Client Configuration Guide
Configuring, registering, and updating your Red Hat Enterprise Linux clients with Red Hat Satellite
Chapter 1. Introduction
Chapter 2. Configuring Client Applications
yum command on Red Hat Enterprise Linux 5 and 6 uses SSL for communication with remote repositories. Consequently, you should ensure that firewalls allow connections over port 443.
/etc/sysconfig/rhn/up2date file. Similarly, to use Red Hat Network's Monitoring feature and probes requiring the Red Hat Network Monitoring Daemon, client systems must allow connections on port 4545 (or port 22, if it is using
rhn_register refers to the main Red Hat Network servers. You need to reconfigure client systems to see Red Hat Satellite or Red Hat Proxy.
2.1. Deploying the Latest Red Hat Network Client Packages
yum, the yum Red Hat Network Plugin (yum-rhn-plugin) and the Red Hat Network Registration Client (rhn_register) on Red Hat Enterprise Linux 5 and 6 are prerequisites for using much of Red Hat Network's enterprise functionality. It is crucial to install them on client systems before attempting to use Red Hat Proxy or Red Hat Satellite in your environment.
firstboot process after installation or by using the rhn_register command.
2.1.1. The Package Updater Applet
Figure 2.1. Package Updater Applet
- Refresh: check Red Hat Network or Satellite for new updates.
- View Updates: launch the Package Updater application and display any available updates in more detail, and configure the updates to specifications.
- Apply Updates: download and install all updated packages.
- Quit: close the applet.
2.2. Registering Clients with Red Hat Satellite Server
rhn_register command to register a system with Red Hat Satellite. Ensure you replace the example host names and domain names with those that apply to your configuration.
Procedure 2.1. To Use rhn_register to Register a System with Red Hat Satellite:
- Change into the /usr/share/rhn/ directory and download the SSL certificate to the client:
# cd /usr/share/rhn/
# wget http://satellite.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT
- Edit the /etc/sysconfig/rhn/up2date file and ensure that it contains the following entries:
serverURL=https://satellite.example.com/XMLRPC
noSSLServerURL=http://satellite.example.com/XMLRPC
sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
- Use the rhn_register command to register the machine:
2.3. Using Activation Keys to Register Clients with Red Hat Satellite
Procedure 2.2. To Use Activation Keys to Register a System with Red Hat Satellite:
- Generate an activation key. (See "Using Activation Keys" in the Red Hat Satellite Getting Started Guide.)
- Import custom GPG keys.
- Download and install the SSL Certificate RPM from the /pub/ directory of the Red Hat Proxy or Red Hat Satellite. For example (update the URL to suit your environment):
# rpm -Uvh http://satellite.example.com/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
- Register the system with the Red Hat Proxy or Red Hat Satellite:
# rhnreg_ks --activationkey mykey --serverUrl https://satellite.example.com/XMLRPC
# wget -O - http://satellite.example.com/pub/bootstrap.sh | bash && rhnreg_ks --activationkey my_key --serverUrl https://satellite.example.com/XMLRPC
2.4. Updating the Configuration Files Manually
noSSLServerURL settings in the /etc/sysconfig/rhn/up2date configuration file (as root). Replace the default Red Hat Network URL with the fully qualified domain name (FQDN) of the Proxy or Satellite. For example:
serverURL[comment]=Remote server URL
serverURL=https://your_primary.your_domain.com/XMLRPC
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://your_primary.your_domain.com/XMLRPC
/etc/sysconfig/rhn/up2date does not refer to the Red Hat Proxy. It is used to configure an optional HTTP proxy for the client. With a Red Hat Proxy in place, the httpProxy setting must be blank (not set to any value).
2.5. Implementing Server Failover
Procedure 2.3. To Implement Server Failover:
- Ensure that you are running Red Hat Enterprise Linux 5 or 6, or for Red Hat Enterprise Linux 3 or 4, the latest version of
- Manually add the secondary servers to the
noSSLServerURL settings in the /etc/sysconfig/rhn/up2date configuration file (as root).
- Add the fully qualified domain names (FQDN) of Red Hat Proxy or Red Hat Satellite immediately after the primary server, separated by a semicolon (;). Your client will attempt to connect to these servers in the order provided here. Include as many servers as necessary. For example:
serverURL[comment]=Remote server URL
serverURL=https://satellite.example.com/XMLRPC; https://your_secondary.your_domain.com/XMLRPC;
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://satellite.example.com/XMLRPC; http://your_secondary.your_domain.com/XMLRPC;
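The settings described in Sections 2.2, 2.4 and 2.5 can be checked mechanically on each client. The following is an added example, not part of the original guide or of Red Hat's tooling: a POSIX shell audit of an up2date-style file. The function names, the constructed sample file, and the rule that both failover lists should name the same hosts in the same order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit an up2date-style configuration file.
# The keys checked are the ones the guide uses; the function names are hypothetical.

# cfg_get KEY FILE: print the value of KEY; "KEY[comment]=" lines do not match.
cfg_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# hosts_of "url; url; ...": print the host of each entry, one per line, in order.
hosts_of() {
    echo "$1" | tr ';' '\n' | while read -r url; do
        [ -n "$url" ] || continue
        echo "$url" | sed -e 's|^[a-z]*://||' -e 's|/.*$||'
    done
}

# up2date_findings FILE: print one line per problem; print nothing if clean.
up2date_findings() {
    file=$1
    urls=$(cfg_get serverURL "$file")
    plain=$(cfg_get noSSLServerURL "$file")
    ca=$(cfg_get sslCACert "$file")
    proxy=$(cfg_get httpProxy "$file")

    [ -n "$urls" ] || echo "serverURL is not set"
    echo "$urls" | tr ';' '\n' | while read -r url; do
        [ -n "$url" ] || continue
        case $url in
            https://?*/XMLRPC) ;;
            *) echo "serverURL entry is not https://HOST/XMLRPC: $url" ;;
        esac
    done
    # Assumption: both failover lists should name the same hosts in the same order.
    [ "$(hosts_of "$urls")" = "$(hosts_of "$plain")" ] ||
        echo "serverURL and noSSLServerURL list different hosts"
    if [ -z "$ca" ]; then
        echo "sslCACert is not set"
    elif [ ! -r "$ca" ]; then
        echo "sslCACert file is missing or unreadable: $ca"
    fi
    # The guide requires httpProxy to be blank when a Red Hat Proxy is in place.
    [ -z "$proxy" ] || echo "httpProxy is set: $proxy"
    return 0
}

# Constructed sample input: a failover list whose secondary entry is plain http.
sample=$(mktemp -d)
: > "$sample/RHN-ORG-TRUSTED-SSL-CERT"
cat > "$sample/up2date" <<EOF
serverURL[comment]=Remote server URL
serverURL=https://satellite.example.com/XMLRPC; http://your_secondary.your_domain.com/XMLRPC;
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://satellite.example.com/XMLRPC; http://your_secondary.your_domain.com/XMLRPC;
sslCACert=$sample/RHN-ORG-TRUSTED-SSL-CERT
httpProxy=
EOF
up2date_findings "$sample/up2date"
rm -rf "$sample"
```

On a client, run `up2date_findings /etc/sysconfig/rhn/up2date`; no output means every check passed.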
Chapter 3. Registering Red Hat Systems with Red Hat Network
rhn_register. This application works with the
yum-based Red Hat Network Hosted and Red Hat Satellite client called Package Updater (or
pup) that replaces
rhn_register application normally runs as part of the
firstboot configuration process just after installation. The first time a newly-installed Red Hat Enterprise Linux 5 or 6 system is booted, the
rhn_register to register the system with Red Hat Network.
rhn_register command in the following circumstances:
- You skipped the registration process during the initial installation
- You are reinstalling the system
- You are moving the system to a new account
3.1. Using the Graphical Interface to Register with Red Hat Network
/etc/sysconfig/rhn/systemid file should not exist. In this case, when you run the
Package Updater command, it triggers the
rhnreg_ks and activation keys instead.
Procedure 3.1. To Use the GUI to Register with Red Hat Network:
- On the main panel, click → → and enter the root password when prompted. The Registering for Software Updates page summarizes the steps involved in the registration process. To learn more about the benefits of Hosted and Satellite, click Otherwise, click to continue.
- Use the Choose an Update Location page to select the source of your software updates - either Red Hat Network Hosted, or Satellite Server or Proxy Server. For Satellite or Proxy, select the associated radio button and enter the URL of your Satellite or Proxy into the Red Hat Network Location field. If you connect to the internet through an HTTP Proxy, click and enter the details for your HTTP proxy. If your proxy requires authentication, enter the user name and password here, and then click to return to the Choose an Update Location page. Click to continue.
- Use the Enter Your Account Information page to enter your Red Hat Network login information. If you do not have an account and your organization has one, ask the Organization Administrator to create an account for you. Otherwise, you might not be associated with your organization or its resources. Click to continue.
- Use the Create Your System Profile page to select a profile name for the system you are registering. The default profile name is the system's host name, but you can change it to any valid profile name. You can also select whether to report hardware and package information to Red Hat Network. It is recommended that you report this information because it allows Red Hat Network to automatically subscribe your system to the base and child channels most appropriate to your system. You can click or to inspect the information that rhn_register uploads to Red Hat Network or Satellite in this step.
Note: This automatic registration does not automatically subscribe your system to optional child channels, such as the Red Hat Network Tools channel. If you want to register a system and automatically subscribe it to a set of channels, consider using a kickstart profile or rhnreg_ks and activation keys.
- Click to display the Review System Subscription Details page, which displays the base and child channel information to which your system has been subscribed. Review the channels, and then click to continue.
- The Finish Setting Up Software Updates page indicates that you have successfully registered a Red Hat Enterprise Linux system with Red Hat Network. A "package" icon appears in the upper right corner of your desktop when updates are available. Click the icon to apply available updates. Click to exit the wizard.
Note: If you do not have any entitlements available for this system, this final page indicates that the registration has failed. This does not mean that the system profile has not been stored with Red Hat Network, only that you will not receive automatic updates without manual intervention. You can always log in to the Red Hat Network or Satellite Web interface and either purchase additional entitlements or get an entitlement from your Satellite administrator. Click to exit the wizard.
If you have already registered the system and the /etc/sysconfig/rhn/systemid file exists on the system, use a reactivation key. On the Satellite server, navigate to the system profile's → page, which provides a means to create a reactivation key. Use this key with the rhnreg_ks to reregister the system without creating a duplicate entry in Red Hat Satellite.
3.1.1. Command-line Version of
rhn_register that allows you to register your system for access to Red Hat Network or Red Hat Satellite without using a graphical desktop environment.
rhn_register on the command line to start the text-based version of rhn_register. If you are in a shell terminal window and want to use the text-based version, type rhn_register --nox to prevent opening the graphical client.
rhn_register has the same configuration screens as the graphical version. Use the arrow keys on the keyboard to move left, right, up, or down and to highlight selections. Press the Spacebar key to select an option. Press the Tab key to move through different navigational elements such as text boxes, check boxes, and radio buttons.
Chapter 4. SSL Infrastructure
4.1. A Brief Introduction to SSL
- Certificate Authority (CA) SSL private key and public certificate: generally, only one set is generated per organization. The public certificate is digitally signed by its private key. The public certificate is distributed to every system.
- Web server SSL private key and public certificate: one set per application server. The public certificate is digitally signed by both its private key and the CA SSL private key. It is often referred to as a Web server's key set; this is because there is an intermediary SSL certificate request that is generated. The details of what this is used for are not important to this discussion. All three are deployed to a Red Hat Satellite Server.
4.2. The Red Hat Satellite SSL Maintenance Tool
rhn-ssl-tool. This tool is available as part of the spacewalk-certs-tools package. This package can be found within the software channels for the latest Red Hat Proxy Server and Red Hat Satellite Server (as well as the Red Hat Satellite Server ISO). The Red Hat Satellite SSL Tool enables organizations to generate their own Certificate Authority SSL key pair, as well as Web server SSL key sets (sometimes called key pairs).
spacewalk-certs-tools, which contains rhn-ssl-tool, can be installed and run on any current Red Hat Enterprise Linux system with minimal requirements. This is offered as a convenience for administrators who want to manage their SSL infrastructure from their workstation or another system other than their Satellite or Proxy servers.
- When updating the Certificate Authority (CA) public certificate.
- When installing a Red Hat Proxy Server 3.6 or later that connects to the central Red Hat Satellite Servers as its top-level service. The hosted service, for security reasons, cannot be a repository for the CA SSL key and certificate, which is private to the organization.
- When reconfiguring the Satellite or Proxy infrastructure to use SSL where it previously did not.
- When adding multiple Red Hat Satellite Servers to the Red Hat Satellite infrastructure. Consult with a Red Hat representative for instructions regarding this.
- During installation of a Red Hat Satellite Server. All SSL settings are configured during the installation process. The SSL keys and certificate are built and deployed automatically.
- During installation of a Red Hat Proxy Server 3.6 or later if connected to a Red Hat Satellite Server 3.6 or later as its top-level service. The Red Hat Satellite Server contains all of the SSL information needed to configure, build and deploy the Red Hat Proxy Server's SSL keys and certificates.
/pub directory of each server. This public certificate is used by the client systems to connect to the Red Hat Satellite Server. See Section 4.3, “Deploying the CA SSL Public Certificate to Clients” for more information.
4.2.1. Generating SSL Certificates
ssl-build tree from an archive to the
/root directory and utilize the configuration tools provided within the Red Hat Satellite Server's website.
- Install the spacewalk-certs-tools package on a system within the organization, perhaps but not necessarily the Red Hat Satellite Server or Red Hat Proxy Server.
- Create a single Certificate Authority SSL key pair for the organization and install the resulting RPM or public certificate on all client systems. See Section 4.2.3, “Generating the Certificate Authority SSL Key Pair” for more information.
- Create a Web server SSL key set for each of the Proxy and Satellite servers to be deployed and install the resulting RPM files on the Red Hat Satellite servers.
- Restart the
# service httpd restart
- Back up the SSL build tree - consisting of the primary build directory and all subdirectories and files - to removable media, such as a CD or DVD. (Disk space requirements are insignificant.)
- Verify and then store that archive in a safe location, such as the one described for backups in the Additional Requirements sections of either the Proxy or Satellite installation guide.
- Record and secure the CA password for future use.
- Delete the build tree from the build system for security purposes, but only after the entire Satellite infrastructure is in place and configured.
Note: When additional Web server SSL key sets are needed, restore the build tree on a system running the Red Hat Satellite SSL Maintenance Tool and repeat steps 3 through 7.
4.2.2. Red Hat Satellite SSL Maintenance Tool Options
rhn-ssl-tool for general help.
rhn-ssl-tool for Certificate Authority help.
rhn-ssl-tool for Web server help.
man rhn-ssl-tool) for more information.
4.2.3. Generating the Certificate Authority SSL Key Pair
/etc/sysconfig/rhn/ssl for older Satellite and Proxy servers). To generate a CA SSL key pair, run the following command.
# rhn-ssl-tool --gen-ca \
    --password=MY_CA_PASSWORD \
    --dir="/root/ssl-build" \
    --set-state="North Carolina" \
    --set-city="Raleigh" \
    --set-org="Example Inc." \
    --set-org-unit="SSL CA Unit"
RHN-ORG-PRIVATE-SSL-KEY: the CA SSL private key.
RHN-ORG-TRUSTED-SSL-CERT: the CA SSL public certificate.
rhn-org-trusted-ssl-cert-VER-REL.noarch.rpm: the RPM prepared for distribution to client systems. This file contains the CA SSL public certificate (above) and installs it as
rhn-ca-openssl.cnf: the SSL CA configuration file.
latest.txt: lists the latest versions of the relevant files.
4.2.4. Generating Web Server SSL Key Sets
--set-hostname is therefore different for each server.
/root/ssl-build/MACHINE_NAME. To generate a server certificate, run the following command.
# rhn-ssl-tool --gen-server \
    --password=MY_CA_PASSWORD \
    --dir="/root/ssl-build" \
    --set-state="North Carolina" \
    --set-city="Raleigh" \
    --set-org="Example Inc." \
    --set-org-unit="IS/IT" \
    --set-email="email@example.com" \
    --set-hostname="rhnbox1.example.com"
server.key: the Web server's SSL private server key.
server.csr: the Web server's SSL certificate request.
server.crt: the Web server's SSL public certificate.
rhn-org-httpd-ssl-key-pair-MACHINE_NAME-VER-REL.noarch.rpm: the RPM prepared for distribution to Satellite and Proxy Servers. Its associated src.rpm file is also generated. This RPM file contains the
server.crt files. These files are installed in the following directories:
rhn-server-openssl.cnf: the Web server's SSL configuration file.
latest.txt: lists the latest versions of the relevant files.
# service httpd restart
4.3. Deploying the CA SSL Public Certificate to Clients
/var/www/html/pub/ directory of the Satellite or Proxy Server.
curl commands to download the CA SSL public certificate to a client system.
# curl -O http://proxy-or-sat.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT
# wget http://proxy-or-sat.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT
/pub directory, you can use the rpm command to install the package. For example:
# rpm -Uvh http://proxy-or-sat.example.com/pub/rhn-org-trusted-ssl-cert-VER-REL.noarch.rpm
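The download commands above use plain HTTP, so the transfer itself does not authenticate the file that becomes the client's trust anchor. The following added example (not from the original guide) installs a downloaded certificate only when its SHA-256 digest matches a value obtained out of band, for instance by running sha256sum on the Satellite itself. The function names and the constructed stand-in files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): install a downloaded CA certificate only
# when its SHA-256 digest matches a value obtained out of band.

# file_sha256 FILE: print the lowercase hex SHA-256 digest of FILE.
file_sha256() {
    sha256sum < "$1" | cut -d ' ' -f 1
}

# install_pinned_ca DOWNLOADED EXPECTED_SHA256 DEST
# Installs DEST (mode 0644) and returns 0 on a match; otherwise returns 1 and
# leaves DEST untouched.
install_pinned_ca() {
    downloaded=$1
    # Accept upper-case digests and ones written with ':' or space separators.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ': ')
    dest=$3
    if [ ! -s "$downloaded" ]; then
        echo "refusing empty or missing download: $downloaded" >&2
        return 1
    fi
    actual=$(file_sha256 "$downloaded")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    # Write under a temporary name first so a partial copy never becomes the
    # file that sslCACert points at.
    tmp="$dest.tmp.$$"
    cp "$downloaded" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest"
}

# Constructed demonstration: stand-in files, not real certificates.
work=$(mktemp -d)
printf 'constructed stand-in for RHN-ORG-TRUSTED-SSL-CERT\n' > "$work/from-server"
pin=$(file_sha256 "$work/from-server")   # value read on the Satellite itself
cp "$work/from-server" "$work/download-ok"
printf 'substituted in transit\n' > "$work/download-bad"

install_pinned_ca "$work/download-ok" "$pin" "$work/trusted" &&
    echo "installed: digest matched"
install_pinned_ca "$work/download-bad" "$pin" "$work/trusted-bad" ||
    echo "rejected: digest did not match"
rm -rf "$work"
```

On a client, the third argument would be the path named by sslCACert, such as /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.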
4.4. Configuring Client Systems to Use Certificates
Chapter 5. Reporting Software Failures
5.1. Installing Software Failure Reporting Tools
Procedure 5.1. To Use the Software Failure Reporting Functionality:
- Log into your client system as the
- Install the spacewalk-abrt package on your client systems. This package installs the abrt package as a dependency.
# yum install spacewalk-abrt
NoteNeither the abrt nor spacewalk-abrt packages are available for Red Hat Enterprise Linux 5.
- Run the rhn-profile-sync command to update the information stored on the Satellite server about this client system.
5.2. Using Software Failure Reporting Tools
- The configuration file for ABRT:
abrt daemon to use the /usr/bin/spacewalk-abrt utility to automatically report every software failure that occurs on the system to your Satellite server. This is a fully automated process and ordinarily does not require any human intervention.
5.3. Manually Reporting Software Failures
spacewalk-abrt utility to manually report software failures to your Satellite server. The following procedure shows how to manually send a software failure report.
Procedure 5.2. To manually report software failures
- Use the abrt-cli list parameter to display a list of existing failure reports.
# abrt-cli list
@0
Directory: /var/tmp/abrt/ccpp-2013-02-28-15:48:50-8820
count: 2
executable: /usr/bin/python2.7
package: python-2.7.3-13.fc16
time: Thu 28 Feb 2013 03:48:50 PM CET
uid: 0
@1
Directory: /var/tmp/abrt/oops-2013-02-27-14:16:03-8107-1
count: 3
package: kernel
time: Wed 27 Feb 2013 02:16:03 PM CET
- After you have identified the failure that you want to report, use the --report option to send the report to the Satellite server.
# spacewalk-abrt --report /var/tmp/abrt/ccpp-2013-02-28-15:48:50-8820
- To manually report all of the software failures that have occurred on your system, use the
# spacewalk-abrt --sync
5.4. Creating Software Failures for Testing
kill command to send a signal
11 argument (segmentation fault) to an example process:
# abrt-cli list
# sleep 600 &
[1] 17564
# kill -11 17564
#
[1]+ Segmentation fault (core dumped) sleep 600
#
# abrt-cli list
@0
Directory: /var/spool/abrt/ccpp-2013-05-14-04:56:17-17564
count: 1
executable: /bin/sleep
package: coreutils-8.4-19.el6
time: Tue 14 May 2013 04:56:17 EDT
uid: 0
#
Appendix A. Revision History
|Revision 3-21.402||Thu Jul 13 2017|
|Revision 3-21.401||Thu Aug 20 2015|
|Revision 3-21||Fri Sep 27 2013|
|Revision 3-20||Tue Sep 10 2013|
|Revision 3-19||Mon Sep 2 2013|
|Revision 3-18||Thu Aug 29 2013|
|Revision 3-17||Tue Aug 20 2013|
|Revision 3-16||Mon Jul 29 2013|
|Revision 3-15||Sun Jul 28 2013|
|Revision 3-14||Wed Jul 24 2013|
|Revision 3-13||Tue Jul 23 2013|
|Revision 3-12||Fri Jul 19 2013|
|Revision 3-11||Fri Jul 12 2013|
|Revision 3-10||Fri Jul 12 2013|
|Revision 3-8||Fri Jul 12 2013|
|Revision 3-6||Fri Jul 12 2013|
|Revision 3-5||Wed Sept 19 2012|
|Revision 3-4||Fri Aug 10 2012|
|Revision 3-0||Tue Jun 28 2012|
|Revision 2-2||Mon Aug 15 2011|
|Revision 2-1||Wed Jun 15 2011|
|Revision 2-0||Fri May 7 2011|
|Revision 1-8||Mon Feb 7 2011|
|Revision 1-7||Tue Feb 1 2011|