From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001 From: Sudhir Menon Date: Tue, 10 Oct 2023 15:22:27 +0530 Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy 1. test_certmonger_reads_token_HSM test in test_installaton.py is failing in FIPS/STIG mode with the below error. SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key in STIG mode 2. Adding the posfix config change, because there was a crash seen in smtpd in FIPS mode. ie. postconf -e smtpd_tls_fingerprint_digest=sha256 KCS: https://access.redhat.com/solutions/6958957 Signed-off-by: Sudhir Menon Reviewed-By: Florence Blanc-Renaud --- ipatests/test_integration/test_epn.py | 4 +++- ipatests/test_integration/test_installation.py | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644 --- a/ipatests/test_integration/test_epn.py +++ b/ipatests/test_integration/test_epn.py @@ -180,7 +180,6 @@ def configure_starttls(host): postconf(host, 'smtpd_tls_session_cache_timeout = 3600s') # announce STARTTLS support to remote SMTP clients, not require postconf(host, 'smtpd_tls_security_level = may') - host.run_command(["systemctl", "restart", "postfix"]) @@ -208,6 +207,9 @@ def configure_ssl_client_cert(host): # CA certificates of root CAs trusted to sign remote SMTP client cert postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}") + if host.is_fips_mode: + postconf(host, 'smtpd_tls_fingerprint_digest = sha256') + host.run_command(["systemctl", "restart", "postfix"]) diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644 --- a/ipatests/test_integration/test_installation.py 
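Review bot: In the second test_epn.py hunk (configure_ssl_client_cert), `smtpd_tls_fingerprint_digest = sha256` is applied only when `host.is_fips_mode` is true, so non-FIPS runs keep whatever digest the installed Postfix defaults to, which on older Postfix releases is MD5. Setting it unconditionally with `postconf(host, 'smtpd_tls_fingerprint_digest = sha256')` would keep FIPS and non-FIPS runs on the same configuration and stop the test from relying on a weak hash for client-certificate fingerprints. This assumes nothing else in the test depends on MD5 fingerprints, which the hunk does not show. Either way the line deserves a comment such as `# smtpd crashed in FIPS mode with the default fingerprint digest (KCS 6958957)`, because the reason is currently recorded only in the commit message. The function starts above the hunk.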
+++ b/ipatests/test_integration/test_installation.py @@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup from ipatests.test_integration.test_cert import get_certmonger_fs_id +from ipatests.pytest_ipa.integration import skip_if_fips from ipaplatform import services @@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest): tasks.install_replica(self.master, self.replicas[1], setup_ca=False) tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"]) + @skip_if_fips() def test_certmonger_reads_token_HSM(self): """Test if certmonger reads the token in HSM -- 2.41.0
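Review bot: The `@skip_if_fips()` added on test_certmonger_reads_token_HSM states no cause, so neither the test file nor a skipped run says why the test is disabled in FIPS mode. The PKCS#12 import failure is described only in the commit message. A comment above the decorator would keep it visible, e.g. `# PKCS#12 private-key import fails under FIPS/STIG policy (SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY)`; the same text could be passed as the helper's reason argument, if it accepts one. The skip also drops HSM token coverage on FIPS hosts entirely, so a tracking-ticket reference next to it would help get the test re-enabled once a FIPS-compatible key import path exists. The test body continues outside the hunk.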