security/nss/doc/nroff/modutil.1@b8a032363ba2
security/nss/doc/nroff/modutil.1
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 '\" t
2 .\" Title: MODUTIL
3 .\" Author: [see the "Authors" section]
4 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
5 .\" Date: 5 June 2014
6 .\" Manual: NSS Security Tools
7 .\" Source: nss-tools
8 .\" Language: English
9 .\"
10 .TH "MODUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools"
11 .\" -----------------------------------------------------------------
12 .\" * Define some portability stuff
13 .\" -----------------------------------------------------------------
14 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
15 .\" http://bugs.debian.org/507673
16 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
17 .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
18 .ie \n(.g .ds Aq \(aq
19 .el .ds Aq '
20 .\" -----------------------------------------------------------------
21 .\" * set default formatting
22 .\" -----------------------------------------------------------------
23 .\" disable hyphenation
24 .nh
25 .\" disable justification (adjust text to left margin only)
26 .ad l
27 .\" -----------------------------------------------------------------
28 .\" * MAIN CONTENT STARTS HERE *
29 .\" -----------------------------------------------------------------
30 .SH "NAME"
31 modutil \- Manage PKCS #11 module information within the security module database\&.
32 .SH "SYNOPSIS"
33 .HP \w'\fBmodutil\fR\ 'u
34 \fBmodutil\fR [\fIoptions\fR] [[\fIarguments\fR]]
35 .SH "STATUS"
36 .PP
37 This documentation is still work in progress\&. Please contribute to the initial review in
38 \m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2
39 .SH "DESCRIPTION"
40 .PP
41 The Security Module Database Tool,
42 \fBmodutil\fR, is a command\-line utility for managing PKCS #11 module information both within
43 secmod\&.db
44 files and within hardware tokens\&.
45 \fBmodutil\fR
46 can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140\-2 compliance, and assign default providers for cryptographic operations\&. This tool can also create certificate, key, and module security database files\&.
47 .PP
48 The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases\&.
49 .SH "OPTIONS"
50 .PP
51 Running
52 \fBmodutil\fR
53 always requires one (and only one) option to specify the type of module operation\&. Each option may take arguments, anywhere from none to multiple arguments\&.
54 .PP
55 \fBOptions\fR
56 .PP
57 \-add modulename
58 .RS 4
59 Add the named PKCS #11 module to the database\&. Use this option with the
60 \fB\-libfile\fR,
61 \fB\-ciphers\fR, and
62 \fB\-mechanisms\fR
63 arguments\&.
64 .RE
65 .PP
66 \-changepw tokenname
67 .RS 4
68 Change the password on the named token\&. If the token has not been initialized, this option initializes the password\&. Use this option with the
69 \fB\-pwfile\fR
70 and
71 \fB\-newpwfile\fR
72 arguments\&. A
73 \fIpassword\fR
74 is equivalent to a personal identification number (PIN)\&.
75 .RE
76 .PP
77 \-chkfips
78 .RS 4
79 Verify whether the module is in the given FIPS mode\&.
80 \fBtrue\fR
81 means to verify that the module is in FIPS mode, while
82 \fBfalse\fR
83 means to verify that the module is not in FIPS mode\&.
84 .RE
85 .PP
86 \-create
87 .RS 4
88 Create new certificate, key, and module databases\&. Use the
89 \fB\-dbdir\fR
90 directory argument to specify a directory\&. If any of these databases already exist in a specified directory,
91 \fBmodutil\fR
92 returns an error message\&.
93 .RE
94 .PP
95 \-default modulename
96 .RS 4
97 Specify the security mechanisms for which the named module will be a default provider\&. The security mechanisms are specified with the
98 \fB\-mechanisms\fR
99 argument\&.
100 .RE
101 .PP
102 \-delete modulename
103 .RS 4
104 Delete the named module\&. The default NSS PKCS #11 module cannot be deleted\&.
105 .RE
106 .PP
107 \-disable modulename
108 .RS 4
109 Disable all slots on the named module\&. Use the
110 \fB\-slot\fR
111 argument to disable a specific slot\&.
112 .sp
113 The internal NSS PKCS #11 module cannot be disabled\&.
114 .RE
115 .PP
116 \-enable modulename
117 .RS 4
118 Enable all slots on the named module\&. Use the
119 \fB\-slot\fR
120 argument to enable a specific slot\&.
121 .RE
122 .PP
123 \-fips [true | false]
124 .RS 4
125 Enable (true) or disable (false) FIPS 140\-2 compliance for the default NSS module\&.
126 .RE
127 .PP
128 \-force
129 .RS 4
130 Disable
131 \fBmodutil\fR\*(Aqs interactive prompts so it can be run from a script\&. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity\&.
132 .RE
133 .PP
134 \-jar JAR\-file
135 .RS 4
136 Add a new PKCS #11 module to the database using the named JAR file\&. Use this command with the
137 \fB\-installdir\fR
138 and
139 \fB\-tempdir\fR
140 arguments\&. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module\*(Aqs name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation\&. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with
141 \fBmodutil\fR\&.
142 .RE
143 .PP
144 \-list [modulename]
145 .RS 4
146 Display basic information about the contents of the
147 secmod\&.db
148 file\&. Specifying a
149 \fImodulename\fR
150 displays detailed information about a particular module and its slots and tokens\&.
151 .RE
152 .PP
153 \-rawadd
154 .RS 4
155 Add the module spec string to the
156 secmod\&.db
157 database\&.
158 .RE
159 .PP
160 \-rawlist
161 .RS 4
162 Display the module specs for a specified module or for all loadable modules\&.
163 .RE
164 .PP
165 \-undefault modulename
166 .RS 4
167 Specify the security mechanisms for which the named module will not be a default provider\&. The security mechanisms are specified with the
168 \fB\-mechanisms\fR
169 argument\&.
170 .RE
171 .PP
172 \fBArguments\fR
173 .PP
174 MODULE
175 .RS 4
176 Give the security module to access\&.
177 .RE
178 .PP
179 MODULESPEC
180 .RS 4
181 Give the security module spec to load into the security database\&.
182 .RE
183 .PP
184 \-ciphers cipher\-enable\-list
185 .RS 4
186 Enable specific ciphers in a module that is being added to the database\&. The
187 \fIcipher\-enable\-list\fR
188 is a colon\-delimited list of cipher names\&. Enclose this list in quotation marks if it contains spaces\&.
189 .RE
190 .PP
191 \-dbdir [sql:]directory
192 .RS 4
193 Specify the database directory in which to access or create security module database files\&.
194 .sp
195 \fBmodutil\fR
196 supports two types of databases: the legacy security databases (cert8\&.db,
197 key3\&.db, and
198 secmod\&.db) and new SQLite databases (cert9\&.db,
199 key4\&.db, and
200 pkcs11\&.txt)\&. If the prefix
201 \fBsql:\fR
202 is not used, then the tool assumes that the given databases are in the old format\&.
203 .RE
204 .PP
205 \-\-dbprefix prefix
206 .RS 4
207 Specify the prefix used on the database files, such as
208 my_
209 for
210 my_cert8\&.db\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&.
211 .RE
212 .PP
213 \-installdir root\-installation\-directory
214 .RS 4
215 Specify the root installation directory relative to which files will be installed by the
216 \fB\-jar\fR
217 option\&. This directory should be one below which it is appropriate to store dynamic library files, such as a server\*(Aqs root directory\&.
218 .RE
219 .PP
220 \-libfile library\-file
221 .RS 4
222 Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database\&.
223 .RE
224 .PP
225 \-mechanisms mechanism\-list
226 .RS 4
227 Specify the security mechanisms for which a particular module will be flagged as a default provider\&. The
228 \fImechanism\-list\fR
229 is a colon\-delimited list of mechanism names\&. Enclose this list in quotation marks if it contains spaces\&.
230 .sp
231 The module becomes a default provider for the listed mechanisms when those mechanisms are enabled\&. If more than one module claims to be a particular mechanism\*(Aqs default provider, that mechanism\*(Aqs default provider is undefined\&.
232 .sp
233 \fBmodutil\fR
234 supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable)\&.
235 .RE
236 .PP
237 \-newpwfile new\-password\-file
238 .RS 4
239 Specify a text file containing a token\*(Aqs new or replacement password so that a password can be entered automatically with the
240 \fB\-changepw\fR
241 option\&.
242 .RE
243 .PP
244 \-nocertdb
245 .RS 4
246 Do not open the certificate or key databases\&. This has several effects:
247 .sp
248 .RS 4
249 .ie n \{\
250 \h'-04'\(bu\h'+03'\c
251 .\}
252 .el \{\
253 .sp -1
254 .IP \(bu 2.3
255 .\}
256 With the
257 \fB\-create\fR
258 command, only a module security file is created; certificate and key databases are not created\&.
259 .RE
260 .sp
261 .RS 4
262 .ie n \{\
263 \h'-04'\(bu\h'+03'\c
264 .\}
265 .el \{\
266 .sp -1
267 .IP \(bu 2.3
268 .\}
269 With the
270 \fB\-jar\fR
271 command, signatures on the JAR file are not checked\&.
272 .RE
273 .sp
274 .RS 4
275 .ie n \{\
276 \h'-04'\(bu\h'+03'\c
277 .\}
278 .el \{\
279 .sp -1
280 .IP \(bu 2.3
281 .\}
282 With the
283 \fB\-changepw\fR
284 command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database\&.
285 .RE
286 .RE
287 .PP
288 \-pwfile old\-password\-file
289 .RS 4
290 Specify a text file containing a token\*(Aqs existing password so that a password can be entered automatically when the
291 \fB\-changepw\fR
292 option is used to change passwords\&.
293 .RE
294 .PP
295 \-secmod secmodname
296 .RS 4
297 Give the name of the security module database (like
298 secmod\&.db) to load\&.
299 .RE
300 .PP
301 \-slot slotname
302 .RS 4
303 Specify a particular slot to be enabled or disabled with the
304 \fB\-enable\fR
305 or
306 \fB\-disable\fR
307 options\&.
308 .RE
309 .PP
310 \-string CONFIG_STRING
311 .RS 4
312 Pass a configuration string for the module being added to the database\&.
313 .RE
314 .PP
315 \-tempdir temporary\-directory
316 .RS 4
317 Give a directory location where temporary files are created during the installation by the
318 \fB\-jar\fR
319 option\&. If no temporary directory is specified, the current directory is used\&.
320 .RE
321 .SH "USAGE AND EXAMPLES"
322 .PP
323 \fBCreating Database Files\fR
324 .PP
325 Before any operations can be performed, there must be a set of security databases available\&.
326 \fBmodutil\fR
327 can be used to create these files\&. The only required argument is the database that where the databases will be located\&.
328 .sp
329 .if n \{\
330 .RS 4
331 .\}
332 .nf
333 modutil \-create \-dbdir [sql:]directory
334 .fi
335 .if n \{\
336 .RE
337 .\}
338 .PP
339 \fBAdding a Cryptographic Module\fR
340 .PP
341 Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms\&. This can be done by supplying all of the information through
342 \fBmodutil\fR
343 directly or by running a JAR file and install script\&. For the most basic case, simply upload the library:
344 .sp
345 .if n \{\
346 .RS 4
347 .\}
348 .nf
349 modutil \-add modulename \-libfile library\-file [\-ciphers cipher\-enable\-list] [\-mechanisms mechanism\-list]
350 .fi
351 .if n \{\
352 .RE
353 .\}
354 .PP
355 For example:
356 .sp
357 .if n \{\
358 .RS 4
359 .\}
360 .nf
361 modutil \-dbdir sql:/home/my/sharednssdb \-add "Example PKCS #11 Module" \-libfile "/tmp/crypto\&.so" \-mechanisms RSA:DSA:RC2:RANDOM
363 Using database directory \&.\&.\&.
364 Module "Example PKCS #11 Module" added to database\&.
365 .fi
366 .if n \{\
367 .RE
368 .\}
369 .PP
370 \fBInstalling a Cryptographic Module from a JAR File\fR
371 .PP
372 PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module\&. The JAR install script is described in more detail in
373 the section called \(lqJAR INSTALLATION FILE FORMAT\(rq\&.
374 .PP
375 The JAR installation script defines the setup information for each platform that the module can be installed on\&. For example:
376 .sp
377 .if n \{\
378 .RS 4
379 .\}
380 .nf
381 Platforms {
382 Linux:5\&.4\&.08:x86 {
383 ModuleName { "Example PKCS #11 Module" }
384 ModuleFile { crypto\&.so }
385 DefaultMechanismFlags{0x0000}
386 CipherEnableFlags{0x0000}
387 Files {
388 crypto\&.so {
389 Path{ /tmp/crypto\&.so }
390 }
391 setup\&.sh {
392 Executable
393 Path{ /tmp/setup\&.sh }
394 }
395 }
396 }
397 Linux:6\&.0\&.0:x86 {
398 EquivalentPlatform { Linux:5\&.4\&.08:x86 }
399 }
400 }
401 .fi
402 .if n \{\
403 .RE
404 .\}
405 .PP
406 Both the install script and the required libraries must be bundled in a JAR file, which is specified with the
407 \fB\-jar\fR
408 argument\&.
409 .sp
410 .if n \{\
411 .RS 4
412 .\}
413 .nf
414 modutil \-dbdir sql:/home/mt"jar\-install\-filey/sharednssdb \-jar install\&.jar \-installdir sql:/home/my/sharednssdb
416 This installation JAR file was signed by:
417 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
419 **SUBJECT NAME**
421 C=US, ST=California, L=Mountain View, CN=Cryptorific Inc\&., OU=Digital ID
422 Class 3 \- Netscape Object Signing, OU="www\&.verisign\&.com/repository/CPS
423 Incorp\&. by Ref\&.,LIAB\&.LTD(c)9 6", OU=www\&.verisign\&.com/CPS Incorp\&.by Ref
424 \&. LIABILITY LTD\&.(c)97 VeriSign, OU=VeriSign Object Signing CA \- Class 3
425 Organization, OU="VeriSign, Inc\&.", O=VeriSign Trust Network **ISSUER
426 NAME**, OU=www\&.verisign\&.com/CPS Incorp\&.by Ref\&. LIABILITY LTD\&.(c)97
427 VeriSign, OU=VeriSign Object Signing CA \- Class 3 Organization,
428 OU="VeriSign, Inc\&.", O=VeriSign Trust Network
429 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
431 Do you wish to continue this installation? (y/n) y
432 Using installer script "installer_script"
433 Successfully parsed installation script
434 Current platform is Linux:5\&.4\&.08:x86
435 Using installation parameters for platform Linux:5\&.4\&.08:x86
436 Installed file crypto\&.so to /tmp/crypto\&.so
437 Installed file setup\&.sh to \&./pk11inst\&.dir/setup\&.sh
438 Executing "\&./pk11inst\&.dir/setup\&.sh"\&.\&.\&.
439 "\&./pk11inst\&.dir/setup\&.sh" executed successfully
440 Installed module "Example PKCS #11 Module" into module database
442 Installation completed successfully
443 .fi
444 .if n \{\
445 .RE
446 .\}
447 .PP
448 \fBAdding Module Spec\fR
449 .PP
450 Each module has information stored in the security database about its configuration and parameters\&. These can be added or edited using the
451 \fB\-rawadd\fR
452 command\&. For the current settings or to see the format of the module spec in the database, use the
453 \fB\-rawlist\fR
454 option\&.
455 .sp
456 .if n \{\
457 .RS 4
458 .\}
459 .nf
460 modutil \-rawadd modulespec
461 .fi
462 .if n \{\
463 .RE
464 .\}
465 .PP
466 \fBDeleting a Module\fR
467 .PP
468 A specific PKCS #11 module can be deleted from the
469 secmod\&.db
470 database:
471 .sp
472 .if n \{\
473 .RS 4
474 .\}
475 .nf
476 modutil \-delete modulename \-dbdir [sql:]directory
477 .fi
478 .if n \{\
479 .RE
480 .\}
481 .PP
482 \fBDisplaying Module Information\fR
483 .PP
484 The
485 secmod\&.db
486 database contains information about the PKCS #11 modules that are available to an application or server to use\&. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed\&.
487 .PP
488 To simply get a list of modules in the database, use the
489 \fB\-list\fR
490 command\&.
491 .sp
492 .if n \{\
493 .RS 4
494 .\}
495 .nf
496 modutil \-list [modulename] \-dbdir [sql:]directory
497 .fi
498 .if n \{\
499 .RE
500 .\}
501 .PP
502 Listing the modules shows the module name, their status, and other associated security databases for certificates and keys\&. For example:
503 .sp
504 .if n \{\
505 .RS 4
506 .\}
507 .nf
508 modutil \-list \-dbdir sql:/home/my/sharednssdb
510 Listing of PKCS #11 Modules
511 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
512 1\&. NSS Internal PKCS #11 Module
513 slots: 2 slots attached
514 status: loaded
516 slot: NSS Internal Cryptographic Services
517 token: NSS Generic Crypto Services
519 slot: NSS User Private Key and Certificate Services
520 token: NSS Certificate DB
521 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
522 .fi
523 .if n \{\
524 .RE
525 .\}
526 .PP
527 Passing a specific module name with the
528 \fB\-list\fR
529 returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on\&. For example:
530 .sp
531 .if n \{\
532 .RS 4
533 .\}
534 .nf
535 modutil \-list "NSS Internal PKCS #11 Module" \-dbdir sql:/home/my/sharednssdb
537 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
538 Name: NSS Internal PKCS #11 Module
539 Library file: **Internal ONLY module**
540 Manufacturer: Mozilla Foundation
541 Description: NSS Internal Crypto Services
542 PKCS #11 Version 2\&.20
543 Library Version: 3\&.11
544 Cipher Enable Flags: None
545 Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
547 Slot: NSS Internal Cryptographic Services
548 Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
549 Manufacturer: Mozilla Foundation
550 Type: Software
551 Version Number: 3\&.11
552 Firmware Version: 0\&.0
553 Status: Enabled
554 Token Name: NSS Generic Crypto Services
555 Token Manufacturer: Mozilla Foundation
556 Token Model: NSS 3
557 Token Serial Number: 0000000000000000
558 Token Version: 4\&.0
559 Token Firmware Version: 0\&.0
560 Access: Write Protected
561 Login Type: Public (no login required)
562 User Pin: NOT Initialized
564 Slot: NSS User Private Key and Certificate Services
565 Slot Mechanism Flags: None
566 Manufacturer: Mozilla Foundation
567 Type: Software
568 Version Number: 3\&.11
569 Firmware Version: 0\&.0
570 Status: Enabled
571 Token Name: NSS Certificate DB
572 Token Manufacturer: Mozilla Foundation
573 Token Model: NSS 3
574 Token Serial Number: 0000000000000000
575 Token Version: 8\&.3
576 Token Firmware Version: 0\&.0
577 Access: NOT Write Protected
578 Login Type: Login required
579 User Pin: Initialized
580 .fi
581 .if n \{\
582 .RE
583 .\}
584 .PP
585 A related command,
586 \fB\-rawlist\fR
587 returns information about the database configuration for the modules\&. (This information can be edited by loading new specs using the
588 \fB\-rawadd\fR
589 command\&.)
590 .sp
591 .if n \{\
592 .RS 4
593 .\}
594 .nf
595 modutil \-rawlist \-dbdir sql:/home/my/sharednssdb
596 name="NSS Internal PKCS #11 Module" parameters="configdir=\&. certPrefix= keyPrefix= secmod=secmod\&.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"
597 .fi
598 .if n \{\
599 .RE
600 .\}
601 .PP
602 \fBSetting a Default Provider for Security Mechanisms\fR
603 .PP
604 Multiple security modules may provide support for the same security mechanisms\&. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms)\&.
605 .sp
606 .if n \{\
607 .RS 4
608 .\}
609 .nf
610 modutil \-default modulename \-mechanisms mechanism\-list
611 .fi
612 .if n \{\
613 .RE
614 .\}
615 .PP
616 To set a module as the default provider for mechanisms, use the
617 \fB\-default\fR
618 command with a colon\-separated list of mechanisms\&. The available mechanisms depend on the module; NSS supplies almost all common mechanisms\&. For example:
619 .sp
620 .if n \{\
621 .RS 4
622 .\}
623 .nf
624 modutil \-default "NSS Internal PKCS #11 Module" \-dbdir \-mechanisms RSA:DSA:RC2
626 Using database directory c:\edatabases\&.\&.\&.
628 Successfully changed defaults\&.
629 .fi
630 .if n \{\
631 .RE
632 .\}
633 .PP
634 Clearing the default provider has the same format:
635 .sp
636 .if n \{\
637 .RS 4
638 .\}
639 .nf
640 modutil \-undefault "NSS Internal PKCS #11 Module" \-dbdir \-mechanisms MD2:MD5
641 .fi
642 .if n \{\
643 .RE
644 .\}
645 .PP
646 \fBEnabling and Disabling Modules and Slots\fR
647 .PP
648 Modules, and specific slots on modules, can be selectively enabled or disabled using
649 \fBmodutil\fR\&. Both commands have the same format:
650 .sp
651 .if n \{\
652 .RS 4
653 .\}
654 .nf
655 modutil \-enable|\-disable modulename [\-slot slotname]
656 .fi
657 .if n \{\
658 .RE
659 .\}
660 .PP
661 For example:
662 .sp
663 .if n \{\
664 .RS 4
665 .\}
666 .nf
667 modutil \-enable "NSS Internal PKCS #11 Module" \-slot "NSS Internal Cryptographic Services " \-dbdir \&.
669 Slot "NSS Internal Cryptographic Services " enabled\&.
670 .fi
671 .if n \{\
672 .RE
673 .\}
674 .PP
675 Be sure that the appropriate amount of trailing whitespace is after the slot name\&. Some slot names have a significant amount of whitespace that must be included, or the operation will fail\&.
676 .PP
677 \fBEnabling and Verifying FIPS Compliance\fR
678 .PP
679 The NSS modules can have FIPS 140\-2 compliance enabled or disabled using
680 \fBmodutil\fR
681 with the
682 \fB\-fips\fR
683 option\&. For example:
684 .sp
685 .if n \{\
686 .RS 4
687 .\}
688 .nf
689 modutil \-fips true \-dbdir sql:/home/my/sharednssdb/
691 FIPS mode enabled\&.
692 .fi
693 .if n \{\
694 .RE
695 .\}
696 .PP
697 To verify that status of FIPS mode, run the
698 \fB\-chkfips\fR
699 command with either a true or false flag (it doesn\*(Aqt matter which)\&. The tool returns the current FIPS setting\&.
700 .sp
701 .if n \{\
702 .RS 4
703 .\}
704 .nf
705 modutil \-chkfips false \-dbdir sql:/home/my/sharednssdb/
707 FIPS mode enabled\&.
708 .fi
709 .if n \{\
710 .RE
711 .\}
712 .PP
713 \fBChanging the Password on a Token\fR
714 .PP
715 Initializing or changing a token\*(Aqs password:
716 .sp
717 .if n \{\
718 .RS 4
719 .\}
720 .nf
721 modutil \-changepw tokenname [\-pwfile old\-password\-file] [\-newpwfile new\-password\-file]
722 .fi
723 .if n \{\
724 .RE
725 .\}
726 .sp
727 .if n \{\
728 .RS 4
729 .\}
730 .nf
731 modutil \-dbdir sql:/home/my/sharednssdb \-changepw "NSS Certificate DB"
733 Enter old password:
734 Incorrect password, try again\&.\&.\&.
735 Enter old password:
736 Enter new password:
737 Re\-enter new password:
738 Token "Communicator Certificate DB" password changed successfully\&.
739 .fi
740 .if n \{\
741 .RE
742 .\}
743 .SH "JAR INSTALLATION FILE FORMAT"
744 .PP
745 When a JAR file is run by a server, by
746 \fBmodutil\fR, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries\&. There are several things to keep in mind with this file:
747 .sp
748 .RS 4
749 .ie n \{\
750 \h'-04'\(bu\h'+03'\c
751 .\}
752 .el \{\
753 .sp -1
754 .IP \(bu 2.3
755 .\}
756 It must be declared in the JAR archive\*(Aqs manifest file\&.
757 .RE
758 .sp
759 .RS 4
760 .ie n \{\
761 \h'-04'\(bu\h'+03'\c
762 .\}
763 .el \{\
764 .sp -1
765 .IP \(bu 2.3
766 .\}
767 The script can have any name\&.
768 .RE
769 .sp
770 .RS 4
771 .ie n \{\
772 \h'-04'\(bu\h'+03'\c
773 .\}
774 .el \{\
775 .sp -1
776 .IP \(bu 2.3
777 .\}
778 The metainfo tag for this is
779 \fBPkcs11_install_script\fR\&. To declare meta\-information in the manifest file, put it in a file that is passed to
780 \fBsigntool\fR\&.
781 .RE
782 .PP
783 \fBSample Script\fR
784 .PP
785 For example, the PKCS #11 installer script could be in the file pk11install\&. If so, the metainfo file for
786 \fBsigntool\fR
787 includes a line such as this:
788 .sp
789 .if n \{\
790 .RS 4
791 .\}
792 .nf
793 + Pkcs11_install_script: pk11install
794 .fi
795 .if n \{\
796 .RE
797 .\}
798 .PP
799 The script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms\&. Multiple platforms can be defined in a single install file\&.
800 .sp
801 .if n \{\
802 .RS 4
803 .\}
804 .nf
805 ForwardCompatible { IRIX:6\&.2:mips SUNOS:5\&.5\&.1:sparc }
806 Platforms {
807 WINNT::x86 {
808 ModuleName { "Example Module" }
809 ModuleFile { win32/fort32\&.dll }
810 DefaultMechanismFlags{0x0001}
811 DefaultCipherFlags{0x0001}
812 Files {
813 win32/setup\&.exe {
814 Executable
815 RelativePath { %temp%/setup\&.exe }
816 }
817 win32/setup\&.hlp {
818 RelativePath { %temp%/setup\&.hlp }
819 }
820 win32/setup\&.cab {
821 RelativePath { %temp%/setup\&.cab }
822 }
823 }
824 }
825 WIN95::x86 {
826 EquivalentPlatform {WINNT::x86}
827 }
828 SUNOS:5\&.5\&.1:sparc {
829 ModuleName { "Example UNIX Module" }
830 ModuleFile { unix/fort\&.so }
831 DefaultMechanismFlags{0x0001}
832 CipherEnableFlags{0x0001}
833 Files {
834 unix/fort\&.so {
835 RelativePath{%root%/lib/fort\&.so}
836 AbsolutePath{/usr/local/netscape/lib/fort\&.so}
837 FilePermissions{555}
838 }
839 xplat/instr\&.html {
840 RelativePath{%root%/docs/inst\&.html}
841 AbsolutePath{/usr/local/netscape/docs/inst\&.html}
842 FilePermissions{555}
843 }
844 }
845 }
846 IRIX:6\&.2:mips {
847 EquivalentPlatform { SUNOS:5\&.5\&.1:sparc }
848 }
849 }
850 .fi
851 .if n \{\
852 .RE
853 .\}
854 .PP
855 \fBScript Grammar\fR
856 .PP
857 The script is basic Java, allowing lists, key\-value pairs, strings, and combinations of all of them\&.
858 .sp
859 .if n \{\
860 .RS 4
861 .\}
862 .nf
863 \-\-> valuelist
865 valuelist \-\-> value valuelist
866 <null>
868 value \-\-\-> key_value_pair
869 string
871 key_value_pair \-\-> key { valuelist }
873 key \-\-> string
875 string \-\-> simple_string
876 "complex_string"
878 simple_string \-\-> [^ \et\en\e""{""}"]+
880 complex_string \-\-> ([^\e"\e\e\er\en]|(\e\e\e")|(\e\e\e\e))+
881 .fi
882 .if n \{\
883 .RE
884 .\}
885 .PP
886 Quotes and backslashes must be escaped with a backslash\&. A complex string must not include newlines or carriage returns\&.Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is considered equal and is used only to delimit tokens\&.
887 .PP
888 \fBKeys\fR
889 .PP
890 The Java install file uses keys to define the platform and module information\&.
891 .PP
892 \fBForwardCompatible\fR
893 gives a list of platforms that are forward compatible\&. If the current platform cannot be found in the list of supported platforms, then the
894 \fBForwardCompatible\fR
895 list is checked for any platforms that have the same OS and architecture in an earlier version\&. If one is found, its attributes are used for the current platform\&.
896 .PP
897 \fBPlatforms\fR
898 (required) Gives a list of platforms\&. Each entry in the list is itself a key\-value pair: the key is the name of the platform and the value list contains various attributes of the platform\&. The platform string is in the format
899 \fIsystem name:OS release:architecture\fR\&. The installer obtains these values from NSPR\&. OS release is an empty string on non\-Unix operating systems\&. NSPR supports these platforms:
900 .sp
901 .RS 4
902 .ie n \{\
903 \h'-04'\(bu\h'+03'\c
904 .\}
905 .el \{\
906 .sp -1
907 .IP \(bu 2.3
908 .\}
909 AIX (rs6000)
910 .RE
911 .sp
912 .RS 4
913 .ie n \{\
914 \h'-04'\(bu\h'+03'\c
915 .\}
916 .el \{\
917 .sp -1
918 .IP \(bu 2.3
919 .\}
920 BSDI (x86)
921 .RE
922 .sp
923 .RS 4
924 .ie n \{\
925 \h'-04'\(bu\h'+03'\c
926 .\}
927 .el \{\
928 .sp -1
929 .IP \(bu 2.3
930 .\}
931 FREEBSD (x86)
932 .RE
933 .sp
934 .RS 4
935 .ie n \{\
936 \h'-04'\(bu\h'+03'\c
937 .\}
938 .el \{\
939 .sp -1
940 .IP \(bu 2.3
941 .\}
942 HPUX (hppa1\&.1)
943 .RE
944 .sp
945 .RS 4
946 .ie n \{\
947 \h'-04'\(bu\h'+03'\c
948 .\}
949 .el \{\
950 .sp -1
951 .IP \(bu 2.3
952 .\}
953 IRIX (mips)
954 .RE
955 .sp
956 .RS 4
957 .ie n \{\
958 \h'-04'\(bu\h'+03'\c
959 .\}
960 .el \{\
961 .sp -1
962 .IP \(bu 2.3
963 .\}
964 LINUX (ppc, alpha, x86)
965 .RE
966 .sp
967 .RS 4
968 .ie n \{\
969 \h'-04'\(bu\h'+03'\c
970 .\}
971 .el \{\
972 .sp -1
973 .IP \(bu 2.3
974 .\}
975 MacOS (PowerPC)
976 .RE
977 .sp
978 .RS 4
979 .ie n \{\
980 \h'-04'\(bu\h'+03'\c
981 .\}
982 .el \{\
983 .sp -1
984 .IP \(bu 2.3
985 .\}
986 NCR (x86)
987 .RE
988 .sp
989 .RS 4
990 .ie n \{\
991 \h'-04'\(bu\h'+03'\c
992 .\}
993 .el \{\
994 .sp -1
995 .IP \(bu 2.3
996 .\}
997 NEC (mips)
998 .RE
999 .sp
1000 .RS 4
1001 .ie n \{\
1002 \h'-04'\(bu\h'+03'\c
1003 .\}
1004 .el \{\
1005 .sp -1
1006 .IP \(bu 2.3
1007 .\}
1008 OS2 (x86)
1009 .RE
1010 .sp
1011 .RS 4
1012 .ie n \{\
1013 \h'-04'\(bu\h'+03'\c
1014 .\}
1015 .el \{\
1016 .sp -1
1017 .IP \(bu 2.3
1018 .\}
1019 OSF (alpha)
1020 .RE
1021 .sp
1022 .RS 4
1023 .ie n \{\
1024 \h'-04'\(bu\h'+03'\c
1025 .\}
1026 .el \{\
1027 .sp -1
1028 .IP \(bu 2.3
1029 .\}
1030 ReliantUNIX (mips)
1031 .RE
1032 .sp
1033 .RS 4
1034 .ie n \{\
1035 \h'-04'\(bu\h'+03'\c
1036 .\}
1037 .el \{\
1038 .sp -1
1039 .IP \(bu 2.3
1040 .\}
1041 SCO (x86)
1042 .RE
1043 .sp
1044 .RS 4
1045 .ie n \{\
1046 \h'-04'\(bu\h'+03'\c
1047 .\}
1048 .el \{\
1049 .sp -1
1050 .IP \(bu 2.3
1051 .\}
1052 SOLARIS (sparc)
1053 .RE
1054 .sp
1055 .RS 4
1056 .ie n \{\
1057 \h'-04'\(bu\h'+03'\c
1058 .\}
1059 .el \{\
1060 .sp -1
1061 .IP \(bu 2.3
1062 .\}
1063 SONY (mips)
1064 .RE
1065 .sp
1066 .RS 4
1067 .ie n \{\
1068 \h'-04'\(bu\h'+03'\c
1069 .\}
1070 .el \{\
1071 .sp -1
1072 .IP \(bu 2.3
1073 .\}
1074 SUNOS (sparc)
1075 .RE
1076 .sp
1077 .RS 4
1078 .ie n \{\
1079 \h'-04'\(bu\h'+03'\c
1080 .\}
1081 .el \{\
1082 .sp -1
1083 .IP \(bu 2.3
1084 .\}
1085 UnixWare (x86)
1086 .RE
1087 .sp
1088 .RS 4
1089 .ie n \{\
1090 \h'-04'\(bu\h'+03'\c
1091 .\}
1092 .el \{\
1093 .sp -1
1094 .IP \(bu 2.3
1095 .\}
1096 WIN16 (x86)
1097 .RE
1098 .sp
1099 .RS 4
1100 .ie n \{\
1101 \h'-04'\(bu\h'+03'\c
1102 .\}
1103 .el \{\
1104 .sp -1
1105 .IP \(bu 2.3
1106 .\}
1107 WIN95 (x86)
1108 .RE
1109 .sp
1110 .RS 4
1111 .ie n \{\
1112 \h'-04'\(bu\h'+03'\c
1113 .\}
1114 .el \{\
1115 .sp -1
1116 .IP \(bu 2.3
1117 .\}
1118 WINNT (x86)
1119 .RE
1120 .PP
1121 For example:
1122 .sp
1123 .if n \{\
1124 .RS 4
1125 .\}
1126 .nf
1127 IRIX:6\&.2:mips
1128 SUNOS:5\&.5\&.1:sparc
1129 Linux:2\&.0\&.32:x86
1130 WIN95::x86
1131 .fi
1132 .if n \{\
1133 .RE
1134 .\}
1135 .PP
1136 The module information is defined independently for each platform in the
1137 \fBModuleName\fR,
1138 \fBModuleFile\fR, and
1139 \fBFiles\fR
1140 attributes\&. These attributes must be given unless an
1141 \fBEquivalentPlatform\fR
1142 attribute is specified\&.
1143 .PP
1144 \fBPer\-Platform Keys\fR
1145 .PP
1146 Per\-platform keys have meaning only within the value list of an entry in the
1147 \fBPlatforms\fR
1148 list\&.
1149 .PP
1150 \fBModuleName\fR
1151 (required) gives the common name for the module\&. This name is used to reference the module by servers and by the
1152 \fBmodutil\fR
1153 tool\&.
1154 .PP
1155 \fBModuleFile\fR
1156 (required) names the PKCS #11 module file for this platform\&. The name is given as the relative path of the file within the JAR archive\&.
1157 .PP
1158 \fBFiles\fR
1159 (required) lists the files that need to be installed for this module\&. Each entry in the file list is a key\-value pair\&. The key is the path of the file in the JAR archive, and the value list contains attributes of the file\&. At least
1160 \fBRelativePath\fR
1161 or
1162 \fBAbsolutePath\fR
1163 must be specified for each file\&.
1164 .PP
1165 \fBDefaultMechanismFlags\fR
1166 specifies mechanisms for which this module is the default provider; this is equivalent to the
1167 \fB\-mechanism\fR
1168 option with the
1169 \fB\-add\fR
1170 command\&. This key\-value pair is a bitstring specified in hexadecimal (0x) format\&. It is constructed as a bitwise OR\&. If the DefaultMechanismFlags entry is omitted, the value defaults to 0x0\&.
1171 .sp
1172 .if n \{\
1173 .RS 4
1174 .\}
1175 .nf
1176 RSA: 0x00000001
1177 DSA: 0x00000002
1178 RC2: 0x00000004
1179 RC4: 0x00000008
1180 DES: 0x00000010
1181 DH: 0x00000020
1182 FORTEZZA: 0x00000040
1183 RC5: 0x00000080
1184 SHA1: 0x00000100
1185 MD5: 0x00000200
1186 MD2: 0x00000400
1187 RANDOM: 0x08000000
1188 FRIENDLY: 0x10000000
1189 OWN_PW_DEFAULTS: 0x20000000
1190 DISABLE: 0x40000000
1191 .fi
1192 .if n \{\
1193 .RE
1194 .\}
1195 .PP
1196 \fBCipherEnableFlags\fR
1197 specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS)\&. This is equivalent to the
1198 \fB\-cipher\fR
1199 argument with the
1200 \fB\-add\fR
1201 command\&. This key is a bitstring specified in hexadecimal (0x) format\&. It is constructed as a bitwise OR\&. If the
1202 \fBCipherEnableFlags\fR
1203 entry is omitted, the value defaults to 0x0\&.
1204 .PP
1205 \fBEquivalentPlatform\fR
1206 specifies that the attributes of the named platform should also be used for the current platform\&. This makes it easier when more than one platform uses the same settings\&.
1207 .PP
1208 \fBPer\-File Keys\fR
1209 .PP
1210 Some keys have meaning only within the value list of an entry in a
1211 \fBFiles\fR
1212 list\&.
1213 .PP
1214 Each file requires a path key the identifies where the file is\&. Either
1215 \fBRelativePath\fR
1216 or
1217 \fBAbsolutePath\fR
1218 must be specified\&. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program\&.
1219 .PP
1220 \fBRelativePath\fR
1221 specifies the destination directory of the file, relative to some directory decided at install time\&. Two variables can be used in the relative path:
1222 \fB%root%\fR
1223 and
1224 \fB%temp%\fR\&.
1225 \fB%root%\fR
1226 is replaced at run time with the directory relative to which files should be installed; for example, it may be the server\*(Aqs root directory\&. The
1227 \fB%temp%\fR
1228 directory is created at the beginning of the installation and destroyed at the end\&. The purpose of
1229 \fB%temp%\fR
1230 is to hold executable files (such as setup programs) or files that are used by these programs\&. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished\&.
1231 .PP
1232 \fBAbsolutePath\fR
1233 specifies the destination directory of the file as an absolute path\&.
1234 .PP
1235 \fBExecutable\fR
1236 specifies that the file is to be executed during the course of the installation\&. Typically, this string is used for a setup program provided by a module vendor, such as a self\-extracting setup executable\&. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file\&.
1237 .PP
1238 \fBFilePermissions\fR
1239 sets permissions on any referenced files in a string of octal digits, according to the standard Unix format\&. This string is a bitwise OR\&.
1240 .sp
1241 .if n \{\
1242 .RS 4
1243 .\}
1244 .nf
1245 user read: 0400
1246 user write: 0200
1247 user execute: 0100
1248 group read: 0040
1249 group write: 0020
1250 group execute: 0010
1251 other read: 0004
1252 other write: 0002
1253 other execute: 0001
1254 .fi
1255 .if n \{\
1256 .RE
1257 .\}
1258 .PP
1259 Some platforms may not understand these permissions\&. They are applied only insofar as they make sense for the current platform\&. If this attribute is omitted, a default of 777 is assumed\&.
1260 .SH "NSS DATABASE TYPES"
1261 .PP
1262 NSS originally used BerkeleyDB databases to store security information\&. The last versions of these
1263 \fIlegacy\fR
1264 databases are:
1265 .sp
1266 .RS 4
1267 .ie n \{\
1268 \h'-04'\(bu\h'+03'\c
1269 .\}
1270 .el \{\
1271 .sp -1
1272 .IP \(bu 2.3
1273 .\}
1274 cert8\&.db for certificates
1275 .RE
1276 .sp
1277 .RS 4
1278 .ie n \{\
1279 \h'-04'\(bu\h'+03'\c
1280 .\}
1281 .el \{\
1282 .sp -1
1283 .IP \(bu 2.3
1284 .\}
1285 key3\&.db for keys
1286 .RE
1287 .sp
1288 .RS 4
1289 .ie n \{\
1290 \h'-04'\(bu\h'+03'\c
1291 .\}
1292 .el \{\
1293 .sp -1
1294 .IP \(bu 2.3
1295 .\}
1296 secmod\&.db for PKCS #11 module information
1297 .RE
1298 .PP
1299 BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&.
1300 .PP
1301 In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB\&. These new databases provide more accessibility and performance:
1302 .sp
1303 .RS 4
1304 .ie n \{\
1305 \h'-04'\(bu\h'+03'\c
1306 .\}
1307 .el \{\
1308 .sp -1
1309 .IP \(bu 2.3
1310 .\}
1311 cert9\&.db for certificates
1312 .RE
1313 .sp
1314 .RS 4
1315 .ie n \{\
1316 \h'-04'\(bu\h'+03'\c
1317 .\}
1318 .el \{\
1319 .sp -1
1320 .IP \(bu 2.3
1321 .\}
1322 key4\&.db for keys
1323 .RE
1324 .sp
1325 .RS 4
1326 .ie n \{\
1327 \h'-04'\(bu\h'+03'\c
1328 .\}
1329 .el \{\
1330 .sp -1
1331 .IP \(bu 2.3
1332 .\}
1333 pkcs11\&.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
1334 .RE
1335 .PP
1336 Because the SQLite databases are designed to be shared, these are the
1337 \fIshared\fR
1338 database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&.
1339 .PP
1340 By default, the tools (\fBcertutil\fR,
1341 \fBpk12util\fR,
1342 \fBmodutil\fR) assume that the given security databases follow the more common legacy type\&. Using the SQLite databases must be manually specified by using the
1343 \fBsql:\fR
1344 prefix with the given security directory\&. For example:
1345 .sp
1346 .if n \{\
1347 .RS 4
1348 .\}
1349 .nf
1350 modutil \-create \-dbdir sql:/home/my/sharednssdb
1351 .fi
1352 .if n \{\
1353 .RE
1354 .\}
1355 .PP
1356 To set the shared database type as the default type for the tools, set the
1357 \fBNSS_DEFAULT_DB_TYPE\fR
1358 environment variable to
1359 \fBsql\fR:
1360 .sp
1361 .if n \{\
1362 .RS 4
1363 .\}
1364 .nf
1365 export NSS_DEFAULT_DB_TYPE="sql"
1366 .fi
1367 .if n \{\
1368 .RE
1369 .\}
1370 .PP
1371 This line can be added to the
1372 ~/\&.bashrc
1373 file to make the change permanent for the user\&.
1374 .PP
1375 Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:
1376 .sp
1377 .RS 4
1378 .ie n \{\
1379 \h'-04'\(bu\h'+03'\c
1380 .\}
1381 .el \{\
1382 .sp -1
1383 .IP \(bu 2.3
1384 .\}
1385 https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
1386 .RE
1387 .PP
1388 For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:
1389 .sp
1390 .RS 4
1391 .ie n \{\
1392 \h'-04'\(bu\h'+03'\c
1393 .\}
1394 .el \{\
1395 .sp -1
1396 .IP \(bu 2.3
1397 .\}
1398 https://wiki\&.mozilla\&.org/NSS_Shared_DB
1399 .RE
1400 .SH "SEE ALSO"
1401 .PP
1402 certutil (1)
1403 .PP
1404 pk12util (1)
1405 .PP
1406 signtool (1)
1407 .PP
1408 The NSS wiki has information on the new database design and how to configure applications to use it\&.
1409 .sp
1410 .RS 4
1411 .ie n \{\
1412 \h'-04'\(bu\h'+03'\c
1413 .\}
1414 .el \{\
1415 .sp -1
1416 .IP \(bu 2.3
1417 .\}
1418 https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto
1419 .RE
1420 .sp
1421 .RS 4
1422 .ie n \{\
1423 \h'-04'\(bu\h'+03'\c
1424 .\}
1425 .el \{\
1426 .sp -1
1427 .IP \(bu 2.3
1428 .\}
1429 https://wiki\&.mozilla\&.org/NSS_Shared_DB
1430 .RE
1431 .SH "ADDITIONAL RESOURCES"
1432 .PP
1433 For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at
1434 \m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&.
1435 .PP
1436 Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto
1437 .PP
1438 IRC: Freenode at #dogtag\-pki
1439 .SH "AUTHORS"
1440 .PP
1441 The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&.
1442 .PP
1443 Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&.
1444 .SH "LICENSE"
1445 .PP
1446 Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&.
1447 .SH "NOTES"
1448 .IP " 1." 4
1449 Mozilla NSS bug 836477
1450 .RS 4
1451 \%https://bugzilla.mozilla.org/show_bug.cgi?id=836477
1452 .RE
