From Dogtag
Revision as of 06:05, 14 February 2018 by Edewata (talk | contribs) (Simplified Process)


What is nuxwdog

Nuxwdog is a watchdog daemon that can be used to start, stop, monitor and reconfigure server programs. It is based on the uxwdog code that is used to start the Netscape Enterprise Server (NES).

Nuxwdog is used in Red Hat Certificate System 8 to start all of the Java-based and C/C++-based servers. These servers need passwords to access their security databases at startup, but there was a requirement that no unencrypted password files be stored on the system. Nuxwdog therefore prompts the user for the relevant passwords during server startup and caches them, so that it can restart the server without human intervention. This is particularly important for automatically restarting the server after a crash.

More details on how nuxwdog works and how to configure it can be found in the Nuxwdog/HOWTO.

If you would like to contribute to nuxwdog, a good place to start is our Nuxwdog/Contributions page.

If you want to file a bug or enhancement request, please log in with your Fedora Account System credentials. If you do not have a Fedora Account, you can register for one at ​

Enabling Nuxwdog

Simplified Process

$ pki-server nuxwdog enable
$ systemctl stop pki-tomcatd@pki-tomcat.service
$ systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service
[pki-tomcat] Please provide the password for internal: ********


If any of the system certificates reside on a cryptographic token other than the internal NSS database, you will see entries like hardware-TOKEN_NAME=password in /etc/pki/pki-tomcat/password.conf.

In that case, add the following parameter to CS.cfg:


Manual Process

Create a link to the nuxwdog library:

$ ln -s /usr/lib/java/nuxwdog.jar /var/lib/pki/pki-tomcat/common/lib

Modify environment variables at /etc/sysconfig/pki-tomcat:

JAVA_OPTS="... -Djava.library.path=/usr/lib64/nuxwdog-jni"

# Use Nuxwdog to start server

Create a nuxwdog configuration at /var/lib/pki/pki-tomcat/conf/nuxwdog.conf:

ExeFile /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
ExeArgs /usr/lib/jvm/jre-1.8.0-openjdk/bin/java \
 -DRESTEASY_LIB=/usr/share/java/resteasy-base \
 -Djava.library.path=/usr/lib64/nuxwdog-jni \
 -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar \
 -Dcatalina.base=/var/lib/pki/pki-tomcat \
 -Dcatalina.home=/usr/share/tomcat \
 -Djava.endorsed.dirs= \
 -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/ \
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
TmpDir /var/lib/pki/pki-tomcat/logs/pids 
ChildSecurity 1
ExeOut /var/lib/pki/pki-tomcat/logs/catalina.out
ExeErr /var/lib/pki/pki-tomcat/logs/catalina.out
ExeBackground 1
PidFile /var/lib/pki/pki-tomcat/logs/
ChildPidFile /var/lib/pki/pki-tomcat/logs/

Modify Tomcat configuration at /var/lib/pki/pki-tomcat/conf/server.xml:

<Server port="8005" shutdown="SHUTDOWN">

    <Listener className="com.netscape.cms.tomcat.PKIListener"/>

    <Service name="Catalina">

        <Connector name="Secure"



Replace systemd command:

$ rm -f /etc/systemd/system/
$ ln -s /lib/systemd/system/pki-tomcatd-nuxwdog@.service /etc/systemd/system/
$ systemctl daemon-reload

Edit PKI configuration at /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:


If any of the system certificates reside on cryptographic tokens other than the internal NSS token, the password.conf file will include directives like hardware-TOKEN_NAME=password.

In that case, add the following parameter to CS.cfg.
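
To tell whether the hardware-token case described here (and under Simplified Process) applies, the following script lists the token names that have entries in password.conf without printing any password. It is an added example, not part of the original page or of the Dogtag project; the function names, the token name HSM_A, the sample passwords and the treatment of '#' lines as comments are assumptions.

```shell
#!/bin/sh
# Added example: list which tokens have entries in a PKI password.conf
# without echoing any password value.
# Assumptions: one tag=password pair per line; lines starting with '#'
# are comments (comment handling is assumed, it is not shown on the page).

# Print each tag (text left of the first '='), never the value.
list_tags() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            i = index($0, "=")               # first "=" ends the tag, so
            if (i > 1) print substr($0, 1, i - 1)   # "=" in a password is safe
        }
    ' "$1"
}

# Print TOKEN_NAME for every hardware-TOKEN_NAME entry.
hardware_tokens() {
    list_tags "$1" | sed -n 's/^hardware-//p'
}

# Return 1 (and name the tokens) when hardware-token entries exist,
# meaning the extra CS.cfg step for hardware tokens applies; else 0.
check_password_conf() {
    tokens=$(hardware_tokens "$1")
    if [ -n "$tokens" ]; then
        echo "hardware token entries present:"
        echo "$tokens" | sed 's/^/  /'
        return 1
    fi
    echo "no hardware token entries"
    return 0
}

# Constructed sample (token name HSM_A and both passwords are made up).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not real credentials
internal=constructed-secret-1
hardware-HSM_A=constructed=secret=2
EOF
}

sample=$(mktemp)
make_sample "$sample"
check_password_conf "$sample" || true
rm -f "$sample"
```

On a real instance, call check_password_conf /etc/pki/pki-tomcat/password.conf as a user allowed to read that file; only tags and token names reach the terminal.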


Nuxwdog Tools

Starting nuxwdog-enabled instance

$ systemctl start pki-tomcatd-nuxwdog@pki-tomcat.service

Stopping nuxwdog-enabled instance

$ systemctl stop pki-tomcatd-nuxwdog@pki-tomcat.service