
22.2. Subsystem Health Check


It is important for administrators to periodically monitor possible failures, such as the following:
  • Audit failure caused by a full disk
  • Signing failure caused by HSM connection issue
  • LDAP server connection issues
  • And so on
Self-tests can also be run on demand as described in Section 14.9, “Running Self-Tests”.

22.2.1. Healthcheck in PKI

PKI Healthcheck is a command-line tool that helps find issues that may impact the health of your Certificate System environment. If needed, this tool can report to the Healthcheck tool present in Red Hat Identity Management.

22.2.1.1. PKI Healthcheck Test Modules

PKI Healthcheck consists of independent modules which test for:
  • Certificate sync between CS.cfg and NSS database
    Checks whether the system certificates in CS.cfg (located in /var/lib/pki/<instance>/<subsystem>/conf/CS.cfg) and the NSS database (located in /var/lib/pki/<instance>/alias/) match. If they do not match, the Certificate Authority (CA) fails to start.
  • System certificate expiry
    Checks the expiry status of the installed system certificates (See System Certificates for more information).
  • System certificate trust flags
    Checks whether the installed system certificates carry the correct Trust flags (See System Certificates for more information).
  • Subsystem connectivity check
    Checks whether a subsystem is running and able to respond to requests.
  • Subsystem clones connectivity and data check
    Checks simple connectivity and data sanity for a set of clones configured within a given CS subsystem. A given CA subsystem’s security domain is consulted to identify clones that have been set. The check then proceeds to reach out to each clone and verify data sanity where applicable.

22.2.1.2. PKI Healthcheck Configuration

The PKI Healthcheck tool configuration is stored at /etc/pki/healthcheck.conf. It looks like the following:
    [global]
    plugin_timeout=300
    cert_expiration_days=30

    # Dogtag specific section
    [dogtag]
    instance_name=pki-tomcat

22.2.1.3. Running PKI Healthcheck

  • To perform a health check, run the pki-healthcheck command.
  • You can also execute a specific check. For example:
    # pki-healthcheck --source pki.server.healthcheck.meta.csconfig --check DogtagCertsConfigCheck
For more information on the possible options, see the man page: man pki-healthcheck.

22.2.1.4. Healthcheck Output Formats

Healthcheck generates the following outputs, which you can set using the --output-type:
  • By default, machine-readable output in JSON format (json).
  • Alternatively, human-readable output (human).
You can specify an alternative file destination with the --output-file option.

22.2.1.5. Healthcheck Results

The report consists of a message describing what was run and the status. Each Healthcheck module returns one of the following results:
  • SUCCESS
    configured as expected, the check executed and found no issue
  • WARNING
    not an error, but worth keeping an eye on or evaluating (e.g. a certificate will expire soon)
  • ERROR
    not configured as expected, something is wrong but your server is probably still working (e.g. a clone conflict)
  • CRITICAL
    not configured as expected, with a high possibility for impact (e.g. a service is not started, certificates are expired, etc.)
If the status is not successful, the message may include additional information or recommendations, which can be used by the admin to correct the issue (e.g. a file has the wrong permissions, expected X and got Y).
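
One way to turn the JSON report into a monitoring alert, as an added example that is not part of the original documentation or of Certificate System itself. It assumes the report is a JSON list whose entries carry "source", "check", "result" and "kw" keys; the sample report, the "example.*" names and the exit-code mapping are constructed for illustration.

```python
import json
import sys

# Result levels as listed in this section, ordered from best to worst.
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Constructed sample report, not captured from a real system. The keys
# "source", "check", "result" and "kw" are assumptions about the JSON layout;
# the two "example.*" sources and their check names are placeholders.
SAMPLE_REPORT = """[
 {"source": "pki.server.healthcheck.meta.csconfig",
  "check": "DogtagCertsConfigCheck", "result": "SUCCESS", "kw": {}},
 {"source": "example.expiry", "check": "ExampleExpiryCheck",
  "result": "WARNING", "kw": {"msg": "constructed: certificate expires soon"}},
 {"source": "example.service", "check": "ExampleServiceCheck",
  "result": "CRITICAL", "kw": {"msg": "constructed: service is not started"}}
]"""

def triage(report_text, threshold="WARNING"):
    """Return (worst_level, findings at or above threshold)."""
    entries = json.loads(report_text)
    if not isinstance(entries, list) or not entries:
        # An empty report means no check ran; do not report that as healthy.
        raise ValueError("report contains no check results")
    worst, findings = "SUCCESS", []
    for entry in entries:
        level = entry.get("result")
        if level not in SEVERITY:
            level = "CRITICAL"  # fail closed on a missing or unknown level
        if SEVERITY[level] > SEVERITY[worst]:
            worst = level
        if SEVERITY[level] >= SEVERITY[threshold]:
            msg = (entry.get("kw") or {}).get("msg", "")
            findings.append((level, entry.get("source"), entry.get("check"), msg))
    findings.sort(key=lambda f: SEVERITY[f[0]], reverse=True)
    return worst, findings

def exit_code(worst):
    """Hypothetical monitoring convention: 0 ok, 1 warning, 2 error or worse."""
    return min(SEVERITY[worst], 2)

if __name__ == "__main__":
    # Pass a file written with --output-file, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    worst, findings = triage(text)
    for level, source, check, msg in findings:
        print(f"{level:8} {source}.{check} {msg}")
    sys.exit(exit_code(worst))
```

Treating an unknown level or an empty report as a failure keeps a changed output format or a crashed run from being read as a healthy system.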
© 2024 Red Hat, Inc.