Chapter 1. Accessing Red Hat Satellite

After Red Hat Satellite has been installed and configured, use the Satellite web UI interface to log in to Satellite for further configuration.

1.1. Importing the Katello Root CA Certificate

The first time you log in to Satellite, you might see a warning informing you that you are using the default self-signed certificate and you might not be able to connect this browser to Satellite until the root CA certificate is imported in the browser. Use the following procedure to locate the root CA certificate on Satellite and to import it into your browser.

To use the CLI instead of the Satellite web UI, see CLI Procedure.

Prerequisite

  • Your Red Hat Satellite is installed and configured.

Procedure

  1. Identify the fully qualified domain name of your Satellite Server:

    # hostname -f
  2. Access the pub directory on your Satellite Server using a web browser pointed to the fully qualified domain name:

    https://satellite.example.com/pub
  3. When you access Satellite for the first time, an untrusted connection warning displays in your web browser. Accept the self-signed certificate and add the Satellite URL as a security exception to override the settings. This procedure might differ depending on the browser being used. Ensure that the Satellite URL is valid before you accept the security exception.
  4. Select katello-server-ca.crt.
  5. Import the certificate into your browser as a certificate authority and trust it to identify websites.

CLI procedure

  1. From the Satellite CLI, copy the katello-server-ca.crt file to the machine you use to access the Satellite web UI:

    # scp /var/www/html/pub/katello-server-ca.crt username@hostname:remotefile
  2. In the browser, import the katello-server-ca.crt certificate as a certificate authority and trust it to identify websites.

1.2. Logging in to Satellite

Use the web user interface to log in to Satellite for further configuration.

Prerequisite

Procedure

  1. Access Satellite Server using a web browser pointed to the fully qualified domain name:

    https://satellite.example.com/
  2. Enter the user name and password created during the configuration process. If a user was not created during the configuration process, the default user name is admin. If you have problems logging in, you can reset the password. For more information, see Section 1.8, “Resetting the Administrative User Password”.

1.3. Using Red Hat Identity Management credentials to log in to the Satellite Hammer CLI

This section describes how to log in to your Satellite Hammer CLI with your Red Hat Identity Management (IdM) login and password.

Prerequisites

  • You have enrolled your Satellite Server into Red Hat Identity Management and configured it to use Red Hat Identity Management for authentication. More specifically, you have enabled access both to the Satellite web UI and the Satellite API. For more information, see Using Red Hat Identity Management in Installing Satellite Server in a Connected Network Environment.
  • The host on which you run this procedure is configured to use Red Hat Identity Management credentials to log users in to your Satellite Hammer CLI. For more information, see Configuring the Hammer CLI to Use Red Hat Identity Management User Authentication in Installing Satellite Server in a Connected Network Environment.
  • The host is an Red Hat Identity Management client.
  • An Red Hat Identity Management server is running and reachable by the host.

Procedure

  1. Obtain a Kerberos ticket-granting ticket (TGT) on behalf of a Satellite user:

    $ kinit idm_user
    Warning

    If, when you were setting Red Hat Identity Management to be the authentication provider, you enabled access to both the Satellite API and the Satellite web UI, an attacker can now obtain an API session after the user receives the Kerberos TGT. The attack is possible even if the user did not previously enter the Satellite login credentials anywhere, for example in the browser.

  2. If automatic negotiate authentication is not enabled, use the TGT to authenticate to Hammer manually:

    $ hammer auth login negotiate
  3. Optional: Destroy all cached Kerberos tickets in the collection:

    $ kdestroy -A

You are still logged in, even after destroying the Kerberos ticket.

Verification

  • Use any hammer command to ensure that the system does not ask you to authenticate again:

    $ hammer host list
Note

To log out of Hammer, enter: hammer auth logout.

1.4. Using Red Hat Identity Management credentials to log in to the Satellite web UI with a Firefox browser

This section describes how to use the Firefox browser to log in to your Satellite web UI with your Red Hat Identity Management (IdM) login and password.

Prerequisites

  • You have enrolled your Satellite Server into Red Hat Identity Management and configured the server to use Red Hat Identity Management for authentication. For more information, see Using Red Hat Identity Management in Installing Satellite Server in a Connected Network Environment.
  • The host on which you are using a Firefox browser to log in to the Satellite web UI is an Red Hat Identity Management client.
  • You have a valid Red Hat Identity Management login and password.
  • Red Hat recommends using the latest stable Firefox browser.
  • Your Firefox browser is configured for Single Sign-On (SSO). For more information, see Configuring Firefox to use Kerberos for single sign-on in Configuring authentication and authorization in Red Hat Enterprise Linux.
  • An Red Hat Identity Management server is running and reachable by the host.

Procedure

  1. Obtain the Kerberos ticket granting ticket (TGT) for yourself using your Red Hat Identity Management credentials:

    $ kinit idm_user
    Password for idm_user@EXAMPLE.COM:
  2. In your browser address bar, enter the URL of your Satellite Server.

    You are logged in automatically.

Note

Alternatively, you can skip the first two steps and enter your login and password in the fields displayed on the Satellite web UI. This is also the only option if the host from which you are accessing the Satellite web UI is not an Red Hat Identity Management client.

1.5. Using Red Hat Identity Management credentials to log in to the Satellite web UI with a Chrome browser

This section describes how to use a Chrome browser to log in to your Satellite web UI with your Red Hat Identity Management login and password.

Prerequisites

  • You have enrolled your Satellite Server into Red Hat Identity Management and configured the server to use Red Hat Identity Management for authentication. For more information, see Using Red Hat Identity Management in Installing Satellite Server in a Connected Network Environment.
  • The host on which you are using the Chrome browser to log in to the Satellite web UI is an Red Hat Identity Management client.
  • You have a valid Red Hat Identity Management login and password.
  • Red Hat recommends using the latest stable Chrome browser.
  • An Red Hat Identity Management server is running and reachable by the host.

Procedure

  1. Enable the Chrome browser to use Kerberos authentication:

    $ google-chrome --auth-server-whitelist=".example.com" --auth-negotiate-delegate-whitelist=”.example.com"
    Note

    Instead of allowlisting the whole domain, you can also allowlist a specific Satellite Server.

  2. Obtain the Kerberos ticket-granting ticket (TGT) for yourself using your Red Hat Identity Management credentials:

    $ kinit idm_user
    Password for idm_user@_EXAMPLE.COM:
  3. In your browser address bar, enter the URL of your Satellite Server.

    You are logged in automatically.

Note

Alternatively, you can skip the first three steps and enter your login and password in the fields displayed on the Satellite web UI. This is also the only option if the host from which you are accessing the Satellite web UI is not an Red Hat Identity Management client.

1.7. Changing the Password

These steps show how to change your password.

Procedure

  1. Click your user name at the top right corner.
  2. Select My Account from the menu.
  3. In the Current Password field, enter the current password.
  4. In the Password field, enter a new password.
  5. In the Verify field, enter the new password again.
  6. Click the Submit button to save your new password.

1.8. Resetting the Administrative User Password

Use the following procedures to reset the administrative password to randomly generated characters or to set a new administrative password.

To Reset the Administrative User Password

  1. Log in to the base operating system where Satellite Server is installed.
  2. Enter the following command to reset the password:

    # foreman-rake permissions:reset
    Reset to user: admin, password: qwJxBptxb7Gfcjj5
  3. Use this password to reset the password in the Satellite web UI.
  4. Edit the ~/.hammer/cli.modules.d/foreman.yml file on Satellite Server to add the new password:

    # vi ~/.hammer/cli.modules.d/foreman.yml

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

To Set a New Administrative User Password

  1. Log in to the base operating system where Satellite Server is installed.
  2. To set the password, enter the following command:

    # foreman-rake permissions:reset password=new_password
  3. Edit the ~/.hammer/cli.modules.d/foreman.yml file on Satellite Server to add the new password:

    # vi ~/.hammer/cli.modules.d/foreman.yml

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

1.9. Setting a Custom Message on the Login Page

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings, and click the General tab.
  2. Click the edit button next to Login page footer text, and enter the desired text to be displayed on the login page. For example, this text may be a warning message required by your company.
  3. Click Save.
  4. Log out of the Satellite web UI and verify that the custom text is now displayed on the login page below the Satellite version number.