Chapter 4. Verifying permissions of IdM configuration files by using Healthcheck
You can test the ownership and permissions of configuration files on an Identity Management (IdM) server by using the Healthcheck tool.
For general information about the tool, see Healthcheck in IdM.
4.1. File permissions Healthcheck tests
The Healthcheck tool tests the ownership and permissions of files installed or configured by Identity Management (IdM).
If you change the ownership or permissions of these files, the tests return a warning in the result section. While this does not necessarily mean that the configuration does not work, it means that the file differs from the default configuration.
You can find the file permissions tests under the ipahealthcheck.ipa.files source of the output of the ipa-healthcheck --list-sources command.
- IPAFileNSSDBCheck
  This test checks the 389-ds NSS database and the Certificate Authority (CA) database, if relevant. The 389-ds database is located in /etc/dirsrv/slapd-<dashed-REALM> and the CA database is located in /etc/pki/pki-tomcat/alias/.
- IPAFileCheck
  This test checks the following files:
  - /var/lib/ipa/ra-agent.{key|pem}
  - /var/lib/ipa/certs/httpd.pem
  - /var/lib/ipa/private/httpd.key
  - /etc/httpd/alias/ipasession.key
  - /etc/dirsrv/ds.keytab
  - /etc/ipa/ca.crt
  - /etc/ipa/custodia/server.keys
  - /etc/resolv.conf
  - /etc/hosts
  If PKINIT is enabled, it also tests:
  - /var/lib/ipa/certs/kdc.pem
  - /var/lib/ipa/private/kdc.key
  If DNS is configured, it also tests:
  - /etc/named.keytab
  - /etc/ipa/dnssec/ipa-dnskeysyncd.keytab
- TomcatFileCheck
  This test checks certain tomcat-specific files:
  - /etc/pki/pki-tomcat/password.conf
  - /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
  - /etc/pki/pki-tomcat/server.xml
4.2. Screening configuration files by using Healthcheck
You can run a standalone manual test to check the ownership and permissions of configuration files on an Identity Management (IdM) server by using the Healthcheck tool.
Procedure
To run Healthcheck tests on IdM configuration file ownership and permissions, while displaying only warnings, errors and critical issues, enter:
# ipa-healthcheck --source=ipahealthcheck.ipa.files
A successful test displays empty brackets:
[]
Failed tests display results similar to the following
WARNING:
Note
Run these tests on all IdM servers when trying to find issues.
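Because the tests should be run on every IdM server, the following added example (not part of the original documentation) triages results collected from several servers and lists first the files whose mode grants more access than the default. It assumes each server's output is a JSON list of result objects with `source`, `check`, `result` and a `kw` object holding `path`, `type`, `expected` and `got`; the hostnames and all values in the sample are constructed and are not the real IdM defaults.

```python
import json

FILES_SOURCE = "ipahealthcheck.ipa.files"

# Constructed sample: one JSON document per server, as captured from
# "ipa-healthcheck --source=ipahealthcheck.ipa.files". Hostnames, modes and
# owners are made up for illustration; they are not the real IdM defaults.
SAMPLE = {
    "idm1.example.test": "[]",  # a clean server prints empty brackets
    "idm2.example.test": json.dumps([
        {"source": FILES_SOURCE, "check": "TomcatFileCheck", "result": "WARNING",
         "kw": {"path": "/etc/pki/pki-tomcat/server.xml", "type": "owner",
                "expected": "pkiuser", "got": "root"}},
        {"source": FILES_SOURCE, "check": "IPAFileCheck", "result": "WARNING",
         "kw": {"path": "/etc/resolv.conf", "type": "mode",
                "expected": "0644", "got": "0600"}},
        {"source": FILES_SOURCE, "check": "IPAFileCheck", "result": "WARNING",
         "kw": {"path": "/etc/ipa/custodia/server.keys", "type": "mode",
                "expected": "0600", "got": "0644"}},
    ]),
}

def extra_bits(expected, got):
    """Permission bits set in `got` but not in `expected` (octal strings)."""
    return int(got, 8) & ~int(expected, 8)

def triage(outputs):
    """Return (host, path, kind, detail, looser) for each non-SUCCESS files result."""
    findings = []
    for host, raw in sorted(outputs.items()):
        for res in json.loads(raw):
            if res.get("source") != FILES_SOURCE or res.get("result") == "SUCCESS":
                continue
            kw = res.get("kw", {})
            kind, exp, got = kw.get("type", "?"), kw.get("expected"), kw.get("got")
            # "Looser" means the mode grants bits the default does not.
            looser = kind == "mode" and bool(exp and got and extra_bits(exp, got))
            findings.append((host, kw.get("path"), kind, f"{got} (default {exp})", looser))
    # Stable sort: files more permissive than the default come first.
    return sorted(findings, key=lambda f: not f[4])

if __name__ == "__main__":
    for host, path, kind, detail, looser in triage(SAMPLE):
        print(f"{'LOOSER' if looser else 'differs':8} {host} {path} {kind}: {detail}")
```

A mode that is stricter than the default, or a changed owner, is still reported, but sorted after files that expose key material to more users than intended.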