2.3. Configuring Red Hat Satellite Manually

Satellite Server has an automatic initial configuration that prepares the server for use. The katello-installer script can override various default settings in the different components of Satellite Server. For example, organizations that have an existing HTTP proxy need to pass additional configuration options to the Satellite Server installer. See Section 2.3.1, “Configuring Red Hat Satellite Manually with an HTTP Proxy” for HTTP proxy options and Section 2.3.2, “Configuring Red Hat Satellite with a Custom Server Certificate” for custom Certificate Authority (CA) certificates.

Procedure 2.2. Running the Installer Script

  1. As the root user, configure Red Hat Satellite Server manually by running the katello-installer script:
    katello-installer --foreman-admin-username desired_username --foreman-admin-password desired_password
    Where:
    1. desired_username is the username that will replace the default "admin" user.
    2. desired_password is the password that will replace the default password generated.
    Additional configuration options can be passed to the katello-installer command to adjust various aspects of the configuration. View a complete list of options using the command:
    # katello-installer --help
    
    This script can be run multiple times without any issues.

    Important

    The default username is admin. The default organization name is Default Organization. It is strongly recommended that you override these default settings once you log in to the Satellite Server interface and navigate to Administer → Users and Administer → Organizations.
    When the configuration script has completed successfully, it displays:
    # katello-installer
    Installing             Done
       [100%] [........................................]
       Success!
       * Katello is running at https://sat6.example.com
           Default credentials are 'admin:changeme'
       * Capsule is running at https://sat6.example.com:9090
       * To install additional capsule on separate machine continue by running:"
    
           capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"
    
       The full log is at /var/log/katello/installer/katello-installer.log
    
  2. After configuration, run the following commands to configure the firewall so that only the foreman, katello and root users can reach Elasticsearch (TCP port 9200 on the loopback interface), and to make these rules persistent across reboots:
    • For Red Hat Enterprise Linux 6:
      iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
      && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
      && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
      && iptables -A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP
      iptables-save > /etc/sysconfig/iptables
      
    • For Red Hat Enterprise Linux 7:
      firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner foreman -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner katello -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner root -j ACCEPT \
      && firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP \
      && firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -o lo -p tcp -m tcp --dport 9200 -j DROP
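
A way to confirm that the rules from step 2 are in place and in the right order, as an added example that is not part of the original Red Hat procedure. The function name `check_es_rules`, the sample rule listing and the UIDs 498 and 497 are constructed for illustration; the function compares the token after `--uid-owner` literally, so pass UIDs or names to match what your `iptables -S` output shows.

```shell
#!/bin/bash
# Added example: audit the loopback rules that restrict Elasticsearch (tcp/9200).
# Input: rules in `iptables -S` format on stdin. Arguments: the owner tokens
# expected after --uid-owner (iptables -S normally prints numeric UIDs).
check_es_rules() {
    local allowed seen line owner
    allowed=" $* "; seen=" "
    while IFS= read -r line; do
        case "$line" in                      # only lo -> tcp/9200 rules matter
            -A*"-o lo "*"--dport 9200 "*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"--uid-owner "*"-j DROP") ;;    # per-user drop: not the catch-all
            *"-j DROP")
                # The catch-all DROP ends the walk; every expected owner
                # must already have been accepted above it.
                for owner in $allowed; do
                    case "$seen" in
                        *" $owner "*) ;;
                        *) echo "missing ACCEPT for owner $owner"; return 1 ;;
                    esac
                done
                echo "ok"; return 0 ;;
            *"--uid-owner "*"-j ACCEPT")
                owner=${line##*"--uid-owner "}; owner=${owner%% *}
                case "$allowed" in
                    *" $owner "*) seen="$seen$owner " ;;
                    *) echo "unexpected owner $owner allowed"; return 1 ;;
                esac ;;
            *"-j ACCEPT")
                echo "unrestricted ACCEPT above DROP"; return 1 ;;
        esac
    done
    echo "no catch-all DROP for port 9200"; return 1
}

# Constructed sample: 498 and 497 stand in for the foreman and katello UIDs.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner 498 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner 497 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -o lo -p tcp -m tcp --dport 9200 -j DROP'
printf '%s\n' "$SAMPLE_RULES" | check_es_rules 0 498 497 || true

# On a live host (as root), for example:
#   iptables -S OUTPUT | check_es_rules 0 "$(id -u foreman)" "$(id -u katello)"
```

On Red Hat Enterprise Linux 7, list the chain where firewalld keeps its direct rules (typically `OUTPUT_direct`) and repeat the check with `ip6tables -S`, since the procedure adds the rules for both address families.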
      
The Red Hat Satellite Server is initially populated with one organization and one location, named "Default Organization" and "Default Location", respectively. These can be used within the Satellite Server as they are. However, additional organizations and locations can be created in the Satellite Server after initial configuration. The default location and organization can be deleted after new organizations and locations have been created.

2.3.1. Configuring Red Hat Satellite Manually with an HTTP Proxy

For networks that go through an HTTP Proxy, the following katello-installer options should be used in order for the Satellite Server to successfully complete the configuration:
katello-installer --katello-proxy-url=http://myproxy.example.com --katello-proxy-port=8080 --katello-proxy-username=proxy_username --katello-proxy-password=proxy_password
Where:
  • --katello-proxy-url - the URL of the HTTP proxy server.
  • --katello-proxy-port - the port the HTTP proxy server is listening on.
  • --katello-proxy-username - (optional) the HTTP proxy username for authentication. If your HTTP proxy server does not require a username, you are not required to specify the username.
  • --katello-proxy-password - (optional) the HTTP proxy password for authentication. If your HTTP proxy server does not require a password, you are not required to specify the password.
After configuring the Satellite Server to go through the HTTP Proxy, make sure that yum or subscription-manager can connect to the Red Hat Content Delivery Network (CDN) and that the Satellite Server can synchronize its repositories to the CDN by following these steps:

Procedure 2.3. Configuring the Satellite Server to Allow Red Hat Subscription Manager Access to the CDN

  1. On the network gateway and the HTTP Proxy, open the following hostnames, ports and protocols:

    Table 2.1. Required Hostnames, Ports and Protocols

    Hostname                       Port   Protocol
    subscription.rhn.redhat.com    443    https
    cdn.redhat.com                 443    https
    *.akamaiedge.net               443    https
  2. On the Satellite Server, fill in the following details in the /etc/rhsm/rhsm.conf file:
    # an http proxy server to use (enter server FQDN)
    proxy_hostname = http_proxy.example.com
    
    # port for http proxy server
    proxy_port = 3128
    
    # user name for authenticating to an http proxy, if needed
    proxy_user =
    
    # password for basic http proxy auth, if needed
    proxy_password =
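
A lint for the proxy keys shown above, as an added example that is not part of the original Red Hat procedure. It catches the mix-up this section invites: the installer takes a URL in --katello-proxy-url, while rhsm.conf expects a bare FQDN in proxy_hostname and the port in proxy_port. The function names `rhsm_get` and `lint_rhsm_proxy`, the sample file and the rule that a password without a user is an error are assumptions made for this example.

```shell
#!/bin/bash
# Added example: lint the proxy_* keys of an rhsm.conf-style file.
# Prints one finding per line and returns non-zero if there is any.
rhsm_get() {  # rhsm_get FILE KEY -> last value of KEY, blanks trimmed
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

lint_rhsm_proxy() {
    local conf host port user pass rc
    conf=$1; rc=0
    host=$(rhsm_get "$conf" proxy_hostname)
    port=$(rhsm_get "$conf" proxy_port)
    user=$(rhsm_get "$conf" proxy_user)
    pass=$(rhsm_get "$conf" proxy_password)
    case "$host" in
        "")        echo "proxy_hostname is empty"; rc=1 ;;
        *://*|*/*) echo "proxy_hostname must be a bare FQDN, not a URL"; rc=1 ;;
        *:*)       echo "proxy_hostname must not include a port"; rc=1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*|??????*)
            echo "proxy_port must be a number from 1 to 65535"; rc=1 ;;
        *)  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "proxy_port must be a number from 1 to 65535"; rc=1
            fi ;;
    esac
    if [ -n "$pass" ] && [ -z "$user" ]; then
        echo "proxy_password is set but proxy_user is empty"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the URL form accepted by --katello-proxy-url, pasted
# into proxy_hostname by mistake.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# an http proxy server to use (enter server FQDN)
proxy_hostname = http://myproxy.example.com
proxy_port = 8080
proxy_user =
proxy_password =
EOF
lint_rhsm_proxy "$sample" || true
rm -f "$sample"
```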