IPA HSM Test Day | |
---|---|
Date | 2024-07-09 to 2024-07-11 |
Time | all day |
Website | QA/Test Days |
Matrix | #test-day:fedoraproject.org(other clients|?) |
Mailing list | test |
What to test?[edit]
This Test Day will focus on FreeIPA HSM
Who's available[edit]
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:
You can chat with me on Matrix. See the infobox on top of the page to learn where to join.
Prerequisite for Test Day[edit]
- A virtual machine or a bare metal machine
- An installation of Fedora 40 (ideally Server). Make sure to fully update your system. If installing a fresh system, it's recommended to use the latest nightly image.
What to test[edit]
This will focus on testing IPA support for generating and storing CA private keys on a Hardware Security Module (HSM).
There are two supported HSMs: the nCipher nShield Connect XC (High) and the Thales TCT Luna Network HSM Luna-T7. Firmware versions can vary so only specific ones are supported.
Using softhsm2 as an HSM is usable for testing. It is not recommended for production because it is not a truly networked HSM and the private keys live on a file system (protected yes but not at a hardware level). Because it is not networked, users will need to carefully synchronize the token files whenever any private key generation is done to ensure the contents are identical.
How to test?[edit]
Install freeIPA packages[edit]
- dnf -y install freeipa-server-dns
Pre-configure the HSM[edit]
If you are using softhsm2, grant read access to the tokens:
# usermod pkiuser -a -G ods
Set up environment variables on each machine/VM[edit]
# export TOKEN_PASSWORD=password # export ADMIN_PASSWORD=password # export DM_PASSWORD=password
If using a supported hardware HSM ensure that it is working properly and have the token name and PKCS#11 library path handy.
In between tests[edit]
To re-use test machines in between installations:
On replica (if there is one)
# ipa server-del $HOSTNAME # ipa-server-install –uninstall -U
On the initial IPA server
# ipa-server-install –uninstall -U
If using softhsm2 you will also need to delete and re-create the token. To delete the token:
# softhsm2-util --delete-token --token ipa_token
This should return the machine(s) to the pre-installed state.
Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.
Reporting bugs[edit]
Perhaps you've found an already-reported bug. Please look at:
All new bugs should be reported into the upstream bug tracker. A less-preferred alternative is to file them into Red Hat JIRA, in most cases against the ipa
component.
When filing the bug, it's very helpful to include:
- exact steps you've performed (and whether you can reproduce it again)
- screenshots or videos, if applicable
- system journal (log), which you can retrieve by
journalctl -b > journal.txt
- all output in a terminal, if started from a terminal
- your system description
If you are unsure about exactly how to file the report or what other information to include, just ask us.
Please make sure to link to the bug when submitting your test result, thanks!
Test Results[edit]
Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.
Basic[edit]
User | Profile | basicIPAwithHSM | IPA server with replica HSM | References |
---|---|---|---|---|
felipetg | VM using Fedora Rawhide (latest iso available) |
| ||
sumenon |
Key Recovery Authority (KRA)[edit]
User | Profile | IPA with KRA | IPA Server replica with KRA | References |
---|---|---|---|---|
sumenon | Fedora41 |
|
Certificate Reissue[edit]
User | Profile | Outisde grace period | Within grace period | References |
---|---|---|---|---|
sumenon | Fedora41 |
|