Wednesday Jan 05, 2011

What's new in NSS 3.12.\*- New Shared DBs

NSS has introduced NEW Shared Databases based on SQLite in NSS 3.12.x. 
Motivation for introducing these new Shared Databases were :
  • ability to edit NSS databases without stopping server and
  • servers want to share DBs.

Advantages of these Shared DBs

Some experts from https://wiki.mozilla.org/NSS_Shared_DB

"NSS has been using an old version of the Berkeley Database as its database engine (commonly described in NSS documents as "DBM") has a number of limitations. One of the most severe limitations concerns the number of processes that may share a database file. While any process has a DBM file open for writing, NO other process may access it in any way. Multiple processes may share a DBM database ONLY if they ALL access it READ-ONLY. Processes cannot share a DBM database file if ANY of them wants to update it.

Applications that want to share databases have resorted to these strategies:
\* Synchronized updates, with application down time : The applications share the database read-only. If any update is desired, all the applications are shut down, and a database update program performs the update, then all the applications are restarted in read-only mode. This results in undesirable downtime and desired database changes are delayed until the next interval in which such downtime is acceptable."
...

"The new databases will be called 'shareable' databases. They may or may not be shared by multiple processes, but they are all capable of being shared. "
...

Shareable DB files : cert9.db, key4.db, pkcs11.txt

  • Are based on SQLite3
  • Allows read write by multiple simultaneous processes
  • Not enabled by default, must be enabled. To be enable it, use environment variable NSS_DEFAULT_DB_TYPE or add "sql:" prefix in configDir.
  • certutil utility program can do upgrade i.e. convert old DB (cert8.db) to new DB(cert9.db). For automatic upgrade, NSS must be told to use SQL AND the databases must be opened for reading AND writing. If NSS is not told to use SQL, or if the databases are opened READ-ONLY, then no automatic upgrade takes place.

Different types of NSS DBs

\* Directory name string prefix "sql:", "dbm:", "extern:", "multiaccess:" OR
\* Environment variable NSS_DEFAULT_DB_TYPE "sql", "dbm", "extern"

where "dbm" is the old default Berkeley DB (cert8). 
      "sql" is the new sqlite3 (cert9) DB. 
      "extern" and "multiaccess" are now obsolete.

How to upgrade from cert8.db to cert9.db

You can either use environment variables or use sql: prefix in database directory parameter of certutil:
$export NSS_DEFAULT_DB_TYPE=sql
$certutil -K -d /tmp/nss -X

OR

$certutil -K -d sql:/tmp/nss -X
When you upgrade these are the files you get :
key3.db -> key4.db
cert8.db -> cert9.db
secmod.db -> pkcs11.txt
The contents of the pkcs11.txt files are basically identical to the contents of the old secmod.db, just not in the old Berkeley DB format. If you run the command "$modutil -dbdir DBDIR -rawlist" on an older secmod.db file, you should get output similar to what you see in pkcs11.txt.
 
  
 
  

What needs to be done in programs / C code

Either add  environment variable NSS_DEFAULT_DB_TYPE "sql"

NSS_Initialize call in https://developer.mozilla.org/en/NSS_Initialize
takes this "configDir" parameter as shown below :

    NSS_Initialize(configDir, "", "", "secmod.db", NSS_INIT_READONLY);


For cert9.db, change this first parameter to "sql:" + configDir (like "sql:/tmp/nss/") i.e. prefix "sql:" in the directory name where these NSS Databases exist.

This code will work with cert8.db as well if cert9.db is not present.

References

  1. https://wiki.mozilla.org/NSS_Shared_DB_Samples
  2. https://wiki.mozilla.org/NSS_Shared_DB_Howto
  3. https://wiki.mozilla.org/NSS_Shared_DB
  4. http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg05282.html

        
    
About

Meena Vyas

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today