From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 10 Oct 2023 15:22:27 +0530
Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy
1. test_certmonger_reads_token_HSM test in test_installation.py
is failing in FIPS/STIG mode with the below error.
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode
2. Adding the posfix config change, because there was a crash
seen in smtpd in FIPS mode.
ie. postconf -e smtpd_tls_fingerprint_digest=sha256
KCS: https://access.redhat.com/solutions/6958957
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_epn.py | 4 +++-
ipatests/test_integration/test_installation.py | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
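diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py
index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644
--- a/ipatests/test_integration/test_epn.py
+++ b/ipatests/test_integration/test_epn.py
@@ -180,7 +180,6 @@ def configure_starttls(host):
 postconf(host, 'smtpd_tls_session_cache_timeout = 3600s')
 # announce STARTTLS support to remote SMTP clients, not require
 postconf(host, 'smtpd_tls_security_level = may')
-
 host.run_command(["systemctl", "restart", "postfix"])
 
 
@@ -208,6 +207,9 @@ def configure_ssl_client_cert(host):
 # CA certificates of root CAs trusted to sign remote SMTP client cert
 postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}")
 
+ if host.is_fips_mode:
+ postconf(host, 'smtpd_tls_fingerprint_digest = sha256')
+
 host.run_command(["systemctl", "restart", "postfix"])
 
 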
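Review bot: The new `smtpd_tls_fingerprint_digest = sha256` setting in configure_ssl_client_cert is gated on `host.is_fips_mode`, so non-FIPS runs keep whatever digest the installed Postfix defaults to (md5 on older releases, as far as I recall), and the FIPS and non-FIPS test environments end up matching client-certificate fingerprints with different algorithms. Setting it unconditionally, `postconf(host, 'smtpd_tls_fingerprint_digest = sha256')`, removes the branch and keeps a weak digest out of the non-FIPS configuration as well. A short comment such as `# smtpd crashed in FIPS mode with the default digest; see KCS 6958957` would record why the line exists. configure_starttls in the first hunk also enables smtpd TLS without this setting; whether it can hit the same crash is not visible from here. Both function bodies start outside the hunks.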
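diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
 from ipatests.test_integration.test_cert import get_certmonger_fs_id
+from ipatests.pytest_ipa.integration import skip_if_fips
 from ipaplatform import services
 
 
@@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest):
 tasks.install_replica(self.master, self.replicas[1], setup_ca=False)
 tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"])
 
+ @skip_if_fips()
 def test_certmonger_reads_token_HSM(self):
 """Test if certmonger reads the token in HSM
 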
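Review bot: `@skip_if_fips()` on test_certmonger_reads_token_HSM carries no reason in the code, so the skip report will not say that the cause is the PKCS#12 private-key import failure quoted in the commit message, and nothing marks the skip as temporary. HSM token handling under FIPS/STIG policy therefore loses this test's coverage without a tracking reference. I would add a comment above the decorator, `# PKCS#12 key import fails under FIPS/STIG policy (SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY); re-enable once fixed`, and pass the same text as the decorator's reason if skip_if_fips accepts one. The test body continues outside the hunk.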
--
2.41.0