Introduce NSS database /etc/ipa/nssdb

This is the new default NSS database for IPA.

/etc/pki/nssdb is still maintained for backward compatibility.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

ipapython/certdb.py

@@ -17,6 +17,34 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import os
+
+from ipaplatform.paths import paths
+from ipapython import ipautil
+
 CA_NICKNAME_FMT = "%s IPA CA"
+
+
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
     return format % realm
+
+
+def create_ipa_nssdb():
+    pwdfile = os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')
+
+    ipautil.backup_file(pwdfile)
+    ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'))
+    ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'))
+    ipautil.backup_file(os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'))
+
+    with open(pwdfile, 'w') as f:
+        f.write(ipautil.ipa_generate_password(pwd_len=40))
+    os.chmod(pwdfile, 0600)
+
+    ipautil.run([paths.CERTUTIL,
+         "-N",
+         "-d", paths.IPA_NSSDB_DIR,
+         "-f", pwdfile])
+    os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'), 0644)
+    os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'), 0644)
+    os.chmod(os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'), 0644)