Chapter 1. Introduction
This best practices guide is intended to help customers of RHN Satellite Server and RHN Proxy Server more easily configure their client systems. By default, all Red Hat Network client applications are configured to communicate with central Red Hat Network Servers.
Chapter 2. Client Applications
Most of the enterprise-class features of Red Hat Network have required changes to the Red Hat Network client applications themselves. Of course, it’s difficult to get the latest versions of these applications until the systems are registered with Red Hat Network. This sort of chicken-and-egg problem is especially problematic for customers who want to migrate large numbers of older systems to Red Hat Network.
2.2. Configuring the Client Applications
Not every customer will need to connect securely to an RHN Satellite Server or RHN Proxy Server within their organization. And not every customer will need to build and deploy a GPG key for custom packages.
2.2.2. Using the Option --configure
Both the Red Hat Network Registration Client and the Red Hat Update Agent that ship with Red Hat Enterprise Linux provide interfaces for configuring various settings. For full listings of these settings, refer to the chapters dedicated to the applications in the RHN Management Reference Guide.
Warning
Systems running Red Hat Enterprise Linux 3 or newer have registration functionality built into the Red Hat Update Agent and therefore do not have the Red Hat Network Registration Client installed. Systems running Red Hat Enterprise Linux 2.1 (and versions of Red Hat Linux prior to 8.0) still need to reconfigure and use the Red Hat Network Registration Client, as well as the Red Hat Update Agent.
To configure the Red Hat Update Agent on the client systems connecting to the RHN Proxy Server or RHN Satellite Server, edit the values of the serverURL and noSSLServerURL settings in the /etc/sysconfig/rhn/up2date configuration file (as root). Replace the default Red Hat Network URL with the fully qualified domain name (FQDN) for the RHN Proxy Server or RHN Satellite Server.
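One way to script the edit just described, as an added example that is not part of the guide: only the host part of serverURL and noSSLServerURL is replaced, so the scheme and path of the stock file survive whatever the default host happens to be. The sample up2date file contents and the FQDN are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the guide: point the Red Hat Update Agent at an RHN
# Proxy or Satellite by rewriting only the host part of serverURL and
# noSSLServerURL in /etc/sysconfig/rhn/up2date, keeping scheme and path intact.
set -eu

# point_up2date_at CONFIG_FILE FQDN   (edits the file in place, GNU sed -i)
point_up2date_at() {
    cfg=$1; fqdn=$2
    # Match "serverURL=https://" or "noSSLServerURL=http://", then swap the host.
    sed -i -e "s|^\(serverURL=https\{0,1\}://\)[^/]*|\1${fqdn}|" \
           -e "s|^\(noSSLServerURL=https\{0,1\}://\)[^/]*|\1${fqdn}|" "$cfg"
}

# up2date_setting CONFIG_FILE KEY  -> prints the value of KEY
up2date_setting() { sed -n "s/^$2=//p" "$1"; }

# Constructed stand-in for the stock file (only the lines that matter here);
# the default host is the one the guide's own perl one-liner replaces.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Automatically generated Red Hat Update Agent config file, do not edit.
enableProxy=0
serverURL=https://www.rhns.redhat.com/XMLRPC
noSSLServerURL=http://www.rhns.redhat.com/XMLRPC
EOF
    echo "$f"
}

# Demo run on the constructed file.
f=$(sample_config)
point_up2date_at "$f" your_proxy_or_sat.your_domain.com
up2date_setting "$f" serverURL        # https://your_proxy_or_sat.your_domain.com/XMLRPC
up2date_setting "$f" noSSLServerURL   # http://your_proxy_or_sat.your_domain.com/XMLRPC
```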
1. Ensure you’re running RHN Satellite Server 3.4 or later and have the package rhns-applet installed on the Satellite. The package can be found in the RHN Satellite software channel for versions 3.4 and newer.
2. Install the rhn-applet-actions package on all Red Hat Enterprise Linux 3 and newer systems to be notified of custom updates with the Red Hat Network Alert Notification Tool.
Chapter 3. SSL Infrastructure
For Red Hat Network customers, security concerns are of the utmost importance. One of the strengths of Red Hat Network is its ability to process every single request over Secure Sockets Layer, or SSL. To maintain this level of security, customers installing Red Hat Network within their infrastructures must generate custom SSL keys and certificates.
verifiable association between the Web server’s SSL public certificate and the CA SSL key pair and server’s private key. The Web server’s key set cannot be shared with other web servers.
Important
The most critical portion of this system is the CA SSL key pair. From that private key and public certificate an administrator can regenerate any Web server’s SSL key set.
In short, if your organization’s RHN infrastructure deploys the latest version of RHN Satellite Server as its top-level service, you will likely have little need to use the tool. Otherwise, you will have to be familiar with its usage.
3.2.1.
Option        Description
--gen-ca      Generate a Certificate Authority (CA) key pair and public RPM. This must be issued with any of the remaining options in this table.
--help        Display the help screen with a list of base options specific to generating and managing a Certificate Authority.
Option        Description
--key-only    Rarely used - Generate only a CA private key. Review --gen-ca --key-only --help for more information.
--cert-only   Rarely used - Generate only a CA public certificate. Review --gen-ca --cert-only --help for more information.
              Rarely used - Generate only an RPM for deployment.
Option                                  Description
--set-org=ORGANIZATION                  The company or organization. The default is Example Corp. Inc.
--set-org-unit=ORGANIZATIONAL_UNIT      The organizational unit. The default is section.
--set-common-name=HOSTNAME              The common name, typically host plus domain name.
--set-hostname=HOSTNAME                 The hostname of the RHN Server to receive the key. The default is dynamically set to the build machine’s hostname.
3.2.3. Generating the Certificate Authority SSL Key Pair
Before creating the SSL key set required by the Web server, you must have a Certificate Authority (CA) SSL key pair generated. A CA SSL public certificate gets distributed to client systems of the Satellite or Proxy.
• rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm: prepared for distribution to RHN Servers. Its associated src.rpm file is also generated. This RPM contains the above three files. It will install them in these locations:
  • /etc/httpd/conf/ssl.key/server.key
  • /etc/httpd/conf/ssl.csr/server.csr
  • /etc/httpd/conf/ssl.crt/server.crt
• rhn-server-openssl.cnf: ...
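A check worth running on a Web server key set before packaging it, as an added example that is not part of the guide or of rhn-ssl-tool: it confirms the "verifiable association" the chapter describes, i.e. that server.crt was signed by the org CA and that server.key is the private key behind it. The CA and server files used below are throwaway keys generated inside the script; in practice you would pass the org CA certificate your Satellite or Proxy distributes and the guide's /etc/httpd/conf/ssl.* paths.

```shell
#!/bin/sh
# Added example, not from the guide or rhn-ssl-tool: check a Web server SSL key
# set the way the text describes it, i.e. the cert chains to the org CA and the
# private key belongs to that cert. The CA certificate path is whatever your
# org distributes (assumed); the server files are the guide's install paths.
set -eu

# verify_server_key_set CA_CERT SERVER_KEY SERVER_CERT
# Prints "ok" and returns 0, or prints the failing check and returns 1.
verify_server_key_set() {
    ca_cert=$1; server_key=$2; server_cert=$3
    # Check 1: the CA's private key must have signed the server certificate.
    if ! openssl verify -CAfile "$ca_cert" "$server_cert" >/dev/null 2>&1; then
        echo "cert-not-signed-by-ca"; return 1
    fi
    # Check 2: the public key inside the cert must match the private key file.
    key_pub=$(openssl pkey -in "$server_key" -pubout -outform DER | openssl sha256)
    cert_pub=$(openssl x509 -in "$server_cert" -pubkey -noout \
               | openssl pkey -pubin -outform DER | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "key-does-not-match-cert"; return 1
    fi
    echo "ok"
}

# Constructed fixtures (throwaway keys, 1-day validity): an org CA, a server key
# set signed by it, and a second key set self-signed by an unrelated key.
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Example Corp. Inc./CN=Example CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sat.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sat.example.com" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
    echo "$d"
}

# Demo: the good set verifies; the wrong key, or a cert the org CA never
# signed (even with the right common name), is caught before the RPM is built.
d=$(make_fixtures)
verify_server_key_set "$d/ca.crt" "$d/server.key" "$d/server.crt"            # ok
verify_server_key_set "$d/ca.crt" "$d/other.key"  "$d/server.crt" || true    # key-does-not-match-cert
verify_server_key_set "$d/ca.crt" "$d/other.key"  "$d/other.crt"  || true    # cert-not-signed-by-ca
```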
Chapter 4. Importing Custom GPG Keys
For customers who plan to build and distribute their own RPMs securely, it’s strongly recommended that all custom RPMs are signed using GNU Privacy Guard (GPG). Generating GPG keys and building GPG-signed packages are covered in the Red Hat Network Channel Management Guide. Once the packages are signed, the public key must be deployed on all systems importing these RPMs.
Chapter 5. Using RHN Bootstrap
Red Hat provides a tool designed to accomplish much of the reconfiguration described within this guide in one fell swoop: RHN Bootstrap. This tool plays an integral role in the RHN Satellite Server Installation Program, enabling generation of the bootstrap script during installation. But RHN Proxy Server customers and those who’ve updated their Satellite settings need a bootstrap tool that can be used separately.
• Red Hat recommends your RPMs be signed by a custom GNU Privacy Guard (GPG) key. Make the key available so you may refer to it from the script. Generate the key as described in the RHN Channel Management Guide and place the key in the /var/www/html/pub/ directory of the RHN ...
    cat bootstrap-EDITED-NAME.sh | ssh root@CLIENT_MACHINE1 /bin/bash
A less secure alternative is to use either wget or curl to retrieve and run the script from every client system. Log into each client machine and issue the following command, altering script and hostname accordingly:
    wget -qO- https://test.com/pub/bootstrap/bootstrap-EDITED-NAME.sh | /bin/bash
Or with,...
Option                     Description
--allow-config-actions     Boolean; including this option sets the system to allow all configuration actions via RHN. This requires installing certain rhncfg-* packages, possibly through an activation key.
--allow-remote-commands    Boolean; including this option sets the system to allow arbitrary remote commands via RHN.
    \ http://your_proxy_or_sat.your_domain.com/pub/up2date-3.0.7-1.i386.rpm \
    http://your_proxy_or_sat.your_domain.com/pub/up2date-gnome-3.0.7-1.i386.rpm
# Second, reconfigure the clients to talk to the correct server.
perl -p -i -e 's/www\.rhns\.redhat\.com/your_proxy_or_sat\.your_domain\.com/g' \
    /etc/sysconfig/rhn/rhn_register \
    /etc/sysconfig/rhn/up2date
# Third, install the SSL client certificate for your company's
# RHN Satellite Server or RHN Proxy Server.
Chapter 6. Manually Scripting the Configuration
Like its components, this script may be centrally located. By placing this script in the /pub/ directory of the server, running wget -O- on it, and piping the output to a shell session, one may run the entire bootstrap process with a single command from each client:
    wget -O- http://your_proxy_or_sat.your_domain.com/pub/bootstrap_script | bash...
# of these options, consult the Red Hat Linux Customization Guide.
lang en_US
langsupport --default en_US en_US
keyboard defkeymap
network --bootproto dhcp
install
url --url ftp://ftp.widgetco.com/pub/redhat/linux/7.2/en/os/i386
zerombr yes
clearpart --all
part /boot --size 128 --fstype ext3 --ondisk hda
part /...
Chapter 7. Implementing Kickstart
@ Games and Entertainment
@ Sound and Multimedia Support
# Now for the interesting part.
%post
(
# Note that we run the entire %post section as a subshell for logging.
# Remember that nifty one-line command for the bootstrap script that we
# went through? This is an ideal place for it.
Appendix A. Sample Bootstrap Script
The /var/www/html/pub/bootstrap/bootstrap.sh script generated by the RHN Satellite Server installation program and available to both Satellite and RHN Proxy Server customers through the use of RHN Bootstrap provides the ability to reconfigure client systems to use the RHN Server easily.
echo "following:"
echo " - copy this file to a name specific to its use."
echo "   (e.g., to bootstrap-SOME_NAME.sh - like bootstrap-web-servers.sh.)"
echo " - on the website create an activation key or keys for the system(s) to"
echo "...
# Should have created an activation key or keys on the RHN Server's
# website and edited the value of ACTIVATION_KEYS above.
# If you require use of several different activation keys, copy this file and
# change the string as needed.