Bug 524931 - FEAT: CA should be able to use sqlite databased (NSS shared DB).
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: CA
Version: 1.3
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Christina Fu
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 530474
 
Reported: 2009-09-22 18:33 UTC by Bob Relyea
Modified: 2018-06-30 00:18 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-30 00:18:36 UTC
Embargoed:



Description Bob Relyea 2009-09-22 18:33:17 UTC
Description of problem:

NSS now supports a superior database format based on sqlite3 databases. CS should start using this new format.

NSS shared DB uses sqlite3 to store certs and keys rather than the old Berkeley dbm. Sqlite has a vibrant upstream which is continuing to improve the database. The old Berkeley DB is basically dead code. The developers moved on to Sleepycat long ago. The only bug fixing to that database format is what we have done.

Besides a more vibrant upstream, sqlite3 also provides the ability for multiple processes to safely share a single database instance. It supports transactions, reducing the risk of database corruption (even when used by a single database user). You can also use sqlite3 commands to examine the raw database when debugging issues.

The database is used just like the old DBM database. You can continue to open your own private databases, as well as allowing servers to share databases (so they could, for instance, use a single cert database to store all the keys and certs that may be shared by multiple servers). Even more useful for servers, however, is that now you can make admin changes without rebooting. If you change the trust on a root cert, or you import a new cert and key, the server will be able to use that new cert and key, or will respond to the new trust attributes immediately without requiring a reboot.
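As an added example (not part of the original report and not Dogtag or NSS code), this Python sketch checks which of the two formats discussed above an NSS database directory holds, using NSS's file names (`cert8.db`/`key3.db` for the legacy DBM format, `cert9.db`/`key4.db` for the sqlite3 shared DB) and the sqlite3 file header. The function names and the sample files built in `demo()` are constructed for illustration.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every sqlite3 file
LEGACY = ("cert8.db", "key3.db")        # legacy Berkeley DBM file names
SHARED = ("cert9.db", "key4.db")        # NSS shared DB (sqlite3) file names

def is_sqlite(path):
    """True if the file begins with the sqlite3 header."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC

def classify_nss_dir(directory):
    """Return (format, problems); format is 'sql', 'dbm', 'both' or 'none'."""
    names = set(os.listdir(directory))
    legacy = [n for n in LEGACY if n in names]
    shared = [n for n in SHARED if n in names]
    # A shared-DB file name that is not sqlite3 is corrupt or a misnamed copy.
    problems = [f"{n} is not a sqlite3 file" for n in shared
                if not is_sqlite(os.path.join(directory, n))]
    if legacy and shared:
        return "both", problems
    fmt = "sql" if shared else "dbm" if legacy else "none"
    return fmt, problems

def make_sample(directory, names, as_sqlite):
    """Create constructed sample files; these are not real NSS databases."""
    os.mkdir(directory)
    for name in names:
        path = os.path.join(directory, name)
        if as_sqlite:
            con = sqlite3.connect(path)
            con.execute("CREATE TABLE constructed_sample (id INTEGER)")
            con.commit()
            con.close()
        else:
            with open(path, "wb") as fh:
                fh.write(b"\x00" * 32)  # placeholder bytes, not a DBM file

def demo():
    cases = {"shared": (SHARED, True), "legacy": (LEGACY, False),
             "renamed": (SHARED, False)}
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for label, (names, as_sqlite) in cases.items():
            make_sample(os.path.join(root, label), names, as_sqlite)
            results[label] = classify_nss_dir(os.path.join(root, label))
    return results

if __name__ == "__main__":
    print(demo())
```

A result of `both` means legacy and shared files sit side by side, so which one a server opens depends on the `dbm:` or `sql:` prefix it passes to NSS.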

Comment 4 Matthew Harmsen 2012-11-28 01:29:02 UTC
Upstream ticket:
https://fedorahosted.org/pki/ticket/167

