nuxwdog(1) Provides a simple watchdog process that can be used to start, stop, monitor, or reconfigure a server process.


nuxwdog -f configuration_file [-i]



is a watchdog daemon that builds on the uxwdog service that is part of the Netscape Enterprise Server (NES). nuxwdog can start, stop, monitor, and reconfigure server programs, depending on the parameters passed to it in its configuration file. nuxwdog opens a Unix domain socket to accept requests from any server process it is managing. Optionally, nuxwdog can be configured to communicate only with clients that are descendants of the nuxwdog process, limiting an avenue of potential access to any servers managed by the watchdog.

Some servers require a high-level of security to protect their data or operations, which means (for example) that they cannot store plaintext passwords in a password file to allow the server to be started automatically. nuxwdog can be configured to prompt for server passwords when a server first starts and then caches those passwords so that nuxwdog can restart the server without intervention if the server crashes.

To make it easy for clients to communicate with nuxwdog, a C/C++ shared library is provided with the nuxwdog source code ( Additionally, nuxwdog provides JNI interfaces and Perl bindings to the library, so that calls can be made from Java and Perl programs. For more information on this library and the client interfaces, see m[blue][].

nuxwdog is used by Dogtag PKI to monitor and manage the subsystem server processes for Java, Tomcat, and Apache servers.


-f configuration_file

Passes the configuration file for the service which runs the subsystem. With Dogtag PKI. For the CA, OCSP, TKS, and DRM, this is for the Java process. For the TPS, this is for the Apache process.


Runs the nuxwdog process in interactive mode and keeps nuxwdog open in the foreground instead of running it as a daemon in the background.



Gives the full path to the executable to be started.


Passes any arguments to the executable. The first argument must be the full path to the executable (the same as the value in ExeFile).


Gives the full path to the executable to be started.


Sets whether the child server process should only allow requests from a parent (where nuxwdog is the parent). nuxwdog checks the process ID for any client which sends a request to the Unix domain socket and drops any message where the client is not a descendant of the nuxwdog process. To allow any request, set this to 0; to allow only parent or ancestor requests, sets this to 1.


Gives the file to write stdout for the server to be started.


Gives the file to write stderr for the server to be started.


Sets whether to run the server and the nuxwdog processes in the background in daemon mode after the watchdog is initialized. Setting this to 1 enables daemon mode, while 0 keeps this in the foreground.


Gives the PID file to use to store the nuxwdog PID.


Gives the PID file to use to store the PID of the server process managed by nuxwdog.


Sets the SELinux context in which to start the server process.

nuxwdog can be used to manage many types of server processes. For Dogtag PKI, it manages Java, Tomcat, and Apache servers. For the Dogtag PKI Certificate Authority, a Java-based subsystem with a Tomcat web service, the configuration file identifies the appropriate JRE and class paths, along with setting the output, error, and PID files. (The ExeArgs argument should be all on one line.)

ExeFile /usr/lib/jvm/jre/bin/java
ExeArgs /usr/lib/jvm/jre/bin/java  
        -classpath :/usr/lib/jvm/jre/lib/rt.jar
        -Dcatalina.home=/usr/share/tomcat5 org.apache.catalina.startup.Bootstrap
TmpDir /var/lib/pki-ca2/logs/pids 
ChildSecurity 1
ExeOut /var/lib/pki-ca2/logs/catalina.out
ExeErr /var/lib/pki-ca2/logs/catalina.out
ExeBackground 1
PidFile /var/lib/pki-ca2/logs/
ChildPidFile /var/run/

For Dogtag PKI, the Token (smart card) Processing System uses an Apache-based server. This example also sets the SELinux context, pki_tps_t, used by the TPS subsystem processes.

ExeFile /usr/sbin/httpd.worker
ExeArgs /usr/sbin/httpd.worker -f /etc/pki-tps1/httpd.conf
TmpDir /var/lib/pki-tps1/logs/pids
PidFile /var/lib/pki-tps1/logs/
ExeContext pki_tps_t


There is a more detailed how-to article, including information on available client calls for nuxwdog, at m[blue][].

The nuxwdog server works in conjunction with the Dogtag PKI subsystems. The Dogtag PKI project wiki is at m[blue][].

For information specifically about nuxwdog, the nuxwdog project wiki is located at m[blue][][1]. The nuxwdog relates directly to nuxwdog code changes and releases, rather than all PKI-related updates.

Mailing lists: [email protected] and [email protected]

IRC: Freenode at #dogtag-pki


The PKI tools were written and maintained by developers with Netscape and now with Red Hat.

Authors: Ade Lee <[email protected]>, Deon Lackey <[email protected]>.


(c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.