From Fedora Project Wiki

(Created page with "<!-- Make sure the pages is named as "Test Day:YYYY-MM-DD topic" --> {{Infobox_group | name = IPA HSM Test DAy | image = 300px|link=QA/Test Days | date = 2024-07-09 to 2024-07-11 <!-- The testdays app will parse this, so please make sure to have it in format 'date = YYYY-MM-DD' or 'date = YYYY-MM-DD to YYYY-MM-DD' --> | time = all day | website = QA/Test Days | matrix = {{matrix|#test-day:fedoraproject.org}} | fedora_mailing_list = test...")
 
 
(5 intermediate revisions by 3 users not shown)
Line 4: Line 4:
| name = IPA HSM Test DAy
| name = IPA HSM Test DAy
| image = [[File:test-days-banner.svg|300px|link=QA/Test Days]]
| image = [[File:test-days-banner.svg|300px|link=QA/Test Days]]
| date = 2024-07-09 to 2024-07-11
| date = '''2024-07-09 to 2024-07-11'''
<!-- The testdays app will parse this, so please make sure to have it in format 'date = YYYY-MM-DD' or 'date = YYYY-MM-DD to YYYY-MM-DD' -->
| time = all day
| time = all day
| website = [[QA/Test Days]]
| website = [[QA/Test Days]]
Line 18: Line 17:
<!-- Describe in detail what this test day is about and why would users want to participate in it. What makes this interesting for them? What's new and exciting in your software or a feature? -->
<!-- Describe in detail what this test day is about and why would users want to participate in it. What makes this interesting for them? What's new and exciting in your software or a feature? -->


This [[QA/Test Days|Test Day]] will focus on '''FIXME'''
This [[QA/Test Days|Test Day]] will focus on '''FreeIPA HSM'''


== Who's available ==
== Who's available ==
Line 24: Line 23:
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:
* Development - [[User:Developer1|rcritten]] (rcritten)
* Development - [[User:Developer1|rcritten]] (rcritten)
* Fedora QA - [[User:Sumantro Mukherjee|sumantrom]] (sumantrom)


You can chat with me on [https://docs.fedoraproject.org/en-US/project/communications/ Matrix]. See the infobox on top of the page to learn where to join.
You can chat with me on [https://docs.fedoraproject.org/en-US/project/communications/ Matrix]. See the infobox on top of the page to learn where to join.
Line 77: Line 77:
This should return the machine(s) to the pre-installed state.
This should return the machine(s) to the pre-installed state.


== Test Cases ==
Visit the '''[http://testdays.fedoraproject.org/events/191 results page]''' and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the ''Enter result'' button for the test.
 
=== Test Case 1 ===
 
Install a basic IPA server with HSM using softhsm2
 
How to test:
 
==== Install the freeipa packages ====
  # dnf install freeipa-server freeipa-server-dns softhsm -y
 
==== Rename the hostname with the domain to be used with ipa ====
  # hostnamectl hostname ipa.example.test
  # echo “<ip-address> ipa.example.test ” >> /etc/hosts
 
==== Create softhsm token ====
  # runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
 
==== Install the IPA server ====
  # ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
 
==== Ensure that certificate stored with the hsm token ====
  # certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token
 
  ipa_token:ocspSigningCert cert-pki-ca                    u,u,u
  ipa_token:subsystemCert cert-pki-ca                      u,u,u
  ipa_token:auditSigningCert cert-pki-ca                  u,u,Pu
  ipa_token:caSigningCert cert-pki-ca                      CTu,Cu,Cu
 
==== Basic IPA Sanity ====
 
Test that basic things within IPA work.
 
  # kinit admin
  # ipa user-add --first tim --last user --password tuser
  # id tuser
  # kinit tuser (and reset password)
  # ipa user-show tuser
 
=== Test Case 2 ===
 
TC2
 
Install an IPA server and replica with HSM using softhsm2
 
How to test:
 
Install the freeipa packages on both machines
  # dnf install freeipa-server freeipa-server-dns softhsm -y
 
Rename the hostname with the domain to be used with ipa
 
server:
  # hostnamectl hostname ipa.example.test
  # echo “<ip-address> ipa.example.test ” >> /etc/hosts
 
==== Create softhsm token on ipa.example.test only ====
  # runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
 
==== Install the IPA server ====
 
  # ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
 
==== Identify the token directory on ipa.example.test ====
 
  # ls -1tr /var/lib/softhsm/tokens/ | tail -1
 
This will return a UUID like e373ded4-8763-29e9-dff9-e41f6930297e
 
==== Copy token data to replica ====
  # export token=”<UUID>”
  # rsync -avp $IPA_SERVER_IP:/var/lib/softhsm/tokens/${token} /var/lib/softhsm/tokens/
 
==== Add a DNS server to ipa.example.test (it will make things easier) ====
 
  # ipa-dns-install --no-forwarders --auto-reverse
 
==== Add the replica IP information to DNS (on the IPA server) ====
 
  # kinit admin
  # ipa dnsrecord-add example.test. replica --a-rec=$REPLICA_IP
 
==== Set replica hostname ====
 
  # hostnamectl hostname replica.example.test
 
==== Configure the replica to use the IPA server DNS ====
 
  # resolvectl dns eth0 $IPA_SERVER_IP:53
 
==== Install ipa-replica ====
 
  # ipa-replica-install --domain example.test --realm EXAMPLE.TEST --admin-password $ADMIN_PASSWORD -U -N --setup-ca --token-password $TOKEN_PASSWORD
 
==== Verify that the certificate serial numbers are the same. Run this on both machines. ====
 
  # certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token -n 'ipa_token:subsystemCert cert-pki-ca' |grep -A1 'Serial Number:'
 
        Serial Number: 4 (0x4)
 
 
Expected result:
Package install succeed
HSM token created
The ipa-replica-install command succeeded.
All the certificates from the pki database have a token associated with it.
ipa_token:ocspSigningCert cert-pki-ca                    u,u,u
ipa_token:subsystemCert cert-pki-ca                      u,u,u
ipa_token:auditSigningCert cert-pki-ca                  u,u,Pu
ipa_token:caSigningCert cert-pki-ca                      CTu,Cu,Cu
The serial numbers should match. You can test the other nicknames if you’d like. They should also match between machines. On a networked HSM this would be because they are being read from the same place.
 
<!--
High level details on how a contributor can get involved.  This can include (but not limited to):
* Areas to target with exploratory testing
* Areas to put special focus on
* Links to documentation, if relevant
* How to report the results
Example: https://fedoraproject.org/wiki/Test_Day:2020-02-20_Gnome_3.36_Test_Day#How_to_test.3F
 
If not using the TestDays app, provide a list of test areas or test cases that you'd like contributors to execute. For examples, see https://fedoraproject.org/wiki/Category:Test_Cases . If possible, always include https://fedoraproject.org/wiki/QA:Testcase_Exploratory_Testing among test cases. If using the TestDays app, link the test cases in it.
-->
 
Visit the '''[http://testdays.fedoraproject.org/events/NUMBER FIXME results page]''' and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the ''Enter result'' button for the test.
 
Please also try to [[QA:Testcase_Exploratory_Testing|experiment and explore]] and perform tasks not mentioned in any of the pre-defined test cases.


== Reporting bugs ==
== Reporting bugs ==
Line 214: Line 89:
* [https://qa.fedoraproject.org/blockerbugs/milestone/41/final/buglist Fedora 41 Final blocker bugs]
* [https://qa.fedoraproject.org/blockerbugs/milestone/41/final/buglist Fedora 41 Final blocker bugs]


All new bugs should be reported into the '''[https://FIXME FIXME upstream bug tracker]'''. A less-preferred alternative is to file them into '''[https://bugzilla.redhat.com Red Hat Bugzilla]''', in most cases against the <code>FIXME</code> component.  
All new bugs should be reported into the [https://pagure.io/freeipa/issues upstream bug tracker]. A less-preferred alternative is to file them into [https://issues.redhat.com Red Hat JIRA], in most cases against the <code>ipa</code> component.  


{{admon/tip | We really need bug reports! | Please note that just mentioning your problem into the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you followup questions. Please file bug reports, it's much more useful than a short comment. Thank you!}}
{{admon/tip | We really need bug reports! | Please note that just mentioning your problem into the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you followup questions. Please file bug reports, it's much more useful than a short comment. Thank you!}}
Line 231: Line 106:
== Test Results ==
== Test Results ==


Test results will be exported here once the test day is over. See [[#How_to_test?|How to test?]] section for information how to submit results and see the live results.
Visit the '''[http://testdays.fedoraproject.org/events/191 results page]''' and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the ''Enter result'' button for the test.


<!--
=== Basic ===
If you're not using TestDays app for submitting test results, and want to let users input results directly into wiki, here's an example results table:
{| class="wikitable" width=100%
{|
! User
! User
! [[QA:Testcase_example_1|Example test 1]]
! Profile
! [[QA:Testcase_example_2|Example test 2]]
! [http://fedoraproject.org/wiki/QA:Testcase_basicIPA_with_HSM basicIPAwithHSM]
! [[QA:Testcase_example_3|Example test 3]]
! [http://fedoraproject.org/wiki/QA:Testcase_IPA_server_replica_HSM IPA server with replica HSM]
! [[QA:Testcase_example_4|Example test 4]]
! References
! References
|-
|-
| [[User:ExampleUser|Example User]]
| [[User:felipetg|felipetg]]
| {{result|none}}  
| VM using Fedora Rawhide (latest iso available)
| {{result|fail}}<ref>Issue 9623 created</ref>
|
| <references/>
|-
| [[User:sumenon|sumenon]]
|  
| {{result|pass}}{{result|pass}}<ref>Ignore https://pagure.io/freeipa/issue/9622</ref>{{result|fail}}<ref>https://pagure.io/freeipa/issue/9622</ref>
| {{result|pass}}
| {{result|pass}}
| {{result|warn}} <ref>Test pass, but also encountered {{bz|54321}}</ref>
| {{result|fail}} <ref>{{bz|12345}}</ref>
| <references/>
| <references/>
|-
|}
=== Key Recovery Authority (KRA) ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_Install_IPA_with_KRA IPA with KRA]
! [http://fedoraproject.org/wiki/QA:Testcase_Install_IPA_Server_replica_with_KRA IPA Server replica with KRA]
! References
|-
| [[User:sumenon|sumenon]]
| Fedora41
| {{result|pass}}<ref>KRA install is successful with the --token-password and --token-name option.
ipatoken: storageCert(u,u,u), auditSigningCert(u,u,Pu), transportCert(u,u,u), subsystemCert(u,u,u) are listed using 'certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token'
Vault can be added, data can be archived and retrieved.
</ref>
| {{result|pass}}<ref>Installation of Replica prompts 'Enter Password or Pin for "ipa_token":
The TOKEN_PASSWORD is already specified in the command.
https://pagure.io/freeipa/issue/9603</ref>
| <references/>
|-
|-
|}
|}
-->


<!-- uncomment this line when creating a real Test Day
=== Certificate Reissue ===
{| class="wikitable" width=100%
! User
! Profile
! [http://fedoraproject.org/wiki/QA:Testcase_Install_IPA_HSM_renew_cert Outisde grace period]
! [http://fedoraproject.org/wiki/QA:Testcase_Install_IPA_HSM_renew_cert_within_grace Within grace period]
! References
|-
| [[User:sumenon|sumenon]]
| Fedora41
| {{result|pass}}<ref>IPA certs expire in 2years
Current Date: Thu Jul 11 02:44:31 PM IST 2024
Cert Expires: 2026-07-01 14:32:04 IST
Modified Time: date -s +1years+11months+20days, Wed Jul  1 02:45:06 PM IST 2026
root@server:~# ipa-cert-fix
Becoming renewal master.
Restarting IPA
The ipa-cert-fix command was successful
getcert list | grep status -- the certificates go through different states  and finally in MONITORING state.
Certificates (excluding the CA cert) are re-issued correctly when expired.
</ref>
| {{result|pass}}<ref>ALL Certs are VALID and in MONTORING State after certmonger renews them.</ref>{{result|pass}}<ref>For this test the system date is to be moved within 30 days of expiration to test that certmonger would renew things.
Seeing ca-error: Server at "http://server.fedora41.test:8080/ca/ee/ca/profileSubmit" replied: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/ca" "read") which is known issue for pki.
Current Date: Wed Jul 10 07:13:59 PM IST 2024
Certs Expire: 2026-06-30 12:02:08 IST
Modified Date: date -s 'Wed Jun 07 06:54:58 PM IST 2026'
Restart ipactl.
 
 
 
 
 
</ref>
| <references/>
 
|-
|}
 
 
 
 
 
[[Category:Fedora 41 Test Days]]
[[Category:Fedora 41 Test Days]]
-->
<!-- remove the line below when creating a real Test Day -->
[[Category:QA Templates]]

Latest revision as of 05:44, 14 July 2024


IPA HSM Test DAy
Date 2024-07-09 to 2024-07-11
Time all day
Website QA/Test Days
Matrix #test-day:fedoraproject.org(other clients|?)
Mailing list test


Can't make the date?
If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?[edit]

This Test Day will focus on FreeIPA HSM

Who's available[edit]

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:

You can chat with me on Matrix. See the infobox on top of the page to learn where to join.

Prerequisite for Test Day[edit]

  • A virtual machine or a bare metal machine
  • An installation of Fedora 40 (ideally Server). Make sure to fully update your system. If installing a fresh system, it's recommended to use the latest nightly image.

What to test[edit]

This will focus on testing IPA support for generating and storing CA private keys on a Hardware Security Module (HSM).

There are two supported HSMs: the nCipher nShield Connect XC (High) and the Thales TCT Luna Network HSM Luna-T7. Firmware versions can vary so only specific ones are supported.

Using softhsm2 as an HSM is usable for testing. It is not recommended for production because it is not a truly networked HSM and the private keys live on a file system (protected yes but not at a hardware level). Because it is not networked, users will need to carefully synchronize the token files whenever any private key generation is done to ensure the contents are identical.

How to test?[edit]

Install freeIPA packages[edit]

  1. dnf -y install freeipa-server-dns

Pre-configure the HSM[edit]

If you are using softhsm2, grant read access to the tokens: 

 # usermod pkiuser -a -G ods

Set up environment variables on each machine/VM[edit]

 # export TOKEN_PASSWORD=password
 # export ADMIN_PASSWORD=password
 # export DM_PASSWORD=password

If using a supported hardware HSM ensure that it is working properly and have the token name and PKCS#11 library path handy.

In between tests[edit]

To re-use test machines in between installations:

On replica (if there is one) 

 # ipa server-del $HOSTNAME
 # ipa-server-install –uninstall -U

On the initial IPA server 

 # ipa-server-install –uninstall -U

If using softhsm2 you will also need to delete and re-create the token. To delete the token: 

 # softhsm2-util --delete-token --token ipa_token

This should return the machine(s) to the pre-installed state.

Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.

Reporting bugs[edit]

Perhaps you've found an already-reported bug. Please look at:

All new bugs should be reported into the upstream bug tracker. A less-preferred alternative is to file them into Red Hat JIRA, in most cases against the ipa component.

We really need bug reports!
Please note that just mentioning your problem into the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you followup questions. Please file bug reports, it's much more useful than a short comment. Thank you!

When filing the bug, it's very helpful to include:

  • exact steps you've performed (and whether you can reproduce it again)
  • screenshots or videos, if applicable
  • system journal (log), which you can retrieve by journalctl -b > journal.txt
  • all output in a terminal, if started from a terminal
  • your system description

If you are unsure about exactly how to file the report or what other information to include, just ask us.

Please make sure to link to the bug when submitting your test result, thanks!

Test Results[edit]

Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.

Basic[edit]

User Profile basicIPAwithHSM IPA server with replica HSM References
felipetg VM using Fedora Rawhide (latest iso available)
Fail fail
[1]
  1. Issue 9623 created
sumenon
Pass pass
Pass pass
[1]
Fail fail
[2]
Pass pass
  1. Ignore https://pagure.io/freeipa/issue/9622
  2. https://pagure.io/freeipa/issue/9622

Key Recovery Authority (KRA)[edit]

User Profile IPA with KRA IPA Server replica with KRA References
sumenon Fedora41
Pass pass
[1]
Pass pass
[2]
  1. KRA install is successful with the --token-password and --token-name option. ipatoken: storageCert(u,u,u), auditSigningCert(u,u,Pu), transportCert(u,u,u), subsystemCert(u,u,u) are listed using 'certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token' Vault can be added, data can be archived and retrieved.
  2. Installation of Replica prompts 'Enter Password or Pin for "ipa_token": The TOKEN_PASSWORD is already specified in the command. https://pagure.io/freeipa/issue/9603

Certificate Reissue[edit]

User Profile Outisde grace period Within grace period References
sumenon Fedora41
Pass pass
[1]
Pass pass
[2]
Pass pass
[3]
  1. IPA certs expire in 2years Current Date: Thu Jul 11 02:44:31 PM IST 2024 Cert Expires: 2026-07-01 14:32:04 IST Modified Time: date -s +1years+11months+20days, Wed Jul 1 02:45:06 PM IST 2026 root@server:~# ipa-cert-fix Becoming renewal master. Restarting IPA The ipa-cert-fix command was successful getcert list | grep status -- the certificates go through different states and finally in MONITORING state. Certificates (excluding the CA cert) are re-issued correctly when expired.
  2. ALL Certs are VALID and in MONTORING State after certmonger renews them.
  3. For this test the system date is to be moved within 30 days of expiration to test that certmonger would renew things. Seeing ca-error: Server at "http://server.fedora41.test:8080/ca/ee/ca/profileSubmit" replied: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/ca" "read") which is known issue for pki. Current Date: Wed Jul 10 07:13:59 PM IST 2024 Certs Expire: 2026-06-30 12:02:08 IST Modified Date: date -s 'Wed Jun 07 06:54:58 PM IST 2026' Restart ipactl.
Retrieved from "https://fedoraproject.org/w/index.php?title=Test_Day:Test_Day:2024-07-09_IPA_HSM&oldid=714427"