Create a link to nuxwdog library:

$ ln -s /usr/lib/java/nuxwdog.jar /var/lib/pki/pki-tomcat/common/lib

Modify environment variables at /etc/sysconfig/pki-tomcat:

JAVA_OPTS="... -Djava.library.path=/usr/lib64/nuxwdog-jni"
# Use Nuxwdog to start server
USE_NUXWDOG="true"

Create a nuxwdog configuration at /var/lib/pki/pki-tomcat/conf/nuxwdog.conf:

ExeFile /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
ExeArgs /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
TmpDir /var/lib/pki/pki-tomcat/logs/pids
ChildSecurity 1
ExeOut /var/lib/pki/pki-tomcat/logs/catalina.out
ExeErr /var/lib/pki/pki-tomcat/logs/catalina.out
ExeBackground 1
PidFile /var/lib/pki/pki-tomcat/logs/wd-pki-tomcat.pid
ChildPidFile /var/lib/pki/pki-tomcat/logs/pki-tomcat.pid

Modify Tomcat configuration at /var/lib/pki/pki-tomcat/conf/server.xml:

    <Connector name="Secure"
        …
        passwordClass="com.netscape.cms.tomcat.NuxwdogPasswordStore"
        passwordFile="/var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    />

Replace systemd command:

$ rm -f /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
$ ln -s /lib/systemd/system/pki-tomcatd-nuxwdog@.service /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants/pki-tomcatd-nuxwdog@pki-tomcat.service
$ systemctl daemon-reload

Edit PKI configuration at /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:

passwordClass=com.netscape.cmsutil.password.NuxwdogPasswordStore

If any of the system certificates reside on cryptographic tokens other than the internal NSS token, the instance's password.conf file will include one hardware-TOKEN_NAME=password directive per token.

In that case, add the following parameter to CS.cfg so that the Nuxwdog password store also requests that token's password at startup:

cms.tokenList=TOKEN_NAME
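The following POSIX shell script is an added example, not code from the Dogtag PKI or nuxwdog projects. It derives the cms.tokenList value from the hardware-TOKEN_NAME=password lines in password.conf and checks that the three files edited above (server.xml, CS.cfg and nuxwdog.conf) carry the settings this procedure requires, against a constructed throwaway instance directory. It assumes password.conf lives at <instance>/conf/password.conf, CS.cfg at <instance>/conf/ca/CS.cfg, and that cms.tokenList accepts a comma-separated list when more than one hardware token is present (the text above shows a single token; the list form is an assumption).

```shell
#!/bin/sh
# Added example, not code from the Dogtag PKI or nuxwdog projects.
# Assumptions: password.conf at <instance>/conf/password.conf, CS.cfg at
# <instance>/conf/ca/CS.cfg, and cms.tokenList accepting a comma-separated
# list of token names (assumed; the procedure shows a single TOKEN_NAME).

# token_list PASSWORD_CONF
#   Prints the token names from "hardware-<TOKEN>=<password>" lines,
#   comma-separated in file order; prints an empty line when there are none.
token_list() {
    awk -F= '/^hardware-/ { sub(/^hardware-/, "", $1); printf "%s%s", (n++ ? "," : ""), $1 }
             END { printf "\n" }' "$1"
}

# has_setting FILE KEY VALUE
#   Succeeds when FILE contains a line that is exactly KEY=VALUE (fixed string).
has_setting() {
    grep -qxF "$2=$3" "$1"
}

# add_token_list INSTANCE_DIR
#   Appends cms.tokenList=<tokens> to CS.cfg when password.conf names hardware
#   tokens and CS.cfg has no cms.tokenList line yet; otherwise does nothing.
add_token_list() {
    list=$(token_list "$1/conf/password.conf")
    [ -n "$list" ] || return 0
    if ! grep -q '^cms.tokenList=' "$1/conf/ca/CS.cfg"; then
        echo "cms.tokenList=$list" >> "$1/conf/ca/CS.cfg"
    fi
}

# check_nuxwdog_setup INSTANCE_DIR
#   Prints one line per problem found in server.xml, CS.cfg and nuxwdog.conf;
#   returns 0 only when nothing is missing.
check_nuxwdog_setup() {
    dir=$1
    rc=0
    grep -q 'passwordClass="com.netscape.cms.tomcat.NuxwdogPasswordStore"' "$dir/conf/server.xml" \
        || { echo "server.xml: Secure connector does not use NuxwdogPasswordStore"; rc=1; }
    has_setting "$dir/conf/ca/CS.cfg" passwordClass com.netscape.cmsutil.password.NuxwdogPasswordStore \
        || { echo "CS.cfg: passwordClass is not com.netscape.cmsutil.password.NuxwdogPasswordStore"; rc=1; }
    want=$(token_list "$dir/conf/password.conf")
    if [ -n "$want" ]; then
        has_setting "$dir/conf/ca/CS.cfg" cms.tokenList "$want" \
            || { echo "CS.cfg: expected cms.tokenList=$want"; rc=1; }
    fi
    for key in ExeFile ExeArgs PidFile ChildPidFile; do
        grep -q "^$key " "$dir/conf/nuxwdog.conf" \
            || { echo "nuxwdog.conf: missing $key"; rc=1; }
    done
    return $rc
}

# --- constructed sample instance (throwaway directory, not a real pki-tomcat) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/conf/ca"
cat > "$SAMPLE_DIR/conf/password.conf" <<'EOF'
internal=Secret.123
internaldb=Secret.123
hardware-hsm1=Secret.123
hardware-hsm2=Secret.123
EOF
cat > "$SAMPLE_DIR/conf/server.xml" <<'EOF'
<Connector name="Secure"
    passwordClass="com.netscape.cms.tomcat.NuxwdogPasswordStore"
    passwordFile="/var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
/>
EOF
echo 'passwordClass=com.netscape.cmsutil.password.NuxwdogPasswordStore' > "$SAMPLE_DIR/conf/ca/CS.cfg"
cat > "$SAMPLE_DIR/conf/nuxwdog.conf" <<'EOF'
ExeFile /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
ExeArgs /usr/lib/jvm/jre-1.8.0-openjdk/bin/java org.apache.catalina.startup.Bootstrap start
TmpDir /tmp/pids
ChildSecurity 1
ExeBackground 1
PidFile /tmp/wd-pki-tomcat.pid
ChildPidFile /tmp/pki-tomcat.pid
EOF

# The sample CS.cfg deliberately lacks cms.tokenList, so the check reports it.
echo "hardware tokens in password.conf: $(token_list "$SAMPLE_DIR/conf/password.conf")"
if check_nuxwdog_setup "$SAMPLE_DIR"; then
    echo "sample instance: OK"
else
    echo "sample instance: problems found (the missing cms.tokenList is expected here)"
fi
```

Run it with `sh` against the sample; to check a real instance, call `check_nuxwdog_setup /var/lib/pki/pki-tomcat` and, if the only complaint is the missing token list, `add_token_list /var/lib/pki/pki-tomcat`. The check is string-based on purpose: it confirms the files say what the procedure requires without starting the watchdog or touching any token.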

References