[Pki-users] How to setup PKI CA to ask for passwords at startup?
Matthew Harmsen
mharmsen at redhat.com
Wed Sep 2 20:47:55 UTC 2015
Aleksey,
Thanks for the instruction.
Would you be willing to file a PKI TRAC Ticket on this:
* https://fedorahosted.org/pki/newticket
In general, we triage these tickets on a weekly basis, and assign it to
an appropriate release.
For this specific ticket, although an actual fix may be a ways off, we
generally try to get this type of information documented as a workaround
in the near term.
Thanks,
-- Matt
On 09/02/15 02:43, Aleksey Chudov wrote:
> Below is quick instruction of how to run
> pki-tomcatd-nuxwdog at pki-tomcat.service as pkiuser:pkiuser in case it
> will be useful for someone
>
>
> systemctl stop pki-tomcatd-nuxwdog at pki-tomcat.service
>
> groupadd -r systemd-ask-password
>
> usermod -a -G systemd-ask-password pkiuser
>
> echo "d /run/systemd/ask-password 0775 root systemd-ask-password -" >
> /etc/tmpfiles.d/systemd-ask-password.conf
>
> /usr/bin/systemd-tmpfiles --create systemd-ask-password.conf
>
> mkdir /etc/systemd/system/pki-tomcatd-nuxwdog at .service.d/
>
> cat << EOF >
> /etc/systemd/system/pki-tomcatd-nuxwdog at .service.d/override.conf
> [Service]
> User=pkiuser
> Group=pkiuser
> EOF
>
> systemctl daemon-reload
>
> find /var/lib/pki/ /var/log/pki/ /etc/pki/pki-*/ -exec chown
> pkiuser:pkiuser {} +
>
> systemctl start pki-tomcatd-nuxwdog at pki-tomcat.service
>
>
>
>
> On Wed, Sep 2, 2015 at 11:05 AM, Aleksey Chudov
> <aleksey.chudov at gmail.com <mailto:aleksey.chudov at gmail.com>> wrote:
>
> One big difference in starting PKI under nuxwdog control is that
> pki-tomcatd at pki-tomcat.service starts PKI as pkiuser:pkiuser but
> pki-tomcatd-nuxwdog at pki-tomcat.service starts PKI as root:root.
> Running PKI as root user is bad idea.
>
>
>
>
> On Thu, Aug 27, 2015 at 2:33 PM, Aleksey Chudov
> <aleksey.chudov at gmail.com <mailto:aleksey.chudov at gmail.com>> wrote:
>
> To begin with I have updated to version 10.2.6 from F22
> testing to get pki-server man pages.
>
> Enabling nuxwdog solves the problem. Thank you!
>
> On Wed, Aug 26, 2015 at 10:06 PM, Ade Lee <alee at redhat.com
> <mailto:alee at redhat.com>> wrote:
>
> Aleksey,
>
> password prompting in CS 8.1 worked because of a utility
> program called nuxwdog which would prompt for passwords.
>
> We have done some work to get nuxwdog working with the
> latest Dogtag code, but there is some setup required.
> Fortunately, all that setup has been encapsulated in the
> pki-server utility.
>
> For details, man pki-server , man pki-server-instance and
> man pki-server-nuxwdog.
>
> The specific command would be:
> pki-server instance-nuxwdog-enable <instance_id ie.
> pki-tomcat>
>
> You should then be prompted for the passwords, and can
> remove your password.conf file.
>
> Ade
> On Wed, 2015-08-26 at 21:49 +0300, Aleksey Chudov wrote:
>> I'm looking at removing at least nss password but both
>> nss and 389 passwords will be better.
>>
>> Actually PKI prompts for password but I don't see the
>> prompt because of systemd.
>>
>> To reproduce
>>
>> systemctl stop pki-tomcatd at pki-tomcat.service
>> sed -i.bak '/internal=/d' /etc/pki/pki-tomcat/password.conf
>> systemctl start pki-tomcatd at pki-tomcat.service
>>
>> /var/log/messages
>> Aug 26 21:37:33 srv333 server[8889]: Enter password for
>> Internal Key Storage Token
>>
>> /var/log/pki/pki-tomcat/ca/debug
>> [26/Aug/2015:21:37:52][localhost-startStop-1]: Got token
>> Internal Key Storage Token by name
>> [26/Aug/2015:21:37:52][localhost-startStop-1]:
>> SigningUnit init: debug
>> org.mozilla.jss.util.IncorrectPasswordException
>> Invalid Password
>> at
>> com.netscape.ca.SigningUnit.init(SigningUnit.java:192)
>> at
>> com.netscape.ca.CertificateAuthority.initSigUnit(CertificateAuthority.java:1229)
>> at
>> com.netscape.ca.CertificateAuthority.init(CertificateAuthority.java:342)
>> at
>> com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1107)
>> at
>> com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1013)
>> at
>> com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:520)
>> at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1601)
>> at
>> com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>> at
>> javax.servlet.GenericServlet.init(GenericServlet.java:158)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:606)
>> at
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
>> at
>> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
>> at
>> java.security.AccessController.doPrivileged(Native Method)
>> at
>> javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
>> at
>> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
>> at
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
>> at
>> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:123)
>> at
>> org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1272)
>> at
>> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1197)
>> at
>> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1087)
>> at
>> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5210)
>> at
>> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5493)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>> at
>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>> at
>> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>> at
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>> at
>> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>> at
>> java.security.AccessController.doPrivileged(Native Method)
>> at
>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>> at
>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:632)
>> at
>> org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:672)
>> at
>> org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1862)
>> at
>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>> at
>> java.util.concurrent.FutureTask.run(FutureTask.java:262)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at java.lang.Thread.run(Thread.java:745)
>> [26/Aug/2015:21:37:52][localhost-startStop-1]:
>> CMSEngine.shutdown()
>>
>>
>> On Wed, Aug 26, 2015 at 8:09 PM, Dave Sirrine
>> <dsirrine at redhat.com <mailto:dsirrine at redhat.com>> wrote:
>>>
>>> Aleksey,
>>>
>>> Did removing the password from the file not cause the
>>> system to prompt you for the password at startup. Also,
>>> are you looking at doing both nss and 389 passwords?
>>>
>>> -- David
>>>
>>> On Aug 26, 2015 5:58 AM, "Aleksey Chudov"
>>> <aleksey.chudov at gmail.com
>>> <mailto:aleksey.chudov at gmail.com>> wrote:
>>>> Hi,
>>>>
>>>> The |password.conf| file stores system passwords in
>>>> plaintext, and I prefer to enter system passwords
>>>> manually and to remove the password file.
>>>>
>>>> I have found original documentation
>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/System_Passwords.html.
>>>> But it is for older version on PKI and does not work
>>>> with systemd.
>>>>
>>>> How to setup PKI CA to ask for NSS DB password at startup?
>>>>
>>>> Packages versions (I have rebuilt F22 packages for
>>>> CentOS 7):
>>>> # rpm -qa | grep pki
>>>> pki-base-10.2.5-1.el7.centos.noarch
>>>> pki-server-10.2.5-1.el7.centos.noarch
>>>> dogtag-pki-server-theme-10.2.5-1.el7.centos.noarch
>>>> pki-ca-10.2.5-1.el7.centos.noarch
>>>> pki-tools-10.2.5-1.el7.centos.x86_64
>>>> dogtag-pki-console-theme-10.2.5-1.el7.centos.noarch
>>>>
>>>> Aleksey
>>>>
>>>> _______________________________________________
>>>> Pki-users mailing list
>>>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>>>> https://www.redhat.com/mailman/listinfo/pki-users
>>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com <mailto:Pki-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/pki-users
>
>
>
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150902/150961d1/attachment.htm>
More information about the Pki-users
mailing list