From 4d6e6d05d5270a0e81ae12e2583cae9c49667c88 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 17 Mar 2017 02:01:20 +0100
Subject: Removed duplicate code to configure SSL version ranges.

The duplicate code for configuring default SSL version ranges has been merged into reusable methods in CryptoUtil.
---
 .../src/com/netscape/cmstools/HttpClient.java | 24 +++++-------------------
 1 file changed, 5 insertions(+), 19 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index 6a008bf2c..aa3bd1743 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.ssl.SSLSocket;
 import org.mozilla.jss.util.Password;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 import com.netscape.cmsutil.util.Utils;
 /**
@@ -122,29 +123,14 @@ public class HttpClient {
 token.login(pass);
 SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
- stream_range);
-
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
- datagram_range);
+ CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+ CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
 sslSocket = new SSLSocket(_host, _port);
- // setSSLVersionRange needs to be exposed in jss
- // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+ // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
+ // sslSocket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
 sslSocket.addHandshakeCompletedListener(listener);
 CryptoToken tt = cm.getThreadToken();
-- cgit
From 8b85ace2a2761c8451a11b4df8f142bd291cd6d4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 17 Mar 2017 07:55:11 +0100
Subject: Default NSS database for PKI CLI.

The PKI CLI has been modified to create a default NSS database without a password if there is no existing database at the expected location.
---
 .../src/com/netscape/cmstools/cli/MainCLI.java | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

(limited to 'base/java-tools/src/com')
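Review bot: The stream range passed to `CryptoUtil.setSSLStreamVersionRange(...)` keeps `SSLVersion.TLS_1_0` as the floor, so this client can still end up on TLS 1.0 when the peer offers nothing newer; since the call is being rewritten anyway, consider raising the minimum if the servers it talks to allow it, e.g. `CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_2, SSLVersion.TLS_1_2);`. The same hard-coded range is added again in the MainCLI hunk of the "Moved default SSL configuration out of PKIConnection" commit. Judging by the removed `SSLSocket.setSSLVersionRangeDefault(...)` calls these are defaults for every socket created afterwards rather than settings of `sslSocket`, which deserves a comment above the two calls such as `// Default range for all SSL sockets created after this point, not only sslSocket`. The enclosing method starts and ends outside the hunk.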
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 0a9ddf0a6..75904edc6 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -467,12 +467,32 @@ public class MainCLI extends CLI {
 public void init() throws Exception {
- // Main program should initialize client security database
- if (certDatabase.exists()) {
- if (verbose) System.out.println("Initializing client security database");
- CryptoManager.initialize(certDatabase.getAbsolutePath());
+ // Create security database if it doesn't exist
+ if (!certDatabase.exists()) {
+
+ if (verbose) System.out.println("Creating security database");
+
+ certDatabase.mkdirs();
+
+ String[] commands = {
+ "/usr/bin/certutil", "-N",
+ "-d", certDatabase.getAbsolutePath(),
+ "--empty-password"
+ };
+
+ Runtime rt = Runtime.getRuntime();
+ Process p = rt.exec(commands);
+
+ int rc = p.waitFor();
+ if (rc != 0) {
+ throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath() + " (rc: " + rc + ")");
+ }
 }
+ // Main program should initialize security database
+ if (verbose) System.out.println("Initializing security database");
+ CryptoManager.initialize(certDatabase.getAbsolutePath());
+
 // If password is specified, use password to access security token
 if (config.getCertPassword() != null) {
 if (verbose) System.out.println("Logging into security token");
-- cgit
From d06e291b25087dfd4cd70e6f97e2c0f4f84bd121 Mon Sep 17 00:00:00 2001
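Review bot: `certDatabase.mkdirs()` creates the database directory with whatever permissions the process umask allows and its return value is ignored, while the database created right after it is initialised with `--empty-password`, so any private key stored there later is protected by file permissions alone. Create the directory owner-only and fail early when that does not work, e.g. `Files.createDirectories(certDatabase.toPath(), PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));` (this needs `java.nio.file` imports that lie outside the hunk). The output of the `certutil` process is never read, so the exception thrown for a non-zero `rc` gives no hint of why the tool failed; adding its error output to the message would make failures diagnosable. `init()` continues past the end of the hunk.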
From: "Endi S. Dewata"
Date: Fri, 17 Mar 2017 09:11:52 +0100
Subject: Moved default SSL configuration out of PKIConnection.

To prevent conflicts, the code that configures the default SSL version ranges and ciphers for all SSL sockets created afterwards has been moved out of PKIConnection into the main program (i.e. PKI CLI).
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 75904edc6..4c0a91823 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -59,6 +59,7 @@ import com.netscape.cmstools.pkcs12.PKCS12CLI;
 import com.netscape.cmstools.system.SecurityDomainCLI;
 import com.netscape.cmstools.user.UserCLI;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 /**
 * @author Endi S. Dewata
@@ -518,6 +519,10 @@ public class MainCLI extends CLI {
 }
+ CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+ CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
+ CryptoUtil.setClientCiphers();
+
 client = new PKIClient(config, null);
 client.setVerbose(verbose);
-- cgit
From 6bcb89b55db870766ddcf09002a5997b323bd196 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Sat, 18 Mar 2017 07:45:30 +0100
Subject: Fixed PKIClient initialization in PKI CLI.

The PKI CLI has been modified such that it initializes the PKIClient (and retrieves the access banner) only if the CLI needs to access the PKI server. https://pagure.io/dogtagpki/issue/2612
---
 base/java-tools/src/com/netscape/cmstools/cli/CLI.java | 2 +-
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 11 +++++++++++
 base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
index 0a9106705..65fad75e0 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
@@ -183,7 +183,7 @@ public class CLI {
 return null;
 }
- public PKIClient getClient() {
+ public PKIClient getClient() throws Exception {
 return client;
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 4c0a91823..8f575dbf7 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -522,6 +522,15 @@ public class MainCLI extends CLI {
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
 CryptoUtil.setClientCiphers();
+ }
+
+ public PKIClient getClient() throws Exception {
+
+ if (client != null) return client;
+
+ if (verbose) {
+ System.out.println("Initializing PKIClient");
+ }
 client = new PKIClient(config, null);
 client.setVerbose(verbose);
@@ -558,6 +567,8 @@ public class MainCLI extends CLI {
 }
 }
 }
+
+ return client;
 }
 public void execute(String[] args) throws Exception {
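Review bot: In the new `MainCLI.getClient()` the field is assigned by `client = new PKIClient(config, null);` before the remaining set-up that lies between the two MainCLI hunks (not visible here; per the commit message it includes retrieving the access banner), so if that later code throws, a second call takes the `if (client != null) return client;` shortcut and returns a client whose initialisation never completed. Building into a local and publishing it last avoids that: `PKIClient newClient = new PKIClient(config, null);` at the top and `client = newClient;` directly before the added `return client;`. Whether any caller retries after a failure cannot be told from the hunks. A Javadoc sentence stating that the first call contacts the server would also help readers of `CLI.getClient()`, whose signature now exposes a raw `throws Exception` to every caller.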
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
index c5387cf03..1cf6feaf2 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
@@ -87,7 +87,7 @@ public class ProxyCLI extends CLI {
 return module.removeModule(name);
 }
- public PKIClient getClient() {
+ public PKIClient getClient() throws Exception {
 return module.getClient();
 }
-- cgit
From 31683301b69fda23893c80af7c34c42a75e1b906 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 17 Mar 2017 19:20:30 +0100
Subject: Added configuration parameters for SSL version ranges.

The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.
---
 .../src/com/netscape/cmstools/cli/MainCLI.java | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 8f575dbf7..b3de8757f 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -519,8 +519,24 @@ public class MainCLI extends CLI {
 }
- CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
- CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
+ // See default SSL configuration in /usr/share/pki/etc/pki.conf.
+
+ String streamVersionMin = System.getenv("SSL_STREAM_VERSION_MIN");
+ String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
+
+ CryptoUtil.setSSLStreamVersionRange(
+ SSLVersion.valueOf(streamVersionMin),
+ SSLVersion.valueOf(streamVersionMax)
+ );
+
+ String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
+ String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
+
+ CryptoUtil.setSSLDatagramVersionRange(
+ SSLVersion.valueOf(datagramVersionMin),
+ SSLVersion.valueOf(datagramVersionMax)
+ );
+
 CryptoUtil.setClientCiphers();
 }
-- cgit
From a168db3f36584a6a576daa91c993d18c134835fe Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Sun, 19 Mar 2017 18:44:06 +0100
Subject: Renamed CryptoUtil.setClientCiphers().

The setClientCiphers() in CryptoUtil has been renamed to setDefaultSSLCiphers() for clarity.
---
 base/java-tools/src/com/netscape/cmstools/HttpClient.java | 2 +-
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index aa3bd1743..29b7446b4 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
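Review bot: The four environment values go straight into `SSLVersion.valueOf(...)`, so a value that is not an exact constant name ends in an `IllegalArgumentException` that does not say which variable was wrong, and nothing in the hunk checks that the minimum is not above the maximum (CryptoUtil may do so; that is not visible here). Wrapping each lookup makes the failure actionable, for example `try { min = SSLVersion.valueOf(streamVersionMin); } catch (IllegalArgumentException e) { throw new Exception("Invalid SSL_STREAM_VERSION_MIN: " + streamVersionMin, e); }`, ideally through one small helper shared by all four calls. The same applies to the later "Added hard-coded default values" hunk, which changes only the unset case. Because the environment can now lower the range as well as raise it, the comment above the block could state the lowest version the CLI is meant to accept.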
@@ -126,7 +126,7 @@ public class HttpClient {
 CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
 CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
- CryptoUtil.setClientCiphers();
+ CryptoUtil.setDefaultSSLCiphers();
 sslSocket = new SSLSocket(_host, _port);
 // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index b3de8757f..f2e0d08d9 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -537,7 +537,7 @@ public class MainCLI extends CLI {
 SSLVersion.valueOf(datagramVersionMax)
 );
- CryptoUtil.setClientCiphers();
+ CryptoUtil.setDefaultSSLCiphers();
 }
 public PKIClient getClient() throws Exception {
-- cgit
From a0fde2d91a02c4d11b698582a2cd64a76765ed25 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 17 Mar 2017 19:25:07 +0100
Subject: Added pki.conf parameter for SSL ciphers.

A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index f2e0d08d9..053d72c4e 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -538,6 +538,9 @@ public class MainCLI extends CLI {
 );
 CryptoUtil.setDefaultSSLCiphers();
+
+ String ciphers = System.getenv("SSL_CIPHERS");
+ CryptoUtil.setSSLCiphers(ciphers);
 }
 public PKIClient getClient() throws Exception {
-- cgit
From de4b48b9e4523a865e74f8122e130e976b124410 Mon Sep 17 00:00:00 2001
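Review bot: In the "Added pki.conf parameter for SSL ciphers" hunk `System.getenv("SSL_CIPHERS")` yields `null` when the variable is not set, and that value is handed to `CryptoUtil.setSSLCiphers(ciphers)` unchecked; whether the callee tolerates `null` cannot be seen from here. Guarding the call, `if (ciphers != null) CryptoUtil.setSSLCiphers(ciphers);`, leaves the cipher set chosen just above untouched when pki.conf has not been loaded. A comment giving the expected format of the value would also help whoever edits pki.conf, since the commit message only says the listed ciphers are applied in addition to the defaults. The enclosing `init()` starts outside the hunk.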
From: "Endi S. Dewata"
Date: Sun, 19 Mar 2017 21:47:08 +0100
Subject: Added pki.conf parameter for default SSL ciphers.

A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 053d72c4e..83090a108 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -537,7 +537,12 @@ public class MainCLI extends CLI {
 SSLVersion.valueOf(datagramVersionMax)
 );
- CryptoUtil.setDefaultSSLCiphers();
+ String defaultCiphers = System.getenv("SSL_DEFAULT_CIPHERS");
+ if (Boolean.parseBoolean(defaultCiphers)) {
+ CryptoUtil.setDefaultSSLCiphers();
+ } else {
+ CryptoUtil.unsetSSLCiphers();
+ }
 String ciphers = System.getenv("SSL_CIPHERS");
 CryptoUtil.setSSLCiphers(ciphers);
-- cgit
From cf611311181c3006009a3ae0ad19a39244028bd2 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 20 Mar 2017 17:03:45 +0100
Subject: Added hard-coded default values for SSL parameters in PKI CLI.

The PKI CLI has been modified to use hard-coded default values in case the pki.conf is not available (e.g. in Eclipse).
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 83090a108..d64a235ad 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
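Review bot: `Boolean.parseBoolean(defaultCiphers)` returns `false` for everything except the string "true", so a setting such as `SSL_DEFAULT_CIPHERS=yes` or a typo silently takes the `CryptoUtil.unsetSSLCiphers()` branch, and if `SSL_CIPHERS` names nothing usable the client is presumably left without any enabled cipher and fails only later, during the handshake. Rejecting anything other than the two literal values makes the misconfiguration visible at start-up: `if (defaultCiphers != null && !defaultCiphers.equalsIgnoreCase("true") && !defaultCiphers.equalsIgnoreCase("false")) throw new Exception("Invalid SSL_DEFAULT_CIPHERS: " + defaultCiphers);`. A comment on the `else` branch saying that it disables every cipher before `SSL_CIPHERS` is applied would document the intent. The enclosing `init()` starts outside the hunk.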
@@ -525,20 +525,20 @@ public class MainCLI extends CLI {
 String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
 CryptoUtil.setSSLStreamVersionRange(
- SSLVersion.valueOf(streamVersionMin),
- SSLVersion.valueOf(streamVersionMax)
+ streamVersionMin == null ? SSLVersion.TLS_1_0 : SSLVersion.valueOf(streamVersionMin),
+ streamVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(streamVersionMax)
 );
 String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
 String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
 CryptoUtil.setSSLDatagramVersionRange(
- SSLVersion.valueOf(datagramVersionMin),
- SSLVersion.valueOf(datagramVersionMax)
+ datagramVersionMin == null ? SSLVersion.TLS_1_0 : SSLVersion.valueOf(datagramVersionMin),
+ datagramVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(datagramVersionMax)
 );
 String defaultCiphers = System.getenv("SSL_DEFAULT_CIPHERS");
- if (Boolean.parseBoolean(defaultCiphers)) {
+ if (defaultCiphers == null || Boolean.parseBoolean(defaultCiphers)) {
 CryptoUtil.setDefaultSSLCiphers();
 } else {
 CryptoUtil.unsetSSLCiphers();
-- cgit
From e25cda67e410d235a934f255c844e8e84ddf6716 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 20 Mar 2017 17:21:14 +0100
Subject: Fixed default value for SSL datagram.

The minimum SSL version for datagram should have been TLS 1.1 to match the default in pki.conf.
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index d64a235ad..653695173 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -533,7 +533,7 @@ public class MainCLI extends CLI {
 String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
 CryptoUtil.setSSLDatagramVersionRange(
- datagramVersionMin == null ? SSLVersion.TLS_1_0 : SSLVersion.valueOf(datagramVersionMin),
+ datagramVersionMin == null ? SSLVersion.TLS_1_1 : SSLVersion.valueOf(datagramVersionMin),
 datagramVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(datagramVersionMax)
 );
-- cgit
From 4c6a98d79a02fd0bf6e5da56835e8dd0ce2e7485 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 20 Mar 2017 01:21:34 +0100
Subject: Allowing pki client-init without NSS database password.

The pki client-init has been modified to support creating NSS database without password.
---
 .../netscape/cmstools/client/ClientInitCLI.java | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
index 968539136..893b40b34 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
@@ -23,7 +23,9 @@ import java.io.File;
 import java.io.FileWriter;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.io.FileUtils;
@@ -67,10 +69,6 @@ public class ClientInitCLI extends CLI {
 MainCLI mainCLI = (MainCLI)parent.getParent();
- if (mainCLI.config.getCertPassword() == null) {
- throw new Exception("Security database password is required.");
- }
-
 boolean force = cmd.hasOption("force");
 File certDatabase = mainCLI.certDatabase;
@@ -97,16 +95,28 @@ public class ClientInitCLI extends CLI {
 File passwordFile = new File(certDatabase, "password.txt");
 try {
- try (PrintWriter out = new PrintWriter(new FileWriter(passwordFile))) {
- out.println(mainCLI.config.getCertPassword());
- }
-
 String[] commands = {
 "/usr/bin/certutil", "-N", "-d", certDatabase.getAbsolutePath(),
- "-f", passwordFile.getAbsolutePath()
 };
+ List list = new ArrayList<>(Arrays.asList(commands));
+
+ if (mainCLI.config.getCertPassword() == null) {
+ list.add("--empty-password");
+
+ } else {
+ try (PrintWriter out = new PrintWriter(new FileWriter(passwordFile))) {
+ out.println(mainCLI.config.getCertPassword());
+ }
+
+ list.add("-f");
+ list.add(passwordFile.getAbsolutePath());
+ }
+
+ commands = new String[list.size()];
+ list.toArray(commands);
+
 Runtime rt = Runtime.getRuntime();
 Process p = rt.exec(commands);
@@ -119,7 +129,7 @@ public class ClientInitCLI extends CLI {
 MainCLI.printMessage("Client initialized");
 } finally {
- passwordFile.delete();
+ if (passwordFile.exists()) passwordFile.delete();
 }
 }
 }
-- cgit
From 516e9360f96721bdbd0301b12120c9d47225e5e4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 21 Mar 2017 02:46:12 +0100
Subject: Allowing client cert auth without NSS database password.

The PKI CLI has been modified to support client cert authentication without NSS database password.
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 11 -----------
 1 file changed, 11 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 653695173..d7246d60c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
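Review bot: In the `else` branch the database password is still written in clear text to `password.txt` through `new PrintWriter(new FileWriter(passwordFile))`, which creates the file with whatever permissions the umask allows, so on a shared host it may be readable by other users until the `finally` block removes it. Create the file owner-only before opening the writer, e.g. `Files.createFile(passwordFile.toPath(), PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));` (this needs `java.nio.file` imports outside the hunk, and a file left over from an earlier run would have to be removed first). In the following hunk the result of `passwordFile.delete()` is still ignored; a failed delete leaves the password on disk and should at least be reported. `List list` is a raw type as shown on the page; `List<String>` is presumably what is meant.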
@@ -366,9 +366,6 @@ public class MainCLI extends CLI {
 if (certPasswordFile != null && certPassword != null) {
 throw new Exception("The '-C' and '-c' options are mutually exclusive.");
-
- } else if (certPasswordFile == null && certPassword == null) {
- throw new Exception("Missing security database password.");
 }
 } else if (username != null) { // basic authentication
@@ -402,14 +399,6 @@ public class MainCLI extends CLI {
 // XXX TBD set client security database token
 certPassword = tokenPasswordPair[1];
-
- } else if (certNickname != null && certPassword == null) {
- // prompt for security database password if required for authentication
- //
- // NOTE: This overrides the password callback provided
- // by JSS for NSS security database authentication.
- //
- certPassword = promptForPassword("Enter Client Security Database Password: ");
 }
 // store security database password
-- cgit