Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 957014

Summary: Step 5 needs change
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Pavel Janousek <pjanouse>
Component: DocumentationAssignee: Russell Dickenson <rdickens>
Status: CLOSED CURRENTRELEASE QA Contact: Russell Dickenson <rdickens>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.1.0CC: jcacek, lcosti, myarboro, rsvoboda
Target Milestone: ---Keywords: Documentation
Target Release: EAP 6.1.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Instance Name: Not Defined Build: CSProcessor Builder Version 1.8 Build Name: 11865, Administration and Configuration Guide-6.1-3 Build Date: 19-04-2013 15:35:25
Last Closed: 2013-09-16 20:29:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 957026    

Description Pavel Janousek 2013-04-26 07:58:47 UTC 
Title: Enable FIPS 140-2 Cryptography for SSL on Red Hat Enterprise Linux 6

Describe the issue:
PASSWORD can't be anything.

Suggestions for improvement:
Change the line to:
modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir /usr/share/jboss-as/nssdb

Additional information:
https://access.redhat.com/site/solutions/42301
Comment 1 Lucas Costi 2013-04-29 04:06:58 UTC 
Just to confirm, as per your link should the value after -changepw be the token name and not the password itself?
Comment 2 Pavel Janousek 2013-04-29 08:08:08 UTC 
I'm not security expert, nor FIPS experienced user, but it looks for me, the password content must be exactly the string "NSS FIPS 140-2 Certificate DB" (nothing else didn't work for me), looping Josef, our FIPS expert for confirmation.
Comment 3 Josef Cacek 2013-04-29 13:04:06 UTC 
Lucas is right - the value following -changepw option is not a password, but it is the token name. The user can provide passwords stored in files:

$ moduil --help
...
-changepw TOKEN                  Change the password on the named token
   [-pwfile FILE]                The old password is in this file
   [-newpwfile FILE]             The new password is in this file
...
Comment 4 Lucas Costi 2013-04-30 01:05:22 UTC 
Ok, thanks Josef.

After doing a bit more research [1], it looks like you can enter in passwords at the CLI in addition to using files, so I will fix the documentation for step 5 to reflect the token name.

[1] http://www.mozilla.org/projects/security/pki/nss/tools/modutil.html
Comment 6 Rostislav Svoboda 2013-05-02 08:43:26 UTC 
Reseting blocker flag as documentation can be updated async.
Comment 8 Josef Cacek 2013-06-03 08:36:42 UTC 
Seems OK in EAP 6.2 Administration and Cunfiguration guide, but we should fix it in the 6.1.x documentation too.
Comment 10 Josef Cacek 2013-06-28 06:15:11 UTC 
Verification failed. The change is not available on the stage (http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.1/html/Administration_and_Configuration_Guide/Enable_FIPS_140-2_Cryptography_for_SSL_on_Red_Hat_Enterprise_Linux_6.html).

Please use status value MODIFIED for fixes which are not yet on the stage server and change to ON_QA when they are staged. Thank you.
Comment 11 Lucas Costi 2013-07-11 00:12:36 UTC 
As we are doing an async update of the 6.1 docs for HP-UX support, the revised 6.1 guides will also include fixes of 6.1 documentation bugs done to date. So, I will link to the 6.1 Guide (Revision 1.0-17) for the QA for this fix:

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.1/html/Administration_and_Configuration_Guide/Enable_FIPS_140-2_Cryptography_for_SSL_on_Red_Hat_Enterprise_Linux_6.html
Comment 12 Pavel Janousek 2013-07-11 10:28:18 UTC 
Verified during EAP-6.1.1-ER2, fixed.