Add password to certutil calls in NSSDatabase

NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 41da723fa..e65592c19 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1543,6 +1543,12 @@ def upgrade_configuration():
             api.env.realm, paths.IPA_RADB_DIR, host_name=api.env.host)
     ca_running = ca.is_running()
 
+    # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist
+    # this file will be required on most actions over this NSS DB in FIPS
+    if not os.path.exists(os.path.join(
+            paths.PKI_TOMCAT_ALIAS_DIR, 'pwdfile.txt')):
+        ca.create_certstore_passwdfile()
+
     with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'):
         # Dogtag must be stopped to be able to backup CS.cfg config
         ca.backup_config()