Red Hat Network Satellite 5.4 Client Configuration Guide
Red Hat Network Satellite
Edition 2
Landmann rlandmann@redhat.
Legal Notice

Copyright © 2010 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Table of Contents

Chapter 1. Introduction
Chapter 2. Client Applications
2.1.
Chapter 1. Introduction

This best practices guide is intended to help customers of RHN Satellite Server and RHN Proxy Server configure their client systems more easily. By default, all Red Hat Network client applications are configured to communicate with central Red Hat Network Servers. When connecting clients to RHN Satellite Server or RHN Proxy Server instead, many of these settings must be altered. Altering client settings for a system or two may be relatively simple.
Chapter 2. Client Applications

In order to utilize most enterprise-class features of Red Hat Network, such as registering with a RHN Satellite, configuration of the latest client applications is required. Obtaining these applications before the client has registered with Red Hat Network can be difficult. This paradox is especially problematic for customers migrating large numbers of older systems to Red Hat Network.
2.2. Configuring the Client Applications

Not every customer must connect securely to a RHN Satellite Server or RHN Proxy Server within their organization. Not every customer needs to build and deploy a GPG key for custom packages. (Both of these topics are explained in detail later.
RHN Proxy Server or RHN Satellite Server. Activation keys can be used to register, entitle, and subscribe systems in a batch. Refer to the section "Activation Keys" in the RHN Satellite Server Reference Guide for more information on activation keys.

Registering with an activation key has four basic steps:

1. Generate an Activation Key.
2. Import custom GPG keys.
3.
https://your_proxy_or_sat.your_domain.com/XMLRPC. Retain the /XMLRPC at the end. When finished, click OK.

Figure 2.1. Red Hat Update Agent GUI Configuration

Make sure you enter the domain name of your RHN Satellite Server or RHN Proxy Server correctly. Entering an incorrect domain or leaving the field blank may prevent up2date --configure from launching. This may be resolved, however, by editing the value in the up2date configuration file. Refer to Section 2.2.
serverURL[comment]=Remote server URL
serverURL=https://your_primary.your_domain.com/XMLRPC
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://your_primary.your_domain.com/XMLRPC

Warning

The httpProxy setting in /etc/sysconfig/rhn/up2date does not refer to the RHN Proxy Server. It is used to configure an optional HTTP proxy for the client.
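A check for the three settings discussed above can be scripted and run on each client after reconfiguration. The following is an added example, not part of the original guide; the function names, the hostname sat.example.com and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the guide: audit the up2date settings above.
# check_up2date_conf FILE HOST prints one finding per line and returns
# 0 when the file is clean, 1 otherwise. The function name is hypothetical.
check_up2date_conf() {
    conf=$1; host=$2; rc=0
    # Read "key=value"; the "key[comment]=..." lines do not match.
    url=$(sed -n 's/^serverURL=//p' "$conf" | tail -n 1)
    plain=$(sed -n 's/^noSSLServerURL=//p' "$conf" | tail -n 1)
    proxy=$(sed -n 's/^httpProxy=//p' "$conf" | tail -n 1)

    case $url in
        "https://$host/XMLRPC") ;;
        https://*/XMLRPC) echo "serverURL names another host: $url"; rc=1 ;;
        https://*) echo "serverURL does not end in /XMLRPC: $url"; rc=1 ;;
        *) echo "serverURL is not an https URL: $url"; rc=1 ;;
    esac
    case $plain in
        "http://$host/XMLRPC") ;;
        *) echo "noSSLServerURL does not match $host: $plain"; rc=1 ;;
    esac
    # httpProxy is an ordinary HTTP proxy, never the RHN Proxy Server.
    case $proxy in
        *"$host"*) echo "httpProxy names the RHN server: $proxy"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: plain-http serverURL, missing /XMLRPC, misused httpProxy.
write_sample_conf() {
    cat > "$1" <<'EOF'
serverURL[comment]=Remote server URL
serverURL=http://sat.example.com/XMLRPC
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://sat.example.com
httpProxy=sat.example.com:8080
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_up2date_conf "$sample" sat.example.com || echo "findings reported"
rm -f "$sample"
```

On a real client the first argument would be /etc/sysconfig/rhn/up2date and the second the hostname of your RHN Satellite Server or RHN Proxy Server.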
The Package Updater Applet stays in the notification tray of the desktop panel and checks for new updates periodically.
Chapter 3. SSL Infrastructure

For Red Hat Network customers, security concerns are of the utmost importance. One of the strengths of Red Hat Network is its ability to process every single request over Secure Sockets Layer, or SSL. To maintain this level of security, customers installing Red Hat Network within their infrastructures must generate custom SSL keys and certificates.
Important

The most critical portion of this system is the CA SSL key pair. From that private key and public certificate an administrator can regenerate any Web server's SSL key set. This CA SSL key pair must be secured.
The installation procedures of both the RHN Satellite Server and the RHN Proxy Server ensure the CA SSL public certificate is deployed to the /pub directory of each server. This public certificate is used by the client systems to connect to the RHN Server. Refer to Section 3.3, “Deploying the CA SSL Public Certificate to Clients” for more information.
generation.
Table 3.1. SSL Certificate Authority (CA) Options (rhn-ssl-tool --gen-ca --help)

Option | Description
--gen-ca | Generate a Certificate Authority (CA) key pair and public RPM. This must be issued with any of the remaining options in this table.
-h, --help | Display the help screen with a list of base options specific to generating and managing a Certificate Authority.
-f, --force | Forcibly create a new CA private key and/or public certificate.
--key-only | Rarely used - Generate only a CA private key. Review --gen-ca --key-only --help for more information.
--cert-only | Rarely used - Generate only a CA public certificate. Review --gen-ca --cert-only --help for more information.
--rpm-only | Rarely used - Generate only an RPM for deployment. Review --gen-ca --rpm-only --help for more information.
--no-rpm | Rarely used - Conduct all CA-related steps except RPM generation.
Table 3.2. SSL Web Server Options (rhn-ssl-tool --gen-server --help)

Option | Description
--gen-server | Generate the Web server's SSL key set, RPM and tar archive. This must be issued with any of the remaining options in this table.
-h, --help | Display the help screen with a list of base options specific to generating and managing a server key-pair.
-p=, --password=PASSWORD | The CA password. You will be prompted for this if it's missing.
-v, --verbose | Display verbose messaging. Accumulative added "v"s result in increasing detail.
--key-only | Rarely used - Generate only a server private key. Review --gen-server --key-only --help for more information.
--cert-req-only | Rarely used - Generate only a server certificate request. Review --gen-server --cert-req-only --help for more information.
--cert-only | Rarely used - Generate only a server certificate. Review --gen-server --cert-only --help for more information.
/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
rhn-ca-openssl.cnf — the SSL CA configuration file
latest.txt — always lists the latest versions of the relevant files.

Once finished, you're ready to distribute the RPM to client systems. Refer to Section 3.3, “Deploying the CA SSL Public Certificate to Clients”.

3.2.4.
This public directory can be inspected easily by simply browsing to it via any web browser: http://proxy-or-sat.example.com/pub/. The CA SSL public certificate in that directory can be downloaded to a client system using wget or curl. For example:

curl -O http://proxy-or-sat.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT
wget http://proxy-or-sat.example.
Chapter 4. Importing Custom GPG Keys

For customers who plan to build and distribute their own RPMs securely, it is strongly recommended that all custom RPMs are signed using GNU Privacy Guard (GPG). Generating GPG keys and building GPG-signed packages are covered in the Red Hat Network Channel Management Guide. Once the packages are signed, the public key must be deployed on all systems importing these RPMs.
Chapter 5. Using RHN Bootstrap

Red Hat Network provides a tool that automates much of the manual reconfiguration described in previous chapters: RHN Bootstrap. This tool plays an integral role in the RHN Satellite Server Installation Program, enabling generation of the bootstrap script during installation. RHN Proxy Server customers and customers with updated Satellite settings require a bootstrap tool that can be used independently.
package (RPM) containing that certificate available on that RHN Server and include it during script generation with the --ssl-cert option. Refer to Chapter 3, SSL Infrastructure for details. Have the values ready to develop one or many bootstrap scripts, depending on the variety of systems to be reconfigured.
system. Log into each client machine and issue the following command, altering script and hostname accordingly:

wget -qO - \
https://your-satellite.example.com/pub/bootstrap/bootstrap-EDITED-NAME.sh \
| /bin/bash

Or, with curl:

curl -Sks \
https://your-satellite.example.com/pub/bootstrap/bootstrap-EDITED-NAME.sh \
| /bin/bash

When this script has been run on each client system, all should be configured to use the RHN Server.

5.4.
Table 5.1. RHN Bootstrap Options

Option | Description
-h, --help | Display the help screen with a list of options specific to generating the bootstrap script.
--activation-keys=ACTIVATION_KEYS | activation key(s) as defined in the RHN website with multiple entries separated by a comma and no space
--overrides=OVERRIDES | Configuration overrides filename. The default is client-config-overrides.txt.
--script=SCRIPT | The bootstrap script filename.
--no-up2date | Not recommended - Boolean; including this option ensures up2date will not run once the system has been bootstrapped.
--pub-tree=PUB_TREE | Change not recommended - The public directory tree where the CA SSL certificate and package will land; the bootstrap directory and scripts. The default is /var/www/html/pub/.
--force | Not recommended - Boolean; including this option forces bootstrap script generation despite warnings.
Chapter 6. Manually Scripting the Configuration

Note that this chapter provides an alternative to using RHN Bootstrap to generate the bootstrap script. With these instructions, you should be able to create your own bootstrap script from scratch. All of the initial techniques have shared a common theme: the deployment of necessary files in a centralized location to be retrieved and installed using simple, scriptable commands run on each client.
Like its components, this script may be centrally located. By placing this script in the /pub/ directory of the server, running wget -O- on it, and piping the output to a shell session, one may run the entire bootstrap process with a single command from each client:

wget -O - http://proxy-or-sat.example.com.
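Both this single-command form and the `wget -qO - ... | /bin/bash` and `curl -Sks ... | /bin/bash` commands in Chapter 5 execute whatever bytes arrive, and the `-k` in the curl form tells curl to skip certificate verification. The following added example, which is not part of the original guide, saves the script, checks it and only then runs it; it assumes the CA certificate is already on the client at /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT and that the administrator recorded the script's SHA-256 digest when generating it, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the guide: save the bootstrap script, check it,
# then run it. Function names and the digest workflow are assumptions.

# fetch_bootstrap URL CA_CERT OUT: HTTPS download checked against the CA
# certificate; without -k, a certificate failure aborts the transfer. E.g.:
#   fetch_bootstrap \
#     https://your-satellite.example.com/pub/bootstrap/bootstrap-EDITED-NAME.sh \
#     /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /tmp/bootstrap.sh
fetch_bootstrap() {
    curl -fsS --cacert "$2" -o "$3" "$1"
}

# verify_sha256 FILE EXPECTED: succeeds only when the digests are equal.
verify_sha256() {
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED: hand FILE to bash only after it verifies.
run_verified() {
    if verify_sha256 "$1" "$2"; then
        /bin/bash "$1"
    else
        echo "digest mismatch for $1, refusing to run it" >&2
        return 2
    fi
}

# Offline demonstration with a constructed stand-in for the real script.
demo_dir=$(mktemp -d)
printf 'echo "bootstrap ran"\n' > "$demo_dir/bootstrap.sh"
published=$(sha256sum "$demo_dir/bootstrap.sh" | cut -d' ' -f1)
run_verified "$demo_dir/bootstrap.sh" "$published"
echo 'echo "tampered"' >> "$demo_dir/bootstrap.sh"   # simulate modification
run_verified "$demo_dir/bootstrap.sh" "$published" || echo "blocked"
rm -rf "$demo_dir"
```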
Chapter 7. Implementing Kickstart

Obviously, the best time to make configuration changes to a system is when that system is first being built. For customers who already use kickstart effectively, the bootstrapping script is an ideal addition to that process.
# Generic 7.2 kickstart for laptops in the Widget Corporation (widgetco)
# Standard kickstart options for a network-based install. For an
# explanation of these options, consult the Red Hat Linux Customization
# Guide.
lang en_US
langsupport --default en_US en_US
keyboard defkeymap
network --bootproto dhcp
install
url --url ftp://ftp.widgetco.com/pub/redhat/linux/7.
# --activationkey flag, which describes an activation key. For example,
# this activation key could be set up in the Web interface to join this
# system to the "Laptops" group and the local Widgetco "Laptop Software"
# channel.
# Note that this section applies only to Proxy users, as this step is
# handled by the Satellite bootstrap script.
# For more information about activation keys, consult the Red Hat Network
# Management Reference Guide.
Sample Bootstrap Script

The /var/www/html/pub/bootstrap/bootstrap.sh script generated by the RHN Satellite Server installation program provides the ability to reconfigure client systems to access your RHN Server easily. It is available to both RHN Satellite Server and RHN Proxy Server customers through the RHN Bootstrap tool. After modifying the script for your particular use, it can be run on each client machine.
#!/bin/bash
echo "RHN Server Client bootstrap script v3.6"

# This file was autogenerated. Minor manual editing of this script (and
# possibly the client-config-overrides.txt file) may be necessary to complete
# the bootstrap setup. Once customized, the bootstrap script can be triggered
# in one of two ways (the first is preferred):
#
# (1) centrally, from the RHN Server via ssh (i.e.
echo "  - ACTIVATION_KEYS needs to reflect the activation key(s) value(s)"
echo "    from the website. XKEY or XKEY,YKEY"
echo "  - ORG_GPG_KEY needs to be set to the name of the corporate public"
echo "    GPG key filename (residing in /var/www/html/pub) if appropriate."
echo
echo "Verify that the script variable settings are correct:"
echo "  - CLIENT_OVERRIDES should be only set differently if a customized"
echo "    client-config-overrides-VER.
echo
echo "* attempting to install corporate public CA cert"
if [ $USING_SSL -eq 1 ] ; then
    if [ $ORG_CA_CERT_IS_RPM_YN -eq 1 ] ; then
        rpm -Uvh ${HTTP_PUB_DIRECTORY}/${ORG_CA_CERT}
    else
        rm -f ${ORG_CA_CERT}
        $FETCH ${HTTP_PUB_DIRECTORY}/${ORG_CA_CERT}
        mv ${ORG_CA_CERT} /usr/share/rhn/
    fi
fi

echo
echo "REGISTRATION"
echo "------------"
# Should have created an activation key or keys on the RHN Server's
# website and edited the value of ACTIVATION_KEYS above.
Revision History

Revision 2-2.33.400    2013-10-30    Rüdiger Landmann
Rebuild with publican 4.0.0

Revision 2-2.33
Rebuild for Publican 3.