From Fedora Project Wiki

Revision as of 03:39, 2 July 2024 by Sumantrom (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Description

This test case ensures the successful installation and functionality of an IPA server with a Key Recovery Authority (KRA) on Fedora.

Setup

Install the pre-release version of Fedora to be tested on a bare metal system using the default Anaconda settings, except to reclaim all disk space in the process.

How to test

  1. Install the freeipa packages: dnf install freeipa-server freeipa-server-dns softhsm -y
  2. Rename the hostname with the domain to be used with ipa
    1. hostnamectl hostname ipa.example.test
    2. echo “<ip-address> ipa.example.test” >> /etc/hosts
  3. Create softhsm token runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
  4. Install the IPA server ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD --setup-kra
  5. Ensure that certificate stored with the hsm token (note the kra certs) certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token

Expected Results

  1. All installation steps complete without errors.
  2. The hostname is successfully renamed and resolved.
  3. The softhsm token is created and initialized correctly.
  4. The IPA server installs without issues and recognizes the HSM token.
  5. KRA is set up correctly and its certificates are stored with the HSM token.
  6. Basic KRA functionality tests (vault creation, archiving, and retrieval) work as expected.
  7. Run the following to verify the above
# kinit admin
# ipa vault-add test
# ipa vault-archive test --data Zm9vCg==
# ipa vault-retrieve test