<div dir="ltr">Certainly <a href="https://fedorahosted.org/pki/ticket/1602">https://fedorahosted.org/pki/ticket/1602</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 2, 2015 at 11:47 PM, Matthew Harmsen <span dir="ltr"><<a href="mailto:mharmsen@redhat.com" target="_blank">mharmsen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Aleksey,<br>
<br>
Thanks for the instruction.<br>
<br>
Would you be willing to file a PKI TRAC Ticket on this:<br>
<ul>
<li><a href="https://fedorahosted.org/pki/newticket" target="_blank">https://fedorahosted.org/pki/newticket</a></li>
</ul>
<p>In general, we triage these tickets on a weekly basis and
assign them to an appropriate release.<br>
</p>
<p>For this specific ticket, although an actual fix may be a ways
off, we generally try to get this type of information documented
as a workaround in the near term.<br>
</p>
<p>Thanks,<br>
-- Matt<br>
</p><div><div class="h5">
On 09/02/15 02:43, Aleksey Chudov wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>Below is a quick instruction on how to run pki-tomcatd-nuxwdog@pki-tomcat.service as pkiuser:pkiuser, in case it is useful for someone.<br>
<br>
<pre># stop the instance while it still runs as root
systemctl stop pki-tomcatd-nuxwdog@pki-tomcat.service

# let pkiuser write password requests into systemd's ask-password directory
groupadd -r systemd-ask-password
usermod -a -G systemd-ask-password pkiuser
echo "d /run/systemd/ask-password 0775 root systemd-ask-password -" > /etc/tmpfiles.d/systemd-ask-password.conf
/usr/bin/systemd-tmpfiles --create systemd-ask-password.conf

# unit drop-in that switches the nuxwdog unit from root:root to pkiuser:pkiuser
mkdir /etc/systemd/system/pki-tomcatd-nuxwdog@.service.d/
cat << EOF > /etc/systemd/system/pki-tomcatd-nuxwdog@.service.d/override.conf
[Service]
User=pkiuser
Group=pkiuser
EOF
systemctl daemon-reload

# the instance, log and config trees must be owned by the new service user
find /var/lib/pki/ /var/log/pki/ /etc/pki/pki-*/ -exec chown pkiuser:pkiuser {} +

systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service</pre>
<br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 2, 2015 at 11:05 AM,
Aleksey Chudov <span dir="ltr"><<a href="mailto:aleksey.chudov@gmail.com" target="_blank">aleksey.chudov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">One big difference in starting PKI under nuxwdog control is that pki-tomcatd@pki-tomcat.service starts PKI as pkiuser:pkiuser, but pki-tomcatd-nuxwdog@pki-tomcat.service starts PKI as root:root. Running PKI as the root user is a bad idea.
<div>
<div><br>
<br>
<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 27, 2015 at
2:33 PM, Aleksey Chudov <span dir="ltr"><<a href="mailto:aleksey.chudov@gmail.com" target="_blank">aleksey.chudov@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>To begin with, I have updated to version 10.2.6 from F22 testing to get the pki-server man pages.<br>
<br>
Enabling nuxwdog solves the problem. Thank you!<br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 26,
2015 at 10:06 PM, Ade Lee <span dir="ltr"><<a href="mailto:alee@redhat.com" target="_blank">alee@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>Aleksey, </div>
<div><br>
</div>
<div>Password prompting in CS 8.1 worked because of a utility program called nuxwdog which would prompt for passwords.</div>
<div><br>
</div>
<div>We have done some work to get
nuxwdog working with the latest
Dogtag code, but there is some
setup required.</div>
<div>Fortunately, all that setup has
been encapsulated in the
pki-server utility.</div>
<div><br>
</div>
<div>For details, see man pki-server, man pki-server-instance and man pki-server-nuxwdog.</div>
<div><br>
</div>
<div>The specific command would be:</div>
<div><code>pki-server instance-nuxwdog-enable &lt;instance_id i.e. pki-tomcat&gt;</code></div>
<div><br>
</div>
<div>You should then be prompted for
the passwords, and can remove your
password.conf file.</div>
<span><font color="#888888">
<div><br>
</div>
<div>Ade</div>
</font></span>
<div>
<div>
<div>On Wed, 2015-08-26 at 21:49
+0300, Aleksey Chudov wrote:</div>
<blockquote type="cite">
<div dir="ltr">I'm looking at removing at least the NSS password, but removing both the NSS and 389 passwords would be better.<br>
<div>
<div><br>
Actually, PKI prompts for the password, but I don't see the prompt because of systemd.<br>
<div><br>
To reproduce:<br>
<pre>systemctl stop pki-tomcatd@pki-tomcat.service
sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf
systemctl start pki-tomcatd@pki-tomcat.service</pre>
<div>/var/log/messages<br>
</div>
<pre>Aug 26 21:37:33 srv333 server[8889]: Enter password for Internal Key Storage Token</pre>
<div><br>
/var/log/pki/pki-tomcat/ca/debug<br>
<pre>[26/Aug/2015:21:37:52][localhost-startStop-1]: Got token Internal Key Storage Token by name
[26/Aug/2015:21:37:52][localhost-startStop-1]: SigningUnit init: debug org.mozilla.jss.util.IncorrectPasswordException
Invalid Password
    at com.netscape.ca.SigningUnit.init(SigningUnit.java:192)
    at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)
    at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
[26/Aug/2015:21:37:52][localhost-startStop-1]: CMSEngine.shutdown()</pre>
<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Wed, Aug 26,
2015 at 8:09 PM,
Dave Sirrine <span dir="ltr"><<a href="mailto:dsirrine@redhat.com" target="_blank">dsirrine@redhat.com</a>></span>
wrote:<br>
<blockquote type="cite">
<p dir="ltr">Aleksey,
</p>
<p dir="ltr">Did removing the password from the file not cause the system to prompt you for the password at startup? Also, are you looking at doing both NSS and 389 passwords? </p>
<p dir="ltr">--
David </p>
<div class="gmail_quote">
<div>
<div>On Aug
26, 2015 5:58
AM, "Aleksey
Chudov" <<a href="mailto:aleksey.chudov@gmail.com" target="_blank">aleksey.chudov@gmail.com</a>>
wrote:<br type="attribution">
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">Hi,<br>
<div><br>
The <code>password.conf</code> file stores system passwords in plaintext, and I prefer to enter the system passwords manually and to remove the password file.
<br>
<br>
</div>
<div>I have found the original documentation at <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html</a>. But it is for an older version of PKI and does not work with systemd.<br>
</div>
<div><br>
How do I set up the PKI CA to ask for the NSS DB password at startup?<br>
<br>
Package versions (I have rebuilt the F22 packages for CentOS 7):<br>
<pre># rpm -qa | grep pki
pki-base-10.2.5-1.el7.centos.noarch
pki-server-10.2.5-1.el7.centos.noarch
dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
pki-ca-10.2.5-1.el7.centos.noarch
pki-tools-10.2.5-1.el7.centos.x86_64
dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch</pre>
<br>
</div>
Aleksey<br>
</div>
<br>
</div>
</div>
_______________________________________________<br>
Pki-users
mailing list<br>
<a href="mailto:Pki-users@redhat.com" target="_blank">Pki-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br>
</blockquote>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
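<p>Added example, not code from this thread or from the Dogtag project: the file-writing steps of Aleksey's instruction in the quoted thread (the tmpfiles.d entry for /run/systemd/ask-password and the [Service] drop-in for pki-tomcatd-nuxwdog@.service) packaged as POSIX shell functions that take a filesystem root, so the generated files can be produced in a scratch directory and inspected before they are placed on the live system, plus two checks for the point the thread makes, that the nuxwdog unit must end up running as pkiuser rather than root. The function names are hypothetical; the unit name, group name, modes and paths are the ones from the thread, and the groupadd/usermod/chown/daemon-reload steps are left exactly as the instruction gives them.</p>

```sh
# Added example (not from the thread or the Dogtag project). Function names are
# hypothetical; unit name, group name and paths come from Aleksey's instruction.

UNIT_DIR='etc/systemd/system/pki-tomcatd-nuxwdog@.service.d'
TMPFILES='etc/tmpfiles.d/systemd-ask-password.conf'

# Write the tmpfiles.d entry and the [Service] drop-in below "$root"
# ("" for the live system, a scratch directory for a dry run).
write_nuxwdog_drop_in() {
    root="$1"; user="${2:-pkiuser}"; group="${3:-pkiuser}"
    mkdir -p "$root/etc/tmpfiles.d" "$root/$UNIT_DIR"
    # 0775 root:systemd-ask-password: members of that group (pkiuser, after
    # usermod -a -G) can create password requests without being root.
    printf 'd /run/systemd/ask-password 0775 root systemd-ask-password -\n' \
        > "$root/$TMPFILES"
    printf '[Service]\nUser=%s\nGroup=%s\n' "$user" "$group" \
        > "$root/$UNIT_DIR/override.conf"
}

# Print the User= configured in the drop-in (prints nothing if there is none).
drop_in_user() {
    f="$1/$UNIT_DIR/override.conf"
    [ -f "$f" ] && sed -n 's/^User=//p' "$f"
}

# Effective UID from a /proc/<pid>/status file ("Uid: real effective saved fs").
proc_status_euid() {
    awk '/^Uid:/ { print $3 }' "$1"
}

# Live check: the unit's main process must carry the expected user's UID.
# Needs systemctl and /proc, so it is not part of the offline checks.
verify_service_user() {
    unit="$1"; expected="$2"
    pid=$(systemctl show -p MainPID "$unit" | cut -d= -f2)
    [ "${pid:-0}" -gt 0 ] || { echo "$unit has no main PID" >&2; return 1; }
    [ "$(proc_status_euid "/proc/$pid/status")" = "$(id -u "$expected")" ]
}

# Live check: the ask-password directory matches the tmpfiles.d entry.
verify_ask_password_dir() {
    [ "$(stat -c '%a %U %G' "${1:-/run/systemd/ask-password}")" = \
      "775 root systemd-ask-password" ]
}

# Usage on the live system, as root, after the commands from the thread:
#   write_nuxwdog_drop_in "" && systemctl daemon-reload
#   verify_service_user pki-tomcatd-nuxwdog@pki-tomcat.service pkiuser && echo "runs as pkiuser"
#   verify_ask_password_dir && echo "ask-password directory ok"
```

<p>The dry run is the useful part for review: calling <code>write_nuxwdog_drop_in /tmp/scratch</code> produces the two files under /tmp/scratch, where they can be diffed against what the instruction's echo and heredoc would have written, and <code>verify_service_user</code> answers the thread's actual question (does the service still start as root?) from the process's effective UID instead of from the unit file alone.</p>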