Personal tools

NSS Shared DB Samples

From MozillaWiki

Jump to: navigation, search



Update: The new page NSS_Shared_DB_Howto gives updated instructions on getting started based on NSS version 3.12.

Update. NSS 3.12 beta is currently in firefox 3, and also in fedora rawhide. On these systems or using these applications, the instalation steps indicated below can be skipped.

This page contains links and instructions for early NSS 3.12 releases to test the major new features of NSS, namely Shared Database and libPKIX. These are developement release of pre-alpha code, some of which are coming from expiremental upstream branches. Bugs should be files against NSS 3.12 in and assigned to Please reference the build number you are using, and the fact that you are using a private build supplied by me (or one you created).

Note that this is a preliminary version of the shared database. Future alphas may change the database format, so any data stored in your database should be backed up as well (particularly certs and keys).

The initial installment has the prealpha shared database code. This code code will have 3 basic types of users:

  1. Existing apps which will continue to use the existing database.
  2. Existing apps which will use the new database in the existing locations.
  3. New or modifed existing apps which will use the new database in a common location.

The current code only implements 1 and 2. We do want testers of these functions to make sure there is no regresions. The 3rd can be simulated with this package, and I'll explain how in the appropriate section.

Getting the binaries

Dogfood Binaries
Platform Release Binary Source Package Type
RHEL 5 i386 May 17,2007 File:Nss- File:Nss- bob.src.rpm RPM
Windows WIN95 Jun 7,2007 File:Nss 3 11 99 File:Nss 3 11 99 0 zip

Or Build it yourself


Common Install Instructions

This section contains information that is common across all use cases below.

If you are using RHEL 5:

  1. Fetch the NSS package from the table below. From a root shell install nss- and nss-tools- with the following command:
  2. rpm -hUv nss- nss-tools-
  3. If you have nss-devel install you will also need to add nss-devel- to the command line above.

Please watch particularly for failures here. If you have a failure, please let me know what the failure was, and what packages you had installed so I can update the rpm.

If you are using Windows:

  1. replace your applications' copyies of:
    • freebl3.dll
    • nss3.dll
    • nssckbi.dll
    • sime3.dll
    • softokn3.dll
    • ssl3.dll
      • with the ones from the .zip file.
  2. copy lgdbm3.dll from the .zip file into your application's directory.

If you built yourself on another platform.

  1. replace your applications' copyies of:
      • with the ones from your build.
  2. copy from your build into your application's directory.

Using existing databases

You are now done. You may want to restart your applications to get them to actually use the new version of nss.

Using the new database format

  1. Add the following to your login environment 'NSS_DEFAULT_DB_TYPE=sql'.
    You can do this by adding the following line to your ~/.bashrc file:
    export NSS_DEFAULT_DB_TYPE="sql"
    And the following line to your ~/.cshrc file:
    setenv NSS_DEFAULT_DB_TYPE "sql"
  2. Logout of the OS.
  3. Restart your applications.
  4. Be sure to log into these applications with the master password for that application after startup. The database upgrade cannot complete until you do so.

NOTE: if your profile directories are in a shared file system (like NFS), then you will find the shared database performance extremely slow. You can get around that by copying your databases to your local drive and creating a symbol link from your profile directory to your local driver.

Using a shared database

To share the database among several common applications (like Thunderbird and Firefox), you will need to configure those applications to use a common database.

  1. Install NSS and follow the instructions above for 'Using the new database format'.
  2. Create a common database location in your home directory.
    • mkdir ~/nss_test_shared_db
    NOTE: if your home directory is in NFS, you may want to choose another directory on your local drive.
  3. Make sure you complete steps 2-4 (above) to update your database format.
  4. CD into the profile directory of your applications which already has most of the certs and keys you will need (If you use encrypted email, I would suggest thunderbird, since it has largest sets of certs you will need. Otherwise the browser is a good choice).
    • NOTE: you will loose stored passwords in the application you didn't choose, so you may choose the browser anyway.
    • Profiles for thunderbird live in ~/.thunderbird/{magic-cookie-string}
    • Profiles for firefox live in ~/.mozilla/firefox/{magic-cookie-string}
      • where {magic-cookie-string} is a random string
  5. Move cert9.db and key4.db to the directoy you created above
    • mv cert9.db key4.db ~/nss_test_shared_db
  6. Create a symbolic link in your profile directory.
    • ln -s ~/nss_test_shared_db/cert9.db .
    • ln -s ~/nss_test_shared_db/key4.db .
  7. Go to the next profile directory you want sharing the database.
  8. Remove cert9.db and key4.db
  9. create links in this directory.
  10. repeat the last 3 steps for each application you want sharing the database.

Known issues

  1. Shared DB against a network file system (such as NFS) is extremely slow. It can take 2 minutes to read in the DB.

(this should be fixed, Network file systems are still slower, but be in the seconds range, not the minutes range).


If the databases not are updating, check to make sure you got all of NSS installed. Do a strings /usr/lib/ | grep NSS. You should be running 3.12 BETA. If your did not upgrade, let me know what your previous version of NSS was.

If you are using your own version of mozilla, firefox, or thunderbird, and you are using system version sof NSS go to the directory for them and remove the following libraries so the firefox and thunderbird are using the system versions of nss:

On RHEL, If you find things suddenly stop working for you, try the following: as root go to /usr/lib and run:

/usr/lib/nss/unsupported-tools/shlibsign -i
/usr/lib/nss/unsupported-tools/shlibsign -i