Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 10. Self-tests
Red Hat Certificate System has the added functionality to allow self-tests of the server. The self-tests are run at start up and can also be run on demand. The startup self-tests run when the server starts and keep the server from starting if a critical self-test fails. The on-demand self-tests are run by clicking the self-tests button in the subsystem console.
10.1. Running self-tests
You can run the on-demand self-tests using the CLI on all CS subsystems (CA, OCSP, KRA, TKS, and TPS).
The console also provides on-demand self-tests services, however only for the CA, OCSP, KRA, and TKS subsystems - not for the TPS. As the pkiconsole tool is also being deprecated, we encourage using the CLI.
10.1.1. Running self-tests from the console
Log into the Console.
pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:admin_port/subsystem_type
# pkiconsole -d nssdb -n 'optional client cert nickname' https://server.example.com:admin_port/subsystem_typeCopy to Clipboard Copied! Toggle word wrap Toggle overflow Notepkiconsoleis being deprecated and will be replaced by a new browser-based UI in a future major release. Althoughpkiconsolewill continue to be available until the replacement UI is released, we encourage using the command line equivalent ofpkiconsoleat this time, as the pki CLI will continue to be supported and improved upon even when the new browser-based UI becomes available in the future.Select the subsystem name at the top of the left pane.
- Select the Self Tests tab.
Click .
The self-tests that are configured for the subsystem will run. If any critical self-tests fail, the server will stop.
- The On-Demand Self Tests Results window appears, showing the logged events for this run of the self-tests.
10.1.2. Running self-tests using the CLI
The following command-line interfaces (CLIs) are available for self-tests for all subsystems. Where <subsystem> can be “ca”, “kra”, “ocsp”, “tks”, or “tps”
To view all the self-tests enabled for a subsystem:
pki -d nssdb -n 'cert-nickname' -p subsystem_port <subsystem>-selftest-find
# pki -d nssdb -n 'cert-nickname' -p subsystem_port <subsystem>-selftest-findCopy to Clipboard Copied! Toggle word wrap Toggle overflow For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow To run on demand self-tests:
pki -d nssdb -n ‘cert-nickname’ -p subsystem_port <subsystem>-selftest-run
# pki -d nssdb -n ‘cert-nickname’ -p subsystem_port <subsystem>-selftest-runCopy to Clipboard Copied! Toggle word wrap Toggle overflow For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow To show the details of a self-test:
pki -d nssdb -n ‘cert-nickname’ -p subsystem_port <subsystem>-selftest-show
# pki -d nssdb -n ‘cert-nickname’ -p subsystem_port <subsystem>-selftest-showCopy to Clipboard Copied! Toggle word wrap Toggle overflow For example:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
10.2. Debugging self-tests failures
In the event of self-test failure, the Certificate System instance will stop completely and will not respond to any HTTP or HTTPS requests.
To diagnose a manually run self-test failure, refer to the various logs described in Section 10.2.1, “Self-Test logging”. Often other logs are useful as well, including debug logs. For more information on subsystem logs, refer to Chapter 12, Configuring subsystem logs. For more information on debug logs, refer to 2.3.14 Logs section under Chapter 2 Certificate System Architecture Overview in the Planning, Installation and Deployment Guide (Common Criteria Edition).
Common causes of self-test failures are services (such as LDAP) are down or unreachable, certificates are expired, or the system configuration is wrong. A precise cause of self-test failure is given in the logs.
After the cause of the self-test failure is identified and fixed, please restart the Certificate System server to resume normal operations:
systemctl restart pki-tomcatd-nuxwdog@instance_name.service
# systemctl restart pki-tomcatd-nuxwdog@instance_name.service10.2.1. Self-Test logging
A separate log, selftests.log, is added to the log directory that contains reports for both the start up self-tests and the on-demand self-tests. This log is configured by changing the setting for the log in the CS.cfg file. See the Modifying Self-Test Configuration in the Planning, Installation and Deployment Guide (Common Criteria Edition) for details.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}