5.3. Using Shared Security Databases

The Enterprise Security Client usually creates a new NSS security database for keys and certificates for each user profile associated with the Enterprise Security Client. Whenever a user imports or trusts a certificate for the Enterprise Security Client to use, it is imported into that NSS database for that profile. (This is similar to the way that web browsers have different user profiles with different security databases, password stores, and bookmarks for each profile.)
There can be instances when there are multiple Enterprise Security Client users who all use the client on a single machine. In that case, it makes sense to have a common, shared security database that is trusted by the Enterprise Security Client in addition to the user profile databases. That shared security database contains certificates that are held in common by all users, such as the CA signing certificate used by the TPS.
Using a shared security database is not configured by default.
  1. Stop the Enterprise Security Client.
  2. Create the security database directory and the databases that will be shared. Before configuring the Enterprise Security Client, the databases must exist, be readable by the client, and contain the certificates that will be used by the client.
    NSS databases can be created using the certutil command. See the certutil documentation, such as http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html, for more information.
  3. Open the esc-prefs.js file. 
    vim /usr/lib/esc-1.1.0/defaults/preferences/esc-prefs.js
  4. Add the esc.global.alt.nss.db parameter, pointing to the directory which contains the shared database. 
    prefs("esc.global.alt.nss.db", "/etc/pki/nssdb");
  5. When the Enterprise Security Client is restarted, the configuration changes will be applied.