5.5 Trust Database Files (*.db Files)

The Web Server stores security-based information in three Network Security Services (NSS) libdbm database files as follows:

  • cert8.db—Stores publicly accessible objects (such as certificates, certificate revocation lists, and S/MIME records)
  • key3.db—Stores the private keys generated by the server
  • secmod.db—Stores PKCS #11 module configuration information

The combination of these files is commonly called the trust database, and each file plays a different role in securing your Web Server.

For example, the cert8.db and key3.db files store the public and private keys and the certificates used to enable Secure Sockets Layer (SSL). The secmod.db file stores information for enabling and configuring additional security modules that can be used with the Web Server (such as hardware accelerator cards). See Chapter 8, “Securing Web Server 7.0,” for more information about how these files are used to provide security for your Web Server.

5.5.1 File Structure

Trust database files are formatted in a Berkeley DB 1.85 hash format so they are not viewable or editable with a standard text editor. You can, however, use a hex editor or the UNIX strings command to obtain an insight into the contents of these files. Example 5.7 provides a sample of the cert8.db file.

Example 5.7. Snippet of Hex Output from the cert8.db File

.....
0000bc10  00 00 08 03 00 00 01 00 15 00 00 63 65 72 74 2d  ...........cert-
0000bc20  66 6f 6f 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 00  foo.example.com.
0000bc30  00 6f 00 00 00 87 1b db 31 30 68 31 0b 30 09 06  .o...‡.Û10h1.0..
0000bc40  03 55 04 06 13 02 55 53 31 0b 30 09 06 03 55 04  .U....US1.0...U.
0000bc50  08 13 02 46 4c 31 0e 30 0c 06 03 55 04 07 13 05  ...FL1.0...U....
0000bc60  54 61 6d 70 61 31 0d 30 0b 06 03 55 04 0a 13 04  Tampa1.0...U....
0000bc70  54 65 73 74 31 13 30 11 06 03 55 04 0b 13 0a 57  Test1.0...U....W
0000bc80  65 62 20 53 65 72 76 65 72 31 18 30 16 06 03 55  eb Server1.0...U
0000bc90  04 03 13 0f 66 6f 6f 2e 65 78 61 6d 70 6c 65 2e  ....foo.example.
0000bca0  63 6f 6d 03 30 68 31 0b 30 09 06 03 55 04 06 13  com.0h1.0...U...
0000bcb0  02 55 53 31 0b 30 09 06 03 55 04 08 13 02 46 4c  .US1.0...U....FL
0000bcc0  31 0e 30 0c 06 03 55 04 07 13 05 54 61 6d 70 61  1.0...U....Tampa
0000bcd0  31 0d 30 0b 06 03 55 04 0a 13 04 54 65 73 74 31  1.0...U....Test1
0000bce0  13 30 11 06 03 55 04 0b 13 0a 57 65 62 20 53 65  .0...U....Web Se
0000bcf0  72 76 65 72 31 18 30 16 06 03 55 04 03 13 0f 66  rver1.0...U....f
0000bd00  6f 6f 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 08 01  oo.example.com..
.....

If you look closely at the text portion of the file (the far right column), you can see certain data elements that can be found within the details of the certificate shown in Table 5.3.

Table 5.3. Sample Certificate

Attribute        Value
---------------  -----------------------------------------------------------
Nickname         cert-foo.example.com
Subject          CN=foo.example.com,OU=Web Server,O=Test,L=Tampa,ST=FL,C=US
Issuer           Self Signed
Key Type         RSA
Key Size (bits)  1024
Valid From       August 29, 2007 7:21:30 PM EDT
Valid Till       August 29, 2008 7:21:30 PM EDT
Fingerprint      0B:DE:C8:80:17:38:EC:C6:6F:98:5A:5C:8F:3A:54:76
Serial Number    00:87:1B:DB:31
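As an added example (not from the book), the following Python decodes the DER-encoded subject name whose printable pieces show in the right-hand column of Example 5.7 and reproduces the Subject row of Table 5.3. The bytes are transcribed from the dump at offset 0xbc39 onward; the surrounding Berkeley DB record layout is not parsed, and the five bytes immediately preceding the name match the Serial Number row.

```python
import binascii

# Subject name transcribed from Example 5.7, offsets 0xbc39-0xbca2 (the "30 68" run);
# the five bytes just before it, 00 87 1b db 31, are the serial number in Table 5.3.
SUBJECT_DER = binascii.unhexlify(
    "3068"
    "310b3009060355040613025553"                            # C=US
    "310b300906035504081302464c"                            # ST=FL
    "310e300c0603550407130554616d7061"                      # L=Tampa
    "310d300b060355040a130454657374"                        # O=Test
    "31133011060355040b130a57656220536572766572"            # OU=Web Server
    "311830160603550403130f666f6f2e6578616d706c652e636f6d"  # CN=foo.example.com
)

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",      # X.520 attribute types
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}   # present in this name

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode an OBJECT IDENTIFIER value (base-128 arcs) into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Parse a Name (SEQUENCE OF SET OF SEQUENCE {type, value}) into (type, value) pairs."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        assert tag == 0x31, "expected SET"
        _, atv, _ = read_tlv(rdn, 0)      # single-valued RDNs, as in this certificate
        _, oid, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)    # tag 0x13 = PrintableString here
        attr = decode_oid(oid)
        rdns.append((OID_NAMES.get(attr, attr), value.decode("ascii")))
    return rdns

def name_to_string(der):
    """Render CN-first, the order Table 5.3 uses."""
    return ",".join(f"{k}={v}" for k, v in reversed(parse_name(der)))
```

Running name_to_string on the second "30 68" run (offset 0xbca4) yields the same string, which is what "Self Signed" in the Issuer row means at the byte level.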

5.5.2 Context

Each server instance has its own trust database; therefore, there is a one-to-one correspondence between the server instance and the trust database.

5.5.3 Modifications

You cannot edit files within the trust database directly. These files must be managed with the Administration Console or the command line interface. If any of these files are updated through either of these two interfaces, you must deploy the updated configuration before the changes are reflected on the appropriate Administration Node(s).
