From Fedora Project Wiki

Revision as of 04:59, 1 July 2024 by Sumantrom

Description

This test case verifies that an IPA server whose CA keys are held in an HSM installs successfully on Fedora and provides basic functionality. SoftHSM, a software PKCS#11 token, stands in for real hardware so the test can be run on any machine.

Setup

Install the pre-release version of Fedora that is to be tested on a bare-metal system, using the default Anaconda settings except that all disk space is reclaimed during partitioning.

How to test

  1. Install the FreeIPA and SoftHSM packages: dnf install freeipa-server freeipa-server-dns softhsm -y
  2. Set the hostname to the fully qualified name that IPA will use, and make it resolve to the server's own address (ipa-server-install refuses to run if the hostname does not resolve):
  # hostnamectl hostname ipa.example.test
  # echo "<ip-address> ipa.example.test" >> /etc/hosts
  3. Create the SoftHSM token as pkiuser, so that the pki-tomcat service (which runs as that user) can open the token files. The test uses the same value for the user PIN and the security-officer PIN; --so-pin is the PIN that allows the token to be re-initialized, so keep it separate on anything other than a test box: runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
  4. Install the IPA server, pointing the CA at the token: ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
  5. Ensure that the CA certificates are stored in the HSM token. Every nickname must carry the ipa_token: prefix, which is how certutil marks objects that live in the token rather than in the on-disk NSS database: certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token
 ipa_token:ocspSigningCert cert-pki-ca                    	u,u,u
 ipa_token:subsystemCert cert-pki-ca                      	u,u,u
 ipa_token:auditSigningCert cert-pki-ca                   	u,u,Pu
 ipa_token:caSigningCert cert-pki-ca                      	CTu,Cu,Cu
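A check script for the certutil step, added here as an example and not part of this wiki page or of FreeIPA: it parses a certutil -L listing and confirms that each of the four CA certificates carries the ipa_token: prefix with the trust flags shown above, and reports which one is missing, mis-placed or mis-trusted otherwise. The token label, NSS database path and nicknames are taken from the steps above; the embedded SAMPLE_LISTING is constructed from the expected output, and the function names check_listing and check_live are this example's own.

```shell
#!/bin/sh
# Added example for this test case; not part of the Fedora wiki page or of
# FreeIPA. It verifies from a `certutil -L` listing that the pki-tomcat CA
# certificates live in the SoftHSM token rather than in the on-disk NSS
# database. Token label, NSS directory and nicknames come from the test
# steps; SAMPLE_LISTING is constructed from the expected output.

TOKEN_LABEL="${TOKEN_LABEL:-ipa_token}"
NSSDB="${NSSDB:-/etc/pki/pki-tomcat/alias}"

# nickname|trust-flags pairs that ipa-server-install is expected to leave
# in the token (the same four certificates as in the test case).
EXPECTED_CERTS='caSigningCert cert-pki-ca|CTu,Cu,Cu
ocspSigningCert cert-pki-ca|u,u,u
subsystemCert cert-pki-ca|u,u,u
auditSigningCert cert-pki-ca|u,u,Pu'

# check_listing LISTING
#   LISTING is the text printed by: certutil -L -d $NSSDB -h $TOKEN_LABEL
#   Returns 0 only if every expected nickname appears with the
#   "$TOKEN_LABEL:" prefix and the expected trust flags. A nickname that
#   appears without the prefix is in the NSS softoken, i.e. the key pair
#   was not generated in the HSM; that is reported as a failure too.
check_listing() {
    listing="$1"
    failures=0
    while IFS='|' read -r nick flags; do
        [ -n "$nick" ] || continue
        if printf '%s\n' "$listing" | grep -q \
            "^[[:space:]]*${TOKEN_LABEL}:${nick}[[:space:]][[:space:]]*${flags}[[:space:]]*$"; then
            continue
        fi
        if printf '%s\n' "$listing" | grep -q "^[[:space:]]*${nick}[[:space:]]"; then
            echo "FAIL: '$nick' is in the on-disk NSS database, not in token '$TOKEN_LABEL'" >&2
        elif printf '%s\n' "$listing" | grep -q "^[[:space:]]*${TOKEN_LABEL}:${nick}[[:space:]]"; then
            echo "FAIL: '$nick' is in the token but its trust flags are not '$flags'" >&2
        else
            echo "FAIL: '$nick' was not found in token '$TOKEN_LABEL'" >&2
        fi
        failures=$((failures + 1))
    done <<EOF
$EXPECTED_CERTS
EOF
    [ "$failures" -eq 0 ]
}

# check_live: run certutil against the real pki-tomcat NSS database
# (on the IPA server, as root) and check its output.
check_live() {
    check_listing "$(certutil -L -d "$NSSDB" -h "$TOKEN_LABEL")"
}

# Constructed listing mirroring the expected output of the certutil step,
# including certutil's header lines; used for the offline self-check.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa_token:ocspSigningCert cert-pki-ca                        u,u,u
ipa_token:subsystemCert cert-pki-ca                          u,u,u
ipa_token:auditSigningCert cert-pki-ca                       u,u,Pu
ipa_token:caSigningCert cert-pki-ca                          CTu,Cu,Cu
'

# Usage: sh check_token_certs.sh --live   (on the IPA server, as root)
#        sh check_token_certs.sh          (offline self-check on the sample)
if [ "${1:-}" = "--live" ]; then
    check_live
else
    check_listing "$SAMPLE_LISTING" &&
        echo "sample listing OK: all CA certificates are in token '$TOKEN_LABEL'"
fi
```

Run it with --live on the freshly installed server; a zero exit status means all four certificates are in the token with the expected trust flags, and each FAIL line names the certificate that is not.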

Expected Results

  1. All installation steps complete without errors.
  2. The hostname is set to ipa.example.test and resolves to the server's address.
  3. The SoftHSM token ipa_token is created and initialized as pkiuser.
  4. ipa-server-install completes without errors and uses the HSM token for the CA.
  5. The certutil listing shows all four CA certificates with the ipa_token: prefix and the trust flags given above.
  6. Basic IPA functionality (adding and managing users) works as expected. Verify it by running:
  kinit admin
  ipa user-add --first tim --last user --password tuser   (--password prompts for the user's initial password)
  id tuser
  kinit tuser   (a password set by admin is expired on first use, so kinit asks for the initial password and then for a new one)
  ipa user-show tuser