Chapter 20. Configuring Identity Management in Red Hat Satellite

Identity Management (IDM) deals with the management of individual identities, their credentials and privileges used in a networking environment. IDM can help to increase the security of your system and ensure that the right people have access to the right information when they need it.
Red Hat Satellite has a realm feature that will automatically manage the life cycle of any system registered to a realm or domain provider. This section will explain how you need to configure the Satellite Server or Capsule Server for IDM and how to automatically add client systems to the Satellite 6 Identity Management host group.

20.1. Configuring Red Hat Satellite Server or Capsule Server for IDM Realm Support

The initial step to use Identity Management (IDM) in Red Hat Satellite is to configure the Red Hat Satellite Server or Red Hat Satellite Capsule Server.
Prerequisites

Make sure that the following are setup before configuring IDM:

  1. A Satellite Server registered to the content delivery network or an independent Capsule Server registered to the Satellite Server
  2. A realm or domain provider such as Red Hat Identity Management configured and set up
To configure the Satellite Server or Capsule Server for IDM Realm Support:
  1. On the Satellite Server or Capsule Server, install the following packages:
    # yum install ipa-client foreman-proxy ipa-admintools
    
  2. Configure the Satellite Server (or Capsule Server) as an IPA client:
    # ipa-client-install
    
  3. Create a realm-capsule user and the relevant roles in Red Hat Identity Management on the Satellite Server or Capsule Server:
    # foreman-prepare-realm admin realm-capsule
    
    Running foreman-prepare-realm will prepare a FreeIPA or Red Hat Identity Management server for use with the Foreman Smart Proxy. It creates a dedicated role with the permissions needed for Foreman, creates a user with that role and retrieves the keytab file. You will need your Identity Management server configuration details on this step.
    If the command successfully executes, you should be able to see the following command output:
    Keytab successfully retrieved and stored in: freeipa.keytab
    Realm Proxy User:    realm-capsule
    Realm Proxy Keytab:  /root/freeipa.keytab
    
  4. Move the /root/freeipa.keytab to the /etc/foreman-proxy directory and set the ownership settings to the user foreman-proxy:
    # mv /root/freeipa.keytab /etc/foreman-proxy
    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
    
  5. Configure the realm based on whether you are using Satellite Server or Capsule Server:
    • If you are using the integrated capsule in the Satellite Server, use katello-installer to configure the realm:
      # katello-installer --capsule-realm true \
        --capsule-realm-keytab /etc/foreman-proxy/freeipa.keytab \
        --capsule-realm-principal 'realm-capsule@EXAMPLE.COM' \
        --capsule-realm-provider freeipa
      

      Note

      These options may also be run at the initial configuration of Red Hat Satellite Server.
    • If you are using an independent Capsule Server, use capsule-installer to configure the realm:
      # capsule-installer --realm true \
        --realm-keytab /etc/foreman-proxy/freeipa.keytab \
        --realm-principal 'realm-capsule@EXAMPLE.COM' \
        --realm-provider freeipa
      
  6. Make sure that the most updated versions of the ca-certificates package is installed and trust the IPA Certificate Authority:
    # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
    # update-ca-trust enable
    # update-ca-trust
    
  7. (Optional) If you are configuring IDM on an already existing Satellite Server or Capsule Server, the following steps should also be taken to make sure that the configuration changes take effect:
    1. Restart the foreman-proxy service:
      # service foreman-proxy restart
      
    2. Log in to the Satellite Server and click InfrastructureCapsules.
    3. Click on the drop down menu on the right-hand side of the Capsule Server you have configured for IDM and choose Refresh Features.
  8. Finally, create a new realm entry in the Satellite Server user interface:
    1. Click InfrastructureRealms and on the right-hand corner of the main page, click New Realm.
    2. Fill in the fields in the following subtabs:
      1. Realm - provide the realm name, the type of realm to use and the realm proxy.
      2. Locations - choose the locations where the new realm is intended for use.
      3. Organizations - choose the organizations where the new realm is intended for use.
    3. Click Submit.
The Satellite Server or Capsule Server is now ready to provision hosts that automatically register to IDM. The next section will detail the steps on how to automatically add hosts to an IDM host group.