Update PKIServer.open_nssdb()

The PKIServer.open_nssdb() has been modified to ensure that the
NSSDatabase object being created has the password.conf, the user,
and the group of PKI server such that it can be used to access
HSM and create files with the proper ownership.

base/server/python/pki/server/__init__.py

@@ -875,16 +875,16 @@ def create_nssdb(self, force=False):
 
         pki.util.chown(self.nssdb_dir, self.uid, self.gid)
 
-    def open_nssdb(self, token=pki.nssdb.INTERNAL_TOKEN_NAME,
-                   user=None, group=None):
+    def open_nssdb(self, token=pki.nssdb.INTERNAL_TOKEN_NAME):
         return pki.nssdb.NSSDatabase(
             directory=self.nssdb_dir,
             token=token,
             password=self.get_token_password(token),
             internal_password=self.get_token_password(),
             passwords=self.passwords,
-            user=user,
-            group=group)
+            password_conf=self.password_conf,
+            user=self.user,
+            group=self.group)
 
     def get_webapps(self):
 

base/server/python/pki/server/deployment/__init__.py

@@ -1645,11 +1645,7 @@ def generate_ca_signing_request(self, subsystem):
         if not token:
             token = self.mdict['pki_token_name']
 
-        nssdb = self.instance.open_nssdb(
-            token=token,
-            user=self.mdict.get('pki_user'),
-            group=self.mdict.get('pki_group'),
-        )
+        nssdb = self.instance.open_nssdb(token)
 
         try:
             self.generate_csr(
@@ -2815,10 +2811,7 @@ def create_cert_key(self, tag, request):
         else:
             raise Exception('Unsupported key type: %s' % key_type)
 
-        nssdb = self.instance.open_nssdb(
-            user=self.mdict['pki_user'],
-            group=self.mdict['pki_group']
-        )
+        nssdb = self.instance.open_nssdb()
         try:
             result = nssdb.create_key(
                 token=token,
@@ -3001,10 +2994,7 @@ def create_temp_sslserver_cert(self):
         self.instance.set_sslserver_cert_nickname(nickname)
 
         tmpdir = tempfile.mkdtemp()
-        nssdb = self.instance.open_nssdb(
-            user=self.mdict['pki_user'],
-            group=self.mdict['pki_group']
-        )
+        nssdb = self.instance.open_nssdb()
 
         try:
             logger.info('Checking existing temp SSL server cert: %s', nickname)
@@ -3072,10 +3062,7 @@ def remove_temp_sslserver_cert(self):
         nickname = self.mdict['pki_self_signed_nickname']
         logger.info('Removing temp SSL server cert: %s', nickname)
 
-        nssdb = self.instance.open_nssdb(
-            user=self.mdict['pki_user'],
-            group=self.mdict['pki_group']
-        )
+        nssdb = self.instance.open_nssdb()
 
         try:
             # remove temp SSL server cert and key

base/server/python/pki/server/deployment/scriptlets/configuration.py

@@ -57,9 +57,7 @@ def spawn(self, deployer):
         subsystem.save()
 
         token = pki.nssdb.normalize_token(deployer.mdict['pki_token_name'])
-        nssdb = instance.open_nssdb(
-            user=deployer.mdict['pki_user'],
-            group=deployer.mdict['pki_group'])
+        nssdb = instance.open_nssdb()
 
         clone = deployer.configuration_file.clone
 
@@ -181,9 +179,7 @@ def spawn(self, deployer):
         if 'pki_one_time_pin' not in deployer.mdict:
             deployer.mdict['pki_one_time_pin'] = subsystem.config['preop.pin']
 
-        nssdb = subsystem.instance.open_nssdb(
-            user=deployer.mdict['pki_user'],
-            group=deployer.mdict['pki_group'])
+        nssdb = subsystem.instance.open_nssdb()
 
         try:
             system_certs = deployer.setup_system_certs(nssdb, subsystem)