# FreeIPA HSM integration testing
- Modified Dogtag 10.7.3 with patches from https://magnus-k-karlsson.blogspot.com/2019/08/installing-dogtag-on-fedora-30-with.html
- FreeIPA 4.8 upstream with latest HSM related fixes
## Installation with SoftHSM2
### Install COPR version with additional patches
```
# dnf copr enable -y cheimes/freeipa-hsm
# dnf update -y
# rpm -qa freeipa-server pki-ca
freeipa-server-4.8.1-1+hsm1.fc30.x86_64
pki-ca-10.7.3-3+hsm1.fc30.noarch
```
### Prepare SoftHSM2 and disable P11-Kit completely
```
# softhsm2-util --init-token --label "Dogtag" --so-pin redhat123 --pin redhat123 --free
# chmod 777 -R /var/lib/softhsm/
# mv /etc/crypto-policies/local.d/nss-p11-kit.config /etc/crypto-policies/local.d/nss-p11-kit.config.bak
# echo "# disabled for FreeIPA" > /etc/crypto-policies/local.d/nss-p11-kit.config
# update-crypto-policies
```
### PKI ini override
```
# cat << EOF > /root/freeipa-hsm.ini
[DEFAULT]
pki_hsm_enable=True
pki_hsm_libfile=%(softhsm2_so)s
pki_hsm_modulename=softhsm2
pki_token_name=Dogtag
pki_token_password=redhat123
EOF
```
### Install server
```
# ipa-server-install --domain ipa.example --realm IPA.EXAMPLE -U -p Secret123 -a Secret123 --pki-config-override /root/freeipa-hsm.ini
```
## Verification
```
# echo "redhat123" > /etc/pki/pki-tomcat/alias/hsm.txt
# certutil -d /etc/pki/pki-tomcat/alias/ -L -h internal -f /etc/pki/pki-tomcat/alias/hsm.txt
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CT,C,C
auditSigningCert cert-pki-ca ,,P
Server-Cert cert-pki-ca u,u,u
# certutil -d /etc/pki/pki-tomcat/alias/ -K -h internal -f /etc/pki/pki-tomcat/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 7e63a9f1be92a07e21a16f7d7b4898a9f72533bc NSS Certificate DB:Server-Cert cert-pki-ca
# certutil -d /etc/pki/pki-tomcat/alias/ -L -h Dogtag -f /etc/pki/pki-tomcat/alias/hsm.txt
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Dogtag:auditSigningCert cert-pki-ca u,u,Pu
Dogtag:subsystemCert cert-pki-ca u,u,u
Dogtag:caSigningCert cert-pki-ca CTu,Cu,Cu
Dogtag:ocspSigningCert cert-pki-ca u,u,u
# certutil -d /etc/pki/pki-tomcat/alias/ -K -h Dogtag -f /etc/pki/pki-tomcat/alias/hsm.txt
certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x2b24f0e8"
< 0> rsa 120991d7c363e5a33b4642e48f2afd2503c73b3e caSigningCert cert-pki-ca
< 1> rsa b8486305022a9e49d2e8dd18ddd757d7b628579e auditSigningCert cert-pki-ca
< 2> rsa a3f8523a9b141b08ef4916e96d9936b1ba5916b4 subsystemCert cert-pki-ca
< 3> rsa cd2b056930cad6cae8e57e60b831916ac5efc0de ocspSigningCert cert-pki-ca
```
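The listings above are what a correct installation looks like: the four Dogtag signing/subsystem keys live on the `Dogtag` token and only `Server-Cert` stays in the internal NSS softoken. The script below is an added example (not part of the original page or of FreeIPA/Dogtag) that turns that eyeball check into a pass/fail test: it parses `certutil -K` output for both tokens and fails if any HSM key is missing from the token or has leaked into the internal database. The sample listings embedded in it are constructed from the output shown above; the all-zero key id in the "leaked" sample is a placeholder, and the nickname list assumes the default `cert-pki-ca` nicknames used on this page.

```shell
#!/bin/sh
# Added example: verify that Dogtag private keys ended up on the HSM token
# and not in the internal NSS softoken, based on `certutil -K` listings.
#
# Real-system usage (paths as on this page; hsm.txt / pwdfile.txt hold the
# token and internal DB passwords respectively):
#   hsm=$(certutil -d /etc/pki/pki-tomcat/alias/ -K -h Dogtag   -f /etc/pki/pki-tomcat/alias/hsm.txt)
#   int=$(certutil -d /etc/pki/pki-tomcat/alias/ -K -h internal -f /etc/pki/pki-tomcat/alias/pwdfile.txt)
#   check_key_placement "$hsm" "$int"

# Keys that must live on the HSM token (assumed default Dogtag nicknames).
HSM_KEY_NICKS="caSigningCert auditSigningCert subsystemCert ocspSigningCert"
# Key that is expected to remain in the internal softoken in this setup.
INTERNAL_KEY_NICKS="Server-Cert"

# Read a `certutil -K` listing on stdin and print one nickname per key line.
# Key lines look like:  < 0> rsa <keyid> [Token:]nickname cert-pki-ca
key_nicknames() {
    sed -n \
        -e '/^< *[0-9][0-9]*>/!d' \
        -e 's/^< *[0-9][0-9]*> *[a-z]* *[0-9a-f]* *//' \
        -e 's/^.*://' \
        -e p
}

# check_key_placement <hsm listing> <internal listing>
# Exit status 0 when every HSM key is on the token and none is in the
# internal DB (and the expected internal key is present); 1 otherwise.
check_key_placement() {
    hsm_listing=$1
    internal_listing=$2
    status=0
    for nick in $HSM_KEY_NICKS; do
        if ! printf '%s\n' "$hsm_listing" | key_nicknames | grep -q "^$nick "; then
            echo "MISSING on HSM token: $nick" >&2
            status=1
        fi
        if printf '%s\n' "$internal_listing" | key_nicknames | grep -q "^$nick "; then
            echo "LEAKED into internal NSS DB: $nick" >&2
            status=1
        fi
    done
    for nick in $INTERNAL_KEY_NICKS; do
        if ! printf '%s\n' "$internal_listing" | key_nicknames | grep -q "^$nick "; then
            echo "MISSING in internal NSS DB: $nick" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample listings, copied from the certutil -K output on this page.
HSM_LISTING_OK='certutil: Checking token "Dogtag" in slot "SoftHSM slot ID 0x2b24f0e8"
< 0> rsa 120991d7c363e5a33b4642e48f2afd2503c73b3e caSigningCert cert-pki-ca
< 1> rsa b8486305022a9e49d2e8dd18ddd757d7b628579e auditSigningCert cert-pki-ca
< 2> rsa a3f8523a9b141b08ef4916e96d9936b1ba5916b4 subsystemCert cert-pki-ca
< 3> rsa cd2b056930cad6cae8e57e60b831916ac5efc0de ocspSigningCert cert-pki-ca'

INTERNAL_LISTING_OK='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 7e63a9f1be92a07e21a16f7d7b4898a9f72533bc NSS Certificate DB:Server-Cert cert-pki-ca'

# Constructed failure case: the CA signing key was generated in the softoken
# instead of the HSM (what a broken pki override file would produce).
# The all-zero key id is a placeholder.
INTERNAL_LISTING_LEAKED="$INTERNAL_LISTING_OK
< 1> rsa 0000000000000000000000000000000000000000 NSS Certificate DB:caSigningCert cert-pki-ca"

# Stand-alone demonstration: the good pair passes, the leaked pair fails.
if check_key_placement "$HSM_LISTING_OK" "$INTERNAL_LISTING_OK"; then
    echo "OK: all Dogtag signing keys live on the HSM token"
fi
check_key_placement "$HSM_LISTING_OK" "$INTERNAL_LISTING_LEAKED" \
    || echo "FAIL: key placement problem detected (expected for the constructed sample)"
```

The nickname extraction strips the `< n> rsa <keyid>` prefix and any `Token:` prefix, so the same function works for both the internal softoken listing (which carries `NSS Certificate DB:`) and the HSM token listing. Running the check after `ipa-server-install` is a cheap way to catch an override file that was ignored, because in that case the signing keys silently end up in the internal database and the install still succeeds.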
This is a companion discussion topic for the original entry at https://copr.fedorainfracloud.org/coprs/cheimes/freeipa-hsm/