From Fedora Project Wiki

Description

This test case ensures the successful installation and basic functionality of an IPA server and its replica with HSM on Fedora.

Setup

Install the pre-release version of Fedora to be tested on two bare metal systems (one for the IPA server and one for the replica) using the default Anaconda settings, except to reclaim all disk space in the process.

How to test

  1. Install the freeipa packages on both machines dnf install freeipa-server freeipa-server-dns softhsm -y
  2. Rename the hostname with the domain to be used with IPA on the server:
    1. hostnamectl hostname ipa.example.test
    2. echo "<ip-address> ipa.example.test" >> /etc/hosts
  3. Create a softhsm token on ipa.example.test only: runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
  4. Install IPA Server ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
  5. Identify the token directory on ipa.example.test:
    1. ls -1tr /var/lib/softhsm/tokens/ | tail -1
  6. This will return a UUID like e373ded4-8763-29e9-dff9-e41f6930297e
  7. Copy token data to the replica
    1. export token="<UUID>"
    2. rsync -avp $IPA_SERVER_IP:/var/lib/softhsm/tokens/${token} /var/lib/softhsm/tokens/
  8. Add a DNS server to ipa.example.test (it will make things easier):
    1. ipa-dns-install --no-forwarders --auto-reverse
  9. Add the replica IP information to DNS (on the IPA server):
    1. kinit admin
    2. ipa dnsrecord-add example.test. replica --a-rec=$REPLICA_IP
  10. Set the replica hostname:
    1. hostnamectl hostname replica.example.test
  11. Configure the replica to use the IPA server DNS:
    1. resolvectl dns eth0 $IPA_SERVER_IP:53
  12. Install ipa-replica:
    1. ipa-replica-install --domain example.test --realm EXAMPLE.TEST --admin-password $ADMIN_PASSWORD -U -N --setup-ca --token-password $TOKEN_PASSWORD
  13. Verify that the certificate serial numbers are the same. Run this on both machines:
    1. certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token -n 'ipa_token
    2. cert-pki-ca' |grep -A1 'Serial Number:'

Expected Results

  1. All installation steps complete without errors.
  2. The hostname is successfully renamed and resolved on both machines.
  3. The softhsm token is created and initialized correctly on the server.
  4. The IPA server and replica install without issues and recognize the HSM token.
  5. DNS is set up correctly and the replica can resolve the IPA server.
  6. Certificates are stored correctly with the HSM token on both the server and replica.
  7. Certificate serial numbers match on both the server and replica.



Retrieved from "https://fedoraproject.org/w/index.php?title=QA:Testcase_IPA_server_replica_HSM&oldid=713276"