Chapter 1. Installing and running the IdM Healthcheck tool
This chapter describes the IdM Healthcheck tool and how to install and run it.
1.1. Healthcheck in IdM
The Healthcheck tool in Identity Management (IdM) helps find issues that may impact the health of your IdM environment.
The Healthcheck tool is a command line tool that can be used without Kerberos authentication.
Modules are Independent
Healthcheck consists of independent modules which test for:
- Replication issues
- Certificate validity
- Certificate Authority infrastructure issues
- IdM and Active Directory trust issues
- Correct file permissions and ownership settings
Two output formats
Healthcheck generates the following outputs, which you can set using the
json: Machine-readable output in JSON format (default)
human: Human-readable output
You can specify a different file destination with the
Each Healthcheck module returns one of the following results:
- configured as expected
- not an error, but worth keeping an eye on or evaluating
- not configured as expected
- not configured as expected, with a high possibility for impact
1.2. Installing IdM Healthcheck
This section describes how to install the IdM Healthcheck tool.
[root@server ~]# dnf install ipa-healthcheck
--failures-onlyoption to have
ipa-healthcheckonly report errors. A fully-functioning IdM installation returns an empty result of
[root@server ~]# ipa-healthcheck --failures-only 
ipa-healthcheck --helpto see all supported arguments.
1.3. Running IdM Healthcheck
Healthcheck can be run manually or automatically using log rotation.
- The Healthcheck tool must be installed. See Installing IdM Healthcheck.
To run healthcheck manually, enter the
[root@server ~]# ipa-healthcheck
For all options, see the man page:
1.4. Log rotation
Log rotation creates a new log file every day, and the files are organized by date. Since log files are saved in the same directory, you can select a particular log file according to the date.
Rotation means that there is configured a number for max number of log files and if the number is exceeded, the newest file rewrites and renames the oldest one. For example, if the rotation number is 30, the thirty-first log file replaces the first (oldest) one.
Log rotation reduces voluminous log files and organizes them, which can help with analysis of the logs.
1.5. Configuring log rotation using the IdM Healthcheck
This section describes how to configure a log rotation with:
systemd timer runs the Healthcheck tool periodically and generates the logs. The default value is set to 4 a.m. every day.
crond service is used for log rotation.
The default log name is
healthcheck.log and the rotated logs use the
- You must execute commands as root.
# systemctl enable ipa-healthcheck.timer Created symlink /etc/systemd/system/multi-user.target.wants/ipa-healthcheck.timer -> /usr/lib/systemd/system/ipa-healthcheck.timer.
# systemctl start ipa-healthcheck.timer
/etc/logrotate.d/ipahealthcheckfile to configure the number of logs which should be saved.
By default, log rotation is set up for 30 days.
/etc/logrotate.d/ipahealthcheckfile, configure the path to the logs.
By default, logs are saved in the
/etc/logrotate.d/ipahealthcheckfile, configure the time for log generation.
By default, a log is created daily at 4 a.m.
To use log rotation, ensure that the
crondservice is enabled and running:
# systemctl enable crond # systemctl start crond
To start with generating logs, start the IPA healthcheck service:
# systemctl start ipa-healthcheck
To verify the result, go to
/var/log/ipa/healthcheck/ and check if logs are created correctly.
1.6. Additional resources
See the following sections of the Configuring and managing Identity Management guide for examples of using IdM Healthcheck.
- You can also see those chapters organized into a single guide: Using IdM Healthcheck to monitor your IdM environment