Chapter 20. Configuring Identity Management in Red Hat Satellite
20.1. Configuring Red Hat Satellite Server or Capsule Server for IDM Realm Support
Make sure that the following are set up before configuring IDM:
- A Satellite Server registered to the content delivery network or an independent Capsule Server registered to the Satellite Server
- A realm or domain provider such as Red Hat Identity Management configured and set up
- On the Satellite Server or Capsule Server, install the following packages:
# yum install ipa-client foreman-proxy ipa-admintools
- Configure the Satellite Server (or Capsule Server) as an IPA client:
- Create a realm-capsule user and the relevant roles in Red Hat Identity Management on the Satellite Server or Capsule Server:
# foreman-prepare-realm admin realm-capsule
Running foreman-prepare-realm will prepare a FreeIPA or Red Hat Identity Management server for use with the Foreman Smart Proxy. It creates a dedicated role with the permissions needed for Foreman, creates a user with that role and retrieves the keytab file. You will need your Identity Management server configuration details on this step.
If the command successfully executes, you should be able to see the following command output:
Keytab successfully retrieved and stored in: freeipa.keytab
Realm Proxy User: realm-capsule
Realm Proxy Keytab: /root/freeipa.keytab
- Move the freeipa.keytab file to the /etc/foreman-proxy directory and set the ownership settings to the user foreman-proxy:
# mv /root/freeipa.keytab /etc/foreman-proxy
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
- Configure the realm based on whether you are using Satellite Server or Capsule Server:
- If you are using the integrated capsule in the Satellite Server, use katello-installer to configure the realm:
# katello-installer --capsule-realm true \
  --capsule-realm-keytab /etc/foreman-proxy/freeipa.keytab \
  --capsule-realm-principal 'realm-capsule@EXAMPLE.COM' \
  --capsule-realm-provider freeipa
Note: These options may also be run at the initial configuration of Red Hat Satellite Server.
- If you are using an independent Capsule Server, use capsule-installer to configure the realm:
# capsule-installer --realm true \
  --realm-keytab /etc/foreman-proxy/freeipa.keytab \
  --realm-principal 'realm-capsule@EXAMPLE.COM' \
  --realm-provider freeipa
- Make sure that the latest version of the ca-certificates package is installed and trust the IPA Certificate Authority:
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust enable
# update-ca-trust
- (Optional) If you are configuring IDM on an already existing Satellite Server or Capsule Server, the following steps should also be taken to make sure that the configuration changes take effect:
- Restart the foreman-proxy service:
# service foreman-proxy restart
- Log in to the Satellite Server and click→ .
- Click on the drop down menu on the right-hand side of the Capsule Server you have configured for IDM and choose.
- Finally, create a new realm entry in the Satellite Server user interface:
- Click→ and on the right-hand corner of the main page, click .
- Fill in the fields in the following subtabs:
- Realm - provide the realm name, the type of realm to use and the realm proxy.
- Locations - choose the locations where the new realm is intended for use.
- Organizations - choose the organizations where the new realm is intended for use.
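The keytab moved into /etc/foreman-proxy in the procedure above is a long-term credential for the realm-capsule principal, so it is worth auditing after the mv and chown step. The following is an added example, not part of the Red Hat documentation: the function name check_keytab and the owner-only mode requirement are assumptions, and it relies on GNU stat and, optionally, klist from the Kerberos client tools.

```shell
#!/bin/sh
# Added example: audit the realm proxy keytab after the mv/chown step.
# Assumption (not stated on the page): a keytab holds long-term keys, so no
# group or other permission bits should be set on it.

# check_keytab FILE OWNER GROUP [PRINCIPAL]
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_keytab() {
    kt=$1; want_owner=$2; want_group=$3; principal=${4:-}; rc=0

    if [ ! -f "$kt" ]; then
        echo "MISSING: $kt is not a regular file"
        return 1
    fi
    if [ -L "$kt" ]; then
        echo "SYMLINK: $kt is a symbolic link"; rc=1
    fi

    # GNU stat with -L (follow links): %U owner, %G group, %a octal mode
    owner=$(stat -L -c %U "$kt")
    group=$(stat -L -c %G "$kt")
    mode=$(stat -L -c %a "$kt")

    [ "$owner" = "$want_owner" ] || { echo "OWNER: $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP: $group, expected $want_group"; rc=1; }

    # Mask the group/other bits (octal 077); any hit means the keys are exposed
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE: $mode grants group/other access, expected 600 or stricter"; rc=1
    fi

    # Optional: confirm the keytab carries the principal given to the installer
    if [ -n "$principal" ] && command -v klist >/dev/null 2>&1; then
        klist -k "$kt" 2>/dev/null | grep -qF "$principal" ||
            { echo "PRINCIPAL: $principal not found in $kt"; rc=1; }
    fi
    return "$rc"
}

# Run the check only when arguments are supplied, for example:
#   sh check_keytab.sh /etc/foreman-proxy/freeipa.keytab foreman-proxy foreman-proxy 'realm-capsule@EXAMPLE.COM'
if [ "$#" -ge 3 ]; then
    check_keytab "$@"
fi
```

A MODE finding can be cleared with chmod 600 on the keytab; the foreman-proxy service only needs owner read access to it.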