9.4. Setting up Subscription Asset Manager on a Multihomed System
SSL certificates rely on the hostname of the server to identify and authenticate the server. When Subscription Asset Manager is running on a multi-homed instance, each interface requires its own certificate for secure connections to succeed.
- Configure a self-signed certificate authority (CA) to use to generate the server certificates.
  Note: If a CA is already configured or a third-party CA is available to issue certificates, then this step can be skipped.
  - Create the appropriate directory and subdirectories in /etc/pki. This example creates myCA. The command is split onto multiple lines for clarity; it can also be run on a single line.
        [root@server1 ~]# mkdir -m 0755 \
            /etc/pki/myCA \
            /etc/pki/myCA/private \
            /etc/pki/myCA/certs \
            /etc/pki/myCA/newcerts \
            /etc/pki/myCA/crl
  - Copy the OpenSSL configuration file to the new PKI directory, and set the appropriate permissions.
        [root@server1 ~]# cp /etc/pki/tls/openssl.cnf /etc/pki/myCA/openssl.my.cnf
        [root@server1 ~]# chmod 0600 /etc/pki/myCA/openssl.my.cnf
  - Create an index file.
        [root@server1 ~]# touch /etc/pki/myCA/index.txt
  - Create a serial number file and seed it with the starting serial number.
        [root@server1 ~]# echo '01' > /etc/pki/myCA/serial
  - Open the CA directory.
        [root@server1 ~]# cd /etc/pki/myCA/
  - Generate the self-signed CA certificate. This prompts for information such as the location and company to use in the certificate's subject name.
        [root@server1 myCA]# openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825
        -----
        Country Name (2 letter code) [XX]:US
        State or Province Name (full name) []:North Carolina
        Locality Name (eg, city) [Default City]:Raleigh
        Organization Name (eg, company) [Default Company Ltd]:Example
        Organizational Unit Name (eg, section) []:Engineering
        Common Name (eg, your name or your server's hostname) []:server1
        Email Address []:admin@example.com
        -----
  - Edit the OpenSSL configuration file to use the location of the new CA directory (/etc/pki/myCA/).
        [root@server1 myCA]# sed -i "s/\/etc\/pki\/CA/\/etc\/pki\/myCA/" openssl.my.cnf
  - Create a multi-homed CA configuration file.
        [root@server1 myCA]# cp /etc/pki/tls/openssl.cnf /etc/pki/myCA/openssl.my_multihome.cnf
  - Edit the multi-homed configuration file.
    - Change the CA directory to /etc/pki/myCA.
          dir = /etc/pki/myCA
    - Uncomment the copy_extensions line and set the value to copy, so that the extensions in the certificate request (including subjectAltName) are carried into the signed certificate.
          copy_extensions = copy
    - Uncomment the req_extensions line and enable version 3 extensions for requests.
          req_extensions = v3_req
    - Add the subjectAltName extension, and add the list of the other interfaces on the system.
          subjectAltName = @alt_names

          [alt_names]
          DNS.1 = server2
          DNS.2 = server3
- Create and sign the server certificate for Subscription Asset Manager.
  - Create the certificate request for Subscription Asset Manager, using the multi-homed configuration file. As with creating the CA certificate, this prompts for information (such as locality and organizational unit) to use to build the subject name of the certificate.
        [root@server1 myCA]# openssl req -config openssl.my_multihome.cnf -new -nodes -keyout private/server.key -out server.csr -days 365
        -----
        Country Name (2 letter code) [XX]:US
        State or Province Name (full name) []:North Carolina
        Locality Name (eg, city) [Default City]:Raleigh
        Organization Name (eg, company) [Default Company Ltd]:Example
        Organizational Unit Name (eg, section) []:Engineering
        Common Name (eg, your name or your server's hostname) []:server1
        Email Address []:admin@example.com

        Please enter the following 'extra' attributes
        to be sent with your certificate request
        A challenge password []:
        An optional company name []:
        -----
  - Set the owner and permissions for the generated key.
        [root@server1 myCA]# chown root.apache /etc/pki/myCA/private/server.key
        [root@server1 myCA]# chmod 0440 /etc/pki/myCA/private/server.key
  - Sign the certificate, using the multi-homed configuration file.
        [root@server1 myCA]# openssl ca -config openssl.my_multihome.cnf -keyfile ./private/myca.key -cert ./certs/myca.crt -policy policy_anything -out certs/server.crt -infiles server.csr
  - Verify that the certificate is valid.
        [root@server1 myCA]# openssl verify -purpose sslserver -CAfile /etc/pki/myCA/certs/myca.crt /etc/pki/myCA/certs/server.crt
- Set up the Subscription Asset Manager web server with the new certificates.
  - Copy the certificates and the server key into the Subscription Asset Manager certificate directory.
        [root@server1 myCA]# cp /etc/pki/myCA/certs/server.crt /etc/pki/katello/
        [root@server1 myCA]# cp /etc/pki/myCA/certs/myca.crt /etc/pki/katello/
        [root@server1 myCA]# cp /etc/pki/myCA/private/server.key /etc/pki/katello/
  - Edit the web server configuration file to point to the new certificates.
        [root@server1 myCA]# vim /etc/httpd/conf.d/katello.conf

        SSLCaCertificateFile /etc/candlepin/certs/candlepin-ca.crt
        SSLCertificateFile /etc/pki/katello/server.crt
        SSLCertificateKeyFile /etc/pki/katello/server.key
  - Restart the Subscription Asset Manager services to load the new certificate information.
        [root@server1 myCA]# service tomcat6 restart && service pulp-server restart && service katello restart && service katello-jobs restart
  - Copy the CA certificate into the pub/ directory of the web server so that clients can download it.
        [root@server1 myCA]# cp /etc/pki/myCA/certs/myca.crt /var/www/html/pub/
  - Import the CA certificate into the browser used to access the SAM web UI.
- Set up new certificate RPMs to use to install the proper configuration and certificates on clients.
  - Open the pub directory.
        [root@server1 myCA]# cd /var/www/html/pub
  - Edit the Red Hat Subscription Manager configuration script to use the newly-created CA, replacing references to candlepin-local with myca.
        [root@server1 pub]# sed 's/candlepin-local/myca/' ~/ssl-build/rhsm-katello-reconfigure > ~/ssl-build/rhsm-katello-reconfigure-myca
  - Generate new client RPMs with the new certificate and the updated rhsm.conf file. The loop is split onto multiple lines for clarity.
        [root@server1 pub]# SERVER_NAMES="server1 server2 server3"
        [root@server1 pub]# for KATELLO_SERVER in $SERVER_NAMES; do \
            sed "s/KATELLO_SERVER=.*/KATELLO_SERVER=${KATELLO_SERVER}/" ~/ssl-build/rhsm-katello-reconfigure-myca > ~/ssl-build/rhsm-katello-reconfigure-myca-${KATELLO_SERVER}; \
            /usr/share/katello/certs/gen-rpm.sh --name "candlepin-cert-consumer-${KATELLO_SERVER}" --version 1.0 --release 2 \
              --packager None --vendor None --group 'Applications/System' \
              --summary "Subscription-manager consumer certificate for Katello instance ${KATELLO_SERVER}" \
              --description 'Consumer certificate and post installation script that configures rhsm.' \
              --post /root/ssl-build/rhsm-katello-reconfigure-myca-${KATELLO_SERVER} \
              /etc/rhsm/ca/candlepin-local.pem:666=/root/ssl-build/candlepin-cert.crt \
              /etc/rhsm/ca/myca.pem:666=/etc/pki/myCA/certs/myca.crt && /sbin/restorecon ./*rpm; \
          done
    This creates a new RPM for each interface in the multi-homed configuration. For example:
        ./candlepin-cert-consumer-server1.noarch.rpm
        ./candlepin-cert-consumer-server1.src.rpm
        ./candlepin-cert-consumer-server2.noarch.rpm
        ./candlepin-cert-consumer-server2.src.rpm
        ./candlepin-cert-consumer-server3.noarch.rpm
        ./candlepin-cert-consumer-server3.src.rpm
  - Install the updated RPMs, for each interface, on all of the Subscription Asset Manager clients.
        [root@sam-client ~]# yum -y install http://server1/pub/candlepin-cert-consumer-server1.noarch.rpm
        [root@sam-client ~]# yum -y install http://server2/pub/candlepin-cert-consumer-server2.noarch.rpm
        [root@sam-client ~]# yum -y install http://server3/pub/candlepin-cert-consumer-server3.noarch.rpm
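As an added check that is not part of the Red Hat guide, the script below rebuilds the section's mechanism in a throwaway directory (a self-signed CA, a certificate request carrying subjectAltName entries, signed with copy_extensions = copy) and then verifies the signed certificate against every interface hostname with openssl verify -verify_hostname, which is the test that the single "openssl verify" step above does not perform. The CA path and hostnames are constructed; the primary hostname is listed in alt_names too, because hostname verification ignores the CN once a subjectAltName is present.

```shell
# Constructed check, not from the Red Hat guide: build a throwaway CA and sign a
# multi-homed cert as the section does (SANs in the CSR, copy_extensions = copy),
# then confirm that every interface hostname verifies against the result.
set -eu
# Build a mini CA under $1 and sign a cert whose SANs are the names in $2 onward.
build_multihomed_cert() {
  ca="$1"; shift
  mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"
  i=1; alt=""
  for h in "$@"; do alt="$alt$(printf '\nDNS.%s = %s' "$i" "$h")"; i=$((i + 1)); done
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_anything
copy_extensions = copy
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]$alt
EOF
  openssl req -config "$ca/openssl.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj /CN=myca -keyout "$ca/private/myca.key" -out "$ca/certs/myca.crt" 2>/dev/null
  openssl req -config "$ca/openssl.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$ca/private/server.key" -out "$ca/server.csr" 2>/dev/null
  openssl ca -batch -config "$ca/openssl.cnf" -keyfile "$ca/private/myca.key" \
    -cert "$ca/certs/myca.crt" -out "$ca/certs/server.crt" -infiles "$ca/server.csr" 2>/dev/null
}
# Succeed only if cert $2 chains to CA $1 and matches every hostname that follows.
check_hostnames() {
  cacert="$1"; cert="$2"; shift 2
  for h in "$@"; do
    openssl verify -purpose sslserver -CAfile "$cacert" -verify_hostname "$h" "$cert" >/dev/null 2>&1 || return 1
  done
}
```

Run check_hostnames with the deployed myca.crt and server.crt and the full list of interface names; a hostname missing from alt_names makes it fail, which is exactly what a client connecting through that interface would see.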
