NSS Shared DB Samples
Intro
This page contains links and instructions for early NSS 3.12 releases to test the major new features of NSS, namely Shared Database and libPKIX. These are development releases of pre-alpha code, some of which comes from experimental upstream branches. Bugs should be filed against NSS 3.12 at http://bugzilla.mozilla.org and assigned to rrelyea@redhat.com. Please reference the build number you are using, and the fact that you are using a private build supplied by me (or one you created).
Note that this is a preliminary version of the shared database. Future alphas may change the database format, so any data stored in your database should be backed up as well (particularly certs and keys).
The initial installment has the pre-alpha shared database code. This code will have 3 basic types of users:
- Existing apps which will continue to use the existing database.
- Existing apps which will use the new database in the existing locations.
- New or modified existing apps which will use the new database in a common location.
The current code only implements 1 and 2. We do want testers of these functions to make sure there are no regressions. The 3rd can be simulated with this package, and I'll explain how in the appropriate section.
Getting the binaries
Dogfood Binaries
| Platform | Release | Binary | Source | Package Type |
|---|---|---|---|---|
| RHEL 5 i386 | May 17, 2007 3.11.99.0-2 | File:Nss-3.11.99.0-2.tar | File:Nss-3.11.99.0-2.rhel5 bob.src.rpm | RPM |
| Windows WIN95 | Jun 7, 2007 3.11.99.0-2 | File:Nss 3 11 99 0.zip | File:Nss 3 11 99 0 src.zip | zip |
Installation
Common Install Instructions
This section contains information that is common across all use cases below.
Fetch the NSS package from the table above. From a root shell, install nss-3.11.99.0-2.rhel5_bob.i386.rpm and nss-tools-3.11.99.0-2.rhel5_bob.i386.rpm with the following command:
rpm -hUv nss-3.11.99.0-2.rhel5_bob.i386.rpm nss-tools-3.11.99.0-2.rhel5_bob.i386.rpm
If you have nss-devel installed, you will also need to add nss-devel-3.11.99.0-2.rhel5_bob.i386.rpm to the command line above. Please watch particularly for failures here. If you have a failure, please let me know what the failure was, and what packages you had installed so I can update the rpm.
Using existing databases
You are now done. You may want to restart your applications to get them to actually use the new version of nss.
Using the new database format
- Add the following to your login environment: NSS_DEFAULT_DB_TYPE=sql
  - You can do this by adding the following line to your ~/.bashrc file:
    export NSS_DEFAULT_DB_TYPE="sql"
  - And the following line to your ~/.cshrc file:
    setenv NSS_DEFAULT_DB_TYPE "sql"
- Log out of the OS.
- Restart your applications.
- Be sure to log into these applications with the master password for that application after startup. The database upgrade cannot complete until you do so.
NOTE: if your profile directories are in a shared file system (like NFS), then you will find the shared database performance extremely slow. You can get around that by copying your databases to your local drive and creating a symbolic link from your profile directory to your local drive.
To share the database among several common applications (like Thunderbird and Firefox), you will need to configure those applications to use a common database.
- Install NSS and follow the instructions above for 'Using the new database format'.
- Create a common database location in your home directory.
  mkdir ~/nss_test_shared_db
  - NOTE: if your home directory is in NFS, you may want to choose another directory on your local drive.
- Make sure you complete steps 2-4 (above) to update your database format.
- cd into the profile directory of the application which already has most of the certs and keys you will need. (If you use encrypted email, I would suggest thunderbird, since it has the largest set of certs you will need. Otherwise the browser is a good choice.)
  - Profiles for thunderbird live in ~/.thunderbird/{magic-cookie-string}
  - Profiles for firefox live in ~/.mozilla/firefox/{magic-cookie-string}
  - where {magic-cookie-string} is a random string
- Move cert9.db and key4.db to the directory you created above.
  mv cert9.db key4.db ~/nss_test_shared_db
- Create symbolic links in your profile directory.
  ln -s ~/nss_test_shared_db/cert9.db .
  ln -s ~/nss_test_shared_db/key4.db .
- Go to the next profile directory you want sharing the database.
- Remove cert9.db and key4.db.
- Create links in this directory.
- Repeat the last 3 steps for each application you want sharing the database.
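The move-and-link steps above, collected into a script as an added example (not part of the original page or of NSS). The function names, the nss_db_backup.* backup directory and the chmod 700 on the shared directory are assumptions of this example; the backup follows the earlier advice to keep copies of certs and keys while the format is still changing.

```shell
#!/bin/sh
# Added example: the sharing steps as two functions (names are hypothetical).
DBS="cert9.db key4.db"

backup_dbs() {   # $1 = profile directory
    bk="$1/nss_db_backup.$(date +%Y%m%d%H%M%S)"   # assumed backup naming
    mkdir -m 700 "$bk" || return 1
    for f in $DBS; do
        # Copy only real files; an existing symlink has nothing to preserve.
        if [ -f "$1/$f" ] && [ ! -L "$1/$f" ]; then
            cp -p "$1/$f" "$bk/" || return 1
        fi
    done
}

link_dbs() {     # $1 = profile directory, $2 = shared directory
    for f in $DBS; do
        ln -s "$2/$f" "$1/$f" || return 1
    done
}

# Profile that already holds the certs and keys: move its databases out.
share_primary() {   # $1 = profile directory, $2 = shared directory
    for f in $DBS; do
        # Require sql-format databases that are real files, and never
        # overwrite a database already sitting in the shared directory.
        if [ ! -f "$1/$f" ] || [ -L "$1/$f" ] || [ -e "$2/$f" ]; then
            echo "refusing: check $1/$f and $2/$f" >&2
            return 1
        fi
    done
    mkdir -p "$2" && chmod 700 "$2" || return 1   # key4.db holds private keys
    backup_dbs "$1" || return 1
    for f in $DBS; do
        mv "$1/$f" "$2/$f" || return 1
    done
    link_dbs "$1" "$2"
}

# Every other profile: drop its own databases and link to the shared ones.
share_secondary() { # $1 = profile directory, $2 = shared directory
    for f in $DBS; do
        [ -f "$2/$f" ] || { echo "run share_primary first" >&2; return 1; }
    done
    backup_dbs "$1" || return 1
    for f in $DBS; do
        rm -f "$1/$f" || return 1
    done
    link_dbs "$1" "$2"
}
```

Call share_primary once with the profile that holds your certs and keys and the shared directory (for example "$HOME/nss_test_shared_db"), then share_secondary once per additional profile.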
Known issues
- SDR keys are not updating correctly.
- Shared DB against a network file system (such as NFS) is extremely slow. It can take 2 minutes to read in the DB.
Problems
If the databases are updating, check to make sure you got all of NSS installed. Do a strings /usr/lib/libsoftokn3.so | grep NSS. You should be running 3.12 BETA. If your libsoftokn3.so did not upgrade, let me know what your previous version of NSS was.
If you are using your own version of mozilla, firefox, or thunderbird, go to the directory for them and remove the following libraries so that firefox and thunderbird use the system versions of nss:
libnspr4.so libplc4.so libplds4.so libfreebl3.so libnss3.so libnssckbi.so libsime3.so libsoftokn3.so libssl3.so
If you find things suddenly stop working for you, try the following: as root go to /usr/lib and run:
/usr/lib/nss/unsupported-tools/shlibsign -i libfreebl3.so
/usr/lib/nss/unsupported-tools/shlibsign -i libsoftokn3.so