From Fedora Project Wiki
Description
This test case ensures the successful installation and basic functionality of an IPA server with HSM on Fedora.
Setup
Install the pre-release version of Fedora that is to be tested on a bare metal system using the default Anaconda settings, except choose to reclaim all disk space during installation.
How to test
- Install the freeipa packages:
dnf install freeipa-server freeipa-server-dns softhsm -y
- Set the hostname to the fully qualified name, including the domain, that will be used with IPA:
# hostnamectl hostname ipa.example.test
# echo "<ip-address> ipa.example.test" >> /etc/hosts
- Create the SoftHSM token:
runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
- Install the IPA server:
ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
- Ensure that the certificates are stored on the HSM token:
certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token
ipa_token:ocspSigningCert cert-pki-ca u,u,u
ipa_token:subsystemCert cert-pki-ca u,u,u
ipa_token:auditSigningCert cert-pki-ca u,u,Pu
ipa_token:caSigningCert cert-pki-ca CTu,Cu,Cu
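The certificate check above can be scripted so that a certificate left in the local NSS database instead of on the token fails the test. This is an added example, not part of the wiki test case; the function name `check_token_certs` is hypothetical, and the expected nicknames and trust flags are copied from the listing above.

```shell
#!/bin/sh
# Added example (not part of the wiki test case).
# Usage on a real system (certutil prompts for the token PIN):
#   certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token | check_token_certs ipa_token

# Reads a certutil -L listing on stdin. Returns 0 only if all four CA
# certificates appear under "<token>:" with the trust flags shown in the
# listing of this test case; otherwise prints what is wrong and returns 1.
check_token_certs() {
    awk -v prefix="$1:" '
        BEGIN {
            want["ocspSigningCert cert-pki-ca"]  = "u,u,u"
            want["subsystemCert cert-pki-ca"]    = "u,u,u"
            want["auditSigningCert cert-pki-ca"] = "u,u,Pu"
            want["caSigningCert cert-pki-ca"]    = "CTu,Cu,Cu"
        }
        NF >= 2 {
            flags = $NF                            # last column: trust attributes
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop the flags column
            if (index(nick, prefix) == 1) {        # only entries held on the token
                name = substr(nick, length(prefix) + 1)
                if (name in want) seen[name] = flags
            }
        }
        END {
            bad = 0
            for (name in want) {
                if (!(name in seen)) {
                    print "not on token: " name; bad = 1
                } else if (seen[name] != want[name]) {
                    print "trust flags " seen[name] " != " want[name] ": " name; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: the listing from the step above, one entry per line.
SAMPLE='ipa_token:ocspSigningCert cert-pki-ca u,u,u
ipa_token:subsystemCert cert-pki-ca u,u,u
ipa_token:auditSigningCert cert-pki-ca u,u,Pu
ipa_token:caSigningCert cert-pki-ca CTu,Cu,Cu'

if printf '%s\n' "$SAMPLE" | check_token_certs ipa_token; then
    echo "all CA certificates are on ipa_token"
fi
```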
Expected Results
- All installation steps complete without errors.
- The hostname is successfully renamed and resolved.
- The softhsm token is created and initialized correctly.
- The IPA server installs without issues and recognizes the HSM token.
- Certificates are stored correctly with the HSM token.
- Basic IPA functionality tests (adding and managing users) work as expected.
- Test that basic things within IPA work by running the following:
kinit admin
ipa user-add --first tim --last user --password tuser
id tuser
kinit tuser (and reset password)
ipa user-show tuser