From Fedora Project Wiki

Revision as of 03:38, 2 July 2024 by Sumantrom

{{QA/Test_Case
|description=This test case ensures the successful installation and functionality of an IPA server with a Key Recovery Authority (KRA) on Fedora.
|setup=Install the pre-release version of Fedora to be tested on a bare metal system using the default Anaconda settings, except to reclaim all disk space in the process.
|actions=

  1. Install the freeipa packages: dnf install freeipa-server freeipa-server-dns softhsm -y
  2. Set the hostname to a name in the domain to be used with IPA:
    1. hostnamectl hostname ipa.example.test
    2. echo "<ip-address> ipa.example.test" >> /etc/hosts
  3. Create the softhsm token: runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
  4. Install the IPA server: ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD --setup-kra
  5. Ensure that the certificates are stored with the HSM token (note the KRA certs): certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token

|results=

  1. All installation steps complete without errors.
  2. The hostname is successfully renamed and resolved.
  3. The softhsm token is created and initialized correctly.
  4. The IPA server installs without issues and recognizes the HSM token.
  5. KRA is set up correctly and its certificates are stored with the HSM token.
  6. Basic KRA functionality tests (vault creation, archiving, and retrieval) work as expected.
  7. Run the following to verify the above:
     # kinit admin
     # ipa vault-add test
     # ipa vault-archive test --data Zm9vCg==
     # ipa vault-retrieve test
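
A scripted form of the check in action 5, added here as an example and not part of the original test case: it reads the certutil listing on standard input and confirms that each KRA system certificate is listed under the ipa_token: prefix, which is how certutil marks certificates held on the token rather than in the internal NSS database. The three KRA nicknames (Dogtag's usual defaults) and the sample listing are assumptions, not values from this page.

```shell
#!/bin/sh
# Usage on the installed server:
#   certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token | check_kra_on_token ipa_token

# Nicknames Dogtag normally gives the KRA system certificates (assumption).
KRA_NICKNAMES='transportCert cert-pki-kra
storageCert cert-pki-kra
auditSigningCert cert-pki-kra'

# check_kra_on_token TOKEN_LABEL < certutil-listing
# Prints every KRA nickname that is not listed as "TOKEN_LABEL:nickname"
# and returns 0 only when all of them are present on the token.
check_kra_on_token() {
    token=$1
    listing=$(cat)
    missing=0
    while IFS= read -r nick; do
        # The line must start with the token prefix; a bare nickname means
        # the certificate sits in the internal database, not on the HSM.
        if ! printf '%s\n' "$listing" |
            awk -v p="${token}:${nick}" 'index($0, p) == 1 { f = 1 } END { exit !f }'
        then
            printf 'not on token %s: %s\n' "$token" "$nick"
            missing=1
        fi
    done <<EOF
$KRA_NICKNAMES
EOF
    return "$missing"
}

# Constructed sample of a certutil -L listing, for offline runs only.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa_token:caSigningCert cert-pki-ca                          CTu,Cu,Cu
ipa_token:transportCert cert-pki-kra                         u,u,u
ipa_token:storageCert cert-pki-kra                           u,u,u
ipa_token:auditSigningCert cert-pki-kra                      u,u,Pu
EOF
}

sample_listing | check_kra_on_token ipa_token && echo "KRA certificates are on the token"
```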