc)

       •   SONY (mips)

       •   SUNOS (sparc)

       •   UnixWare (x86)

       •   WIN16 (x86)

       •   WIN95 (x86)

       •   WINNT (x86)

       For example:

           IRIX:6.2:mips
           SUNOS:5.5.1:sparc
           Linux:2.0.32:x86
           WIN95::x86

       The module information is defined independently for each platform in
       the ModuleName, ModuleFile, and Files attributes. These attributes must
       be given unless an EquivalentPlatform attribute is specified.

       Per-Platform Keys

       Per-platform keys have meaning only within the value list of an entry
       in the Platforms list.

       ModuleName (required) gives the common name for the module. This name
       is used to reference the module by servers and by the modutil tool.

       ModuleFile (required) names the PKCS #11 module file for this platform.
       The name is given as the relative path of the file within the JAR
       archive.

       Files (required) lists the files that need to be installed for this
       module. Each entry in the file list is a key-value pair. The key is the
       path of the file in the JAR archive, and the value list contains
       attributes of the file. At least RelativePath or AbsolutePath must be
       specified for each file.

       DefaultMechanismFlags specifies mechanisms for which this module is the
       default provider; this is equivalent to the -mechanisms argument with
       the -add command. This key-value pair is a bitstring specified in
       hexadecimal (0x) format. It is constructed as a bitwise OR of the
       values below. If the DefaultMechanismFlags entry is omitted, the value
       defaults to 0x0.

           RSA:                   0x00000001
           DSA:                   0x00000002
           RC2:                   0x00000004
           RC4:                   0x00000008
           DES:                   0x00000010
           DH:                    0x00000020
           FORTEZZA:              0x00000040
           RC5:                   0x00000080
           SHA1:                  0x00000100
           MD5:                   0x00000200
           MD2:                   0x00000400
           RANDOM:                0x08000000
           FRIENDLY:              0x10000000
           OWN_PW_DEFAULTS:       0x20000000
           DISABLE:               0x40000000

686
       CipherEnableFlags specifies ciphers that this module provides that NSS
       does not provide (so that the module enables those ciphers for NSS).
       This is equivalent to the -ciphers argument with the -add command. This
       key is a bitstring specified in hexadecimal (0x) format. It is
       constructed as a bitwise OR. If the CipherEnableFlags entry is omitted,
       the value defaults to 0x0.

       EquivalentPlatform specifies that the attributes of the named platform
       should also be used for the current platform. This makes it easier when
       more than one platform uses the same settings.

       Per-File Keys

       Some keys have meaning only within the value list of an entry in a
       Files list.

       Each file requires a path key that identifies where the file is. Either
       RelativePath or AbsolutePath must be specified. If both are specified,
       the relative path is tried first, and the absolute path is used only if
       no relative root directory is provided by the installer program.

       RelativePath specifies the destination directory of the file, relative
       to some directory decided at install time. Two variables can be used in
       the relative path: %root% and %temp%.  %root% is replaced at run time
       with the directory relative to which files should be installed; for
       example, it may be the server's root directory. The %temp% directory is
       created at the beginning of the installation and destroyed at the end.
       The purpose of %temp% is to hold executable files (such as setup
       programs) or files that are used by these programs. Files destined for
       the temporary directory are guaranteed to be in place before any
       executable file is run; they are not deleted until all executable files
       have finished.

       AbsolutePath specifies the destination directory of the file as an
       absolute path.

       Executable specifies that the file is to be executed during the course
       of the installation. Typically, this string is used for a setup program
       provided by a module vendor, such as a self-extracting setup
       executable. More than one file can be specified as executable, in which
       case the files are run in the order in which they are specified in the
       script file. These programs run with the privileges of the user
       performing the installation, so install only JAR files whose signer
       you trust.

       FilePermissions sets permissions on any referenced files in a string of
       octal digits, according to the standard Unix format. This string is a
       bitwise OR.

           user read:                0400
           user write:               0200
           user execute:             0100
           group read:               0040
           group write:              0020
           group execute:            0010
           other read:               0004
           other write:              0002
           other execute:            0001

       Some platforms may not understand these permissions. They are applied
       only insofar as they make sense for the current platform. If this
       attribute is omitted, a default of 777 is assumed, which leaves the
       installed files world-writable; give each file an explicit
       FilePermissions value (555 for libraries and documentation, as in the
       sample script above).


NSS DATABASE TYPES

       NSS originally used BerkeleyDB databases to store security information.
       The last versions of these legacy databases are:

       •   cert8.db for certificates

       •   key3.db for keys

       •   secmod.db for PKCS #11 module information

       BerkeleyDB has performance limitations, though, which prevent it from
       being easily used by multiple applications simultaneously. NSS has some
       flexibility that allows applications to use their own, independent
       database engine while keeping a shared database and working around the
       access issues. Still, NSS requires more flexibility to provide a truly
       shared security database.

       In 2009, NSS introduced a new set of databases that are SQLite
       databases rather than BerkeleyDB. These new databases provide more
       accessibility and performance:

       •   cert9.db for certificates

       •   key4.db for keys

       •   pkcs11.txt, a plain-text file in the same database directory that
           lists all of the PKCS #11 modules

       Because the SQLite databases are designed to be shared, these are the
       shared database type. The shared database type is preferred; the legacy
       format is included for backward compatibility.

       By default, the tools (certutil, pk12util, modutil) assume that the
       given security databases use the SQLite type.

       For how to configure applications to use the shared databases, see the
       NSS wiki:

           https://wiki.mozilla.org/NSS_Shared_DB_Howto

       For an engineering draft on the changes in the shared NSS databases,
       see the NSS project wiki:

           https://wiki.mozilla.org/NSS_Shared_DB


SEE ALSO

       certutil (1)

       pk12util (1)

       signtool (1)

       The NSS wiki has information on the new database design and how to
       configure applications to use it.

           https://wiki.mozilla.org/NSS_Shared_DB_Howto

           https://wiki.mozilla.org/NSS_Shared_DB


ADDITIONAL RESOURCES

       For information about NSS and other tools related to NSS (like JSS),
       check out the NSS project wiki at
       http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates
       directly to NSS code changes and releases.

       Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

       IRC: Freenode at #dogtag-pki


AUTHORS

       The NSS tools were written and maintained by developers with Netscape,
       Red Hat, Sun, Oracle, Mozilla, and Google.

       Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
       <dlackey@redhat.com>.


LICENSE

       Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL
       was not distributed with this file, You can obtain one at
       http://mozilla.org/MPL/2.0/.


NOTES

        1. Mozilla NSS bug 836477
           https://bugzilla.mozilla.org/show_bug.cgi?id=836477



nss-tools                       11 January 2023                     MODUTIL(1)