RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1946789 - Document that modutil creates "sql" database by default, even when "sql:" prefix is not specified
Summary: Document that modutil creates "sql" database by default, even when "sql:" pre...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nss
Version: 8.0
Hardware: All
OS: Linux
low
low
Target Milestone: beta
: ---
Assignee: nss-nspr-maint
QA Contact: Ivan Nikolchev
URL:
Whiteboard:
Depends On:
Blocks: 1976257
TreeView+ depends on / blocked
 
Reported: 2021-04-06 20:46 UTC by Rupinder Gill
Modified: 2021-12-16 12:09 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1976257 (view as bug list)
Environment:
Last Closed: 2021-12-16 11:54:57 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 1712184 0 -- ASSIGNED NSS tools manpages need to be updated to reflect that sqlite is the default database. 2021-05-20 18:42:00 UTC
Red Hat Issue Tracker CRYPTO-5887 0 None None None 2021-12-16 12:09:14 UTC

Description Rupinder Gill 2021-04-06 20:46:46 UTC 
Description of problem:
"modutil -create -dbdir xxx" will create the newer sql database (e.g. cert9.db) even though no "sql:" prefix is specified.

Version-Release number of selected component (if applicable):
nss-tools 3.53.1

How reproducible:
Easy; just try the command in description.

Steps to Reproduce:
1. Create an empty directory for the database (say ~/xxx)
2. modutil -create -dbdir ~/xxx -force
3.

Actual results:
~/xxx will contain cert9.db, key4.db, and pkcs11.txt

Expected results:
~/xxx should contain cert8.db, key3.db, and secmod.db

Additional info:
Currently using workaround of prefixing -dbdir argument with "dbm:".  This, btw, is NOT document anywhere nss-tools; found it by accident on https://koji.mbox.centos.org/koji/buildinfo?buildID=13084 (see snippet below; I think Bob is to blame! :-)

Thu Jul 30 2020 Bob Relyea <rrelyea> - 3.53.1-11
- Fix issue with upgradedb where upgradedb expects standard to
  generate dbm databases, not sql databases (default in RHEL8)
Comment 2 Rupinder Gill 2021-04-06 21:11:14 UTC 
The workaround proposed above of using "dbm:" prefix is not an option unfortunately... I succeeded to install the COTS java application by modifying its install scripts, but the application fails to launch and displays following error:

Exception in thread "main" java.security.ProviderException: NSS module not available: fips
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:277)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:112)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:109)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:109)

I verified that "modutil -fips true -dbdir dbm:~/xxx" (executed from install script) did indeed succeed during installation.
Comment 3 Alicja Kario 2021-04-13 15:32:08 UTC 
I can't reproduce this issue:

[root@ci-vm-10-0-139-167 ~]# mkdir xxx
[root@ci-vm-10-0-139-167 ~]# modutil -create -dbdir xxx -force
[root@ci-vm-10-0-139-167 ~]# ls xxx
cert8.db  key3.db  secmod.db

[root@ci-vm-10-0-139-167 ~]# rpm -q nss
nss-3.53.1-3.el7_9.x86_64

same for databases created with certutil:
[root@ci-vm-10-0-139-167 ~]# mkdir test
[root@ci-vm-10-0-139-167 ~]# certutil -N -d test --empty-password
[root@ci-vm-10-0-139-167 ~]# ls test/
cert8.db  key3.db  secmod.db
Comment 4 Bob Relyea 2021-04-13 16:26:20 UTC 
nss-3.53.1.11 isn't in rhel7. It looks like you have a rhel8 build on your rhel-7 system, which is why the default is sql (it's always been sql on rhel8). Even when we rebase on rhel7, we change that default so nss-3.53.1-x_el7 has a different default than nss-3.53.1-x_el8, and our test cases verify this, (which is why hubert jumped in. If RHEL 7 had sql as the default, it means our test case was broken and giving us a false negative).

If you are seeing the issue on rhel7 with a rhel7 build, the next thing to check is your environment. Setting NSS_DEFAULT_DB_TYPE changes what the default is on your system. So if you set:
export NSS_DEFAULT_DB_TYPE=sql

Then your default database type will be sql on any version of RHEL (RHEL5, RHEL6, RHEL7, RHEL8, RHEL9). You can even set RHEL8 back to dbm with:
export NSS_DEFAULT_DB_TYPE=dbm
(though this won't work in RHEL 9 because dbm has been officially retired and isn't even compiled anymore).
Comment 5 Bob Relyea 2021-04-20 15:14:54 UTC 
Can you verify that you aren't tripping over something in comment 4. Thanks.
Comment 6 Rupinder Gill 2021-04-21 23:29:19 UTC 
Apologies for delayed response AND for misidentification of the host platform:. It is rhel8.

I appreciate your very timely and informed responses.  I only ask that the man page(s) be updated to note that the default is "sql".

I have also informed the application vendor of the retiring of "dbm" format.

Thank you!
Comment 7 Alicja Kario 2021-04-22 12:31:45 UTC 
Confirmed that with nss-tools-3.53.1-17.el8_3.x86_64, the man page for certutil states
```
If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.
```
Similarly, the modutil man page states:
```
           modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the
           prefix sql: is not used, then the tool assumes that the given databases are in the old format.
```
So at least those two instances should be fixed, there may be other references to the dbm format being the default.
Comment 8 Bob Relyea 2021-04-22 15:56:43 UTC 
Agreed, dev_ack+, targetting next NSS rebase for the fix.
Comment 9 Bob Relyea 2021-04-28 16:08:02 UTC 
This needs an upstream fix for RHEL 8 (upstream has the same defaults as rhel 8) with:
       rhel7 reversion when we rebase.
       rhel9/fedora remove comments about dbm support.
Comment 10 Bob Relyea 2021-05-05 16:01:17 UTC 
Affected man pages:
certutil
modutil
pk12util
signver
Comment 12 Bob Relyea 2021-05-20 18:43:58 UTC 
upstream bug created because the upstream defaults match RHEL-8. RHEL-7 needs to revert the documentation patch when it updates (as the default in RHEL-7 is still dbm). RHEL-9/Fedora needs to remove all dbm references since dbm is disabled in RHEL-9/Fedora.
Comment 13 Bob Relyea 2021-06-23 21:48:19 UTC 
Need zstream+ to attach to the errrata.
Comment 14 Simo Sorce 2021-06-23 21:59:28 UTC 
Done
Note You need to log in before you can comment on or make changes to this bug.