红帽全球峰会6.7. Protecting the IPsec NSS database with a password
By default, only the root user can access the IPsec Network Security Services (NSS) database in the /var/lib/ipsec/nss/ directory. You can additionally protect the database with a password. This is required if you run RHEL in Federal Information Processing Standard (FIPS) mode.
Prerequisites
-
The
/var/lib/ipsec/nss/directory contains the NSS database.
Procedure
Enable password protection for the Libreswan NSS database:
# certutil -W -d /var/lib/ipsec/nss/Enter the current password:
Enter Password or Pin for "NSS Certificate DB": <password>If the database is currently not protected by a password, press Enter.
Enter the new password:
Enter new password: <new_password> Re-enter password: <new_password>To unlock the database, the
ipsecservice requires the/etc/ipsec.d/nsspasswordfile. Create the file with the following content:If the host does not run in FIPS mode:
NSS Certificate DB:<password>If the host runs in FIPS mode:
NSS FIPS 140-2 Certificate DB:<password>
Set secure permissions on the
/etc/ipsec.d/nsspasswordfile:# chmod 600 /etc/ipsec.d/nsspassword # chown root:root /etc/ipsec.d/nsspasswordRestart the
ipsecservice:# systemctl restart ipsec
Verification
Verify that the
ipsecservice is running:# systemctl is-active ipsecIf the command returns
active, the service successfully uses the password file to unlock the NSS database.Perform an action on the NSS database that requires the password. For example, display the private keys:
# certutil -K -d /var/lib/ipsec/nss/ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" Enter Password or Pin for "NSS Certificate DB":Verify that the command prompts for the password.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}