From Fedora Project Wiki

Description

This test case ensures the successful installation and functionality of an IPA server and its replica with Key Recovery Authority (KRA) on Fedora.

Setup

Install the pre-release version of Fedora to be tested on two bare metal systems (one for the IPA server and one for the replica) using the default Anaconda settings, except to reclaim all disk space in the process.

How to test

The commands below use shell variables for the secrets and addresses; set $TOKEN_PASSWORD, $ADMIN_PASSWORD, $DM_PASSWORD, $IPA_SERVER_IP and $REPLICA_IP in the shell before starting.

  1. Install the freeipa packages on both machines:
    1. dnf install freeipa-server freeipa-server-dns softhsm -y
  2. On the IPA server, set the hostname with the domain to be used with IPA:
    1. hostnamectl hostname ipa.example.test
    2. echo "<ip-address> ipa.example.test" >> /etc/hosts
  3. Create the softhsm token:
    1. runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
  4. Install the IPA server:
    1. ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD --setup-kra
  5. Identify the token directory on ipa.example.test:
    1. ls -1tr /var/lib/softhsm/tokens/ | tail -1
  6. This returns the directory name, a UUID such as e373ded4-8763-29e9-dff9-e41f6930297e; note it for the next step.
  7. Copy the token data to the replica (run on the replica):
    1. export token="<UUID>"
    2. rsync -avp $IPA_SERVER_IP:/var/lib/softhsm/tokens/${token} /var/lib/softhsm/tokens/
  8. Add a DNS server to ipa.example.test (it will make things easier):
    1. ipa-dns-install --no-forwarders --auto-reverse
  9. Add the replica IP information to DNS (on the IPA server):
    1. kinit admin
    2. ipa dnsrecord-add example.test. replica --a-rec=$REPLICA_IP
  10. Set the replica hostname:
    1. hostnamectl hostname replica.example.test
  11. Configure the replica to use the IPA server's DNS (replace eth0 with the replica's interface name):
    1. resolvectl dns eth0 $IPA_SERVER_IP:53
  12. Install an IPA replica with a KRA:
    1. ipa-replica-install --domain example.test --realm EXAMPLE.TEST --admin-password $ADMIN_PASSWORD -U -N --setup-ca --token-password $TOKEN_PASSWORD --setup-kra

Expected Results

The following must be true to consider this a successful test run.

  1. All installation steps complete without errors.
  2. The hostname is successfully renamed and resolved on both machines.
  3. The softhsm token is created and initialized correctly on the server.
  4. The IPA server and replica install without issues and recognize the HSM token.
  5. KRA is set up correctly and its certificates are stored with the HSM token.
  6. DNS is set up correctly and the replica can resolve the IPA server.
  7. Basic KRA functionality tests (vault creation, archiving, and retrieval) work as expected and are accessible on both machines.
  8. Verify by running:
    # kinit admin
    # ipa vault-add test
    # ipa vault-archive test --data Zm9vCg==
    # ipa vault-retrieve test
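A scripted version of the verification step above, added here as an example and not part of the wiki page: it archives a known secret in a throwaway vault, retrieves it, checks byte-for-byte that the KRA returned the same data, and removes the vault again. It assumes the ipa CLI is installed, that `kinit admin` has already been run, and that the host (server or replica) has a working KRA; the vault name and the test secret are constructed.

```shell
#!/bin/bash
# Added example, not from the Fedora wiki page: KRA round-trip check.
# Assumes the ipa CLI and an admin Kerberos ticket (kinit admin).
set -eu

# Base64-encode a plaintext string the way `ipa vault-archive --data` expects.
encode_secret() { printf '%s' "$1" | base64 -w0; }

# Compare the expected plaintext with the file `ipa vault-retrieve --out` wrote.
# Byte-exact (cmp), so a stray trailing newline counts as a mismatch.
# Returns 0 on match, 1 otherwise. Pure: no ipa calls, so it is testable alone.
verify_retrieved() {
  local expected="$1" file="$2"
  printf '%s' "$expected" | cmp -s - "$file"
}

# Create a throwaway vault, archive SECRET, retrieve it into a private temp
# file (mktemp creates it mode 0600), verify, and always clean up afterwards.
kra_roundtrip() {
  local secret="$1" vault="kra-smoke-$$" tmp rc=1   # constructed vault name
  tmp=$(mktemp)
  if ipa vault-add "$vault" >/dev/null \
     && ipa vault-archive "$vault" --data "$(encode_secret "$secret")" >/dev/null \
     && ipa vault-retrieve "$vault" --out "$tmp" >/dev/null \
     && verify_retrieved "$secret" "$tmp"; then
    echo "KRA round trip OK on $(hostname)"
    rc=0
  else
    echo "KRA round trip FAILED on $(hostname)" >&2
  fi
  rm -f "$tmp"
  ipa vault-del "$vault" >/dev/null 2>&1 || true
  return $rc
}

# Only talk to the KRA when invoked with --run, so the helpers can be sourced
# or tested without an IPA installation.
if [ "${1:-}" = "--run" ]; then
  kra_roundtrip "foo"   # constructed test secret ("Zm9vCg==" on the page is "foo\n")
fi
```

Run it once on the server and once on the replica (`./kra-check.sh --run`) to cover the "accessible on both machines" expectation.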