Procedure

1. Install the cockpit package:

   # yum install cockpit

2. Enable and start the cockpit.socket service, which runs a web server:

   # systemctl enable --now cockpit.socket

3. If you are using a custom firewall profile, add the cockpit service to firewalld to open port 9090 in the firewall:

Verification steps

1. To verify the previous installation and configuration, you open the web console.

Procedure

1. Open the web console in your web browser:

   • Locally: https://localhost:9090
   • Remotely with the server’s hostname: https://example.com:9090

   • Remotely with the server’s IP address: https://192.0.2.2:9090

     If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

     The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).

2. In the login screen, enter your system user name and password.

   

3. Optionally, click the Reuse my password for privileged tasks option.

   If the user account you are using to log in has sudo privileges, this makes it possible to perform privileged tasks in the web console, such as installing software or configuring SELinux.

4. Click Log In.

Procedure

1. Open your web browser.

2. Type the remote server’s address in one of the following formats:

   1. With the server’s host name: server.hostname.example.com:port_number
   2. With the server’s IP address: server.IP_address:port_number
3. After the login interface opens, log in with your RHEL machine credentials.

Procedure

1. Open the RHEL web console in your browser:

   • Locally: https://localhost:PORT_NUMBER
   • Remotely with the server hostname: https://example.com:PORT_NUMBER

   • Remotely with the server IP address: https://EXAMPLE.SERVER.IP.ADDR:PORT_NUMBER

     If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

     The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).

2. The Login window opens. In the Login window, enter your system user name and password.
3. Generate a one-time password on your device.
4. Enter the one-time password into a new field that appears in the web console interface after you confirm your password.
5. Click Log in.
6. Succesful login takes you to the Overview page of the web console interface.

Procedure

1. Log into the RHEL 8 web console.

   For details, see Logging in to the web console.

2. Click Overview.

3. Click the Restart restart button.

   

4. If any users are logged into the system, write a reason for the restart in the Restart dialog box.

5. Optional: In the Delay drop down list, select a time interval.

   

6. Click Restart.

Procedure

1. Log into the RHEL 8 web console.

   For details, see Logging in to the web console.

2. Click Overview.

3. In the Restart drop down list, select Shut Down.

   

4. If any users are logged in to the system, write a reason for the shutdown in the Shut Down dialog box.
5. Optional: In the Delay drop down list, select a time interval.
6. Click Shut Down.

Procedure

1. Log into the RHEL web console.

   For details, see Logging in to the web console.

2. Open the System tab.

3. Click Join Domain.

   

4. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.

5. In the Authentication drop down list, select if you want to use a password or a one-time password for authentication.

   

6. In the Domain Administrator Name field, enter the user name of the IdM administration account.
7. In the password field, add the password or one-time password according to what you selected in the Authentication drop down list earlier.

8. Click Join.

   

Verification steps

1. If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.

2. To verify that the user is a member of the domain, click the Terminal page and type the id command:

   $ id
   euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Procedure

1. Log in to the RHEL 8 web console.

   For details, see Logging in to the web console.

2. Click the current system time in Overview.

   

3. In the Change System Time dialog box, change the time zone if necessary.

4. In the Set Time drop down menu, select one of the following:

   Manually

   Use this option if you need to set the time manually, without an NTP server.

   Automatically using NTP server

   This is a default option, which synchronizes time automatically with the preset NTP servers.

   Automatically using specific NTP servers

   Use this option only if you need to synchronize the system with a specific NTP server. Specify the DNS name or the IP address of the server.

5. Click Change.

   

Procedure

1. Log in to the RHEL 8 web console.

   For details, see Logging in to the web console.

2. Click System.

3. In the Hardware item, click the hardware information.

   

4. In the CPU Security item, click Mitigations.

   If this link is not present, it means that your system does not support SMT, and therefore is not vulnerable.

5. In the CPU Security Toggles, switch on the Disable simultaneous multithreading (nosmt) option.

   

6. Click on the Save and reboot button.

Procedure

1. Log in to the THEL 8 web console.

   For details, see Logging in to the web console.

2. Click Logs.

3. By default, web console shows logs from your current boot. To filter by a different time range, click on the drop down menu with your current date and choose a preferred option.

   

4. Error and above severity logs list is shown by default. To filter by different severity, click on the Error and above drop-down menu and choose a preferred severity.

   

5. By default, web console shows logs for all services. To filter logs for a particular service, click on the All drop-down menu and select a service name.

   

6. To open a log entry, click on a selected log.

Procedure

1. Log in to the RHEL web console.
2. Click Accounts.

3. Click Create New Account.

   

4. In the Full Name field, enter the full name of the user.

   The RHEL web console automatically suggests a user name from the full name and fills it in the User Name field. If you do not want to use the original naming convention consisting of the first letter of the first name and the whole surname, update the suggestion.

5. In the Password/Confirm fields, enter the password and retype it for verification that your password is correct. The color bar placed below the fields shows you security level of the entered password, which does not allow you to create a user with a weak password.

   

6. Click Create to save the settings and close the dialog box.
7. Select the newly created account.
8. Select Server Administrator in the Roles item.

Procedure

1. Log in to the RHEL 8 web console interface.
2. Click Accounts.
3. Select the user account for which to enforce password expiration.
4. In the user account settings, click Never expire password.

5. In the Password Expiration dialog box, select Require password change every …​ days and enter a positive whole number representing the number of days when the password expires.

   

6. Click Change.

Procedure

1. Log in to the RHEL 8 web console.
2. Click Accounts.
3. Click the user account for which you want to terminate the session.

4. Click the Terminate Session button.

   If the Terminate Session button is inactive, the user is not logged in to the system.

1. Log in to the RHEL web console with administrator privileges.

   For details, see Logging in to the web console.

2. Click Services in the web console menu on the left.

3. The default tab for Services is System Services. If you want to manage targets, sockets, timers, or paths, switch to the respective tab in the menu on top.

   

4. To open service settings, click on a selected service from the list. You can tell which services are active or inactive by checking the State column.

5. Activate or deactivate a service:

   • To activate an inactive service, click the Start button.

     

   • To deactivate an active service, click the Stop button.

     

1. Log in to the RHEL web console with administrator privileges.

   For details, see Logging in to the web console.

2. Click Services in the web console menu on the left.

3. The default tab for Services is System Services. If you want to manage targets, sockets, timers, or paths, switch to the respective tab in the menu on top.

   

4. To open service settings, click on a selected service from the list.

5. To restart a service, click the Restart button.

   

Procedure

1. Log in to the RHEL web console.

   For details, see Logging in to the web console.

2. Open Networking.

3. Click Add VLAN button.

   

4. In the VLAN Settings dialog box, select the physical interface for which you want to create a VLAN.
5. Enter the VLAN Id or just use the predefined number.

6. In the Name field, you can see a predefined name consisted of the parent interface and VLAN Id. If it is not necessary, leave the name as it is.

   

7. Click Apply.

Procedure

1. Log in to the RHEL 8 web console.

   For details, see Logging in to the web console.

2. Open the Networking section.

3. In the Firewall section, click ON to run the firewall.

   

   If you do not see the Firewall box, log in to the web console with the administration privileges.

Procedure

1. Log in to the RHEL 8 web console.

   For details, see Logging in to the web console.

2. Open the Networking section.

3. In the Firewall section, click OFF to stop it.

   

   If you do not see the Firewall box, log in to the web console with the administration privileges.

Procedure

1. Log in to the RHEL web console with administration privileges.

   For details, see Logging in to the web console.

2. Click Networking.

3. Click on the Firewall box title.

   

   If you do not see the Firewall box, log in to the web console with the administrator privileges.

4. In the Firewall section, click Add Services.
5. Click on the Add Zone button.

6. In the Add Zone dialog box, select a zone from the Trust level scale.

   You can see here all zones predefined in the firewalld service.

7. In the Interfaces part, select an interface or interfaces on which the selected zone is applied.

8. In the Allowed Addresses part, you can select whether the zone is applied on:

   • the whole subnet

   • or a range of IP addresses in the following format:

     • 192.168.1.0
     • 192.168.1.0/24
     • 192.168.1.0/24, 192.168.1.0

9. Click on the Add zone button.

   

Procedure

1. Log in to the RHEL web console with administrator privileges.

   For details, see Logging in to the web console.

2. Click Networking.

3. Click on the Firewall box title.

   

   If you do not see the Firewall box, log in to the web console with the administrator privileges.

4. In the Firewall section, click Add Services.

   

5. In the Add Services dialog box, select a zone for which you want to add the service.

   The Add Services dialog box includes a list of active firewall zones only if the system includes multiple active zones.

   If the system uses just one (the default) zone, the dialog does not include zone settings.

6. In the Add Services dialog box, find the service you want to enable on the firewall.

7. Enable desired services.

   

8. Click Add Services.

Procedure

1. Log in to the RHEL web console with administrator privileges.

   For details, see Logging in to the web console.

2. Click Networking.

3. Click on the Firewall box title.

   

   If you do not see the Firewall box, log in to the web console with the administration privileges.

4. In the Firewall section, click Add Services.

   

5. In the Add Services dialog box, select a zone for which you want to add the service.

   The Add Services dialog box includes a list of active firewall zones only if the system includes multiple active zones.

   If the system uses just one (the default) zone, the dialog does not include zone settings.

6. In the Add Ports dialog box, click on the Custom Ports radio button.

7. In the TCP and UDP fields, add ports according to examples. You can add ports in the following formats:

   • Port numbers such as 22
   • Range of port numbers such as 5900-5910
   • Aliases such as nfs, rsync
   Note

   You can add multiple values into each field. Values must be separated with the comma and without the space, for example: 8080,8081,http

8. After adding the port number in the TCP and/or UDP fields, verify the service name in the Name field.

   The Name field displays the name of the service for which is this port reserved. You can rewrite the name if you are sure that this port is free to use and no server needs to communicate on this port.

9. In the Name field, add a name for the service including defined ports.

10. Click on the Add Ports button.

    

Procedure

1. Log in to the RHEL web console with administrator privileges.

   For details, see Logging in to the web console.

2. Click Networking.

3. Click on the Firewall box title.

   

   If you do not see the Firewall box, log in to the web console with the administrator privileges.

4. On the Active zones table, click on the Delete icon at the zone you want to remove.

   

Procedure

1. Log in to the RHEL web console.

   For details, see Logging in to the web console.

2. Click on the Storage tab.

Procedure

1. Log in to the RHEL web console.

   For details, see Logging in to the web console.

2. Click the Storage tab.
3. In the Other Devices table, click a volume in which you want to create the partition.
4. In the Content section, click the Create Partition button.
5. In the Create partition dialog box, select the size of the new partition.

6. In the Erase drop down menu, select:

   • Don’t overwrite existing data — the RHEL web console rewrites only the disk header. Advantage of this option is speed of formatting.
   • Overwrite existing data with zeros — the RHEL web console rewrites the whole disk with zeros. This option is slower because the program has to go through the whole disk, but it is more secure. Use this option if the disk includes any data and you need to overwrite it.

7. In the Type drop down menu, select a file system:

   • XFS file system supports large logical volumes, switching physical drives online without outage, and growing an existing file system. Leave this file system selected if you do not have a different strong preference.

   • ext4 file system supports:

     • Logical volumes
     • Switching physical drives online without outage
     • Growing a file system
     • Shrinking a file system

   Additional option is to enable encryption of partition done by LUKS (Linux Unified Key Setup), which allows you to encrypt the volume with a passphrase.

8. In the Name field, enter the logical volume name.

9. In the Mounting drop down menu, select Custom.

   The Default option does not ensure that the file system will be mounted on the next boot.

10. In the Mount Point field, add the mount path.
11. Select Mount at boot.

12. Click the Create partition button.

    

    Formatting can take several minutes depending on the volume size and which formatting options are selected.

    After the formatting has completed successfully, you can see the details of the formatted logical volume on the Filesystem tab.

Procedure

1. Log in to the RHEL web console.

   For details, see Logging in to the web console.

2. Click on the Storage tab.
3. In the Filesystems table, select a volume in which you want to delete the partition.

4. In the Content section, click on the partition you want to delete.

   

5. The partition rolls down and you can click on the Delete button.

   

   The partition must not be mounted and used.

Procedure

1. Log in to the RHEL web console.

   For details, see Logging in to the web console.

2. Click on the Storage tab.
3. In the Filesystems table, select a volume in which you want to delete the partition.
4. In the Content section, click on the partition whose file system you want to mount or unmount.

5. Click on the Mount or Unmount button.

   

Procedure

1. Log in to the RHEL 8 web console.

   For details, see Logging in to the web console.

2. Click Software Updates.

   The list of available updates refreshes automatically if the last check happened more than 24 hours ago. To trigger a refresh, click the Check for Updates button.

3. Apply updates.

   1. To install all available updates, click the Install all updates button.

      

   2. If you have security updates available, you can install them separately by clicking the Install Security Updates button.

      

      You can watch the update log while the update is running.

4. After the system applies updates, you get a recommendation to restart your system.

   We recommend this especially if the update included a new kernel or system services that you do not want to restart individually.

5. Click Ignore to cancel the restart, or Restart Now to proceed with restarting your system.

   After the system restart, log in to the web console and go to the Software Updates page to verify that the update has been successful.

Procedure

1. Log in to RHEL 8 web console.

   For details, see Logging in to the web console.

2. Click Software Updates.
3. If you want to automatically apply only security updates, click on the Apply all updates drop-down menu and select Apply security updates.
4. To modify day of the automatic update, click on the every day drop-down menu and select a specific day.

5. To modify time of the automatic update, click on the 6:00 drop-down menu and select a specific time.

   

6. If you want to disable automatic software updates, click on switch next to Automatic Updates to move it to disabled position.

   

Procedure

1. Type subscription in the search field and press the Enter key.

   

   Alternatively, you can log in to the RHEL 8 web console. For details, see Logging in to the web console.

2. In the polkit authentication dialog for privileged tasks, add the password belonging to the user name displayed in the dialog.

   

3. Click Authenticate.

4. In the Subscriptions dialog box, click Register.

   

5. Enter your Customer Portal credentials.

   

6. Enter the name of your organization.

   If you have more than one account on the Red Hat Customer Portal, you have to add the organization name or organization ID. To get the org ID, go to your Red Hat contact point.

7. Click the Register button.

Procedure

1. Type subscription in the search field and press the Enter key.

   

   Alternatively, you can log in to the RHEL 8 web console. For details, see Logging in to the web console.

2. In the authentication dialog, add the system username and password you created during the system installation.

   

3. Click Authenticate.

4. In the Subscriptions dialog box, click Register.

   

5. Enter the activation key in the registration form.

6. Enter the name of your organization.

   You need to add the organization name or organization ID, if you have more than one account in the Red Hat Customer Portal.

   To get the org ID, go to your Red Hat contact point.

   

7. Click the Register button.

Procedure

1. Open the Kernel Dump tab and start the kdump service.
2. Configure the kdump memory usage through the command line.

3. Click the link next to the Crash dump location option.

   

4. Select the Local Filesystem option from the drop-down and specify the directory you want to save the dump in.

   

   • Alternatively, select the Remote over SSH option from the drop-down to send the vmcore to a remote machine using the SSH protocol.

     Fill the Server, ssh key, and Directory fields with the remote machine address, ssh key location, and a target directory.

   • Another choice is to select the Remote over NFS option from the drop-down and fill the Mount field to send the vmcore to a remote machine using the NFS protocol.

     Note

     Tick the Compression check box to reduce the size of the vmcore file.

5. Test your configuration by crashing the kernel.

   
   Warning

   This step disrupts execution of the kernel and results in a system crash and loss of data.

Procedure

1. In the RHEL 8 web console, go to Dashboard.

2. In the Dashboard, click the Add Server icon.

   

3. In the Add Machine to Dashboard dialog box, enter the host name or IP address of the remote system.
4. (Optional) Click the Color field to change the color of the system in Dashboard.
5. Click Add.

6. In the Log in to <servername> dialog box, enter the credentials for the remote system.

   You can use any user account of the remote system. Howerver, if you use credetials of a user account without administration privileges, you will not be able to perform administration tasks.

   If you use the same credentials as for your local system, the web console will authenticate remote systems automatically every time you log in. However, using the same credentials on more machines could be a potential security risk.

   

7. Click Log In.

Procedure

1. Log in to the RHEL 8 web console.
2. Click Dashboard.

3. Click the Edit Server icon.

   

4. To remove the server from the Dashboard, click the red Remove icon.

   

1. Open the web console.
2. Click Dashboard.
3. Select the remote system where you want to add the public key.
4. In the system settings, go to Accounts.
5. Select the user account to which you want to assign the public key.

6. In the Authorized Public SSH Keys settings, click the + button.

   

7. In the Add public key dialog box, paste the public key you have in the clipboard.
8. Click Add key.

1. Go to upper right corner settings.

2. In the drop down menu, select Authentication.

   

3. Verify that the web console uses the correct path to the private key you want to use.

   By default, the web console uses the following paths for private keys:

   ~/.ssh/id_rsa
   ~/.ssh/id_dsa
   ~/.ssh/id_ed25519
   ~/.ssh/id_ecdsa

   To use a different key, add the path manually.

4. Enable the key with the On/Off button.

   Enabling the key opens a password dialog.

5. Enter the SSH key password.

   

6. Click Unlock Key.

   On Details tab, you can verify the certificate owner and the fingerprint.

7. Click Close.

1. Log out yourself from the web console.

   After the logging back in the web console, red triangle icon appears before the remote system.

2. Click the system trying to connect to the web console.

   You can see two buttons in the screen. Reconnect and Troubleshoot.

3. Click the Troubleshoot button.

   Login dialog appears.

   

4. In the Authentication drop down menu, select Using available credentials.

Procedure

1. Log into the RHEL web console.

   For details, see Logging in to the web console.

2. Open the System tab.

3. Click Join Domain.

   

4. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.

5. In the Authentication drop down list, select if you want to use a password or a one-time password for authentication.

   

6. In the Domain Administrator Name field, enter the user name of the IdM administration account.
7. In the password field, add the password or one-time password according to what you selected in the Authentication drop down list earlier.

8. Click Join.

   

Verification steps

1. If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.

2. To verify that the user is a member of the domain, click the Terminal page and type the id command:

   $ id
   euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Procedure

1. Connect to the IdM server.

2. Run the ipa-advise script:

   $ ipa-advise enable-admins-sudo | sh -ex

Procedure

1. Install the opensc and gnutls-utils packages:

   # dnf -y install opensc gnutls-utils

2. Start the pcscd service.

   # systemctl start pcscd

Procedure

1. Erase your smart card and authenticate yourself with your PIN:

   $ pkcs15-init --erase-card --use-default-transport-keys
   Using reader with a card: Reader name
   PIN [Security Officer PIN] required.
   Please enter PIN [Security Officer PIN]:

   The card has been erased.

2. Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:

   $ pkcs15-init --create-pkcs15 --use-default-transport-keys \
       --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123
   Using reader with a card: Reader name

   The pcks15-init tool creates a new slot on the smart card.

3. Set the label and the authentication ID for the slot:

   $ pkcs15-init --store-pin --label testuser \
       --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478
   Using reader with a card: Reader name

   The label is set to a human-readable value, in this case, testuser. The auth-id must be two hexadecimal values, in this case it is set to 01.

4. Store and label the private key in the new slot on the smart card:

   $ pkcs15-init --store-private-key testuser.key --label testuser_key \
       --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   The value you specify for --id must be the same when storing your private key, and certificate. If you do not specify a value for --id, a more complicated value is calculated by the tool and it is therefore easier to define your own value.

5. Store and label the certificate in the new slot on the smart card:

   $ pkcs15-init --store-certificate testuser.crt --label testuser_crt \
       --auth-id 01 --id 01 --format pem --pin 963214
   Using reader with a card: Reader name

6. (Optional) Store and label the public key in the new slot on the smart card:

   $ pkcs15-init --store-public-key testuserpublic.key
       --label testuserpublic_key --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   If the public key corresponds to a private key and/or certificate, you should specify the same ID as that private key and/or certificate.

7. (Optional) Some smart cards require you to finalize the card by locking the settings:

   $ pkcs15-init -F

   At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.

Procedure

1. Log in to the RHEL web console with administrator privileges.

   For details, see Logging in to the web console.

2. Click Terminal.

3. In the /etc/cockpit/cockpit.conf, set the ClientCertAuthentication to yes:

   [WebService]
   ClientCertAuthentication = yes

4. Optionally, disable password based authentication in cockpit.conf with:

   [Basic]
   action = none

   This configuration disables password authentication and you must always use the smart card.

5. Restart the web console to make sure that the cockpit.service accepts the change:

   # systemctl restart cockpit

Procedure

1. Open your web browser and add the web console’s address in the address bar.

   The browser asks you to add the PIN protecting the certificate stored on the smart card.

2. In the Password Required dialog box, enter PIN and click OK.
3. In the User Identification Request dialog box, select the certificate stored in the smart card.

4. Select Remember this decision.

   The system does not open this window next time.

5. Click OK.

Procedure

1. In the terminal, open the system-cockpithttps.slice configuration file:

   # systemctl edit system-cockpithttps.slice

2. Limit the TasksMax to 100 and CPUQuota to 30%:

   [Slice]
   # change existing value
   TasksMax=100
   # add new restriction
   CPUQuota=30%

3. To apply the changes, restart the system:

   # systemctl daemon-reload
   # systemctl stop cockpit