2.3. Optional Configuration Options

2.3.1. Configuring Red Hat Satellite with an HTTP Proxy

This section shows how to configure Red Hat Satellite for networks that go through an HTTP Proxy. As a prerequisite, make sure that the http_proxy, https_proxy, and no_proxy environment variables are not set:
# export http_proxy=""
# export https_proxy=$http_proxy
# export no_proxy=$http_proxy
Run katello-installer with the following options:
# katello-installer --katello-proxy-url=http://myproxy.example.com \
--katello-proxy-port=8080 \
--katello-proxy-username=proxy_username \
--katello-proxy-password=proxy_password
Where:
  • --katello-proxy-url is the URL of the HTTP proxy server.
  • --katello-proxy-port is the port the HTTP proxy server is listening on.
  • --katello-proxy-username (optional) is the HTTP proxy username for authentication. If your HTTP proxy server does not require a username, you are not required to specify the username.
  • --katello-proxy-password (optional) is the HTTP proxy password for authentication. If your HTTP proxy server does not require a password, you are not required to specify the password. When used in a password, the following special characters, as well as any whitespace, must be escaped using the backslash \ character: ] [ ? \ < ~ # ` ! @ $ % ^ & * ( ) + = } | : " ; ' , > { . Alternatively, use quotation marks around the password.
After configuring the Satellite Server to go through the HTTP Proxy, make sure that yum or subscription-manager can connect to the Red Hat Content Delivery Network (CDN) and that the Satellite Server can synchronize its repositories to the CDN by following these steps:

Procedure 2.4. To Configure Satellite Server to Allow Red Hat Subscription Manager Access to the CDN:

  1. On the network gateway and the HTTP Proxy, open the following hostnames, ports and protocols:

    Table 2.1. Required Hostnames, Ports and Protocols

    Hostname                    | Port | Protocol
    subscription.rhn.redhat.com | 443  | https
    cdn.redhat.com              | 443  | https
    *.akamaiedge.net            | 443  | https
  2. On the Satellite Server, complete the following details in the /etc/rhsm/rhsm.conf file. For example:
    # an http proxy server to use (enter server FQDN)
    proxy_hostname = http_proxy.example.com
    
    # port for http proxy server
    proxy_port = 3128
    
    # user name for authenticating to an http proxy, if needed
    proxy_user =
    
    # password for basic http proxy auth, if needed
    proxy_password =
    

2.3.2. Configuring Red Hat Satellite with a Custom Server Certificate

Red Hat Satellite comes with a default certificate authority (CA) used by both the server and client SSL certificates for authentication of subservices. The server and client certificates can be replaced with custom ones. For more information on creating custom certificates, see the Red Hat Enterprise Linux 7 Security Guide. [6]
Custom server and client certificates may be implemented either before or after running the Katello installer. Implementing custom certificates after installation requires additional effort, so doing so before is recommended.

Note

The certificate's Common Name (CN) must match the fully qualified domain name of the server on which it is used.

Prerequisites

You must have the following files:
  • Certificate file for the Satellite Server, signed by your certificate authority (or self-signed)
    Katello installer parameter --certs-server-cert. In this example, satellite.crt.
  • Certificate signing request file that was used to create the certificate for the Satellite Server
    Katello installer parameter --certs-server-cert-req. In this example, satellite.crt.req.
  • Satellite Server's private key used to sign the certificate
    Katello installer parameter --certs-server-key. In this example, satellite.crt.key.
  • CA certificate
    Katello installer parameter --certs-server-ca-cert. In this example, ca_cert.crt.
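
A pre-flight check for the four prerequisite files and the Common Name rule above, as an added example that is not part of the Red Hat documentation: it confirms that the certificate, CSR and private key share one public key, that the CN equals the FQDN, and that the certificate verifies against the CA certificate. The function name check_sat_certs is this example's own, and it assumes PEM files and an unencrypted private key.

```sh
#!/bin/sh
# Added example: pre-flight check for the files given to
# katello-installer --certs-server-*. The function name and messages are
# this example's own; only standard openssl subcommands are used.

# check_sat_certs CERT CSR KEY CA_CERT FQDN
# Returns 0 if all checks pass, 1 on a failed check, 2 if a file cannot be parsed.
check_sat_certs() {
    c_cert=$1 c_csr=$2 c_key=$3 c_ca=$4 c_fqdn=$5

    # Public key embedded in each file (works for RSA and EC keys).
    pub_cert=$(openssl x509 -in "$c_cert" -noout -pubkey 2>/dev/null) || return 2
    pub_csr=$(openssl req -in "$c_csr" -noout -pubkey 2>/dev/null) || return 2
    pub_key=$(openssl pkey -in "$c_key" -pubout 2>/dev/null) || return 2

    if [ "$pub_cert" != "$pub_key" ]; then
        echo "FAIL: private key does not belong to the certificate" >&2
        return 1
    fi
    if [ "$pub_cert" != "$pub_csr" ]; then
        echo "FAIL: CSR holds a different public key than the certificate" >&2
        return 1
    fi

    # The certificate's CN must equal the server's FQDN.
    cn=$(openssl x509 -in "$c_cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | tail -n 1)
    if [ "$cn" != "$c_fqdn" ]; then
        echo "FAIL: CN '$cn' does not match FQDN '$c_fqdn'" >&2
        return 1
    fi

    # The certificate must chain to the CA passed as --certs-server-ca-cert.
    if ! openssl verify -CAfile "$c_ca" "$c_cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against the CA certificate" >&2
        return 1
    fi
    echo "OK: certificate, CSR, key and CA are consistent for $c_fqdn"
}

# Typical call with the file names used on this page:
# check_sat_certs /root/sat_cert/satellite.crt /root/sat_cert/satellite.crt.req \
#     /root/sat_cert/satellite.crt.key /root/sat_cert/ca_cert.crt "$(hostname -f)"
```
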

Procedure 2.5. To Set a Custom Server Certificate Before Running the Katello Installer:

Note

In this example the files are stored in the directory /root/sat_cert. Using an absolute path in the root user's directory provides a fixed location that is available to all users who log in to the server with root permissions. Before running this command, ensure the directory already exists.
  • Run the following command on the Red Hat Satellite Server to use the custom certificate.
    # katello-installer \
      --certs-server-cert /root/sat_cert/satellite.crt \
      --certs-server-cert-req /root/sat_cert/satellite.crt.req \
      --certs-server-key /root/sat_cert/satellite.crt.key \
      --certs-server-ca-cert /root/sat_cert/ca_cert.crt

Important

If you configure a Satellite Server to use custom certificates, you must do the same for all Capsule Servers. For instructions see Section 7.5.1, “Configuring Red Hat Satellite Capsule Server with a Custom Server Certificate”.

Procedure 2.6. To Set a Custom Server Certificate After Running the Katello Installer:

When the Katello installer is run for the first time without certificate parameters, it uses the default CA to sign both server and client certificates. To deploy custom certificates after the Katello installer has already been run, the installed certificates must be updated.

Note

In this example the files are stored in the directory /root/sat_cert. Using an absolute path in the root user's directory provides a fixed location that is available to all users who log in to the server with root permissions. Before running this command, ensure the directory already exists.
  1. Run the following command on the Red Hat Satellite Server to regenerate the katello-ca-consumer package and the Satellite Server's certificate.
    # katello-installer \
      --certs-server-cert /root/sat_cert/satellite.crt \
      --certs-server-cert-req /root/sat_cert/satellite.crt.req \
      --certs-server-key /root/sat_cert/satellite.crt.key \
      --certs-server-ca-cert /root/sat_cert/ca_cert.crt \
      --certs-update-server \
      --certs-update-server-ca \
      --certs-update-all
    
  2. Run the following command on the client systems to install the new client and server certificates.
    # rpm -Uvh http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm

Important

If you configure a Satellite Server to use custom certificates, you must do the same for all Capsule Servers. For instructions see Section 7.5.1, “Configuring Red Hat Satellite Capsule Server with a Custom Server Certificate”.

2.3.3. Configuring DNS, DHCP, and TFTP

This section describes how to configure Satellite to run BIND (named) to provide authoritative DNS services for the example.com domain and the 172.17.13.x subnet. This requires setting up a DNS zone for forward lookups, which will be contained in the example.com zone file. Additionally, a DNS zone for reverse lookups will be created for the 172.17.13.x subnet, which will be contained in the 13.17.172.in-addr.arpa reverse zone file. This ensures that hosts provisioned from Satellite use the correct name resolution parameters. This section also describes how to configure the TFTP proxy so that hosts can boot using PXE.
Clients on this network will have the following characteristics:
  • Have access to IP addresses in the range 172.17.13.100 to 172.17.13.150 for DHCP.
  • Use the Satellite (satellite.example.com at 172.17.13.2) for DNS.
  • Receive a pxelinux.0 file from Satellite (satellite.example.com at 172.17.13.2) to enable PXE-booting.
  • Have host names of hostname.example.com, where hostname is configured when the host is provisioned.

Important

This example enables DHCP services on the Satellite server. Consult your network administrator before proceeding.
Run the following katello-installer command as root, using the specified options to configure the required services on the Satellite server. Remember to substitute your desired administrator user name and password.

Important

  • If you have created an admin user and password by running katello-installer previously, do not include the --foreman-admin-username and --foreman-admin-password options in the following command.
  • If you do not specify the administrator user name and password, the default user admin is created, and the password is automatically generated. The credentials are displayed at the end of the installation process. Make a note of this password. You can also retrieve the password from the admin_password parameter in the /etc/katello-installer/answers.katello-installer.yaml file.
# katello-installer --foreman-admin-username admin-username \
--foreman-admin-password admin-password \
--capsule-dns true \
--capsule-dns-interface eth0 \
--capsule-dns-zone example.com \
--capsule-dns-forwarders 172.17.13.1 \
--capsule-dns-reverse 13.17.172.in-addr.arpa \
--capsule-dhcp true \
--capsule-dhcp-interface eth0 \
--capsule-dhcp-range "172.17.13.100 172.17.13.150" \
--capsule-dhcp-gateway 172.17.13.1 \
--capsule-dhcp-nameservers 172.17.13.2 \
--capsule-tftp true \
--capsule-tftp-servername $(hostname) \
--capsule-puppet true \
--capsule-puppetca true
At the end of the installation process, katello-installer outputs the status of the installation.
Success!
  * Katello is running at https://satellite.example.com
      Default credentials are 'admin:*******'
  * Capsule is running at https://satellite.example.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/katello-installer/katello-installer.log
Use a web browser to navigate to https://satellite.example.com to display the Satellite home page. This example uses the default organization (Default_Organization) and the default location.
Alternatively, you can configure Satellite to use external DNS and DHCP services as described in Section 7.9, “Configuring Satellite 6 with External Services”. If you need to allocate specific IP addresses to host names or MAC addresses, see the DHCP chapter in the Red Hat Enterprise Linux 7 Networking Guide. [7]

2.3.3.1. Additional DNS, DHCP and TFTP Options

The following table describes the various options and the values required to correctly configure the Satellite server. The katello-installer command uses Puppet; consequently, it will install additional packages (bind, dhcp, xinetd, and so on) and configure them to add the requested functionality.
For a complete list of available options, run katello-installer --help.

Table 2.2. Satellite Configuration Options

Option | Description | Value
--foreman-admin-username | The user name for the initial administrator. | User specified.
--foreman-admin-password | The password for the initial administrator. | User specified.
--capsule-dns | Enable DNS proxy capability. | yes
--capsule-dns-interface | The interface that named should listen on. | eth0
--capsule-dns-zone | The forward DNS zone that the Satellite will host. | example.com
--capsule-dns-forwarders | The DNS server that unknown queries are forwarded to. | 172.17.13.1
--capsule-dns-reverse | The reverse DNS zone the Satellite hosts. This is usually the first three octets of the IP address (172.17.13) reversed, and appended with ".in-addr.arpa". | 13.17.172.in-addr.arpa
--capsule-dhcp | Enable DHCP proxy capability. | yes
--capsule-dhcp-interface | The interface that DHCP listens on. | eth0
--capsule-dhcp-range | The range of IP addresses to issue to clients. | 172.17.13.100 172.17.13.150
--capsule-dhcp-gateway | The default gateway IP to issue to clients. | 172.17.13.1
--capsule-dhcp-nameservers | The host that the clients should use for name resolution. This should be configured with the Satellite's IP in this deployment model. | 172.17.13.2
--capsule-tftp | Enable TFTP proxy capability. This is needed to PXE boot the clients. | yes
--capsule-tftp-servername | Sets the TFTP host name. Set this to match the server's host name (satellite.example.com). | $(hostname)
--capsule-puppet | Enable the Puppet Master. | yes
--capsule-puppetca | Enable the Puppet CA. | yes