Difference between revisions of "Nuxwdog"

From Dogtag
(Simplified Process)
m
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
= What is nuxwdog =
+
= Overview =
  
 
Nuxwdog is a watchdog daemon that can be used to start, stop, monitor and reconfigure server programs.
 
Nuxwdog is a watchdog daemon that can be used to start, stop, monitor and reconfigure server programs.
Line 18: Line 18:
 
If you do not have a Fedora Account, you can register for one at ​https://admin.fedoraproject.org/accounts/
 
If you do not have a Fedora Account, you can register for one at ​https://admin.fedoraproject.org/accounts/
  
= Enabling Nuwxdog =
+
= Installation =
  
== Simplified Process ==
+
$ dnf install nuxwdog
  
<pre>
+
= Configuration =
$ pki-server nuxwdog enable
 
$ systemctl stop pki-tomcatd@pki-tomcat.service
 
$ systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service
 
[pki-tomcat] Please provide the password for internal: ********
 
</pre>
 
  
Note:
+
== Enabling Nuwxdog ==
  
If any of the system certificates reside on a cryptographic token other than the
+
First, shutdown the server with the following command:
internal NSS database, you will see entries like hardware-TOKEN_NAME=password in /etc/pki-=tomcat/password.conf.
 
  
In that case, add the following parameter to CS.cfg:
+
$ systemctl stop pki-tomcatd@<font color="red">pki-tomcat</font>.service
  cms.tokenList=TOKEN_NAME
 
  
== Manual Process ==
+
Enable nuxwdog with the following command:
  
Create a link to nuxwdog library:
+
$ pki-server nuxwdog-enable
  
$ ln -s /usr/lib/java/nuxwdog.jar /var/lib/pki/<font color="red">pki-tomcat</font>/common/lib
+
If any of the system certificates reside on a cryptographic token other than the
 +
internal NSS database, you will see entries like this in /etc/pki/<font color="red">pki-tomcat</font>/password.conf:
  
Modify environment variables at /etc/sysconfig/<font color="red">pki-tomcat</font>:
+
hardware-<token>=<password>
  
JAVA_OPTS="... -Djava.library.path=/usr/lib64/nuxwdog-jni"
+
In that case, add the following parameter to /etc/pki/<font color="red">pki-tomcat</font>/<font color="red">subsystem</font>/CS.cfg:
 
# Use Nuxwdog to start server
 
USE_NUXWDOG="true"
 
  
Create a nuxwdog configuration at /var/lib/pki/<font color="red">pki-tomcat</font>/conf/nuxwdog.conf:
+
cms.tokenList=<token>
  
ExeFile /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
+
Remove the password file or move it somewhere else:
ExeArgs /usr/lib/jvm/jre-1.8.0-openjdk/bin/java \
 
  -DRESTEASY_LIB=/usr/share/java/resteasy-base \       
 
  -Djava.library.path=/usr/lib64/nuxwdog-jni  \
 
  -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar \
 
  -Dcatalina.base=/var/lib/pki/<font color="red">pki-tomcat</font> \
 
  -Dcatalina.home=/usr/share/tomcat \
 
  -Djava.endorsed.dirs= \
 
  -Djava.io.tmpdir=/var/lib/pki/<font color="red">pki-tomcat</font>/temp \
 
  -Djava.util.logging.config.file=/var/lib/pki/<font color="red">pki-tomcat</font>/conf/logging.properties \
 
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
 
TmpDir /var/lib/pki/<font color="red">pki-tomcat</font>/logs/pids
 
ChildSecurity 1
 
ExeOut /var/lib/pki/<font color="red">pki-tomcat</font>/logs/catalina.out
 
ExeErr /var/lib/pki/<font color="red">pki-tomcat</font>/logs/catalina.out
 
ExeBackground 1
 
PidFile /var/lib/pki/<font color="red">pki-tomcat</font>/logs/wd-<font color="red">pki-tomcat</font>.pid
 
ChildPidFile /var/lib/pki/<font color="red">pki-tomcat</font>/logs/<font color="red">pki-tomcat</font>.pid
 
  
Modify Tomcat configuration at /var/lib/pki/<font color="red">pki-tomcat</font>/conf/server.xml:
+
$ rm -f /etc/pki/<font color="red">pki-tomcat</font>/password.conf
  
<Server port="8005" shutdown="SHUTDOWN">
+
Restart the server with the following command:
 
    <Listener className="com.netscape.cms.tomcat.PKIListener"/>
 
 
    <Service name="Catalina">
 
 
        <Connector name="Secure"
 
            ...
 
            passwordClass="com.netscape.cms.tomcat.NuxwdogPasswordStore"
 
            passwordFile="/var/lib/pki/<font color="red">pki-tomcat</font>/ca/conf/CS.cfg"
 
        />
 
 
    </Service>
 
 
</Server>
 
  
Replace systemd command:
+
$ systemctl start pki-tomcatd-nuxwdog@<font color="red">pki-tomcat</font>.service
 +
[pki-tomcat] Please provide the password for internal: **********
 +
[pki-tomcat] Please provide the password for internaldb: **********
 +
[pki-tomcat] Please provide the password for replicationdb: ***********
  
$ rm -f /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@<font color="red">pki-tomcat</font>.service
+
== Disabling Nuxwdog ==
$ ln -s /lib/systemd/system/pki-tomcatd-nuxwdog@.service /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants/pki-tomcatd-nuxwdog@<font color="red">pki-tomcat</font>.service
 
$ systemctl daemon-reload
 
  
Edit PKI configuration at /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:
+
$ systemctl stop pki-tomcatd-nuxwdog@<font color="red">pki-tomcat</font>.service
 
+
$ pki-server nuxwdog-disable
  passwordClass=com.netscape.cmsutil.password.NuxwdogPasswordStore
+
  $ systemctl start pki-tomcatd@<font color="red">pki-tomcat</font>.service
 
 
If any of the system certificates reside on cryptographic tokens other than the internal NSS token, the password.conf file
 
will include directives like hardware-TOKEN_NAME=password.
 
  
In that case, add the following parameter to CS.cfg.
+
== Manual Configuration ==
  
  cms.tokenList=TOKEN_NAME
+
See [[Nuxwdog Manual Configuration]].
  
= Nuxwdog Tools =
+
= Usage =
  
== Starting nuxwdog-enabled instance ==
+
To starting nuxwdog-enabled instance:
  
 
  $ systemctl start pki-tomcatd-nuxwdog@<font color="red">pki-tomcat</font>.service
 
  $ systemctl start pki-tomcatd-nuxwdog@<font color="red">pki-tomcat</font>.service
  
== Stopping nuxwdog-enabled instance ==
+
To stopping nuxwdog-enabled instance:
  
 
  $ systemctl stop pki-tomcatd-nuxwdog@<font color="red">pki-tomcat</font>.service
 
  $ systemctl stop pki-tomcatd-nuxwdog@<font color="red">pki-tomcat</font>.service
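Review bot: the renamed heading "== Enabling Nuwxdog ==" keeps the "Nuwxdog" typo from the old "= Enabling Nuwxdog =", and the new Usage lead-ins read "To starting nuxwdog-enabled instance:" and "To stopping nuxwdog-enabled instance:"; suggest "Enabling Nuxwdog", "To start a nuxwdog-enabled instance:" and "To stop a nuxwdog-enabled instance:". The removed Simplified Process shows "$ pki-server nuxwdog enable" while the new text shows "$ pki-server nuxwdog-enable"; only one of these can match the CLI, so please confirm the spelling against the linked PKI Server Nuxwdog CLI page. The new step "Remove the password file or move it somewhere else" would also benefit from a sentence noting that a moved copy still holds the plaintext passwords that, per the Overview, nuxwdog exists to keep off disk, so removing it is the intended outcome.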
Line 122: Line 80:
 
* [[Systemd]]
 
* [[Systemd]]
 
* [[Tomcat Configuration]]
 
* [[Tomcat Configuration]]
* [[PKI Server Nuxwdog CLI]]
+
* [https://github.com/dogtagpki/pki/blob/master/docs/admin/Nuxwdog.md PKI Nuxwdog]
* [[PKI Server Instance Nuxwdog CLI]]
+
* [https://github.com/dogtagpki/pki/wiki/PKI-Server-Nuxwdog-CLI PKI Server Nuxwdog CLI]
 +
* [https://github.com/dogtagpki/pki/wiki/PKI-Server-Instance-Nuxwdog-CLI PKI Server Instance Nuxwdog CLI]
 +
* [[Keyring]]
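Review bot: the three new references are absolute GitHub URLs (one to docs/admin/Nuxwdog.md on the master branch, two to wiki pages) replacing the wiki-internal [[PKI Server Nuxwdog CLI]] and [[PKI Server Instance Nuxwdog CLI]] links; a rename on master will break the first one silently, so consider pinning it to a release tag or keeping the internal links alongside the external ones.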

Latest revision as of 23:25, 19 August 2020

Overview

Nuxwdog is a watchdog daemon that can be used to start, stop, monitor and reconfigure server programs. It is based on the uxwdog code that is used to start the Netscape Enterprise Server (NES).

Nuxwdog is used in Red Hat Certificate System 8 to start all of the Java-based and C/C++ based servers. These servers require passwords to access security databases in order to start, but there was a requirement that no unencrypted password files be stored on the system. In this case, nuxwdog is used to prompt the user for the relevant passwords during server startup. These passwords are then cached by the nuxwdog, so that nuxwdog can restart the server without human intervention. This is particularly important for automatically restarting the server in case of a server crash.

More details on how nuxwdog works and how to configure it can be found on the Nuxwdog/HOWTO page.

If you would like to contribute to the nuxwdog, a good place to start would be our Nuxwdog/Contributions page.

If you want to file a bug or enhancement request, please log in with your Fedora Account System credentials. If you do not have a Fedora Account, you can register for one at https://admin.fedoraproject.org/accounts/

Installation

$ dnf install nuxwdog

Configuration

Enabling Nuxwdog

First, shut down the server with the following command:

$ systemctl stop pki-tomcatd@pki-tomcat.service

Enable nuxwdog with the following command:

$ pki-server nuxwdog-enable

If any of the system certificates reside on a cryptographic token other than the internal NSS database, you will see entries like this in /etc/pki/pki-tomcat/password.conf:

hardware-<token>=<password>

In that case, add the following parameter to /etc/pki/pki-tomcat/subsystem/CS.cfg:

cms.tokenList=<token>

Remove the password file or move it somewhere else:

$ rm -f /etc/pki/pki-tomcat/password.conf

Restart the server with the following command:

$ systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service
[pki-tomcat] Please provide the password for internal: **********
[pki-tomcat] Please provide the password for internaldb: **********
[pki-tomcat] Please provide the password for replicationdb: ***********
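As an added example (not code from the Dogtag wiki or the pki project), the script below reads the hardware-<token> entries that nuxwdog-enable leaves in password.conf, derives the cms.tokenList value for CS.cfg, and checks that the plaintext password file is gone before the nuxwdog service is started. The helper function names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Dogtag wiki page or the pki project.
# Assumes the password.conf layout shown above (key=password per line,
# HSM-backed tokens as hardware-<token>=<password>); the function names
# are hypothetical helpers, not pki-server commands.

# Print the token names from every hardware-<token>=<password> line in the
# password file $1, comma-separated, as the value for cms.tokenList.
nuxwdog_token_list() {
    sed -n 's/^hardware-\([^=]*\)=.*/\1/p' "$1" | paste -s -d , -
}

# Succeed only when no plaintext password.conf remains in the instance
# configuration directory $1, i.e. the state the page requires before
# starting pki-tomcatd-nuxwdog@<instance>.service.
nuxwdog_password_file_removed() {
    [ ! -e "$1/password.conf" ]
}

# Constructed sample of /etc/pki/pki-tomcat/password.conf after
# nuxwdog-enable on an instance whose signing key lives on an HSM.
sample_dir=$(mktemp -d)
cat > "$sample_dir/password.conf" <<'EOF'
internal=Secret.123
internaldb=Secret.123
replicationdb=Secret.123
hardware-NHSM6000=Secret.456
EOF

tokens=$(nuxwdog_token_list "$sample_dir/password.conf")
if [ -n "$tokens" ]; then
    echo "add to CS.cfg: cms.tokenList=$tokens"
fi

if nuxwdog_password_file_removed "$sample_dir"; then
    echo "password.conf absent: safe to start the nuxwdog service"
else
    echo "password.conf still present: remove it before starting nuxwdog"
fi

rm -rf "$sample_dir"
```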

Disabling Nuxwdog

$ systemctl stop pki-tomcatd-nuxwdog@pki-tomcat.service
$ pki-server nuxwdog-disable
$ systemctl start pki-tomcatd@pki-tomcat.service

Manual Configuration

See Nuxwdog Manual Configuration.

Usage

To start a nuxwdog-enabled instance:

$ systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service

To stop a nuxwdog-enabled instance:

$ systemctl stop pki-tomcatd-nuxwdog@pki-tomcat.service

References