From Fedora Project Wiki
Description
This test case ensures the successful installation and functionality of an IPA server with a Key Recovery Authority (KRA) on Fedora.
Setup
Install the pre-release version of Fedora to be tested on a bare metal system using the default Anaconda settings, except to reclaim all disk space in the process.
How to test
- Install the freeipa packages:
dnf install freeipa-server freeipa-server-dns softhsm -y
- Rename the hostname with the domain to be used with ipa
hostnamectl hostname ipa.example.test
echo “<ip-address> ipa.example.test” >> /etc/hosts
- Create softhsm token
runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
- Install the IPA server
ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD --setup-kra
- Ensure that certificate stored with the hsm token (note the kra certs)
certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token
Expected Results
- All installation steps complete without errors.
- The hostname is successfully renamed and resolved.
- The softhsm token is created and initialized correctly.
- The IPA server installs without issues and recognizes the HSM token.
- KRA is set up correctly and its certificates are stored with the HSM token.
- Basic KRA functionality tests (vault creation, archiving, and retrieval) work as expected.
- Run the following to verify the above
# kinit admin # ipa vault-add test # ipa vault-archive test --data Zm9vCg== # ipa vault-retrieve test