Red Hat NETWORK SATELLITE 5.3.0 - CLIENT Configuration Manual

Client configuration

Summary of Contents for Red Hat NETWORK SATELLITE 5.3.0 - CLIENT

  • Page 1 Red Hat Network Satellite 5.3.0 Client Configuration Guide Red Hat Network Satellite...
  • Page 2 Client Configuration Guide Red Hat Network Satellite 5.3.0 Client Configuration Guide Red Hat Network Satellite Edition 5.3.0 Copyright © 2009 Red Hat, Inc. This material may only be distributed subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version of the OPL is presently available at http://www.opencontent.org/openpub/).
  • Page 3: Table Of Contents

    1. Introduction
    2. Client Applications
    2.1. Deploying the Latest Red Hat Network Client RPMs (p. 3)
    2.2. Configuring the Client Applications (p. 4)
    2.2.1. Registering with Activation Keys (p. 4)
    2.2.2. The up2date --configure Option (p. 5)
    2.2.3. Updating the Configuration Files Manually (p. 6)
    2.2.4.
  • Page 5: Introduction

    Chapter 1. Introduction This best practices guide is intended to help customers of RHN Satellite Server and RHN Proxy Server configure their client systems more easily. By default, all Red Hat Network client applications are configured to communicate with central Red Hat Network Servers.
  • Page 7: Client Applications

    Chapter 2. Client Applications In order to utilize most enterprise-class features of Red Hat Network, such as registering with a RHN Satellite, configuration of the latest client applications is required. Obtaining these applications before the client has registered with Red Hat Network can be difficult. This paradox is especially problematic for customers migrating large numbers of older systems to Red Hat Network.
  • Page 8: Configuring The Client Applications

    Chapter 2. Client Applications http://your_proxy_or_sat.your_domain.com/pub/pirut-1.3.28-13.3l5.noarch.rpm Keep in mind that the architecture (in this case, i386) may need to be altered depending on the systems to be served. 2.2. Configuring the Client Applications Not every customer must connect securely to a RHN Satellite Server or RHN Proxy Server within their organization.
  • Page 9: The Up2Date --Configure Option

    The up2date --configure Option
    rpm -Uvh \
        http://your-satellite.com/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
    4. Register the system with your RHN Proxy Server or RHN Satellite Server. The command for this step could look something like:
    rhnreg_ks --activationkey mykey --serverUrl https://your-satellite.com/XMLRPC
    Alternatively, most of the above steps can be combined in a shell script that includes the following lines:
    wget -O - http://your-satellite-FQDN/pub/bootstrap.sh | bash \ &&...
  • Page 10: Updating The Configuration Files Manually

    Chapter 2. Client Applications Figure 2.1. Red Hat Update Agent GUI Configuration Make sure you enter the domain name of your RHN Satellite Server or RHN Proxy Server correctly. Entering an incorrect domain or leaving the field blank may prevent up2date --configure from launching.
  • Page 11: Implementing Server Failover

    Implementing Server Failover with the fully qualified domain name (FQDN) for the RHN Proxy Server or RHN Satellite Server. For example: serverURL[comment]=Remote server URL serverURL=https://your_primary.your_domain.com/XMLRPC noSSLServerURL[comment]=Remote server URL without SSL noSSLServerURL=http://your_primary.your_domain.com/XMLRPC Warning The httpProxy setting in /etc/sysconfig/rhn/up2date does not refer to the RHN Proxy Server.
  • Page 12: Configuring The Red Hat Network Alert Notification Tool With Satellite

    Chapter 2. Client Applications Figure 2.2. Package Updater Applet The Package Updater Applet stays in the notification tray of the desktop panel and checks for new updates periodically. The applet also allows you to perform a few package maintenance tasks from the applet by clicking the notification icon and choosing from the following actions: •...
  • Page 13: Ssl Infrastructure

    Chapter 3. SSL Infrastructure For Red Hat Network customers, security concerns are of the utmost importance. One of the strengths of Red Hat Network is its ability to process every single request over Secure Sockets Layer, or SSL. To maintain this level of security, customers installing Red Hat Network within their infrastructures must generate custom SSL keys and certificates.
  • Page 14: The Rhn Ssl Maintenance Tool

    Chapter 3. SSL Infrastructure servers. Each server has its own SSL key set that is specifically tied to that server's hostname and generated using its own SSL private key and the CA SSL private key in combination. This establishes a digitally verifiable association between the Web server's SSL public certificate and the CA SSL key pair and server's private key.
  • Page 15: Ssl Generation Explained

    SSL Generation Explained • During installation of an RHN Satellite Server - all SSL settings are configured during the installation process. The SSL keys and certificate are built and deployed automatically. • During installation of an RHN Proxy Server version 3.6 or later if connected to an RHN Satellite Server version 3.6 or later as its top-level service - the RHN Satellite Server contains all of the SSL information needed to configure, build and deploy the RHN Proxy Server's SSL keys and certificates.
  • Page 16: Rhn Ssl Maintenance Tool Options

    Chapter 3. SSL Infrastructure 7. Delete the build tree from the build system for security purposes, but only once the entire RHN infrastructure is in place and configured. 8. When additional Web server SSL key sets are needed, restore the build tree on a system running the RHN SSL Maintenance Tool and repeat steps 3 through 7.
  • Page 17 RHN SSL Maintenance Tool Options
    Option: Description
    --set-org=ORGANIZATION: The company or organization, such as Red Hat. The default is Example Corp. Inc.
    --set-org-unit=SET_ORG_UNIT: The organizational unit, such as RHN. The default is ''.
    --set-common-name=HOSTNAME: Not typically set for the CA. - The common name.
  • Page 18 Chapter 3. SSL Infrastructure
    Option: Description
    -d=, --dir=BUILD_DIRECTORY: Required for most commands - The directory where certificates and RPMs are built. The default is ./ssl-build.
    --server-key=FILENAME: The Web server's SSL private key filename. The default is server.key.
    --server-cert-req=FILENAME: The Web server's SSL certificate request filename.
  • Page 19: Generating The Certificate Authority Ssl Key Pair

    Generating the Certificate Authority SSL Key Pair
    Option: Description
    --cert-only: Rarely used - Generate only a server certificate. Review --gen-server --cert-only --help for more information.
    --rpm-only: Rarely used - Generate only an RPM for deployment. Review --gen-server --rpm-only --help for more information.
    --no-rpm: Rarely used - Conduct all server-related steps except RPM generation.
  • Page 20: Generating Web Server Ssl Key Sets

    Chapter 3. SSL Infrastructure • latest.txt — always lists the latest versions of the relevant files. Once finished, you're ready to distribute the RPM to client systems. Refer to Section 3.3, “Deploying the CA SSL Public Certificate to Clients”. 3.2.4. Generating Web Server SSL Key Sets Although you must have a CA SSL key pair already generated, you will likely generate web server SSL key sets more frequently, especially if more than one Proxy or Satellite is deployed.
  • Page 21: Deploying The Ca Ssl Public Certificate To Clients

    Deploying the CA SSL Public Certificate to Clients 3.3. Deploying the CA SSL Public Certificate to Clients Both the RHN Proxy Server and RHN Satellite Server installation processes make client deployment relatively easy by generating a CA SSL public certificate and RPM. These installation processes make those publicly available by placing a copy of one or both into the /var/www/html/pub/ directory of the RHN Server.
  • Page 23: Importing Custom Gpg Keys

    Chapter 4. Importing Custom GPG Keys For customers who plan to build and distribute their own RPMs securely, it is strongly recommended that all custom RPMs are signed using GNU Privacy Guard (GPG). Generating GPG keys and building GPG-signed packages are covered in the Red Hat Network Channel Management Guide. Once the packages are signed, the public key must be deployed on all systems importing these RPMs.
  • Page 25: Using Rhn Bootstrap

    Chapter 5. Using RHN Bootstrap Red Hat Network provides a tool that automates much of the manual reconfiguration described in previous chapters: RHN Bootstrap. This tool plays an integral role in the RHN Satellite Server Installation Program, enabling generation of the bootstrap script during installation. RHN Proxy Server customers and customers with updated Satellite settings require a bootstrap tool that can be used independently.
  • Page 26: Generation

    Chapter 5. Using RHN Bootstrap • Red Hat recommends your RPMs be signed by a custom GNU Privacy Guard (GPG) key. Make the key available so you may refer to it from the script. Generate the key as described in the RHN Channel Management Guide and place the key in the /var/www/html/pub/ directory of the RHN Chapter 4, Importing Custom GPG Keys.
  • Page 27: Script Use

    Script Use 5.3. Script Use Finally, when you're finished preparing the script for use, you are ready to run it. Log into the RHN Satellite Server or RHN Proxy Server, navigate to the /var/www/html/pub/bootstrap/ directory and run the following command, altering the hostname and name of the script as needed to suit the system type: cat bootstrap-EDITED-NAME.sh | ssh root@CLIENT_MACHINE1 /bin/bash A less secure alternative is to use either wget or curl to retrieve and run the script from every client...
  • Page 28 Chapter 5. Using RHN Bootstrap
    Option: Description
    --ssl-cert=SSL_CERT: The path to your organization's public SSL certificate, either a package or a raw certificate. It will be copied to the --pub-tree option. A value of "" will force a search of --pub-tree.
    --gpg-key=GPG_KEY: The path to your organization's public GPG key, if used.
  • Page 29 RHN Bootstrap Options
    Option: Description
    -v, --verbose: Display verbose messaging. Accumulative; -vvv causes extremely verbose messaging.
    Table 5.1. RHN Bootstrap Options...
  • Page 31: Manually Scripting The Configuration

    \
    http://proxy-or-sat.example.com/pub/up2date-3.0.7-1.i386.rpm \
    http://proxy-or-sat.example.com/pub/up2date-gnome-3.0.7-1.i386.rpm

    # Second, reconfigure the clients to talk to the correct server.
    perl -p -i -e 's/www\.rhns\.redhat\.com/proxy-or-sat\.example\.com/g' \
        /etc/sysconfig/rhn/rhn_register \
        /etc/sysconfig/rhn/up2date

    # Third, install the SSL client certificate for your company's
    # RHN Satellite Server or RHN Proxy Server.
  • Page 32 Chapter 6. Manually Scripting the Configuration Remember, the sixth step is documented here as it pertains to systems running Red Hat Linux 3 or newer. This script comprises a clean and repeatable process that should fully configure any potential Red Hat Network client in preparation for registration to an RHN Proxy Server or RHN Satellite Server.
  • Page 33: Implementing Kickstart

    # explanation of these options, consult the Red Hat Linux Customization # Guide. lang en_US langsupport --default en_US en_US keyboard defkeymap network --bootproto dhcp install url --url ftp://ftp.widgetco.com/pub/redhat/linux/7.2/en/os/i386 zerombr yes clearpart --all part /boot --size 128 --fstype ext3 --ondisk hda part / --size 2048 --grow --fstype ext3 --ondisk hda...
  • Page 34 Chapter 7. Implementing Kickstart %packages @ Base @ Utilities @ GNOME @ Laptop Support @ Dialup Support @ Software Development @ Graphics and Image Manipulation @ Games and Entertainment @ Sound and Multimedia Support # Now for the interesting part. %post ( # Note that we run the entire %post section as a subshell for logging.
  • Page 35: Sample Bootstrap Script

    Appendix A. Sample Bootstrap Script The /var/www/html/pub/bootstrap/bootstrap.sh script generated by the RHN Satellite Server installation program provides the ability to reconfigure client systems to access your RHN Server easily. It is available to both RHN Satellite Server and RHN Proxy Server customers through the RHN Bootstrap tool.
  • Page 36 Appendix A. Sample Bootstrap Script # PROVISIONING/KICKSTART NOTE: If provisioning a client, ensure the proper CA SSL public certificate is configured properly in the post section of your kickstart profiles (the RHN Satellite or hosted web user interface). # UP2DATE/RHN_REGISTER VERSIONING NOTE: This script will not work with very old versions of up2date and rhn_register.
  • Page 37 # can be edited, but probably correct: CLIENT_OVERRIDES=client-config-overrides.txt HOSTNAME=your_rhn_server_host.example.com ORG_CA_CERT=RHN-ORG-TRUSTED-SSL-CERT ORG_CA_CERT_IS_RPM_YN=0 USING_SSL=1 USING_GPG=1 REGISTER_THIS_BOX=1 ALLOW_CONFIG_ACTIONS=0 ALLOW_REMOTE_COMMANDS=0 FULLY_UPDATE_THIS_BOX=1 ----------------------------------------------------------------------------- # DO NOT EDIT BEYOND THIS POINT ----------------------------------------------- ----------------------------------------------------------------------------- # an idea from Erich Morisse (of Red Hat). # use either wget *or* curl # Also check to see if the version on the # machine supports the insecure mode and format # command accordingly.
  • Page 38 Appendix A. Sample Bootstrap Script HTTP_PUB_DIRECTORY=http://${HOSTNAME}/pub HTTPS_PUB_DIRECTORY=https://${HOSTNAME}/pub if [ $USING_SSL -eq 0 ] ; then HTTPS_PUB_DIRECTORY=${HTTP_PUB_DIRECTORY} echo echo "UPDATING RHN_REGISTER/UP2DATE CONFIGURATION FILES" echo "-------------------------------------------------" echo "* downloading necessary files" echo " client_config_update.py..." rm -f client_config_update.py $FETCH ${HTTPS_PUB_DIRECTORY}/bootstrap/client_config_update.py echo " ${CLIENT_OVERRIDES}..." rm -f ${CLIENT_OVERRIDES} $FETCH ${HTTPS_PUB_DIRECTORY}/bootstrap/${CLIENT_OVERRIDES} if [ ! -f "client_config_update.py"...
  • Page 39 echo echo "* attempting to install corporate public CA cert" if [ $USING_SSL -eq 1 ] ; then if [ $ORG_CA_CERT_IS_RPM_YN -eq 1 ] ; then rpm -Uvh ${HTTP_PUB_DIRECTORY}/${ORG_CA_CERT} else rm -f ${ORG_CA_CERT} $FETCH ${HTTP_PUB_DIRECTORY}/${ORG_CA_CERT} mv ${ORG_CA_CERT} /usr/share/rhn/ echo echo "REGISTRATION" echo "------------"...
  • Page 40 Appendix A. Sample Bootstrap Script echo "------------------------------------------------------" if [ $FULLY_UPDATE_THIS_BOX -eq 1 ] ; then echo "* completely updating the box" else echo "* ensuring up2date itself is updated" /usr/sbin/up2date up2date /usr/sbin/up2date -p if [ $FULLY_UPDATE_THIS_BOX -eq 1 ] ; then /usr/sbin/up2date -uf echo "-bootstrap complete-"...
  • Page 41: Revision History

    Appendix B. Revision History Revision 1.0 Fri Feb 27 2009...
  • Page 43: Index

    Index generating the server certificate, 16 generation explained, 11 options, 12 rhn-ssl-tool, 10 Symbols rhn-ssl-tool --configure generating the CA, 15 use of, 5 generating the server certificate, 16 generation explained, 11 options, 12 RHN SSL Maintenance Tool, 10 activation keys registering with, 4 SSL (Secure Sockets Layer) introduction, 9...
