F41 FreeIPA HSM

More information about the event can be found here: http://fedoraproject.org/wiki/Test_Day:Test_Day:2024-07-09_IPA_HSM
Go back to List of Events.

Results

Clicking on the testcase name will show you the appropriate "how to test" page.
Click on the Enter result button, to enter result.
Note: results are cached and reloaded from the database each 10 seconds.

Basic

Username Profile basicIPAwithHSM IPA server with replica HSM Comments
Enter result Enter result
felipetg VM using Fedora Rawhide (latest iso available) [1] 1. Issue 9623 created
saibug [1] 1. 2024-12-09T21:17:26Z INFO - You will have to manually migrate IDM related configuration files. Here are some, but not all, of the configuration files to look into: - /etc/ipa/* - /etc/sssd/sssd.conf - /etc/named.conf - /etc/named/* - ... 2024-12-09T21:17:26Z INFO - SSSD should be restarted after a successful migration 2024-12-09T21:17:26Z INFO - The admin password is not migrated from the remote server. Reset it manually if needed.
sumenon [1] [2] 1. Ignore https://pagure.io/freeipa/issue/9622
2. https://pagure.io/freeipa/issue/9622

Key Recovery Authority (KRA)

Username Profile IPA with KRA IPA Server replica with KRA Comments
Enter result Enter result
sumenon Fedora41 [1] [2] 1. KRA install is successful with the --token-password and --token-name option. ipatoken: storageCert(u,u,u), auditSigningCert(u,u,Pu), transportCert(u,u,u), subsystemCert(u,u,u) are listed using 'certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token' Vault can be added, data can be archived and retrieved.
2. Installation of Replica prompts 'Enter Password or Pin for "ipa_token": The TOKEN_PASSWORD is already specified in the command. https://pagure.io/freeipa/issue/9603

Certificate Reissue

Username Profile Outisde grace period Within grace period Comments
Enter result Enter result
sumenon Fedora41 [1] [2] [3] 1. IPA certs expire in 2years Current Date: Thu Jul 11 02:44:31 PM IST 2024 Cert Expires: 2026-07-01 14:32:04 IST Modified Time: date -s +1years+11months+20days, Wed Jul 1 02:45:06 PM IST 2026 root@server:~# ipa-cert-fix Becoming renewal master. Restarting IPA The ipa-cert-fix command was successful getcert list | grep status -- the certificates go through different states and finally in MONITORING state. Certificates (excluding the CA cert) are re-issued correctly when expired.
2. ALL Certs are VALID and in MONTORING State after certmonger renews them.
3. For this test the system date is to be moved within 30 days of expiration to test that certmonger would renew things. Seeing ca-error: Server at "http://server.fedora41.test:8080/ca/ee/ca/profileSubmit" replied: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/ca" "read") which is known issue for pki. Current Date: Wed Jul 10 07:13:59 PM IST 2024 Certs Expire: 2026-06-30 12:02:08 IST Modified Date: date -s 'Wed Jun 07 06:54:58 PM IST 2026' Restart ipactl.
Wiki Metadata

Copyright © 2015-2020 Red Hat, Inc. and others.

Testdays and  ResultsDB (results back-end) are Free Software under GPL.

Please file issues and PRs if you have ideas.

 Legal   Privacy policy