<div dir="ltr">I'm looking at removing at least the NSS password, but removing both the NSS and 389 passwords would be better.<br><div><div><br>Actually, PKI prompts for the password, but I don't see the prompt because of systemd.<br><div><br>To reproduce:<br><br><code>systemctl stop pki-tomcatd@pki-tomcat.service</code><br><code>sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf</code><br><code>systemctl start pki-tomcatd@pki-tomcat.service</code><br><div><br></div><div><code>/var/log/messages</code><br></div><div>Aug 26 21:37:33 srv333 server[8889]: Enter password for Internal Key Storage Token<br></div><div><br><code>/var/log/pki/pki-tomcat/ca/debug</code><br>[26/Aug/2015:21:37:52][localhost-startStop-1]: Got token Internal Key Storage Token by name<br>[26/Aug/2015:21:37:52][localhost-startStop-1]: SigningUnit init: debug org.mozilla.jss.util.IncorrectPasswordException<br>Invalid Password<br>        at com.netscape.ca.SigningUnit.init(SigningUnit.java:192)<br>        at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)<br>        at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)<br>        at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)<br>        at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)<br>        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)<br>        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)<br>        at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)<br>        at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)<br>        at javax.servlet.GenericServlet.init(GenericServlet.java:158)<br>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)<br>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>        at java.lang.reflect.Method.invoke(Method.java:606)<br>        at 
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)<br>        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)<br>        at java.security.AccessController.doPrivileged(Native Method)<br>        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)<br>        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)<br>        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)<br>        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)<br>        at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)<br>        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)<br>        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)<br>        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)<br>        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)<br>        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)<br>        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)<br>        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)<br>        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)<br>        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)<br>        at java.security.AccessController.doPrivileged(Native Method)<br>        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)<br>        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)<br>        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)<br>        at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)<br>        at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)<br>        at java.util.concurrent.FutureTask.run(FutureTask.java:262)<br>        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<br>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<br>        at java.lang.Thread.run(Thread.java:745)<br>[26/Aug/2015:21:37:52][localhost-startStop-1]: CMSEngine.shutdown()<br><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 26, 2015 at 8:09 PM, Dave Sirrine <span dir="ltr"><<a href="mailto:dsirrine@redhat.com" target="_blank">dsirrine@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><p dir="ltr">Aleksey, </p>
<p dir="ltr">Did removing the password from the file not cause the system to prompt you for the password at startup? Also, are you looking at doing both NSS and 389 passwords? </p>
<p dir="ltr">-- David </p>
<div class="gmail_quote"><div><div>On Aug 26, 2015 5:58 AM, "Aleksey Chudov" <<a href="mailto:aleksey.chudov@gmail.com" target="_blank">aleksey.chudov@gmail.com</a>> wrote:<br type="attribution"></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div><div dir="ltr">Hi,<br><div><br>The <code>password.conf</code> file stores system 
passwords in plaintext, and I prefer to enter system 
passwords manually and to remove the password file.
                        <br><br></div><div>I have found the original documentation <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html</a>, but it is for an older version of PKI and does not work with systemd.<br></div><div><br>How do I set up the PKI CA to ask for the NSS DB password at startup?<br><br>Package versions (I have rebuilt the F22 packages for CentOS 7):<br># rpm -qa | grep pki<br>pki-base-10.2.5-1.el7.centos.noarch<br>pki-server-10.2.5-1.el7.centos.noarch<br>dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch<br>pki-ca-10.2.5-1.el7.centos.noarch<br>pki-tools-10.2.5-1.el7.centos.x86_64<br>dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch<br><br></div>Aleksey<br></div>
<br></div></div>_______________________________________________<br>
Pki-users mailing list<br>
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br></blockquote></div>
</blockquote></div><br></div></div></div></div></div></div>
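<p>As an added example that is not part of this thread and not Dogtag's own code: a small POSIX shell helper for auditing a pki-tomcat <code>password.conf</code> before and after the <code>sed -i.bak '/internal=/d'</code> step above, so you can confirm which token passwords are still stored on disk (without printing them), that the remaining file is owner-only readable, and that the <code>.bak</code> copy left behind by <code>sed</code> does not keep the removed password around. It assumes the <code>key=value</code> line format implied by that <code>sed</code> command, that <code>internal</code> is the NSS internal token entry (as in the thread) and <code>internaldb</code> the 389 DS bind entry (an assumption), that the file is owned by <code>pki-tomcat</code> on a stock install (an assumption), and GNU <code>stat</code>.</p>

```shell
#!/bin/sh
# Added example: not code from the pki-users thread or from Dogtag PKI.
# Audits a pki-tomcat password.conf ("key=value" per line) without ever
# printing the stored values.
# Assumptions: "internal" is the NSS internal token entry (as in the
# thread's sed command); "internaldb" is the 389 DS bind password entry;
# a stock install owns the file as user "pki-tomcat"; GNU stat is present.

# List the keys that still carry a non-empty value, one per line.
# Blank lines, comments and keys with an empty value are skipped.
list_stored_passwords() {
    sed -n 's/^[[:space:]]*\([^#=][^=]*\)=\(.\{1,\}\)$/\1/p' "$1"
}

# Succeed (exit 0) only when no "internal=" entry is left in the file,
# i.e. the NSS token password is no longer stored on disk.
nss_password_removed() {
    ! grep -q '^[[:space:]]*internal=' "$1"
}

# Succeed only when the file is owned by "$2" and has mode 0600, so any
# entries that remain (e.g. internaldb) are not group/world readable.
perms_ok() {
    f_owner=$(stat -c '%U' "$1") || return 1
    f_mode=$(stat -c '%a' "$1") || return 1
    [ "$f_owner" = "$2" ] && [ "$f_mode" = "600" ]
}

# Combined check to run after the thread's sed step. Reports to stderr and
# returns 0 only if the NSS entry is gone, permissions are tight, and no
# sed backup copy of the file is lying around.
audit_password_conf() {
    file=$1
    expected_owner=${2:-pki-tomcat}
    rc=0
    echo "stored entries in $file:" >&2
    list_stored_passwords "$file" | sed 's/^/  /' >&2
    if nss_password_removed "$file"; then
        echo "ok: no internal= (NSS token) entry stored" >&2
    else
        echo "FAIL: internal= still present" >&2; rc=1
    fi
    if perms_ok "$file" "$expected_owner"; then
        echo "ok: owned by $expected_owner, mode 600" >&2
    else
        echo "FAIL: expected owner $expected_owner and mode 600" >&2; rc=1
    fi
    # "sed -i.bak" leaves a backup that still holds the removed password.
    if [ -f "$file.bak" ]; then
        echo "WARN: $file.bak still exists and contains the removed entry" >&2; rc=1
    fi
    return $rc
}
```

<p>Usage: source the file and run <code>audit_password_conf /etc/pki/pki-tomcat/password.conf pki-tomcat</code> after the <code>sed</code> step; it exits non-zero while <code>internal=</code> is still present, while the file is readable by anyone but its owner, or while <code>password.conf.bak</code> still exists. Whether the service then starts is a separate question, since the prompt shown in the thread goes to the journal rather than to a terminal.</p>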