Chapter 19. Using the Health Check Feature to Identify Problems

The dsctl healthcheck command analyzes the Directory Server instance for potential issues and recommends solutions to solve them.
The following table displays the checks the health check feature performs:

Table 19.1. Overview of Checks

Component Severity Result Code Description
Backend Low DSBLE0003 The database was not initialized. A database was created but the database is empty.
Backend Medium DSBLE0001 The mapping tree entry for a back end is missing in the configuration.
Config Low DSCLE0001 High-resolution time stamps are disabled.
Config High DSVIRTLE0001 A virtual attribute is incorrectly indexed. Indexed attributes used by roles or Class of Service (CoS) definitions can corrupt search results.
Operating System Medium DSPERMLE0001 The permissions set on the /etc/resolv.conf file are other than 0644.
Operating System High DSDSLE0001 Disk space is low.
Operating System High DSPERMLE0002 The permissions set on the /etc/dirsrv/slapd-instance_name/pin.txt and /etc/dirsrv/slapd-instance_name/pwdfile.txt files are other than 0400.
Plug-ins Low DSRILE0001 An update delay is set for the Referential Integrity plug-in. This can cause replication issues.
Plug-ins High DSRILE0002 The Referential Integrity plug-in is missing indexes. The plug-in queries certain attributes on every delete operation; if those attributes are not indexed, this causes hard-to-detect unindexed searches and high CPU usage.
Replication Low DSREPLLE0002 Conflict entries exist in the database.
Replication Low DSSKEWLE0001 The replication time skew is larger than 6 hours and lower than 12 hours.
Replication Medium DSCLLE0001 Changelog trimming is disabled. In this case, the changelog grows without limits.
Replication Medium DSREPLLE0004 The health check failed to retrieve the replication status.
Replication Medium DSREPLLE0003 The topology is not in sync, but the replication is working.
Replication Medium DSREPLLE0005 A remote replica is not reachable.
Replication Medium DSSKEWLE0002 The replication time skew is larger than 12 hours and lower than 24 hours.
Replication High DSREPLLE0001 The topology is not in sync, and the replication is not working.
Replication High DSSKEWLE0003 The replication time skew is larger than 24 hours. Replication sessions could break.
Security Medium DSELE0001 The minimum TLS version is set to a value lower than TLS 1.2.
Security High DSCLE0002 A weak password storage scheme is configured.
Server High DSBLE0002 The health check failed to query the back end.
TLS certificates Medium DSCERTLE0001 The server certificate expires within the next 30 days.
TLS certificates High DSCERTLE0002 The server certificate has expired.

19.1. Running the Directory Server Health Check

To run the health check, enter:
# dsctl instance_name healthcheck
Beginning lint report, this could take a while ...
Checking Backends ...
Checking Config ...
Checking Encryption ...
Checking FSChecks ...
Checking ReferentialIntegrityPlugin ...
Checking MonitorDiskSpace ...
Checking Replica ...
Checking Changelog5 ...
Checking NssSsl ...
Healthcheck complete.
1 Issue found!  Generating report ...

Example 19.1. Possible Report of the Health Check

The following shows an example health check report:
[1] DS Lint Error: DSELE0001
--------------------------------------------------------------------------------
Severity: MEDIUM 
Affects:
 -- cn=encryption,cn=config

Details:
-----------
This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to
have a number of issues with the protocol. Please see:

https://tools.ietf.org/html/rfc7457

It is advised you set this value to the maximum possible.

Resolution:
-----------
There are two options for setting the TLS minimum version allowed.  You,
can set "sslVersionMin" in "cn=encryption,cn=config" to a version greater than "TLS1.0"
You can also use 'dsconf' to set this value.  Here is an example:

    # dsconf slapd-instance_name security set --tls-protocol-min=TLS1.2

You must restart the Directory Server for this change to take effect.

Or, you can set the system wide crypto policy to FUTURE which will use a higher TLS
minimum version, but doing this affects the entire system:

    # update-crypto-policies --set FUTURE


===== End Of Report (1 Issue found) =====
To display the output in JSON format, pass the --json parameter to the command:
# dsctl --json instance_name healthcheck

Example 19.2. Possible Report of the Health Check in JSON Format

The following shows an example health check report in JSON format:
[
    {
        "dsle": "DSELE0001",
        "severity": "MEDIUM",
        "items": [
            "cn=encryption,cn=config"
        ],
        "detail": "This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to\nhave a number of issues with the protocol. Please see:\n\nhttps://tools.ietf.org/html/rfc7457\n\nIt is advised you set this value to the maximum possible.",
        "fix": "There are two options for setting the TLS minimum version allowed.  You,\ncan set \"sslVersionMin\" in \"cn=encryption,cn=config\" to a version greater than \"TLS1.0\"\nYou can also use 'dsconf' to set this value.  Here is an example:\n\n    # dsconf slapd-instance_name security set --tls-protocol-min=TLS1.2\n\nYou must restart the Directory Server for this change to take effect.\n\nOr, you can set the system wide crypto policy to FUTURE which will use a higher TLS\nminimum version, but doing this affects the entire system:\n\n    # update-crypto-policies --set FUTURE"
    }
]
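The JSON form is the one to feed into monitoring. The following script is an added example, not part of the Red Hat documentation or of the dsctl tool: it parses a report in the format of Example 19.2 (the sample report, its item names and its fix texts are constructed) into a severity-ordered triage list and returns a Nagios-style exit status, so a scheduled job can alert on HIGH findings such as an expired certificate or a weak password scheme.

```python
import json
import sys
from collections import Counter

# Severity ranking used both for ordering findings and for the exit status.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report in the shape of 'dsctl --json instance_name healthcheck'
# output (same keys as Example 19.2); item names and fix texts are made up.
SAMPLE_REPORT = """[
  {"dsle": "DSELE0001", "severity": "MEDIUM",
   "items": ["cn=encryption,cn=config"],
   "detail": "This Directory Server may not be using strong TLS protocol versions.",
   "fix": "Set sslVersionMin in cn=encryption,cn=config to TLS1.2 or higher."},
  {"dsle": "DSCERTLE0002", "severity": "HIGH",
   "items": ["Server-Cert"],
   "detail": "The server certificate has expired.",
   "fix": "Renew the server certificate."},
  {"dsle": "DSCLE0001", "severity": "LOW",
   "items": ["cn=config"],
   "detail": "High-resolution time stamps are disabled.",
   "fix": "Enable high-resolution time stamps in the log configuration."}
]"""

def parse_report(raw):
    """Parse the JSON report. No issues means an empty list; tolerate missing keys."""
    findings = json.loads(raw) if raw.strip() else []
    for f in findings:
        f.setdefault("items", [])
        f["severity"] = str(f.get("severity", "LOW")).upper()
    return findings

def triage(findings):
    """Return findings ordered HIGH -> LOW plus a count per severity."""
    ordered = sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return ordered, Counter(f["severity"] for f in findings)

def exit_status(findings, fail_on="HIGH"):
    """0 = no findings, 1 = only findings below fail_on, 2 = at least one at/above it."""
    if not findings:
        return 0
    worst = max(SEVERITY_RANK.get(f["severity"], 0) for f in findings)
    return 2 if worst >= SEVERITY_RANK[fail_on] else 1

def summarize(raw):
    """One line per finding (severity, result code, affected items, detail) and the status."""
    ordered, _ = triage(parse_report(raw))
    lines = [f"{f['severity']:<6} {f['dsle']:<12} {', '.join(f['items'])}: {f['detail']}"
             for f in ordered]
    return lines, exit_status(ordered)

if __name__ == "__main__":
    # Real use: replace SAMPLE_REPORT with the stdout of 'dsctl --json instance_name healthcheck'.
    report_lines, status = summarize(SAMPLE_REPORT)
    print("\n".join(report_lines))
    sys.exit(status)
```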