[Pki-users] How to setup PKI CA to ask for passwords at startup?

Aleksey Chudov aleksey.chudov at gmail.com
Wed Aug 26 18:49:44 UTC 2015 

I'm looking at removing at least nss password but both nss and 389
passwords will be better.

Actually PKI prompts for password but I don't see the prompt because of
systemd.

To reproduce

systemctl stop pki-tomcatd at pki-tomcat.service
sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf
systemctl start pki-tomcatd at pki-tomcat.service

/var/log/messages
Aug 26 21:37:33 srv333 server[8889]: Enter password for Internal Key
Storage Token

/var/log/pki/pki-tomcat/ca/debug
[26/Aug/2015:21:37:52][localhost-startStop-1]: Got token Internal Key
Storage Token by name
[26/Aug/2015:21:37:52][localhost-startStop-1]: SigningUnit init: debug
org.mozilla.jss.util.IncorrectPasswordException
Invalid Password
        at com.netscape.ca.SigningUnit.init(SigningUnit.java:192)
        at
com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)
        at
com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)
        at
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
        at
com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
        at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)
        at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
        at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
        at
com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
        at javax.servlet.GenericServlet.init(GenericServlet.java:158)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
        at
org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
        at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
        at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
        at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
        at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
        at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
        at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
        at
org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
        at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask.run(FutureTask.java:262)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
[26/Aug/2015:21:37:52][localhost-startStop-1]: CMSEngine.shutdown()


On Wed, Aug 26, 2015 at 8:09 PM, Dave Sirrine <dsirrine at redhat.com> wrote:

> Aleksey,
>
> Did removing the password from the file not cause the system to prompt you
> for the password at startup. Also, are you looking at doing both nss and
> 389 passwords?
>
> -- David
> On Aug 26, 2015 5:58 AM, "Aleksey Chudov" <aleksey.chudov at gmail.com>
> wrote:
>
>> Hi,
>>
>> The password.conf file stores system passwords in plaintext, and I
>> prefer to enter system passwords manually and to remove the password file.
>>
>> I have found original documentation
>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html.
>> But it is for older version on PKI and does not work with systemd.
>>
>> How to setup PKI CA to ask for NSS DB password at startup?
>>
>> Packages versions (I have rebuilt F22 packages for CentOS 7):
>> # rpm -qa | grep pki
>> pki-base-10.2.5-1.el7.centos.noarch
>> pki-server-10.2.5-1.el7.centos.noarch
>> dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
>> pki-ca-10.2.5-1.el7.centos.noarch
>> pki-tools-10.2.5-1.el7.centos.x86_64
>> dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch
>>
>> Aleksey
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150826/8ff633fb/attachment.htm>

More information about the Pki-users mailing list