[Pki-users] How to setup PKI CA to ask for passwords at startup?

Ade Lee alee at redhat.com
Wed Aug 26 19:06:03 UTC 2015


Aleksey, 
password prompting in CS 8.1 worked because of a utility program called
nuxwdog which would prompt for passwords.
We have done some work to get nuxwdog working with the latest Dogtag
code, but there is some setup required.
Fortunately, all that setup has been encapsulated in the pki-server
utility.
For details, see man pki-server, man pki-server-instance and man pki-server-nuxwdog.
The specific command would be:
pki-server instance-nuxwdog-enable <instance_id ie. pki-tomcat>
You should then be prompted for the passwords, and can remove your
password.conf file.
Ade
On Wed, 2015-08-26 at 21:49 +0300, Aleksey Chudov wrote:
> I'm looking at removing at least the NSS password, but removing both the NSS and 389
> passwords would be better.
> 
> Actually PKI prompts for password but I don't see the prompt because
> of systemd.
> 
> To reproduce
> 
> systemctl stop pki-tomcatd@pki-tomcat.service
> sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf
> systemctl start pki-tomcatd@pki-tomcat.service
> 
> /var/log/messages
> Aug 26 21:37:33 srv333 server[8889]: Enter password for Internal Key Storage Token
> 
> /var/log/pki/pki-tomcat/ca/debug
> [26/Aug/2015:21:37:52][localhost-startStop-1]: Got token Internal Key Storage Token by name
> [26/Aug/2015:21:37:52][localhost-startStop-1]: SigningUnit init: debug org.mozilla.jss.util.IncorrectPasswordException
> Invalid Password
>         at com.netscape.ca.SigningUnit.init(SigningUnit.java:192)
>         at com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)
>         at com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
>         at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
>         at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)
>         at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>         at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
>         at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>         at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>         at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>         at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>         at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>         at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>         at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>         at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>         at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>         at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>         at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>         at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>         at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>         at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
> [26/Aug/2015:21:37:52][localhost-startStop-1]: CMSEngine.shutdown()
> 
> 
> On Wed, Aug 26, 2015 at 8:09 PM, Dave Sirrine <dsirrine at redhat.com> wrote:
> > Aleksey,
> > Did removing the password from the file not cause the system to
> > prompt you for the password at startup? Also, are you looking at
> > doing both NSS and 389 passwords?
> > -- David
> > On Aug 26, 2015 5:58 AM, "Aleksey Chudov" <aleksey.chudov at gmail.com> wrote:
> > > Hi,
> > > 
> > > The password.conf file stores system passwords in plaintext, and
> > > I prefer to enter system passwords manually and to remove the
> > > password file.
> > > 
> > > I have found the original documentation
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html,
> > > but it is for an older version of PKI and does not work with systemd.
> > > 
> > > How to set up PKI CA to ask for the NSS DB password at startup?
> > > 
> > > Package versions (I have rebuilt F22 packages for CentOS 7):
> > > # rpm -qa | grep pki
> > > pki-base-10.2.5-1.el7.centos.noarch
> > > pki-server-10.2.5-1.el7.centos.noarch
> > > dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
> > > pki-ca-10.2.5-1.el7.centos.noarch
> > > pki-tools-10.2.5-1.el7.centos.x86_64
> > > dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch
> > > 
> > > Aleksey
> > > 
> > > _______________________________________________
> > > Pki-users mailing list
> > > Pki-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-users
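A small audit script for the password.conf discussed in this thread, added here as an example (it is not from the thread or from pki-server): it lists which token passwords are still stored in plaintext, checks the file mode, and treats an absent file as the intended end state once nuxwdog prompts for the passwords at startup. It assumes the key=value layout shown above ("internal=<password>"); any sample entries are constructed.

```shell
#!/bin/sh
# Audit a Dogtag instance's password.conf for plaintext token passwords.
# Added example for this thread, not code from pki-server or from the thread.
# Assumes the key=value layout seen in the thread ("internal=<password>").

# List the names (left of '=') of every password entry, skipping blank
# lines and '#' comments. Prints nothing if the file does not exist.
password_conf_keys() {
    conf="$1"
    [ -f "$conf" ] || return 0
    grep -v '^[[:space:]]*#' "$conf" | grep '=' | cut -d= -f1 | sed 's/[[:space:]]*$//'
}

# Succeed (0) only when no plaintext password for TOKEN remains in CONF.
token_password_absent() {
    conf="$1"; token="$2"
    password_conf_keys "$conf" | grep -qx "$token" && return 1
    return 0
}

# Succeed only when group and others have no access (mode 600 or tighter).
password_conf_mode_ok() {
    conf="$1"
    [ -f "$conf" ] || return 1
    case "$(ls -ld "$conf" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print every finding; return 1 if any. A missing file is the intended end
# state once nuxwdog prompts for the passwords at startup.
audit_password_conf() {
    conf="$1"; status=0
    if [ ! -f "$conf" ]; then
        echo "$conf absent: passwords must be supplied at startup (nuxwdog)"
        return 0
    fi
    for key in $(password_conf_keys "$conf"); do
        echo "plaintext password present for token: $key"; status=1
    done
    password_conf_mode_ok "$conf" || { echo "$conf is readable by group/others"; status=1; }
    return $status
}

# Usage: sh audit.sh /etc/pki/pki-tomcat/password.conf
if [ $# -gt 0 ]; then
    audit_password_conf "$1"
fi
```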