Difference between revisions of "Nuxwdog"

From Dogtag
m (Enabling Nuwxdog)
(Enabling Nuwxdog)
Line 1: Line 1:
 +
= What is nuxwdog =
 +
 +
Nuxwdog is a watchdog daemon that can be used to start, stop, monitor and reconfigure server programs.
 +
It is based on the uxwdog code that is used to start the Netscape Enterprise Server (NES).
 +
 +
Nuxwdog is used in Red Hat Certificate System 8 to start all of the Java-based and C/C++ based servers.
 +
These servers require passwords to access security databases in order to start, but there was a requirement that
 +
no unencrypted password files be stored on the system. In this case, nuxwdog is used to prompt the user for the
 +
relevant passwords during server startup. These passwords are then cached by the nuxwdog, so that nuxwdog can
 +
restart the server without human intervention. This is particularly important for automatically restarting the server
 +
in case of a server crash.
 +
 
= Enabling Nuwxdog =
 
= Enabling Nuwxdog =
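Review bot: the added "What is nuxwdog" text says the passwords "are then cached by the nuxwdog" but never says where that cache lives or how it is protected. Given the requirement stated two lines earlier that no unencrypted password files be stored on the system, that is the first question a reader will have, so add a sentence covering it. While editing this area, drop the article in "cached by the nuxwdog", and fix the unchanged heading below, which still reads "Enabling Nuwxdog" although the new heading spells the name "nuxwdog".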
  

Revision as of 17:30, 15 February 2017

What is nuxwdog

Nuxwdog is a watchdog daemon that can be used to start, stop, monitor and reconfigure server programs. It is based on the uxwdog code that is used to start the Netscape Enterprise Server (NES).

Nuxwdog is used in Red Hat Certificate System 8 to start all of the Java-based and C/C++ based servers. These servers require passwords to access security databases in order to start, but there was a requirement that no unencrypted password files be stored on the system. In this case, nuxwdog is used to prompt the user for the relevant passwords during server startup. These passwords are then cached by nuxwdog, so that it can restart the server without human intervention. This is particularly important for automatically restarting the server after a crash.

Enabling Nuxwdog

Create a link to the nuxwdog library:

$ ln -s /usr/lib/java/nuxwdog.jar /var/lib/pki/pki-tomcat/common/lib

Modify environment variables at /etc/sysconfig/pki-tomcat:

JAVA_OPTS="... -Djava.library.path=/usr/lib64/nuxwdog-jni"

# Use Nuxwdog to start server
USE_NUXWDOG="true"

Create a nuxwdog configuration at /var/lib/pki/pki-tomcat/conf/nuxwdog.conf:

ExeFile /usr/share/java-utils/java-wrapper
ExeArgs /usr/share/java-utils/java-wrapper \
 -DRESTEASY_LIB=/usr/share/java/resteasy \
 -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar \
 -Dcatalina.base=/var/lib/pki/pki-tomcat \
 -Dcatalina.home=/usr/share/tomcat \
 -Djava.endorsed.dirs= \
 -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp \
 -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties \
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
 -Djava.security.manager \
 -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy \
 org.apache.catalina.startup.Bootstrap start
TmpDir /var/lib/pki/pki-tomcat/logs/pids 
ChildSecurity 1
ExeOut /var/lib/pki/pki-tomcat/logs/catalina.out
ExeErr /var/lib/pki/pki-tomcat/logs/catalina.out
ExeBackground 1
PidFile /var/lib/pki/pki-tomcat/logs/wd-pki-tomcat.pid
ChildPidFile /var/lib/pki/pki-tomcat/logs/pki-tomcat.pid

Modify Tomcat configuration at /var/lib/pki/pki-tomcat/conf/server.xml:

<Server port="8005" shutdown="SHUTDOWN">

    <Listener className="com.netscape.cms.tomcat.PKIListener"/>

    <Service name="Catalina">

        <Connector name="Secure"
            ...
            passwordClass="com.netscape.cms.tomcat.NuxwdogPasswordStore"
            passwordFile="/var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
        />

   </Service>

</Server>

Replace the systemd unit link so that the nuxwdog unit starts the instance:

$ rm -f /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
$ ln -s /lib/systemd/system/pki-tomcatd-nuxwdog@.service /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants/pki-tomcatd-nuxwdog@pki-tomcat.service
$ systemctl daemon-reload

Edit PKI configuration at /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:

passwordClass=com.netscape.cmsutil.password.NuxwdogPasswordStore
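
The manual steps above can be verified with a small audit function. This is an added example, not part of the original page or of the pki tooling. The function name `nuxwdog_audit` and its ROOT prefix argument are hypothetical, and the `password.conf` check assumes the instance's plaintext password file is `conf/password.conf`, which this page does not state.

```shell
#!/bin/sh
# Added example: audit one PKI instance for the nuxwdog settings listed above.
# ROOT is a hypothetical path prefix ("" = live system) so the same checks can
# run against a copied or constructed tree. Returns the number of failed checks.
nuxwdog_audit() {
    root=$1; inst=${2:-pki-tomcat}
    base="$root/var/lib/pki/$inst"; sysd="$root/etc/systemd/system"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Link to the nuxwdog library in Tomcat's common/lib
    [ -L "$base/common/lib/nuxwdog.jar" ] || fail "nuxwdog.jar link missing"

    # Environment: watchdog switched on, JNI path set (uncommented lines only)
    sysconf="$root/etc/sysconfig/$inst"
    grep -Eq '^USE_NUXWDOG="?true"?[[:space:]]*$' "$sysconf" 2>/dev/null ||
        fail "USE_NUXWDOG is not true in $sysconf"
    grep -q '^JAVA_OPTS=.*-Djava\.library\.path=/usr/lib64/nuxwdog-jni' \
        "$sysconf" 2>/dev/null || fail "JAVA_OPTS lacks the nuxwdog-jni path"

    # nuxwdog.conf: directives the watchdog needs to launch and track the child
    for key in ExeFile ExeArgs TmpDir ChildSecurity PidFile ChildPidFile; do
        grep -q "^$key[[:space:]]" "$base/conf/nuxwdog.conf" 2>/dev/null ||
            fail "nuxwdog.conf lacks $key"
    done

    # Both password stores must be the nuxwdog-backed classes
    grep -Fq 'passwordClass="com.netscape.cms.tomcat.NuxwdogPasswordStore"' \
        "$base/conf/server.xml" 2>/dev/null || fail "server.xml passwordClass not set"
    grep -Fxq 'passwordClass=com.netscape.cmsutil.password.NuxwdogPasswordStore' \
        "$base/conf/ca/CS.cfg" 2>/dev/null || fail "CS.cfg passwordClass not set"

    # systemd: plain unit link removed, nuxwdog unit link present
    old="$sysd/pki-tomcatd.target.wants/pki-tomcatd@$inst.service"
    if [ -e "$old" ] || [ -L "$old" ]; then fail "old unit link still present"; fi
    [ -L "$sysd/pki-tomcatd-nuxwdog.target.wants/pki-tomcatd-nuxwdog@$inst.service" ] ||
        fail "nuxwdog unit link missing"

    # Assumption (not stated on this page): the instance's plaintext password
    # file is conf/password.conf; a non-empty one defeats the point of nuxwdog.
    [ ! -s "$base/conf/password.conf" ] || fail "plaintext password.conf present"

    return "$fails"
}
# Live system: nuxwdog_audit "" pki-tomcat; echo "failed checks: $?"
```

The `server.xml` check is a plain text match, so a `passwordClass` attribute inside an XML comment would still pass; inspect the Connector by hand if the file has been heavily edited.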

Nuxwdog Tools

Enabling nuxwdog

$ pki-server instance-nuxwdog-enable pki-tomcat

Disabling nuxwdog

$ pki-server instance-nuxwdog-disable pki-tomcat

Starting nuxwdog-enabled instance

$ systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service

Stopping nuxwdog-enabled instance

$ systemctl stop pki-tomcatd-nuxwdog@pki-tomcat.service
