The nss-db-gen script contains a typo:

<quote>
Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certficate exported
</quote>

In the last line of the quote above, "certficate" should be "certificate". I have corrected this error in the documentation (revision 1-13), but it should be corrected in the script itself also.

LKB

Artifacts copied to: /tmp/rhua/qpid.

+++ This bug was initially created as a clone of Bug #707764 +++

I'm pretty sure this would best fit in the Installation Requirements section below "Procedure 2.1. Configuring SSL Certificates"

In Procedure 2.1, they generate SSL certificates for the web server (in other words, repo accesses by yum clients). Internally, RHUI also uses a QPID message broker to communicate between its pieces. This communication is also secured through SSL, however the process for generating those certificates is different.

To facilitate the creation, we provide a script called "nss-db-gen". That script is as automated as possible, but there are some points where it will ask for a password for some of the newly created items (more on that later).

That generates a directory of files that need to be specified in the answers.conf file. If you accept the default directory in the nss-db-gen command (it's the first thing the user is prompted for) then the defaults in answers.sample will point to the correct locations. If you're stubborn/compulsive and insist on your own temporary directory, here are the relevant entries in answers.conf they need to fill out:

-----
# Full path to the CA certificate used to secure QPID communications. This is generated
# using the nss-db-gen script included with the RHUI Installer.
qpid_ca: /tmp/rhua/qpid/ca.crt

# Full path to the client certificate used to secure QPID communications. This is generated
# using the nss-db-gen script included with the RHUI Installer.
qpid_client: /tmp/rhua/qpid/client.crt

# Full path to the NSS database used to secure QPID communications. This is generated
# using the nss-db-gen script included with the RHUI Installer. Note: This must be
# a directory containing a number of files, including the NSS database and password file.
qpid_nss_db: /tmp/rhua/qpid/nss
-----

So the idea is that they run this script when they create their HTTP SSL certificates so that they have all of the pieces they need to pass into the rhui-installer script.

--- Additional comment from jason.dobies on 2011-05-25 17:00:53 EDT ---

Sample output from running the script:

Working in: /tmp/tmp24055

Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid
Enter NSS database password:
Password file created.
Database created.
Creating CA certificate:
Generating key. This may take a few moments...
CA created
Creating BROKER certificate:
Generating key. This may take a few moments...
Broker certificate created.
Creating CLIENT certificate:
Generating key. This may take a few moments...
Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certficate exported
Artifacts copied to: /tmp/rhua/qpid.

--- Additional comment from jason.dobies on 2011-05-25 17:06:13 EDT ---

Same sample output as above, but with commentary before each place they have to input a password. It's your call how much of this you want to document, I just figured

Working in: /tmp/tmp24055

Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid

---- Note: Password used by QPID to access the NSS database itself.
Enter NSS database password:
Password file created.
Database created.
Creating CA certificate:
Generating key. This may take a few moments...
CA created
Creating BROKER certificate:
Generating key. This may take a few moments...
Broker certificate created.
Creating CLIENT certificate:
Generating key. This may take a few moments...
Client certificate created.

----- Note: Same password as above, specified again here because we're attempting to access the DB we just created in the previous step.
Enter Password or Pin for "NSS Certificate DB":

----- Note: Password for the pkcs12 files used to get the private key out of the NSS DB.
Enter password for PKCS12 file:

----- Note: Just a confirmation of the above password.
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

----- Note: Same password as the previous two; now we're accessing the certificate we just created/secured in the previous step so we can get the client certificate and private key from it.
Enter Import Password:
MAC verified OK
Client key & certficate exported
Artifacts copied to: /tmp/rhua/qpid.

--- Additional comment from whayutin on 2011-06-06 17:15:22 EDT ---

added to rhui-20 tracker

--- Additional comment from lbrindle on 2011-06-14 18:00:58 EDT ---

<procedure id="proc-Installation_Guide-Installation_Requirements-Generating_a_Qpid_SSL_Certificate">
  <title>Generating a Qpid SSL Certificate</title>
  <indexterm>
    <primary>installation</primary>
    <secondary>qpid SSL</secondary>
  </indexterm>
  <para>
    &RHUI; uses a qpid message broker for internal communications. These communication processes are secured by SSL, which is set up using a script called <filename>nss-db-gen</filename>. When the script is run, it will prompt you for some information.
  </para>
  <step>
    <para>
      Run the <filename>nss-db-gen</filename> script by switching to the root user and issuing the command:
    </para>
<screen>
# /usr/bin/nss-db-gen
Working in: /tmp/tmp24055
</screen>
  </step>
  <step>
    <para>
      Specify a directory for the new database and certificates to be stored, or press enter to accept the default value of <filename>/tmp/rhua/qpid</filename>:
    </para>
<screen>
Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid
</screen>
  </step>
  <step>
    <para>
      Enter a password to be used by qpid to secure the database:
    </para>
<screen>
Enter NSS database password:
Password file created.
</screen>
  </step>
  <step>
    <para>
      The script will create the database and generate the necessary keys and certificates:
    </para>
<screen>
Database created.
Creating CA certificate:
Generating key. This may take a few moments...
CA created
Creating BROKER certificate:
Generating key. This may take a few moments...
Broker certificate created.
Creating CLIENT certificate:
Generating key. This may take a few moments...
Client certificate created.
</screen>
  </step>
  <step>
    <para>
      Enter the NSS database password again. This is so that the database created in the last step can be accessed:
    </para>
<screen>
Enter Password or Pin for "NSS Certificate DB":
</screen>
  </step>
  <step>
    <para>
      Enter a password to be used for the pkcs12 file, and re-enter it to confirm:
    </para>
<screen>
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
</screen>
  </step>
  <step>
    <para>
      Enter the pkcs12 password again. This is so that the certificate created in the last step can be accessed. The script will export the key and certificate, and finish:
    </para>
<screen>
Enter Import Password:
MAC verified OK
Client key & certficate exported
Artifacts copied to: /tmp/rhua/qpid.
</screen>
  </step>
</procedure>

Revision 1-13

LKB
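
A check that the three qpid_* entries from the answers.conf excerpt earlier in this report point at what nss-db-gen produced, added here as an example (it is not part of the bug report or of the RHUI tooling). The function names, the line-by-line "key: value" parsing and the permission test on the NSS directory are assumptions of this example.

```python
import os
import stat
import tempfile

# Keys from the answers.conf excerpt and the kind of path each must name.
QPID_KEYS = {"qpid_ca": "file", "qpid_client": "file", "qpid_nss_db": "dir"}


def parse_answers(text):
    """Return {key: value} for 'key: value' lines, skipping '#' comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        values[key.strip()] = value.strip()
    return values


def check_qpid_paths(text):
    """Return a list of problems with the QPID entries; empty means none found."""
    values = parse_answers(text)
    problems = []
    for key, kind in QPID_KEYS.items():
        path = values.get(key)
        if not path:
            problems.append(f"{key}: not set")
            continue
        ok = os.path.isdir(path) if kind == "dir" else os.path.isfile(path)
        if not ok:
            problems.append(f"{key}: {path} is not an existing {kind}")
            continue
        if kind == "dir":
            # The NSS directory holds the database and its password file, so
            # flag the directory or any entry in it that group/other can access.
            # lstat is used, so symlinks (mode 0o777 on Linux) are flagged too.
            for entry in [path] + [os.path.join(path, n) for n in os.listdir(path)]:
                if stat.S_IMODE(os.lstat(entry).st_mode) & 0o077:
                    problems.append(f"{key}: {entry} is accessible to group/other")
    return problems


if __name__ == "__main__":
    # Constructed sample: an empty temporary tree standing in for /tmp/rhua/qpid.
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "nss"), 0o700)
    for name in ("ca.crt", "client.crt"):
        open(os.path.join(base, name), "w").close()
    names = [("qpid_ca", "ca.crt"), ("qpid_client", "client.crt"), ("qpid_nss_db", "nss")]
    conf = "".join(f"{k}: {os.path.join(base, n)}\n" for k, n in names)
    print(check_qpid_paths(conf) or "QPID entries look consistent")
```
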
commit fd7ee5cc8f325f7d77a490e945760285cd41239f
Author: Jay Dobies <jason.dobies>
Date:   Wed Jun 15 10:40:40 2011 -0400

    713316 - Fixed typo

rhui-2.0/tools/bin/nss-db-gen
Fixed in RHUI 2.0.31.
Verified with 2.0.32, the typo is fixed.

Generating key. This may take a few moments...
Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certificate exported   <<< Typo fixed
Artifacts copied to: /tmp/test.

[root@dhcp201-127 ~]# rpm -qa | grep rhui
rh-rhui-tools-2.0.32-1.el6.noarch
[root@dhcp201-127 ~]#
Comment 3 is for script typo. The same typo is also fixed in stage documentation under Revision 1-13 (on page 12 ==> Chapter 2 Installation requirement).

http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/pdf/Installation_Guide/Red_Hat_Update_Infrastructure-2.0-Installation_Guide-en-US.pdf
moving to release pending
closing out, product released