
Commit 602fae0

committed
add option to enable FIPS on the NSS DB.
1 parent 91e5c91 commit 602fae0


2 files changed

+30
-7
lines changed


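--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ nsstools::create { '/etc/dirsrv/slapd-ldap1':
 mode => '0660',
 password => 'example',
 manage_certdir => false,
+enable_fips => false,
 }
 
 nsstools::add_cert_and_key{ 'Server-Cert':
@@ -128,7 +129,8 @@ nsstools::create { <title>:
 group => undef,
 mode => '0600',
 certdir_mode => '0700',
-manage_certdir => true
+manage_certdir => true,
+enable_fips => false,
 }
 ```
 
@@ -175,6 +177,12 @@ nsstools::create { <title>:
 
 `String` Defaults to: `0700`
 
+* `enable_fips`
+
+`Boolean` Defaults to: `true`
+
+If `true` enables FIPS compliance mode on the NSS DB.
+
 ### `add_cert`
 
 Insert a certificate into an existing NSS database.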

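--- a/manifests/create.pp
+++ b/manifests/create.pp
@@ -8,6 +8,7 @@
 # $mode - optional - defaults to '0600'
 # $certdir_mode - optional - defaults to '0700'
 # $manage_certdir - optional - defaults to true
+# $enable_fips - optional - defaults to false
 #
 # Actions:
 # creates a new NSS database, consisting of 4 files:
@@ -25,7 +26,8 @@
 # group => 'root',
 # mode => '0600',
 # certdir_mode => '0700',
-# manage_certdir => true
+# manage_certdir => true,
+# enable_fips => false,
 # }
 #
 #
@@ -36,7 +38,8 @@
 $group = undef,
 $mode = '0600',
 $certdir_mode = '0700',
-$manage_certdir = true
+$manage_certdir = true,
+$enable_fips = false,
 ) {
 include nsstools
 
@@ -47,6 +50,7 @@
 validate_string($mode)
 validate_string($certdir_mode)
 validate_bool($manage_certdir)
+validate_bool($enable_fips)
 
 if $manage_certdir {
 file { $certdir:
@@ -62,7 +66,8 @@
 $require_certdir = undef
 }
 
-file { "${certdir}/nss-password.txt":
+$_password_file = "${certdir}/nss-password.txt"
+file { $_password_file:
 ensure => file,
 owner => $owner,
 group => $group,
@@ -81,17 +86,27 @@
 group => $group,
 mode => $mode,
 require => [
-File["${certdir}/nss-password.txt"],
+File[$_password_file],
 Exec["create_nss_db_${title}"],
 ],
 }
 
 exec { "create_nss_db_${title}":
-command => "/usr/bin/certutil -N -d ${certdir} -f ${certdir}/nss-password.txt",
+command => "/usr/bin/certutil -N -d ${certdir} -f ${_password_file}",
 creates => ["${certdir}/cert8.db", "${certdir}/key3.db", "${certdir}/secmod.db"],
 require => [
-File["${certdir}/nss-password.txt"],
+File[$_password_file],
 Class['nsstools'],
 ]
 }
+
+if $enable_fips {
+# enable fips mode on the NSS DB after DB creation
+exec { "enable_fips_mode_${title}":
+command => "/usr/bin/modutil -fips true -dbdir ${certdir} -force",
+unless => "/usr/bin/modutil -chkfips true -dbdir ${certdir}",
+subscribe => [Exec["create_nss_db_${title}"],],
+refreshonly => true,
+}
+}
 }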
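Review bot: `refreshonly => true` on `enable_fips_mode_${title}` means the exec only runs when `create_nss_db_${title}` fires, and that exec is guarded by `creates`, so FIPS is switched on only during the run that first creates the database; setting `enable_fips => true` on an already-provisioned DB is a silent no-op, and there is no way to observe that drift. The `unless` probe already makes the exec idempotent, so the `subscribe`/`refreshonly` pair can be replaced by a plain ordering constraint, `require => Exec["create_nss_db_${title}"],`, with the `subscribe` and `refreshonly` lines dropped. It should also be confirmed against the installed NSS version that `modutil -chkfips true` exits non-zero when FIPS is off, since that is the exit semantics `unless` relies on. Separately, the README hunk in this commit documents `enable_fips` as defaulting to `true` while the parameter and the header comment here default it to `false`. The `nsstools::create` define begins before this hunk.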
