SYNOPSIS
- nuxwdog -f configuration_file [-i]
DESCRIPTION
nuxwdog
Some servers require a high-level of security to protect their data or operations, which means (for example) that they cannot store plaintext passwords in a password file to allow the server to be started automatically. nuxwdog can be configured to prompt for server passwords when a server first starts and then caches those passwords so that nuxwdog can restart the server without intervention if the server crashes.
To make it easy for clients to communicate with nuxwdog, a C/C++ shared library is provided with the nuxwdog source code (libnuxwdog.so). Additionally, nuxwdog provides JNI interfaces and Perl bindings to the libnuxwdog.so library, so that calls can be made from Java and Perl programs. For more information on this library and the client interfaces, see m[blue]https://fedorahosted.org/nuxwdog/wiki/HOWTOm[].
nuxwdog is used by Dogtag PKI to monitor and manage the subsystem server processes for Java, Tomcat, and Apache servers.
OPTIONS
-f configuration_file
- Passes the configuration file for the service which runs the subsystem. With Dogtag PKI. For the CA, OCSP, TKS, and DRM, this is for the Java process. For the TPS, this is for the Apache process.
-i
- Runs the nuxwdog process in interactive mode and keeps nuxwdog open in the foreground instead of running it as a daemon in the background.
CONFIGURATION FILE PARAMETERS AND EXAMPLES
ExeFile
- Gives the full path to the executable to be started.
ExeArgs
- Passes any arguments to the executable. The first argument must be the full path to the executable (the same as the value in ExeFile).
TmpDir
- Gives the full path to the executable to be started.
ChildSecurity
- Sets whether the child server process should only allow requests from a parent (where nuxwdog is the parent). nuxwdog checks the process ID for any client which sends a request to the Unix domain socket and drops any message where the client is not a descendant of the nuxwdog process. To allow any request, set this to 0; to allow only parent or ancestor requests, sets this to 1.
ExeOut
- Gives the file to write stdout for the server to be started.
ExeErr
- Gives the file to write stderr for the server to be started.
ExeBackground
- Sets whether to run the server and the nuxwdog processes in the background in daemon mode after the watchdog is initialized. Setting this to 1 enables daemon mode, while 0 keeps this in the foreground.
PidFile
- Gives the PID file to use to store the nuxwdog PID.
ChildPidFile
- Gives the PID file to use to store the PID of the server process managed by nuxwdog.
ExeContext
- Sets the SELinux context in which to start the server process.
nuxwdog can be used to manage many types of server processes. For Dogtag PKI, it manages Java, Tomcat, and Apache servers. For the Dogtag PKI Certificate Authority, a Java-based subsystem with a Tomcat web service, the configuration file identifies the appropriate JRE and class paths, along with setting the output, error, and PID files. (The ExeArgs argument should be all on one line.)
-
ExeFile /usr/lib/jvm/jre/bin/java ExeArgs /usr/lib/jvm/jre/bin/java -Djava.endorsed.dirs=/usr/share/tomcat5/common/endorsed -classpath :/usr/lib/jvm/jre/lib/rt.jar :/usr/share/java/commons-collections.jar :/usr/share/tomcat5/bin/bootstrap.jar :/usr/share/tomcat5/bin/commons-logging-api.jar :/usr/share/java/mx4j/mx4j-impl.jar :/usr/share/java/mx4j/mx4j-jmx.jar :/usr/share/tomcat5/common/lib/nuxwdog.jar -Dcatalina.base=/var/lib/pki-ca2 -Dcatalina.home=/usr/share/tomcat5 -Djava.io.tmpdir=/usr/share/tomcat5/temp org.apache.catalina.startup.Bootstrap start TmpDir /var/lib/pki-ca2/logs/pids ChildSecurity 1 ExeOut /var/lib/pki-ca2/logs/catalina.out ExeErr /var/lib/pki-ca2/logs/catalina.out ExeBackground 1 PidFile /var/lib/pki-ca2/logs/wd-pki-ca2.pid ChildPidFile /var/run/pki-ca2.pid
For Dogtag PKI, the Token (smart card) Processing System uses an Apache-based server. This example also sets the SELinux context, pki_tps_t, used by the TPS subsystem processes.
-
ExeFile /usr/sbin/httpd.worker ExeArgs /usr/sbin/httpd.worker -f /etc/pki-tps1/httpd.conf TmpDir /var/lib/pki-tps1/logs/pids PidFile /var/lib/pki-tps1/logs/wd-pki-tps1.pid ExeContext pki_tps_t
ADDITIONAL RESOURCES
There is a more detailed how-to article, including information on available client calls for nuxwdog, at m[blue]https://fedorahosted.org/nuxwdog/wiki/HOWTOm[].
The nuxwdog server works in conjunction with the Dogtag PKI subsystems. The Dogtag PKI project wiki is at m[blue]http://pki.fedoraproject.org/wiki/m[].
For information specifically about nuxwdog, the nuxwdog project wiki is located at m[blue]https://fedorahosted.org/nuxwdog/wiki/m[][1]. The nuxwdog relates directly to nuxwdog code changes and releases, rather than all PKI-related updates.
Mailing lists: [email protected] and [email protected]
IRC: Freenode at #dogtag-pki
AUTHORS
The PKI tools were written and maintained by developers with Netscape and now with Red Hat.
Authors: Ade Lee <[email protected]>, Deon Lackey <[email protected]>.
COPYRIGHT
(c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.