NSS and DRBD

Hi,
I have a customer with a limited budget, but wanting to use OES and NSS in a cluster. I've used DRBD quite a lot before and have always been very happy with it, so I'd like to combine it with NSS (and possibly other Novell services).
Has anyone ever installed NSS on top of DRBD and Heartbeat?
In the past I clustered NSS volumes with NCS and remember that shared storage was absolutely needed. Can NSS be clustered with Heartbeat? Can an NSS volume be swapped in between servers by stopping and starting an init.d-script (as is required for Heartbeat)?
Thank you,
Bart

Originally Posted by brunold
Bart,
a few things on this ....
We have a bunch of xen servers running where we mirror the xen guests with drbd and control them with heartbeat.
The problem with nss and heartbeat might be that nss cannot be stopped. The runlevel script supports just the start option and I'm not aware that the nss system supports 'hotplug' for whole disks. Hotplug in case the heartbeat will deactivate the mirror and activate it on the second node. I guess there might be some risk of data loss ....
Another idea for you could be not to use nss volumes, but to simply use reiser or ext3 filesystems and provide them to the clients via a ncp volume. So you can use drbd to mirror the devices, heartbeat mount / dismount the filesystems and then you would need to create the ncp share.
Please see "man ncpcon" - section Managing NCP Volumes for more information.
Rainer
nss supports activation and deactivation of pools - this can be used to "turn off" nss on the shared disk.
try nss /poolact=POOL1 and nss /pooldeact=POOL1 commands

Similar Messages

  • NSS and LUN expanding - what you need to know before you migrate

    Thought I'd share, since this isn't in any documentation or TID that I
    can find.
    Before you move to OES2 Linux with NSS or multipathing code or EVMS, you
    may want to consider this limitation (IMO, a major limitation if you're
    running an Enterprise).
    If your SAN allows you to grow/expand a LUN (ie, LUN1 was 50 GB and now
    you grow it to 100 GB), you cannot use the new space until you reboot
    the server itself. If you're running NCS, then you need to reboot every
    node that can host the clustered resource before you can expand the NSS
    pool.
    The issue is a bug in the devmapper portion of SLES. ANYTHING that uses
    devmapper will prevent the further layers (ie, multipathing or EVMS)
    from seeing the additional space until you reboot the server.
    Obviously rebooting servers in the middle of the day to add more space
    affects Enterprise services to your users. As does making them wait
    until off-hours before they can write/save any data to the servers. Not
    to mention rebooting multiple nodes in your NCS cluster.
    Novell won't fix this until SLES 11. Even then (ie, if you implement
    OES2 now and can live with the limitation it won't be truly fixed in
    SLES 11 if you're using NSS/EVMS), as the limitation will still be in
    EVMS in SLES 11. Therefore, you'd have to migrate your data to LVM2 (I
    believe that's what Novell is switching to). Yet another major
    disruption for your users.
    So, if you're thinking about OES2 with NSS/EVMS or multipathing, you may
    want to consider the effect this will have to your userbase (ie, how
    many times do you want to migrate your data?)
    In our case, looks like it's going to be one migration --- to MS
    Windows.

    Hi,
    General rule, if you think rebooting is NOT an option AND you are not using clustering - you're looking for trouble.
    I know I can increase space to my cluster without kicking my users offline.
    Worked for NSS.
    Worked for OCFS.
    Limitation noted and ignored.
    -M
    Originally Posted by KittyNoLegs
    Thought I'd share, since this isn't in any documentation or TID that I
    can find.
    Before you move to OES2 Linux with NSS or multipathing code or EVMS, you
    may want to consider this limitation (IMO, a major limitation if you're
    running an Enterprise).
    If your SAN allows you to grow/expand a LUN (ie, LUN1 was 50 GB and now
    you grow it to 100 GB), you cannot use the new space until you reboot
    the server itself. If you're running NCS, then you need to reboot every
    node that can host the clustered resource before you can expand the NSS
    pool.
    The issue is a bug in the devmapper portion of SLES. ANYTHING that uses
    devmapper will prevent the further layers (ie, multipathing or EVMS)
    from seeing the additional space until you reboot the server.
    Obviously rebooting servers in the middle of the day to add more space
    affects Enterprise services to your users. As does making them wait
    until off-hours before they can write/save any data to the servers. Not
    to mention rebooting multiple nodes in your NCS cluster.
    Novell won't fix this until SLES 11. Even then (ie, if you implement
    OES2 now and can live with the limitation it won't be truly fixed in
    SLES 11 if you're using NSS/EVMS), as the limitation will still be in
    EVMS in SLES 11. Therefore, you'd have to migrate your data to LVM2 (I
    believe that's what Novell is switching to). Yet another major
    disruption for your users.
    So, if you're thinking about OES2 with NSS/EVMS or multipathing, you may
    want to consider the effect this will have to your userbase (ie, how
    many times do you want to migrate your data?)
    In our case, looks like it's going to be one migration --- to MS
    Windows.

  • NSS and Syslog information

    Hi All,
    Long time user of Netware and audit for Netware here. We are moving to OES 2SP2 Linux and I am evaluating Sentinel Logmanager as an upgrade to the Audit starter pack. What I would like is the same functionality in NetWare in Linux, what seems to be there now is a lot of logging but not a whole lot of useful information.
    Now part of this is the Sentinel Logmanager itself but part also seems to be the vigil interaction with the Logmanager/syslog server.
    What I am finding is that NSS/vigil reports a whole lot of information for every file transaction, viewing a raw data feed for one file event there are something like 4-6 vigil log entries. What it looks like is happening is everything NSS does for verification is being reported to Vigil, including background processes that probably should not be. For instance, I created a directory as a test and it generated nss logs for opening and closing and creating a tmp file in the directory then deleting it, I assume many of these are NSS procedures to ensure the directory was in fact created and that a file was able to be saved in it. For logging though what needs to be known is that a directory was created and who created it, so it seems to be way too much information.
    The second issue I am seeing is that most of the packets being sent by Vigil are coming with an initiate user as root. I was able to find some packets in the raw data tap that mention the username but all other log entries that are in relation to that event reference root. Now I figure this is accurate if a lot of these entries are really lower level system verifications (which as I mention above should not show up) but it would be helpful to extend (if you do not have a pre-existing field) the schema of the log packets to include the original event and the originating user of that event.
    Right now in log manager I see a ton of events and not one NSS event referencing a username or IP address, so I can tell you when a file was modified, opened, deleted etc., etc., etc., but I can not tell you by who or by what address. Now part of this is logmanager, obviously if I am receiving some packets with the username in the event from the raw data tap the vigil is sending but log manager is not retaining it, but the other side is that for every single event I am receiving 4-6 event packets and not one of those packets reference the initiating IP address or username, only one packet for every event is referencing a username and IP address.
    Is there a roadmap to address this?
    Thanks

    What I am finding is that NSS/vigil reports a whole lot of information for every file transaction, viewing a raw data feed for one file event there are something like 4-6 vigil log entries. What it looks like is happening is everything NSS does for verification is being reported to Vigil, including background processes that probably should not be. For instance, I created a directory as a test and it generated nss logs for opening and closing and creating a tmp file in the directory then deleting it, I assume many of these are NSS procedures to ensure the directory was in fact created and that a file was able to be saved in it. For logging though what needs to be known is that a directory was created and who created it, so it seems to be way too much information.
    [DGC] From your discussion it sounds like the old Netware auditing did a better job of reporting only what is actually relevant.
    To some extent, this is working as designed - we get raw records from Vigil, convert them to Sentinel events, and send them. On the other hand, we understand that ultimately you want to be able to ask the simple questions like "which directories were created by Joe?", and get a useful answer.
    The Vigil auditing piece is brand new, so we're still getting a handle on the exact information that is produced and how it maps to actual user behavior. Internally, NSS is a complex beast that does shared filehandles and all sorts of fun stuff, so it's quite difficult to do this exactly right the first time. What we need is feedback like yours so that we can go in and refine how we process the inbound events.
    The second issue I am seeing is that most of the packets being sent by Vigil are coming with an initiate user as root. I was able to find some packets in the raw data tap that mention the username but all other log entries that are in relation to that event reference root. Now I figure this is accurate if a lot of these entries are really lower level system verifications (which as I mention above should not show up) but it would be helpful to extend (if you do not have a pre-existing field) the schema of the log packets to include the original event and the originating user of that event.
    [DGC] This problem has several root causes, but fundamentally the issue is that NSS itself rarely does anything as a user other than root/SUPERVISOR. It's the client (NCP/CIFS/AFP) that "knows" who the real end user is. There were also some bugs in the Vigil framework that prevented this information from passing through.
    Some time in the next few months the OES team will be releasing some patches and a new version of the Vigil client that will address several of these issues. At the same time we'll be updating the Collector to do pretty much what you describe. Likely the solution won't be perfect quite yet, as there's still a lot to learn, but we should be a lot closer to the solution you're looking for. If you still see significant issues, simply file SRs with NTS and we will take care of them.

  • Berkeley DB and DRBD

    Hello,
    Do you have any advice to give about the use of Berkeley DB with DRBD (on linux clusters)?
    Things I must have in mind, etc.
    Note : Currently, my Berkeley DB databases are stored on a replicated storage managed by DRBD on a two-node Linux cluster. These DBs are handled inside an environment using transactions.
    Thanks

    Hello,
    The default is memory mapped files. For the BDB SQL API, we do not
    yet support DB_SYSTEM_MEM, for allocating memory from system
    shared memory. For more details see:
    BDB SQL Performance
    The "Shared memory regions" documentation at:
    http://download.oracle.com/docs/cd/E17076_02/html/programmer_reference/env_region.html
    provides a further discussion of memory mapped files vs DB_SYSTEM_MEM.
    Thanks,
    Sandra

  • SunPKCS11 and NSS on Mac OS X 10.5

    Hello there,
    I've been scratching my head the whole day about how to use the SunPKCS11 provider and Mozilla's NSS framework under Mac OS X 10.5 (a.k.a Leopard).
    Let me replay the whole movie for you...
    So here I am, religiously following Sun's guidelines ([Java PKCS11 reference guide|http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#NSS]).
    I have of course compiled and installed [Mozilla's NSS and NSP|http://www.mozilla.org/projects/security/pki/nss/].
    So far, so good. Now, I followed Sun's instruction and wrote a configuration file for the SunPKCS11 provider. It looks like this:
    name = NSS
    nssLibraryDirectory = /Users/<path_to_lib_dir>/lib
    nssDbMode = noDb
    attributes = compatibility
    where <path_to_lib_dir> refers of course to the real path on my Leopard machine.
    To test my setup, I use a trivial program that I've found in this very forum if I remember correctly. Here is the error I (violently!) get when trying to run it:
    $ java6 -cp /Users/<path_to_my_classes>/*:. MySmallProgram
    java.security.ProviderException: Could not initialize NSS
         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:183)
         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:86)
         at MySmallProgram.test_nss_with_sunpkcs(MySmallProgram.java:214)
         at MySmallProgram.main(MySmallProgram.java:255)
    Caused by: java.io.FileNotFoundException: /Users/<path_to_lib_dir>/lib/libnss3.jnilib
         at sun.security.pkcs11.Secmod.initialize(Secmod.java:169)
         at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:179)
         ... 3 more
    Of course, I checked the content of the /Users/<path_to_lib_dir>/lib/ directory and... I got a whole bunch of NSS libraries but not the one SunPKCS11 is looking for. I got a libnss3.dylib library (the equivalent to libnss3.so on a "regular" Unix machine) but no jnilib library. And indeed, why should I have a JNI library? I thought that the purpose of SunPKCS11 was to provide the JNI stuff required to bridge the gap between Java and native libraries.
    After that, I tried to install [Mozilla's JSS|http://www.mozilla.org/projects/security/pki/jss/] but all I get is a libjss4.jnilib library and nothing like a libnss3.jnilib.
    So, any guess about what's going on? Should I really have a JNI library instead of a pure, standard C library?
    Any help will be reaaally appreciated.
    Regards,
    Ctrl-x-53

    You shouldn't be calling System.loadLibrary...The SunPKCS11 provider loads all that up for you. You don't need to explicitly load ANY native libraries to use this.
    Code-wise, all I do is:
    Provider nss = new sun.security.pkcs11.SunPKCS11("c:/nss/nss.cfg");
    Security.insertProviderAt(nss, 1);
    the contents of c:/nss/nss.cfg:
    name = nss
    nssLibraryDirectory = /nss
    nssSecmodDirectory = /nss
    nssModule = keystore
    In /nss I have all the NSS and NSPR libraries (and .chk files) and I created a new db with certutil.
    At that point you can either pass the provider object around or I think it names them all "PKCS11-<name>" so in my case "PKCS11-nss". You can have several different SunPKCS11 providers installed and active at one time.
    Oh and it shouldn't be any problem that you compiled NSS/NSPR as 64-bit libraries as long as everything else (like the JVM) is 64 bit. You will run into problems trying to mix and match but it should work fine all 64-bit.
    Edited by: dstutz on Jul 15, 2008 7:25 AM
    And now reading stuff again...you say it all works fine on linux. Maybe it's just something about how you've compiled it? I don't have any experience with OS-X. I would recommend posting to the mozilla.dev.tech.crypto newsgroup or join the mailing list at [https://lists.mozilla.org/listinfo/dev-tech-crypto|https://lists.mozilla.org/listinfo/dev-tech-crypto] and asking the NSS developers directly.
    Edited by: dstutz on Jul 15, 2008 7:26 AM

  • NSS issues and can't do any administration

    Hello all,
    I hope this is not a repost, I have searched on the forum and Google and can not find anything and am in dire need of some help! I have a SLES 10 SP4, with OES 2 installed on it. It also runs Groupwise 2012. I have NSS setup and configured and it has been running great for the past 2 years. The other day a colleague of mine restarted the server because it 'was acting funny'. Now that the server has been restarted, we can not access the groupwise nss volume. If I access the server from a windows machine (\\servername) all I get is the sys volume listing. I have gone on the console of the server and tried to restart nss, it looks as if it starts up, but I can not access my NSS volume through windows using the server name or with the novell client. If I try to use imanager to check the pools and volumes, it says that the version file can not be read, and NSS may not be running on the server. If I use nsscon, and try to run any nss commands, /pools and /volumes shows everything as active. As I looked through log files I did find that ncp2nss is reporting can not open /_admin/Manage_NSS/manage.cmd then says ncp2nss halted(0). I have removed NDS and re added NDS, I have refreshed the NSS and NCP through Yast-OES Install, and I have verified that LDAP, and nam are running. If I go to the server console, I can navigate to the /media/nss/GROUPWISE volume and see all the files, and Groupwise is still working fine. I can not administer Groupwise and add users from Console one, and my backup uses the unc path to backup databases, which is not accessible. Any help or thoughts would be much appreciated!!
    Thanks in advance

    Originally Posted by magic31
    With your other post, I'm not sure what's causing the problem as you mention LDAP and namcd are running and your volumes and eDir services seem to have loaded ok. To make sure not to over jump things, have you checked to make sure the server's certificates are still valid? (as you mention 2 years)
    Can you give some more detail on the server itself... is it running physical or virtual? Have there been changes to the disk configuration (adding/removing/expanding) or other while keeping the server online?
    Also, does your colleague have a little more description to what was acting funny? Or was it just slow at times?
    -Willem
    No there have been no changes to the disks or server at all. It is a physical server, not virtual. As for certificates, when I removed edirectory, I deleted everything in the OU dealing with the server, and assume that when edir was added back it created new certs. I did however go through iManager and repair default certs there, telling it to overwrite all certs. The only other Certs I have not touched is the CA for the tree, however I have other servers running NSS volumes and they are fine. Also noticed that the pools and volumes for this server are NOT in edir, and without iManager, or nssmu, I am not sure of how to update edir with volume information, and not sure if that is the problem. And last, unfortunately, no, my colleague has given me very little information on what was going on.
    Thanks for the help.

  • LVM and NSS in OES11

    I am building out a replacement server which will be the target for a server migration. The server will host an NSS volume. In the past I have always created an array-level logical drive for my NSS partiton/volume. Rather than doing this, I would rather just have one logical drive and partition the space using LVM (except for /boot and swap). Once I create the LVM and add /, /home, /var, /tmp to it, I will have a lot of extra space which I want to use for the NSS volume.
    So, is it possible to use the unused space in LVM for NSS? Or should I stick with a separate logical partition for NSS?
    Chris

    Originally Posted by cmosentine
    I am building out a replacement server which will be the target for a server migration. The server will host an NSS volume. In the past I have always created an array-level logical drive for my NSS partiton/volume. Rather than doing this, I would rather just have one logical drive and partition the space using LVM (except for /boot and swap). Once I create the LVM and add /, /home, /var, /tmp to it, I will have a lot of extra space which I want to use for the NSS volume.
    So, is it possible to use the unused space in LVM for NSS? Or should I stick with a separate logical partition for NSS?
    Chris
    With OES11 it's possible and quite easy to use the left free space on the system disk for NSS.
    It also does not have the potential for havoc as was the case with OES2 (as with OES2 this was also possible, it just meant using EVMS on the system disk device, which could lead to issues booting after patching or updating due to needed missing kernel modules for EVMS within initrd).
    Still, even with it being possible and supported to do so, if you can house the OS bits and data (be it on NSS and other filesystems) on different disk devices.. that would always be what I'd opt for. It makes certain maintenance/recovery and update tasks easier/more flexible/reliable as OS and data partitions are not within one and the same "container".
    Cheers,
    Willem

  • Java 8 64 bit on Windows with NSS for FIPS 140 compliance

    I have asked this question on Stackoverflow but I am beginning to think that this may be a better forum to ask.
    According to JEP 131, Java 8 should provide a PKCS#11 Crypto provider for 64 bit Windows:  https://blogs.oracle.com/mullan/entry/jep_131_pkcs_11_crypto.
    With that in mind, I downloaded and built both 32 and 64 bit versions of NSS with NSPR using these instructions:  https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing
    I downloaded Java 8 for Windows 64 build b118, configured the java.security file and created a nss.cfg file:
    Excerpt from java.security file:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=sun.security.rsa.SunRsaSign
    security.provider.3=sun.security.ec.SunEC
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
    security.provider.5=com.sun.crypto.provider.SunJCE
    security.provider.6=sun.security.jgss.SunProvider
    security.provider.7=com.sun.security.sasl.Provider
    security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.9=sun.security.smartcardio.SunPCSC
    security.provider.10=sun.security.pkcs11.SunPKCS11 /devel/nss.cfg
    From my nss.cfg file:
    # Use NSS as a FIPS-140 compliant cryptographic token
    # SunPKCS11-NSS
    name = NSS
    #32 bit
    #nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_DBG.OBJ\lib
    #64 bit
    nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_64_DBG.OBJ\lib
    #non FIPS
    #nssDbMode = noDb
    #attributes = compatibility
    #FIPS
    nssSecmodDirectory = c:\devel\fipsdb
    nssModule = fips
    I ran the test suite that comes with NSS and it looks like all of the encryption/decryption tests passed (did have some issues with the tests that required hostname/domainname but that has to do with the Windows environment).
    So here is the problem. I run my test encryption app on Java 7 32 bit with the 32 bit version of NSS and everything works great. When I attempt to run Java 8 64 bit with 64 bit NSS I get the following error:
    java.security.ProviderException: Could not initialize NSS
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
    at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getIndex(Unknown Source)
    at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
    at sun.security.jca.ProviderList.getProvider(Unknown Source)
    at java.security.Security.getProvider(Unknown Source)
    at sun.security.ssl.SunJSSE.<init>(Unknown Source)
    at sun.security.ssl.SunJSSE.<init>(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at sun.security.jca.ProviderConfig$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
    at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
    at sun.security.jca.ProviderList.getProvider(Unknown Source)
    at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
    at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
    at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
    at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
    at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
    at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
    at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
    at Main.main(Main.java:24)
    Caused by: java.io.IOException: %1 is not a valid Win32 application.
    at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
    at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
    at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
    ... 36 more
    Has JEP 131 been implemented with Windows/Java 64 bit as of b119?  If so has it been verified to work with NSS or should I submit a bug report?  I did download the code and the error is occurring in the following block of code at the line in bold (also with the arrow by it):
    public synchronized void initialize(DbMode dbMode, String configDir,
            String nssLibDir, boolean nssOptimizeSpace) throws IOException {
        if (isInitialized()) {
            throw new IOException("NSS is already initialized");
        }
        if (dbMode == null) {
            throw new NullPointerException();
        }
        if ((dbMode != DbMode.NO_DB) && (configDir == null)) {
            throw new NullPointerException();
        }
        // Resolve the platform-specific library name (nss3.dll on Windows).
        String platformLibName = System.mapLibraryName("nss3");
        String platformPath;
        if (nssLibDir == null) {
            platformPath = platformLibName;
        } else {
            File base = new File(nssLibDir);
            if (base.isDirectory() == false) {
                throw new IOException("nssLibDir must be a directory:" + nssLibDir);
            }
            File platformFile = new File(base, platformLibName);
            if (platformFile.isFile() == false) {
                throw new FileNotFoundException(platformFile.getPath());
            }
            platformPath = platformFile.getPath();
        }
        // In database modes the directory must already contain secmod.db.
        if (configDir != null) {
            File configBase = new File(configDir);
            if (configBase.isDirectory() == false ) {
                throw new IOException("configDir must be a directory: " + configDir);
            }
            File secmodFile = new File(configBase, "secmod.db");
            if (secmodFile.isFile() == false) {
                throw new FileNotFoundException(secmodFile.getPath());
            }
        }
        if (DEBUG) System.out.println("lib: " + platformPath);
        nssHandle = nssLoadLibrary(platformPath);   // <--- line where the error occurs
        if (DEBUG) System.out.println("handle: " + nssHandle);
        fetchVersions();
        if (supported == false) {
            throw new IOException
                ("The specified version of NSS is incompatible, "
                + "3.7 or later required");
        }
        if (DEBUG) System.out.println("dir: " + configDir);
        boolean initok = nssInitialize(dbMode.functionName, nssHandle,
            configDir, nssOptimizeSpace);
        if (DEBUG) System.out.println("init: " + initok);
        if (initok == false) {
            throw new IOException("NSS initialization failed");
        }
        this.configDir = configDir;
        this.nssLibDir = nssLibDir;
    }
    Any help or advice about filing a bug report would be appreciated.
    Thanks,
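
The `%1 is not a valid Win32 application` text in the trace above is Windows error 193 (ERROR_BAD_EXE_FORMAT), which the loader returns when an image cannot run in the calling process, so one thing worth ruling out is a 32-bit DLL among the files in the directory `nssLibraryDirectory` points at. The following is an added example, not code from the post or from the JDK: it reads the PE header of every DLL in a directory and compares its machine type with the JVM's. The class name, the constructed sample headers and the use of the HotSpot-specific `sun.arch.data.model` property are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

public class DllArchCheck {
    static final int MACHINE_I386 = 0x014c;   // IMAGE_FILE_MACHINE_I386
    static final int MACHINE_AMD64 = 0x8664;  // IMAGE_FILE_MACHINE_AMD64

    static int le16(byte[] b, int off) {
        return (b[off] & 0xff) | ((b[off + 1] & 0xff) << 8);
    }

    static int le32(byte[] b, int off) {
        return le16(b, off) | (le16(b, off + 2) << 16);
    }

    /** Returns the COFF Machine field, or -1 if the bytes are not a PE image. */
    static int machineOf(byte[] b) {
        if (b.length < 0x40 || b[0] != 'M' || b[1] != 'Z') return -1;
        int pe = le32(b, 0x3c);                       // e_lfanew: offset of "PE\0\0"
        if (pe < 0 || pe > b.length - 6) return -1;   // header lies outside what we read
        if (b[pe] != 'P' || b[pe + 1] != 'E' || b[pe + 2] != 0 || b[pe + 3] != 0) return -1;
        return le16(b, pe + 4);                       // Machine follows the signature
    }

    static String describe(int machine) {
        switch (machine) {
            case MACHINE_I386:  return "32-bit (x86)";
            case MACHINE_AMD64: return "64-bit (x64)";
            case -1:            return "not a PE image";
            default:            return "other machine 0x" + Integer.toHexString(machine);
        }
    }

    /** Reads at most the first 4096 bytes, which normally covers the PE header. */
    static byte[] head(File f) throws IOException {
        byte[] buf = new byte[4096];
        InputStream in = new FileInputStream(f);
        try {
            int n = 0, r;
            while (n < buf.length && (r = in.read(buf, n, buf.length - n)) > 0) n += r;
            return Arrays.copyOf(buf, n);
        } finally {
            in.close();
        }
    }

    /** Constructed sample: a minimal DOS stub plus PE signature, not a real DLL. */
    static byte[] constructedHeader(int machine) {
        byte[] b = new byte[0x100];
        b[0] = 'M'; b[1] = 'Z';
        b[0x3c] = (byte) 0x80;                        // e_lfanew = 0x80
        b[0x80] = 'P'; b[0x81] = 'E';
        b[0x84] = (byte) (machine & 0xff);
        b[0x85] = (byte) (machine >> 8);
        return b;
    }

    public static void main(String[] args) throws IOException {
        String bits = System.getProperty("sun.arch.data.model", "unknown");
        int want = "64".equals(bits) ? MACHINE_AMD64 : "32".equals(bits) ? MACHINE_I386 : -1;
        System.out.println("JVM data model: " + bits + "-bit");

        if (args.length == 0) {                       // no directory given: self-check
            System.out.println("sample i386  -> " + describe(machineOf(constructedHeader(MACHINE_I386))));
            System.out.println("sample amd64 -> " + describe(machineOf(constructedHeader(MACHINE_AMD64))));
            System.out.println("usage: java DllArchCheck <nssLibraryDirectory>");
            return;
        }
        File[] files = new File(args[0]).listFiles();
        if (files == null) throw new IOException("not a directory: " + args[0]);
        for (File f : files) {
            if (!f.isFile() || !f.getName().toLowerCase().endsWith(".dll")) continue;
            int m = machineOf(head(f));
            boolean mismatch = want != -1 && m != -1 && m != want;
            System.out.println(f.getName() + ": " + describe(m) + (mismatch ? "   <-- MISMATCH with JVM" : ""));
        }
    }
}
```

Run it with the same `java` binary that fails, passing the `nssLibraryDirectory` value, so the NSPR and other DLLs that `nss3.dll` pulls in from that directory are checked too.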

    Had a few similar short system freezes, after installing Windows 8 x64 on 13” MacBook Pro Mid-2010 with BootCamp 5.0.5033.
    There is a suggestion that DisableDynamicTick may fix the problem: https://discussions.apple.com/message/21565295#21565295. There were similar topics at Microsoft forums: 1, 2, 3. It was said “that this will likely reduce system battery life, so it should be undone when you update your Windows build or if it doesn't resolve your issue”, and that “this problem is resolved in the release versions of Windows 8”.
    Another possibility is that there is indeed a buggy driver, within BootCamp 5.0.5033, or a 3rd party, like a wireless network driver in the following case http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/system-freeze-randomly-after-installing-windows-8/49488183-26cf-4389-af21-a85dc366c99a?page=2#LastReply.
    The problem has been noticeable on my MacBook, but not annoying enough yet to spend time troubleshooting. If you find a robust solution, using the links above or other method, it would be interesting to know.
    HTH

  • I want to add your local cryptographic algorithms to firefox. What I must modify except NSS?

    I want to add some local cryptographic algorithms to Firefox. I know that I must modify NSS. Can I, for example, modify only NSS and use these libraries in the browser, or must I do something else with Firefox?

    Duplicate: https://support.mozilla.org/en-US/questions/1013323
    I will lock this thread.

  • PKCS#11 with NSS

    Hello to ALL Saviours,
    For the past 5 days I have been struggling with a cryptography problem. Let me explain my problem statement.
    I have to test Intel AES-NI feature on Westmere EP series processor with a JAVA Application.
    My Environment Setup:-
    Application server: Apache Tomcat 6.0.33
    Database: Derby
    Application: JPetStore
    JAVA: jdk1.6.0_23
    Network Security Services(NSS): 3.12.10
    OS: CentOS 6.0 x86-64
    Steps I have followed to make it work.
    1. Setup the application running perfectly fine on 8443 port. Created a key using "keytool -genkey -alias tomcat -keyalg RSA".
    2. Checked the property of page of my application. Output is "TLS 1.0, AES with 128 bit encryption (High); RSA with 1024 bit exchange".
    3. I have compiled the NSS and put all *.so files into the existing JDK ($JAVA_HOME/jre/lib/amd64).
    4. Update jre/lib/security/java.security AS "security.provider.1=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"
    5. put nss.cfg to ($JAVA_HOME/jre/lib/security).
    #Content of nss.cfg
    name=NSS
    nssLibraryDirectory=${java.home}/lib/amd64
    nssDbMode=noDb
    attributes=compatibility
    6. Started the Application again. Application running fine without any error in CATALINA.out.
    Problem Statement:-
    I have generated a load of 20 virtual users and collected the Throughput. In both the cases (With and Without PKCS#11-NSS Implemented) I am getting the same results.
    I am not sure whether I am missing some steps or have misconfigured something.
    Help is appreciated because I am in need of it badly.
    Please suggest your views.

    handat wrote:
    NSS doesn't use the JKS store file but instead uses either a hardware token or its own softstore (cert8.db & key3.db). You need to generate the certificate using the certutil tool and update Tomcat server.xml config and set keystoreType.
    Edited by: handat on Nov 18, 2011 1:13 PM
    Edited by: handat on Nov 18, 2011 1:24 PM

    I am using keytool to generate the PKCS11 keystore, but it is giving an error: "keytool error: java.security.KeyStoreException: token write-protected".
    I have used the nssDbMode=noDb option in the nss.cfg file, so do I still have to generate the db file?
    Can you please give me a snapshot of the server.xml file in Tomcat?
    I have configured it as:
    <Connector port="8443"
    minSpareThreads="5"
    maxSpareThreads="75"
    enableLookups="true"
    disableUploadTimeout="true"
    acceptCount="100"
    maxThreads="200"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreType="PKCS11"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
    />
    I appreciate the response.

  • NFS exports and the mandatory no_root_squash

    We are running a SUSE11/OES11 cluster serving NSS volumes as NCP, NFS and AFP. Is the only feasible workaround for the NFS no_root_squash requirement to firewall the mountd port?
    If so will having a list of 1,000+ IP numbers in the allow list for mountd have a significant impact on the cluster nodes? Unfortunately on our University class B IPv4 site the allocated IP addresses are scattered and the subset of PCs controlled by technicians (and therefore 'trusted') are not contiguous and neatly arranged.

    There is another workaround to the "no_root_squash" requirement. The below is taken from TID: Support | OES: Compatibility issues between NSS and NFS
    2. no_root_squash: Officially, this is mandatory, so care should be taken to limit what hosts can mount the export (as the root user of the NFS client host will be able to act as the root user on the NSS exported path).
    However, due to potential security concerns with allowing root access, some administrators chose to set this up in another way. This alternative way is thus far considered experimental, and not thoroughly tested: It seems that the key requirement here is that the user who is requesting the mount (typically root) have at least Filescan rights to the NSS volume. If root is "squashed" he is treated like "nobody." Typically, "nobody" does not have access, neither through its own merits nor by being associated with any LUM-enabled user in eDir. However, an eDir user can be created and LUM-enabled, given Filescan right to the NSS volume(s), and then the UID assigned to that user can be used as the "anonuid" for that particular export. So, for example, if the user in question was given UID 1011, then instead of "no_root_squash" the combination of "root_squash,anonuid=1011" could be used.
    In that case, be sure to remember that even after mount, "squashed root user" will be treated as having whatever rights the anonuid user has been given. Also remember that if you use the "all_squash" parameter as well, all NFS client users (not just eDir users and not just root) will be treated as the anonuid user, and will be able to access the NSS volume.
    On the other subject: I do not know the potential impact of 1000+ IP numbers in an allow list for mountd.
    Darcy
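
The squash options discussed in the reply above, as an added example (not from the TID or from the posters): a small Python audit of exports-file text that labels what each client entry lets a client's root user do. The export paths, host addresses and finding labels are constructed for illustration; UID 1011 is the TID's own example value.

```python
# Constructed sample /etc/exports (paths and hosts are illustrative).
SAMPLE_EXPORTS = """\
/media/nss/VOL1 10.1.2.3(rw,no_root_squash,sync) *(rw,no_root_squash,sync)
# Experimental alternative from the TID: squash root to a LUM-enabled user
/media/nss/VOL2 10.1.2.0/24(rw,root_squash,anonuid=1011,sync)
/media/nss/VOL3 10.1.2.3(rw,all_squash,anonuid=1011,sync)
/media/nss/VOL4 10.1.2.3(rw,sync)
"""

def parse_exports(text):
    """Yield (path, host, options) for every client entry in exports text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        path = fields[0]
        # A path with no client list is exported to everyone with defaults.
        for client in fields[1:] or ["*"]:
            host, _, opts = client.partition("(")
            options = {}
            for opt in opts.rstrip(")").split(","):
                if opt:
                    key, _, value = opt.partition("=")
                    options[key] = value
            # "host (opts)" with a space makes "(opts)" apply to all hosts.
            yield path, host or "*", options

def audit(text):
    """Return (path, host, finding) tuples for the squash-related options."""
    findings = []
    for path, host, o in parse_exports(text):
        wildcard = any(c in host for c in "*?")
        anon = o.get("anonuid")
        if "no_root_squash" in o:
            code = "ROOT_FROM_ANY_HOST" if wildcard else "ROOT_FROM_LISTED_HOST"
        elif "all_squash" in o and anon:
            code = "ALL_USERS_AS_UID_" + anon   # every client user, not just root
        elif anon:
            code = "ROOT_AS_UID_" + anon        # squashed root gets this user's rights
        else:
            code = "ROOT_AS_NOBODY"             # default root_squash, no anonuid
        findings.append((path, host, code))
    return findings

if __name__ == "__main__":
    for path, host, code in audit(SAMPLE_EXPORTS):
        print(f"{path:18} {host:14} {code}")
```

ROOT_AS_NOBODY marks the case the TID describes as typically having no access to the NSS volume, and ROOT_FROM_ANY_HOST is the entry to fix first.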

  • Nss / pk12util on Solaris

    Hi - has anyone any experience with getting the above from Mozilla installed on Solaris? I'm running Solaris 10 11/06 s10s_u3wos_10 SPARC on some T1000 / T2000 servers and need the pk12util command but am at a loss as to how to get this installed. I see other O/S distros just provide all the necessary nss* packages and the tools are there but not Solaris.
    The main link is http://www.mozilla.org/projects/security/pki/nss/ and then there's download details here http://www.mozilla.org/projects/security/pki/src/download.html
    I'm almost certain that some of the problems I'll have if I need to build from source which I don't want to do is my servers will have no compiler installed, they won't have gmake and I'm also working on zones.
    Any help would be greatly appreciated.
    Thanks - Julian.

    Hi!
    Check on your system. On mine I found more than one pk12util.
    bash-3.00$ grep pk12util /var/sadm/install/contents
    /usr/appserver/lib/install/templates/pk12util.sh.template f none 0644 root bin 329 26943 1155745133 SUNWasut
    /usr/appserver/lib/pk12util f none 0755 root bin 135240 41456 1155745133 SUNWasut
    /usr/appserver/lib/pk12util.sh e appservenv 0755 root bin 329 26943 1155745133 SUNWasut
    /usr/appserver/lib/upgrade/pk12util f none 0755 root bin 100116 4833 1155745134 SUNWasut
    /usr/sfw/bin/pk12util f none 0755 root bin 139536 44255 1268710916 SUNWtlsu
    /usr/sfw/bin/sparcv9/pk12util f none 0755 root bin 156240 55607 1268710920 SUNWtlsu
    -bash-3.00$ pkginfo SUNWasut
    system SUNWasut Sun Java System Application Server, upgrade tool
    -bash-3.00$ pkginfo SUNWtlsu
    system SUNWtlsu Network Security Services Tools
    -bash-3.00$
    Regards.

  • Case insensitive NSS volume on cluster

    We are trying to migrate from Apache2 running on a Netware server to a OES2 Linux server running on a two node cluster. The Cluster Volume is NSS and when Apache runs we appear to have a case sensitivity issue. I have read on the Forums that NSS can be configured to be case insensitive but I am unsure how I change the cluster to mount NSS case insensitive.
    Can anyone assist? (It would sure help because trying to change all of the folders and files to lowercase and change all of the .php scripts to load the lowercase folders has been a nightmare!)
    Thanks for any information that you can provide!
    Charlie
    ~~~

    Originally Posted by utman
    I found an OES 1 doc that says if you add the long namespace it will make it case insensitive.
    Novell Documentation
    Any idea if I LOSE anything by mounting it with Long Namespace? I have never been quite sure WHY you would want it to be Case Sensitive in Linux. It just seems to make for a lot of confusion. (HOME vs. home)

  • OpenSSL and java interaction

    Hi
    I am working on a project which requires me to use crypto library of OpenSSL. The calling program is Java. Does anyone have examples of OpenSSL interaction and java ?
    Thanks
    p

    In order of worst to best ideas for doing cryptography that is (or at least should be) compatible with OpenSSL:
    1. System.exec to call openssl binaries
    2. JNI to wrap calls to OpenSSL methods
    3. Not-Yet-Commons-SSL has some OpenSSL compatible stuff: http://juliusdavies.ca/commons-ssl/
    4. Just use the Java Cryptographic API using algorithms/params that are compatible with OpenSSL.
    It seems odd to have a requirement for a project that is written in Java to have to use a C library. If you want open source (free $$) and Java, go with BouncyCastle or Mozilla's JSS (which is FIPS approved, BTW).
    It's not too hard to find a common middle ground between such crypto toolkits as Microsoft CAPI, NSS, and OpenSSL.

  • Lvm and gparted

    A few months ago I installed Arch Linux on my computer. I use reiserfs as a filesystem and I have LVM on it (or is this backwards, I don't know). I really don't know why I used LVM at installation, but at that time it seemed to me a great tool to manage different "partitions" (logical volumes) on one partition. Now I am thinking of cutting a little space from my Windows partition and giving it to Linux. So I have a few (well, lots of) questions.
    My specs first:
    # fdisk -l
    Disk /dev/sda: 118.5 GB, 118526284800 bytes
    255 heads, 63 sectors/track, 14410 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Device     Boot  Start    End     Blocks      Id  System
    /dev/sda1  *         1   1912   15358108+      7  HPFS/NTFS
    /dev/sda2  *      1913   1925     104422+     83  Linux
    /dev/sda3         1926  14410  100285762+      f  W95 Ext'd (LBA)
    /dev/sda5         1926   4475   20482843+      7  HPFS/NTFS
    /dev/sda6         4476   4606    1052226      82  Linux swap / Solaris
    /dev/sda7         4607  14410   78750598+     8e  Linux LVM
    # di -h
    Filesystem          Mount       Size    Used   Avail  %Used  fs Type
    /dev/mapper/VolGro  /          10.0G    4.6G    5.4G    46%  reiserfs  #VolGroup00-lvol0
    /dev/sda2           /boot     101.9M   59.5M   42.4M    58%  reiserfs
    /dev/mapper/VolGro  /home      65.1G   46.6G   18.5G    72%  reiserfs  #VolGroup00-lvol1
    /dev/sda5           /mnt/win   19.5G   12.1G    7.5G    62%  fuseblk
    And questions:
    1. Can I resize partitions using gparted without damaging data on them? Does this include partitions with LVM on them?
    2. Can I resize logical volumes on LVM without damaging data on them too? Is a snapshot used when doing this, and how?
    3. Is there any benefit of using LVM if I can resize partitions without damaging data on them?
    4. Does changing logical volumes require a restart?
    5. Why does gparted show that on /dev/sda7 there is only 34 MB of used space?
    6. Is it OK to have two partitions marked as boot?
    Thank you for your answers.
    Last edited by billy (2007-02-24 17:25:19)

    Originally Posted by cmosentine
    I am building out a replacement server which will be the target for a server migration. The server will host an NSS volume. In the past I have always created an array-level logical drive for my NSS partition/volume. Rather than doing this, I would rather just have one logical drive and partition the space using LVM (except for /boot and swap). Once I create the LVM and add /, /home, /var, /tmp to it, I will have a lot of extra space which I want to use for the NSS volume.
    So, is it possible to use the unused space in LVM for NSS? Or should I stick with a separate logical partition for NSS?
    Chris
    With OES11 it's possible and quite easy to use the free space left on the system disk for NSS.
    It also does not have the potential for havoc as was the case with OES2 (with OES2 this was also possible, it just meant using EVMS on the system disk device, which could lead to issues booting after patching or updating due to needed kernel modules for EVMS missing from the initrd).
    Still, even with it being possible and supported to do so, if you can house the OS bits and data (be it on NSS or other filesystems) on different disk devices, that would always be what I'd opt for. It makes certain maintenance/recovery and update tasks easier/more flexible/reliable as OS and data partitions are not within one and the same "container".
    Cheers,
    Willem
