From Fedora Project Wiki

(Created page with "{{QA/Test_Case |description=This test case ensures the successful installation and basic functionality of an IPA server with HSM on Fedora. |setup=Install the pre-release version of Fedora to be tested on a bare metal system using the default Anaconda settings, except to reclaim all disk space in the process. |setup=Install the pre-release version of Fedora that is to be tested on a bare metal system using the default Anaconda settings except to reclaim all disk space in...")
 
No edit summary
 
Line 17: Line 17:
   ipa_token:caSigningCert cert-pki-ca                      CTu,Cu,Cu
   ipa_token:caSigningCert cert-pki-ca                      CTu,Cu,Cu


# Test that basic things within IPA work.
  # kinit admin
  # ipa user-add --first tim --last user --password tuser
  # id tuser
  # kinit tuser (and reset password)
  # ipa user-show tuser
|results=
|results=
# All installation steps complete without errors.
# All installation steps complete without errors.
# The hostname is successfully renamed and resolved.
# The hostname is successfully renamed and resolved.
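Review bot: The block dropped ahead of |results= (kinit admin, ipa user-add, id tuser, kinit tuser, ipa user-show) was the only functional check in the test steps, so after this hunk the procedure before |results= ends at the certificate listing. If the commands are only being relocated, keep them as a numbered step in the test actions and leave |results= for outcomes.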
Line 30: Line 25:
# Certificates are stored correctly with the HSM token.
# Certificates are stored correctly with the HSM token.
# Basic IPA functionality tests (adding and managing users) work as expected.
# Basic IPA functionality tests (adding and managing users) work as expected.
# Test that basic things within IPA work by running the following
  kinit admin
  ipa user-add --first tim --last user --password tuser
  id tuser
  kinit tuser (and reset password)
  ipa user-show tuser


}}
}}
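Review bot: The added "Test that basic things within IPA work by running the following" line and its five commands sit after the last "#" result inside |results=, so they render as a seventh expected result instead of a test step. Move them above |results=. Also, "kinit tuser (and reset password)" mixes a command with an instruction; give the command on its own line and state the password reset as a separate sentence.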

Latest revision as of 04:59, 1 July 2024

Description

This test case ensures the successful installation and basic functionality of an IPA server with HSM on Fedora.

Setup

Install the pre-release version of Fedora that is to be tested on a bare metal system using the default Anaconda settings except to reclaim all disk space in the process.

How to test

  1. Install the FreeIPA packages:
  # dnf install freeipa-server freeipa-server-dns softhsm -y
  2. Set the hostname to the fully qualified name to be used with IPA and add it to /etc/hosts:
  # hostnamectl hostname ipa.example.test
  # echo "<ip-address> ipa.example.test" >> /etc/hosts
  3. Create the SoftHSM token:
  # runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
  4. Install the IPA server:
  # ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
  5. Ensure that the certificates are stored on the HSM token:
  # certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token
 ipa_token:ocspSigningCert cert-pki-ca                    	u,u,u
 ipa_token:subsystemCert cert-pki-ca                      	u,u,u
 ipa_token:auditSigningCert cert-pki-ca                   	u,u,Pu
 ipa_token:caSigningCert cert-pki-ca                      	CTu,Cu,Cu
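
The certificate check in the last step above can be scripted so that a certificate left in the internal NSS database instead of on the token is caught. This is an added example, not part of the original test case; the function name check_token_certs and the two sample listings are assumptions constructed from the output shown above.

```shell
#!/bin/bash
# Added example: confirm the PKI subsystem certificates are on the HSM token.
# Expected "nickname|trust flags" pairs, taken from the listing in this test case.
EXPECTED='ocspSigningCert cert-pki-ca|u,u,u
subsystemCert cert-pki-ca|u,u,u
auditSigningCert cert-pki-ca|u,u,Pu
caSigningCert cert-pki-ca|CTu,Cu,Cu'

# check_token_certs TOKEN: reads a `certutil -L` listing on stdin.
# Returns 0 only if every expected certificate appears as TOKEN:<nickname>
# with the expected trust flags; reports each problem on stderr otherwise.
check_token_certs() (
    token="$1"; rc=0
    listing="$(cat)"
    while IFS='|' read -r nick flags; do
        # Exact-nickname match at line start; flags are the last field.
        found="$(printf '%s\n' "$listing" | awk -v n="$token:$nick" '
            { sub(/^[ \t]+/, "") }
            index($0, n) == 1 {
                rest = substr($0, length(n) + 1)
                if (rest ~ /^[ \t]+[^ \t]+[ \t]*$/) { print $NF; exit }
            }')"
        if [ -z "$found" ]; then
            echo "FAIL: '$nick' is not listed on token $token" >&2; rc=1
        elif [ "$found" != "$flags" ]; then
            echo "FAIL: '$nick' has flags $found, expected $flags" >&2; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    exit "$rc"
)

# Constructed sample: the listing shown in this test case.
SAMPLE_OK=' ipa_token:ocspSigningCert cert-pki-ca    u,u,u
 ipa_token:subsystemCert cert-pki-ca      u,u,u
 ipa_token:auditSigningCert cert-pki-ca   u,u,Pu
 ipa_token:caSigningCert cert-pki-ca      CTu,Cu,Cu'
# Constructed sample: CA signing cert in the internal database, not on the token.
SAMPLE_SOFT=' ipa_token:ocspSigningCert cert-pki-ca    u,u,u
 ipa_token:subsystemCert cert-pki-ca      u,u,u
 ipa_token:auditSigningCert cert-pki-ca   u,u,Pu
 caSigningCert cert-pki-ca                CTu,Cu,Cu'

# On a real server, as root:
#   certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token | check_token_certs ipa_token
printf '%s\n' "$SAMPLE_OK" | check_token_certs ipa_token && echo "sample listing: all certificates on token"
```

A non-zero exit status means at least one certificate is missing from the token or carries different trust flags than the test case expects.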

Expected Results

  1. All installation steps complete without errors.
  2. The hostname is successfully renamed and resolved.
  3. The softhsm token is created and initialized correctly.
  4. The IPA server installs without issues and recognizes the HSM token.
  5. Certificates are stored correctly with the HSM token.
  6. Basic IPA functionality tests (adding and managing users) work as expected.
  7. Test that basic things within IPA work by running the following:
  kinit admin
  ipa user-add --first tim --last user --password tuser
  id tuser
  kinit tuser (and reset password)
  ipa user-show tuser