Hello,
We hear quite often that the key/cert db's RHDS is using are in the old
format, and it has been suggested that we switch to the sql db. It turned out
it is quite easy, although there is one minor issue I described in the
comment in the patch [*]. But as long as we use "sql:path" to access
the db's, there is no problem.
Also, we need to find out the upgrade scenario, which should not be hard
since, e.g., lots of mozilla products have gone through the path.
My biggest question is whether we should do this or not... :) Please share your
thoughts.
Thanks!
--noriko
https://fedorahosted.org/389/ticket/48760
https://fedorahosted.org/389/attachment/ticket/48760/0001-Ticket-48760-NSS-switching-to-the-sql-db.patch
git patch file (master)
Description: 389-ds-base and 389-admin are using the old format of key/cert
db. NSS recommends switching to the sql format, which has the shared DB feature.
The current version of NSS (3.22.0 and older) takes ordinary paths to access
the cert db, while it requires the prefix "sql:" for the sql db.
By setting the environment variable 'NSS_DEFAULT_DB_TYPE="sql"', the default
path setting is supposed to be switched.
This patch tries these 2 cases.
1) #define ENABLE_SQL_PREFIX 1
This enables generating "sql:/path/to/certdir".
2) /* #define ENABLE_SQL_PREFIX 1 */
This depends upon the NSS_DEFAULT_DB_TYPE="sql" and uses the ordinary
path to access the cert db.
Both work fine with the test script. The case (1) generates just the new
key/cert db's.
$ ls slapd-master_1/*.db
slapd-master_1/cert9.db slapd-master_1/key4.db
[*] But in the case (2), the server creates 2 sets of key/cert db's:
$ ls slapd-master_1/*.db
slapd-master_1/key3.db slapd-master_1/cert8.db slapd-master_1/secmod.db
slapd-master_1/key4.db slapd-master_1/cert9.db
$ certutil -L -d sql:slapd-master_1
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CAcertificate                                                CTu,u,u
Server-Cert1                                                 u,u,u
Server-Cert2                                                 u,u,u
$ certutil -L -d slapd-master_1
returns nothing.
To reduce the confusion, we should choose the case (1).
https://fedorahosted.org/389/attachment/ticket/48760/0002-Ticket-48760-CI-test-test-cases-for-47536-and-48760.patch
git patch file (master) -- CI test
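
As an added example (not part of the patch or of 389-ds-base), this shell check flags the state described in case (2), where a directory ends up holding both DB formats and a bare path opens a different database than a "sql:" path. The helper names nss_db_format and nss_db_spec are hypothetical; "dbm:" is the NSS prefix that selects the old format explicitly, and pkcs11.txt is the sql-format counterpart of secmod.db.

```shell
#!/bin/sh
# Added example (not from the patch). File names come from the listings above;
# pkcs11.txt is the sql-format counterpart of secmod.db.

# Print the on-disk format of NSS directory $1: dbm, sql, mixed or none.
nss_db_format() {
    legacy=0; sql=0
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$1/$f" ]; then legacy=1; fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$1/$f" ]; then sql=1; fi
    done
    case "$legacy$sql" in
        11) echo mixed ;;
        10) echo dbm ;;
        01) echo sql ;;
        *)  echo none ;;
    esac
}

# Print an explicitly prefixed -d argument so the result does not depend on
# NSS_DEFAULT_DB_TYPE. Returns 1 when the directory is mixed or empty, since
# a bare path may then open a different database than the one holding the certs.
nss_db_spec() {
    case "$(nss_db_format "$1")" in
        sql) echo "sql:$1" ;;
        dbm) echo "dbm:$1" ;;
        mixed) echo "warning: $1 holds both DB formats" >&2; return 1 ;;
        *) echo "warning: no NSS DB in $1" >&2; return 1 ;;
    esac
}

# Constructed sample: empty files that mimic the two listings above.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/case1" "$tmp/case2"
    touch "$tmp/case1/cert9.db" "$tmp/case1/key4.db"
    touch "$tmp/case2/cert8.db" "$tmp/case2/key3.db" "$tmp/case2/secmod.db" \
          "$tmp/case2/cert9.db" "$tmp/case2/key4.db"
    for d in case1 case2; do
        echo "$d: $(nss_db_format "$tmp/$d")"
    done
    rm -rf "$tmp"
}
demo
```

The output of nss_db_spec can be passed straight to certutil -L -d once it succeeds; a non-zero return means the directory needs a manual look before any tool is pointed at it.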