5.3. Using Shared Security Databases
The Enterprise Security Client usually creates a new NSS security database for keys and certificates for each user profile associated with the Enterprise Security Client. Whenever a user imports or trusts a certificate for the Enterprise Security Client to use, it is imported into the NSS database for that profile. (This is similar to the way web browsers have different user profiles with different security databases, password stores, and bookmarks for each profile.)
There can be instances when multiple Enterprise Security Client users all use the client on a single machine. In that case, it makes sense to have a common, shared security database that is trusted by the Enterprise Security Client in addition to the user profile databases. This shared security database contains certificates that are held in common by all users, such as the CA signing certificate used by the TPS.
Using a shared security database is not configured by default.
- Stop the Enterprise Security Client.
- Create the security database directory and the databases that will be shared. Before configuring the Enterprise Security Client, the databases must exist, be readable by the client, and contain the certificates that will be used by the client.NSS databases can be created using the
certutil
command. See thecertutil
documentation, such as https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil, for more information. - Open the
esc-prefs.js
file.vim /usr/lib/esc-1.1.0/defaults/preferences/esc-prefs.js
- Add the
esc.global.alt.nss.db
parameter, pointing to the directory that contains the shared database.prefs("esc.global.alt.nss.db", "/etc/pki/nssdb");
- Restart the Enterprise Security Client to apply the configuration changes.