Puppet nsstools Module

Table of Contents

1. Overview
2. Description
3. Usage
   • Security Considerations
   • Example
   • Classes
   • Types
   • Functions
4. Limitations
   • Tested Platforms
   • Puppet Version Compatibility
5. Versioning
6. Support
7. Contributing
8. See Also

Overview

Manages NSS certificate databases

Description

This is a puppet module for the basic management of the certificate database format that is used by various Network Security Services (NSS) libraries and tools. It's functionality is implemented using the NSS Tools and OpenSSL packages.

The latter is some what ironically required as although the NSS suite is intended to be used in place of OpenSSL, it mandates the usage of PKCS#12 format files for certain operations. This is unfortunate as it appears to provide no utility for converting between the ASCII .pem format popular for X.509 certificates and PKCS#12. Thus, OpenSSL is required for some operations.

At present, it is capable of creating a new certificate "database" comprised of the cert8.db, key3.db, and secmod.db files. It is also capable of inserting ASCII .pem format X.509 certificates and private keys into a NSS database.

Usage

Security Considerations

This module creates an on-disk file in the path of the NSS database named nss-password.txt. This file contains the password used to encrypt private keys held by the database in plain txt.

Please consider the security implications before using this module.

Example

This is an example of setting up 389 Directory Service NSS db with externally supplied certificates.

nsstools::create { '/etc/dirsrv/slapd-ldap1':
  owner          => 'nobody',
  group          => 'nobody',
  mode           => '0660',
  password       => 'example',
  manage_certdir => false,
  enable_fips    => false,
}

nsstools::add_cert_and_key{ 'Server-Cert':
  certdir => '/etc/dirsrv/slapd-ldap1',
  cert    => '/tmp/foo.pem',
  key     => '/tmp/foo.key',
}

nsstools::add_cert { 'AlphaSSL CA':
  certdir => '/etc/dirsrv/slapd-ldap1',
  cert    => '/tmp/alphassl_intermediate.pem',
}

nsstools::add_cert { 'GlobalSign Root CA':
  certdir => '/etc/dirsrv/slapd-ldap1',
  cert    => '/tmp/globalsign_root.pem',
}

Classes

nsstools

This class is required by all of this module's types. It "owns" installation of the nss-tools package.

# defaults
class { 'nsstools':
  require_openssl => true,
}

• require_openssl

  Bool. Defaults to: true

  Enables/disables a requirement dependency being placed on Class[openssl].

Types

create

Create an empty NSS database with a password file.

# defaults
nsstools::create { <title>:
  password       => <password>, # required
  certdir        => <title>, # defaults to $title
  owner          => undef,
  group          => undef,
  mode           => '0600',
  certdir_mode   => '0700',
  manage_certdir => true,
  enable_fips    => false,
}

• title

  Used as the default value for the certdir parameter. If certdir is not set separately the value must pass validation as an absolute file path.

• password

  String Required

  Password to set on the database. There are Security Considerations to be aware of with this parameter.

• certdir

  String/absolute path Defaults to: title

  Absolute path to the directory to contain the database files. Please be aware that by setting both the title and certdir parameters it may be possible to declare multiple nsstools::create resources that point to the same set of NSS database files -- care must be taken to avoid such a scenario.

• owner

  String Defaults to: undef

  Sets user ownership of the NSS db files.

• group

  String Defaults to: undef

  User that owns the NSS db files.

• mode

  String Defaults to: 0600

• certdir_mode

  String Defaults to: 0700

• enable_fips

  Boolean Defaults to: true

  If true enables FIPS compliance mode on the NSS DB.

add_cert

Insert a certificate into an existing NSS database.

nsstools::add_cert { <title>:
  certdir  => <certdir>, # required
  cert     => <cert>, # required
  key      => <key>, # required
  nickname => <title> # defaults to $title
}

• title

  Used as the default value for the nickname parameter.

• certdir

  String/absolute path required Absolute path to the directory to contain the database files.

• cert

  String/absolute path required

  Absolute path to the certificate in .pem format to add to the database.

• nickname

  String defaults to: title

  The "nickname" of the certificate in the database.

• trustargs

  String defaults to: CT,,

  The certificate trust attributes in the database.

add_cert_and_key

Insert a certificate and it's associated private key an existing NSS database.

nsstools::add_cert_and_key { <title>:
  certdir  => <certdir>, # required
  cert     => <cert>, # required
  key      => <key>, # required
  nickname => <title> # defaults to $title
}

• title

  Used as the default value for the nickname parameter.

• certdir

  String/absolute path required

  Absolute path to the directory to contain the database files.

• cert

  String/absolute path required

  Absolute path to the certificate in .pem format to add to the database.

• key

  String/absolute path required

  Absolute path to the private key in .pem format (unencrypted) to add to the database.

• nickname

  String defaults to: title

  The "nickname" of the certificate in the database.

create_cert_and_key

Create a certificate and it's associated private key directly in an existing NSS database.

nsstools::create_cert_and_key { <title>:
  nickname => <title>, # defaults to $title
  subject  => <subject>, # required
  certdir  => <certdir>, # required
}

• title

  Used as the default value for the nickname parameter.

• nickname

  String defaults to: title

  The "nickname" of the certificate in the database.

• subject

  String required

  The subject of the certificate. The subject identification format follows RFC #1485.

• keytype

  String defaults to: 'rsa'

  The type of key to generate with the self signed cert. Valid options: ras|dsa|ec|all

• noisefile

  String/absolute path defaults to: '/var/log/messages'

  The path to a file to use as noise to generate the cert. The minimum file size is 20 bytes.

• certdir

  String/absolute path required

  Absolute path to the directory that contains the already created NSS database.

Functions

nsstools_add_cert

Iterates over a hash of cert nickname/path pairs (key/value) and creates nsstools::add_cert resources.

nsstools_add_cert(
  '/etc/dirsrv/slapd-ldap1',
  {
    'AlphaSSL CA'        => '/tmp/alphassl_intermediate.pem',
    'GlobalSign Root CA' => '/tmp/globalsign_root.pem',
  }
)

Would effectively define these resources:

nsstools::add_cert { 'AlphaSSL CA':
  certdir => '/etc/dirsrv/slapd-ldap1',
  cert    => '/tmp/alphassl_intermediate.pem',
}

nsstools::add_cert { 'GlobalSign Root CA':
  certdir => '/etc/dirsrv/slapd-ldap1',
  cert    => '/tmp/globalsign_root.pem',
}

Limitations

The functionality of this module is rather basic, it does not have facilities for:

• Inserting PKCS#12 files directly (trivial to add)
• Removal or purging of certificates

At present, only support for $::osfamily == 'RedHat' has been implemented. Adding other Linux distributions and operatingsystems should be trivial.

Tested Platforms

• el5.x
• el6.x
• el7.x

Puppet Version Compatibility

Contributing

1. Fork it on github
2. Make a local clone of your fork
3. Create a topic branch. Eg, feature/mousetrap
4. Make/commit changes
   • Commit messages should be in imperative tense
   • Check that linter warnings or errors are not introduced - bundle exec rake lint
   • Check that Rspec-puppet unit tests are not broken and coverage is added for new features - bundle exec rake spec
   • Documentation of API/features is updated as appropriate in the README
   • If present, beaker acceptance tests should be run and potentially updated - bundle exec rake beaker
5. When the feature is complete, rebase / squash the branch history as necessary to remove "fix typo", "oops", "whitespace" and other trivial commits
6. Push the topic branch to github
7. Open a Pull Request (PR) from the topic branch onto parent repo's master branch

Versioning

Please log tickets and issues at github

See Also

• Network Security Services (NSS) libraries and tools.
• NSS Tools
• certutil
• PKCS#12
• pk12util
• OpenSSL
• openssl

[Current]

• 02375da - (Joshua Hoblitt) update README tested platforms list
• d044b03 - (Joshua Hoblitt) add Puppet Version Compatibility subsection to README
• 59122af - (Joshua Hoblitt) update README boilerplate
• 4a3b3a7 - (Joshua Hoblitt) update camptocamp/openssl dep to ~> 1.0

Existing constraint predates 1.x release; verified no breaking change for this modules minimal usage.

• be3483d - (Joshua Hoblitt) fix rspec 3 deprecation warnings
• 677b2b5 - (Joshua Hoblitt) remove default nodset symlink

To resolve this PMT error: Puppet::ModuleTool::Errors::ModuleToolError: Found symlinks. Symlinks in modules are not allowed, please remove them.

• 5a96d30 - (Joshua Hoblitt) add centos 5.11 nodeset
• 97f8bf9 - (Joshua Hoblitt) add puppet-blacksmith gem
• 18c6690 - (Joshua Hoblitt) add travis_lint rake target
• dac19d4 - (Joshua Hoblitt) add debian 7.8 nodeset
• 5efd9f7 - (Joshua Hoblitt) fix trailing whitespace
• 3652e16 - (Joshua Hoblitt) update copyright notice year to 2015
• 68cb5ec - (Joshua Hoblitt) add ruby 2.2 to travis matrix
• 560e301 - (Joshua Hoblitt) add :validate to default rake target list
• 94100f5 - (Joshua Hoblitt) add metadata-json-lint gem

Needed by rake metadata.json validation target.

• 3cc942c - (Joshua Hoblitt) set stdlib requirement to 4.6.0
• 74c13be - (Joshua Hoblitt) update travis matrix puppet 3.x minimum version to 3.7
• 2ca39d5 - (Joshua Hoblitt) update rspec-puppet gem version to ~> 2.1.0

For compatibility with puppet 4.0.0

• a2d61cb - (Joshua Hoblitt) add junit/ to .gitiginore

Generated by beaker 5

• 2ce6128 - (Joshua Hoblitt) add puppet 4.0 to travis matrix
• 62d25dd - (Joshua Hoblitt) remove puppet 2.7 from travis matrix

4.0.0 has been released; support major release -1

• 534d1d8 - (Joshua Hoblitt) update beaker nodesets to use current chef/bento boxes
• 4721bcb - (Joshua Hoblitt) add log/ to .gitignore
• 9ef898c - (Joshua Hoblitt) pin rspec on Ruby 1.8.7 (rspec/rspec-core#1864)
• 6ab1dc9 - (Joshua Hoblitt) use rspec-puppet 2.0.0 from gems instead of git
• 9654097 - (Joshua Hoblitt) add FACTER_GEM_VERSION to Gemfile
• b6094f3 - (Joshua Hoblitt) update spec_helper_acceptance to use #puppet_module_install

Instead of custom scp logic

• 419528b - (Joshua Hoblitt) change nodeset default to centos-65-x64
• a51d8e6 - (Joshua Hoblitt) add beaker nodeset for centos 7
• b210b79 - (Joshua Hoblitt) add beaker support
• e8319ac - (Joshua Hoblitt) fail on linter warnings

v1.1.0

• 93f8bf7 - (Joshua Hoblitt) Merge pull request #4 from jhoblitt/feature/v1.1.0

Feature/v1.1.0

• 8e730c9 - (Joshua Hoblitt) bump version to v1.1.0
• 202e4f5 - (Joshua Hoblitt) replace Modulefile vs metadata.json
• 4a079e5 - (Joshua Hoblitt) update travis matrix
• a5c4d09 - (Joshua Hoblitt) update rspec-puppet to v2.0.0
• 40303b0 - (Joshua Hoblitt) update fixtures stdlib to 4.2.0
• c2ebee2 - (Joshua Hoblitt) Merge pull request #2 from jhoblitt/feature/cleanups

fix linter warnings

• 7e43fbf - (Joshua Hoblitt) fix linter warnings
• 8ac26ef - (Joshua Hoblitt) add future parser to travis matrix
• 4c6a028 - (Joshua Hoblitt) Merge pull request #1 from itewk/master

FIPS and Self Signed Certs

• 34f2193 - (Ian Tewksbury) Add type for creating a cert and key directly in the NSS DB.
• 602fae0 - (Ian Tewksbury) add option to enable FIPS on the NSS DB.
• 91e5c91 - (Joshua Hoblitt) restrict rspec-core gem to < 3

To work around rspec 3 being incompatabile with rspec-puppet 1.0.1 (currently, the latest release)

RSpec::Puppet::FunctionMatchers::Run implements a legacy RSpec matcher
protocol. For the current protocol you should expose the failure messages
via the `failure_message` and `failure_message_when_negated` methods.
(Used from /home/jhoblitt/github/puppet-nsstools/spec/functions/nsstools_add_cert_spec.rb:21:in `block (2 levels) in <top (required)>')

v1.0.2

• 02de101 - (Joshua Hoblitt) bump version to v1.0.2
• 05d081a - (Joshua Hoblitt) [re]add dep on camptocamp/openssl >= 0.2.0

The 0.2.0 release of camptocamp/openssl fixes the problem 0.1.0 had with a fixed dep on stdlib = 0.0.1. It's now safe to declare a dep on that module without breaking dep resolution.

https://github.com/camptocamp/puppet-openssl/issues/22

v1.0.1

• eba140d - (Joshua Hoblitt) bump version to v1.0.1
• ab70ece - (Joshua Hoblitt) yet another attempt to work around exec umask issues

v1.0.0

• 75e9d57 - (Joshua Hoblitt) prepare for v1.0.0 release
• 7142b86 - (Joshua Hoblitt) rename CHANGELOG -> CHANGELOG.md
• 0edbbea - (Joshua Hoblitt) update README ToC
• 2ecbada - (Joshua Hoblitt) fix README anchors
• fe742b4 - (Joshua Hoblitt) fix a few README typos + minor formatting
• f79fb87 - (Joshua Hoblitt) flesh out README
• 1cd8de4 - (Joshua Hoblitt) add param validation to nsstools::add_cert_and_key
• 7bb1565 - (Joshua Hoblitt) add param validation to nsstools::add_cert
• c4d4c89 - (Joshua Hoblitt) change the {user,group} params to nsstools::create

To be optional and and default to undef.

• 8cb0ab0 - (Joshua Hoblitt) update rspec to work with ruby 1.8.7

The compat issue was merely a dangling comma so this fix is much less crude than 9fe8511ec88ba6f8c009b9602a63bb4d08a92fef.

• 5c5c89d - (Joshua Hoblitt) Revert "update rspec to work with ruby 1.8.7"

This reverts commit 9fe8511ec88ba6f8c009b9602a63bb4d08a92fef.

• a931569 - (Joshua Hoblitt) update exec type syntax to work with older puppet versions
• 9fe8511 - (Joshua Hoblitt) update rspec to work with ruby 1.8.7
• 868d5ae - (Joshua Hoblitt) add .bundle to .gitignore
• 5e74b6c - (Joshua Hoblitt) disable Modulefile dep on camptocamp/openssl

Due to a dep on stdlib = 0.0.1:

https://github.com/camptocamp/puppet-openssl/issues/22

• 58cf67d - (Joshua Hoblitt) add nsstools_add_cert() function

Imported and renamed the port389_nsstools_add_cert() function from:

https://github.com/jhoblitt/puppet-port389/tree/93e211f0ef862659523f37ef638f23e127198a94

• 2030ca5 - (Joshua Hoblitt) rename spec files to match module nssdb -> nsstools rename
• 05c9988 - (Joshua Hoblitt) suppress lint warnings
• c31de09 - (Joshua Hoblitt) rename module from nssdb -> nsstools

To avoid a namespace conflict with the module this one was initially forked from and has since become highly diverged.

• 258a04e - (Joshua Hoblitt) do not directly manage openssl package

Add require_openssl param to nssdb class to enable/disable requiring the openssl class.

• 5f4ea61 - (Joshua Hoblitt) rename password.conf to nss-password.txt

The password.conf name is rather generic and hard to associate with nss files when the nss db is in a path with other configuration files.

• ee1b60e - (Joshua Hoblitt) change nssdb::add_cert_and_key type to treat it's title as the default nickname

Previously, the title was being used as the default certdir param value.

• 7ea6c6a - (Joshua Hoblitt) update travis matrix
• e22a87a - (Joshua Hoblitt) change nssdb::add_cert type to treat it's title as the default nickname

Previously, the title was being used as the default cert param value.

• a733330 - (Joshua Hoblitt) add certdir param to nssdb::create type

Defaults to the type's title.

• 729396f - (Joshua Hoblitt) modernize Gemfile/Rakefile/spec_helper boilerplate
• 991b4c7 - (Joshua Hoblitt) rename {owner,group}_id params to {owner,group}
• 1be0034 - (Joshua Hoblitt) fix multiple nssdb::create declarations
• 2a212ec - (Joshua Hoblitt) add a simple example to README
• a6e58ff - (Joshua Hoblitt) fix nssdb::create manage_certdir => false
• 639d62e - (Joshua Hoblitt) set umask on generated pkcs12 file so the mode ends up as '0600'
• c208f6e - (Joshua Hoblitt) change pkcs12 file generation to be based on existence of the output file
• 5011b56 - (Joshua Hoblitt) be explicit about ordering between nssdb::create & nssdb::add* types
• c585c7e - (Joshua Hoblitt) change pkcs12 loading to check for existence of the pair in the db
• 388a575 - (Joshua Hoblitt) add boilerplate .gitignore
• 6c99034 - (Joshua Hoblitt) add nssdb::add_cert define for importing certs into a db

In addition, this changeset is removing this functionality and the cacert, canickname, and catrust params from the nssdb::create define. It would be easy to add support back to that define as a wrapper around the new nssdb::add_cert type or to add a new 'convenience' type to accomplish the same thing.

• 6fc4ead - (Joshua Hoblitt) add nssdb base class to ensure package deps

This will prevent duplicate package type declarations when using one of the defined types multiple times in the same manifest.

• 041e0e1 - (Joshua Hoblitt) replace concept of / with just for flexibility

• replaces dbname, basedir params with certdir in nssdb::create & nssdb::add_cert_and_key
• add certdir_mode, manage_certdir params to nssdb::create
• also convert to 2 space indent + linter fixes

• 2145c2b - (Joshua Hoblitt) add stdlib to .fixtures.yml
• ca21742 - (Joshua Hoblitt) add mode parameter to nssdb::create
• 398e639 - (Rob Crittenden) Merge pull request #1 from rhaen/rspec_infrastructure

Added rspec test infrastructure, travis-ci, fixed typo

• 83d3fa6 - (Ulrich Habel) Allow ruby 2.0.0 and puppet version 2.7 to fail
• 8989de1 - (Ulrich Habel) Added rspec test infrastructure, travis-ci, fixed typo
• b3799a9 - (Rob Crittenden) Fix typo in derived Modulefile
• 1a5bca3 - (Rob Crittenden) Add missing Modulefile

release-1-0-0

• 2878747 - (Rob Crittenden) Initial Release