Red Hat SummitQuesto contenuto non è disponibile nella lingua selezionata.
13.9. Running Self-Tests
The Certificate System has the added functionality to allow self-tests of the server. The self-tests are run at start up and can also be run on demand. The startup self-tests run when the server starts and keep the server from starting if a critical self-test fails. The on-demand self-tests are run by clicking the self-tests button in the subsystem console.
13.9.1. Running Self-Tests
Copia collegamentoCollegamento copiato negli appunti!
The on-demand self-test for the CA, OCSP, KRA, or TKS subsystems are run from the console. The on-demand self-tests for the TPS system are run from the web services page.
13.9.1.1. Running Self-Tests from the Console
Copia collegamentoCollegamento copiato negli appunti!
- Log into the Console.
pkiconsole https://server.example.com:admin_port/subsystem_type
pkiconsole https://server.example.com:admin_port/subsystem_typeCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Select the subsystem name at the top of the left pane.
- Select the Self Tests tab.
- Click .The self-tests that are configured for the subsystem will run. If any critical self-tests fail, the server will stop.
- The On-Demand Self Tests Results window appears, showing the logged events for this run of the self-tests.
13.9.1.2. Running TPS Self-Tests
Copia collegamentoCollegamento copiato negli appunti!
To run TPS self-tests from the command-line interface (CLI):
pki tps-selftest-findpki tps-selftest-runpki tps-selftest-show
13.9.2. Self-Test Logging
Copia collegamentoCollegamento copiato negli appunti!
A separate log,
selftest.log, is added to the log directory that contains reports for both the start up self-tests and the on-demand self-tests. This log is configured by changing the setting for the log in the CS.cfg file. For more information, see Modifying Self-Test Configuration.
13.9.3. Configuring POSIX System ACLs
Copia collegamentoCollegamento copiato negli appunti!
POSIX system access control rules provide finer granularity over system user permissions. These ACLs must be set for each instance after it is fully configured. For more details on ACLs, see Configuring ACLs.
13.9.3.1. Setting POSIX System ACLs for the CA, KRA, OCSP, TKS, and TPS
Copia collegamentoCollegamento copiato negli appunti!
Modern file systems like ext4 and XFS enable ACLs by default, and are most likely used on modern Red Hat Enterprise Linux installations.
- Stop the instance.
systemctl stop pki-tomcatd@instance_name.service
systemctl stop pki-tomcatd@instance_name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Set the group readability to the pkiadmin group for the instance's directories and files.
setfacl -R -L -m g:pkiadmin:r,d:g:pkiadmin:r /var/lib/pki/instance_name
# setfacl -R -L -m g:pkiadmin:r,d:g:pkiadmin:r /var/lib/pki/instance_nameCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Apply execute (x) ACL permissions on all directories:
find -L /var/lib/pki/instance_name -type d -exec setfacl -L -n -m g:pkiadmin:rx,d:g:pkiadmin:rx {} \;# find -L /var/lib/pki/instance_name -type d -exec setfacl -L -n -m g:pkiadmin:rx,d:g:pkiadmin:rx {} \;Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Remove group readability for the pkiadmin group from the instance's signedAudit/ directory and its associated files:
setfacl -R -L -x g:pkiadmin,d:g:pkiadmin /var/lib/pki/instance_name/logs/signedAudit
# setfacl -R -L -x g:pkiadmin,d:g:pkiadmin /var/lib/pki/instance_name/logs/signedAuditCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Set group readability for the pkiaudit group for the instance's signedAudit/ directory and its associated files:
setfacl -R -L -m g:pkiaudit:r,d:g:pkiaudit:r /var/lib/pki/instance_name/logs/signedAudit
# setfacl -R -L -m g:pkiaudit:r,d:g:pkiaudit:r /var/lib/pki/instance_name/logs/signedAuditCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Re-apply execute (x) ACL permissions on the signedAudit/ directory and all of its subdirectories:
find -L /var/lib/pki/instance_name/logs/signedAudit -type d -exec setfacl -L -n -m g:pkiaudit:rx,d:g:pkiaudit:rx {} \;# find -L /var/lib/pki/instance_name/logs/signedAudit -type d -exec setfacl -L -n -m g:pkiaudit:rx,d:g:pkiaudit:rx {} \;Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Start the instance.
systemctl start pki-tomcatd@instance_name.service
systemctl start pki-tomcatd@instance_name.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Confirm that the file access controls were properly applied by using the
getfaclcommand to show the current ACL settings:Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}