Create a link to the nuxwdog library in the instance's common library directory:
$ ln -s /usr/lib/java/nuxwdog.jar /var/lib/pki/pki-tomcat/common/lib
Modify environment variables at /etc/sysconfig/pki-tomcat:
JAVA_OPTS="... -Djava.library.path=/usr/lib64/nuxwdog-jni"
# Use Nuxwdog to start server
USE_NUXWDOG="true"
Create a nuxwdog configuration at /var/lib/pki/pki-tomcat/conf/nuxwdog.conf:
ExeFile /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
ExeArgs /usr/lib/jvm/jre-1.8.0-openjdk/bin/java \
  -DRESTEASY_LIB=/usr/share/java/resteasy-base \
  -Djava.library.path=/usr/lib64/nuxwdog-jni \
  -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar \
  -Dcatalina.base=/var/lib/pki/pki-tomcat \
  -Dcatalina.home=/usr/share/tomcat \
  -Djava.endorsed.dirs= \
  -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp \
  -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties \
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
ChildSecurity 1
ExeOut /var/lib/pki/pki-tomcat/logs/catalina.out
ExeErr /var/lib/pki/pki-tomcat/logs/catalina.out
ExeBackground 1
PidFile /var/lib/pki/pki-tomcat/logs/wd-pki-tomcat.pid
ChildPidFile /var/lib/pki/pki-tomcat/logs/pki-tomcat.pid
Modify the Tomcat configuration at /var/lib/pki/pki-tomcat/conf/server.xml so the secure connector reads its passwords through nuxwdog:
<Connector name="Secure"
    ...
    passwordClass="com.netscape.cms.tomcat.NuxwdogPasswordStore"
    passwordFile="/var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    />
Replace the systemd unit so the instance is started under nuxwdog instead of directly:
$ rm -f /etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service
$ ln -s /lib/systemd/system/pki-tomcatd-nuxwdog@.service /etc/systemd/system/pki-tomcatd-nuxwdog.target.wants/pki-tomcatd-nuxwdog@pki-tomcat.service
$ systemctl daemon-reload
Edit the PKI configuration at /var/lib/pki/pki-tomcat/conf/ca/CS.cfg:
passwordClass=com.netscape.cmsutil.password.NuxwdogPasswordStore
If any of the system certificates reside on cryptographic tokens other than the internal NSS token, the password.conf file will include directives like hardware-TOKEN_NAME=password.
In that case, add the following parameter to CS.cfg:
cms.tokenList=TOKEN_NAME
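The steps above are easy to get subtly wrong by hand (a path typed for the wrong instance, PidFile and ChildPidFile pointing at the same file, a hardware token left out of cms.tokenList). The following is an added example, not part of the Dogtag documentation or the nuxwdog project: a POSIX shell helper that renders nuxwdog.conf for a given instance name into a directory you choose, checks the result for the keys the page lists, and derives the cms.tokenList value from the hardware-TOKEN_NAME=password lines in a password.conf. The instance name and output directory are parameters; the Java and Tomcat paths are the ones shown on this page; joining several token names with commas is an assumption (the page shows a single token), and the password.conf contents used in the usage section are constructed sample data.

```shell
#!/bin/sh
# Added example: generate and sanity-check a nuxwdog.conf for a PKI instance.
# Paths mirror the Dogtag page; INSTANCE and OUTDIR are parameters.

render_nuxwdog_conf() {
    instance="$1"   # e.g. pki-tomcat
    outdir="$2"     # normally /var/lib/pki/$instance/conf; any dir for testing
    base="/var/lib/pki/$instance"
    java="/usr/lib/jvm/jre-1.8.0-openjdk/bin/java"
    cat > "$outdir/nuxwdog.conf" <<EOF
ExeFile $java
ExeArgs $java \\
  -DRESTEASY_LIB=/usr/share/java/resteasy-base \\
  -Djava.library.path=/usr/lib64/nuxwdog-jni \\
  -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar \\
  -Dcatalina.base=$base \\
  -Dcatalina.home=/usr/share/tomcat \\
  -Djava.endorsed.dirs= \\
  -Djava.io.tmpdir=$base/temp \\
  -Djava.util.logging.config.file=$base/conf/logging.properties \\
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
ChildSecurity 1
ExeOut $base/logs/catalina.out
ExeErr $base/logs/catalina.out
ExeBackground 1
PidFile $base/logs/wd-$instance.pid
ChildPidFile $base/logs/$instance.pid
EOF
}

check_nuxwdog_conf() {
    f="$1"
    # Every directive from the page must appear exactly once at line start.
    for key in ExeFile ExeArgs ChildSecurity ExeOut ExeErr ExeBackground PidFile ChildPidFile; do
        n=$(grep -c "^$key " "$f" || true)
        [ "$n" -eq 1 ] || { echo "missing or duplicated directive: $key" >&2; return 1; }
    done
    # The watchdog and the child must not share a pid file.
    pid=$(awk '$1=="PidFile"{print $2}' "$f")
    cpid=$(awk '$1=="ChildPidFile"{print $2}' "$f")
    [ -n "$pid" ] && [ "$pid" != "$cpid" ] || { echo "PidFile/ChildPidFile collide" >&2; return 1; }
    # ExeFile must be an absolute path; nuxwdog does not search PATH for it here.
    exe=$(awk '$1=="ExeFile"{print $2}' "$f")
    case "$exe" in /*) ;; *) echo "ExeFile is not absolute: $exe" >&2; return 1 ;; esac
    return 0
}

token_list_from_password_conf() {
    # Print the TOKEN_NAME part of every hardware-TOKEN_NAME=password line,
    # comma-separated, for use as the value of cms.tokenList in CS.cfg.
    # (Comma joining is an assumption; the page shows a single token.)
    sed -n 's/^hardware-\([^=]*\)=.*/\1/p' "$1" | paste -sd, -
}

# Usage (run against a temporary directory, not a live instance):
if [ "${NUXWDOG_EXAMPLE_DEMO:-0}" = "1" ]; then
    d=$(mktemp -d)
    render_nuxwdog_conf pki-tomcat "$d"
    check_nuxwdog_conf "$d/nuxwdog.conf" && echo "nuxwdog.conf OK"
    # Constructed sample password.conf with two hardware tokens.
    printf 'internal=secret0\nhardware-HSM_A=secret1\nhardware-HSM_B=secret2\n' > "$d/password.conf"
    echo "cms.tokenList=$(token_list_from_password_conf "$d/password.conf")"
    rm -rf "$d"
fi
```

Run it with NUXWDOG_EXAMPLE_DEMO=1 to see the generated file checked and the derived cms.tokenList line printed; point render_nuxwdog_conf at the real conf directory only once the checks pass. The password.conf contents are never printed, only the token names.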