Chapter 3. Red Hat Update Infrastructure Installer
- Configures httpd on the Red Hat Update Appliance and any CDS instances with SSL certificates
- Installs a custom CA certificate that is used for authentication of users
- Configures the Red Hat Update Appliance
- Configures secure communication between the Red Hat Update Appliance and the CDS instances
3.1. Setting Up SSL
Important
0100 to avoid conflicts within Red Hat Update Infrastructure.
3.1.1. Configuring SSL Certificates Manually
Procedure 3.1. Configuring Red Hat Update Appliance SSL Certificates
- Acquire your company's root certificate and private key. Alternatively, you can purchase one from a certificate authority (CA), or generate your own using tools such as openssl or genkey.
The CA key and certificate enable you to create SSL keys and certificates for the Red Hat Update Appliance and the CDS, as well as sign the entitlement certificates for the clients to access the CDS instances.
Note
In this section, ca.key and ca.crt are the example names for the CA key and certificate.
- Create a file with the same name and in the same location as the CA certificate, but with a .srl extension. The file should contain only the text 10. This can be done using the following command:
# echo 10 > /home/example/certs/ca.srl
- Generate the Red Hat Update Appliance Server SSL key, using the following command:
# openssl genrsa -out ssl_RHUA.key 2048
- Generate a certificate request using the openssl command:
# openssl req -new -key ssl_RHUA.key -out ssl_RHUA.csr
The tool will prompt you for further information, and then create an output file called ssl_RHUA.csr.
- Use the CSR file to create an SSL certificate for the Red Hat Update Appliance instance with the following command:
# openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in ssl_RHUA.csr -out ssl_RHUA.crt
In this example, ssl_RHUA.csr is the file created in the previous step, ca.crt is the certificate generated by the CA, ca.key is the CA certificate private key, and ssl_RHUA.crt is the name of the certificate file that will result from running this command.
Procedure 3.2. Configuring Content Delivery Server (CDS) SSL Certificates
- Generate the CDS SSL key, using the following command:
# openssl genrsa -out ssl_cds01.key 2048
- Generate a certificate request using the openssl command:
# openssl req -new -key ssl_cds01.key -out ssl_cds01.csr
The tool will prompt you for further information, and then create an output file called ssl_cds01.csr.
Important
When entering the hostname for the .csr file, the hostname needs to be the same hostname clients will use to access the CDS. This is also the client hostname used in Procedure 3.3 Add a CDS Instance of the Administration guide.
- Use the CSR file to create SSL certificates for each CDS instance with the following command:
# openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in ssl_cds01.csr -out ssl_cds01.crt
Note
It is recommended that you name the output files to correspond with the hostname of the CDS instance for which the request was created. For example, if the hostname for the CDS is cds01.example.com, the output files could be named ssl_cds01.key, ssl_cds01.csr, and ssl_cds01.crt. This helps avoid confusion when creating multiple CDS instances.
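A way to check the output of Procedures 3.1 and 3.2 before the certificates are installed, as an added example that is not part of the Red Hat documentation: it builds a throwaway CA, issues a CDS certificate with the same three commands (using -subj in place of the interactive prompts), and confirms the chain, the key pairing and the hostname. The CA subject, the host names and the make_ca, issue_cert and check_cert helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example. CA subject, host names and temp directory are constructed.

# make_ca DIR: throwaway CA plus the ca.srl serial file from Procedure 3.1
make_ca() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
          -subj "/CN=Example Test CA" -days 1 -out ca.crt 2>/dev/null &&
      echo 10 > ca.srl )
}

# issue_cert DIR NAME HOSTNAME: key, CSR and certificate as in Procedure 3.2,
# with -subj standing in for the interactive prompts
issue_cert() {
    ( cd "$1" &&
      openssl genrsa -out "$2.key" 2048 2>/dev/null &&
      openssl req -new -key "$2.key" -subj "/CN=$3" -out "$2.csr" &&
      openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key \
          -in "$2.csr" -out "$2.crt" 2>/dev/null )
}

# check_cert CA_CERT CERT KEY HOSTNAME: prints "ok" or the first failure
check_cert() {
    # 1. The certificate must chain to the CA the other components trust.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "chain: $2 is not signed by $1"; return 1; }
    # 2. The key on disk must be the one the certificate was issued for.
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "key: $3 does not match $2"; return 2; }
    # 3. The CN must be the hostname clients use to reach the server.
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$4" ] ||
        { echo "hostname: CN '$cn' is not '$4'"; return 3; }
    echo ok
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" && issue_cert "$dir" ssl_cds01 cds01.example.com &&
        check_cert "$dir/ca.crt" "$dir/ssl_cds01.crt" "$dir/ssl_cds01.key" \
            cds01.example.com
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

Against real files, call check_cert with the paths to ca.crt, the issued certificate, its key, and the hostname clients will use; a non-zero return identifies which of the three checks failed.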
3.1.2. Configuring SSL Certificates Using the Automated Script
Procedure 3.3. Configuring SSL Certificates Using the Automated Script
- Generate the SSL certificates required for the Red Hat Update Infrastructure installation using the following command:
# /usr/share/rh-rhua/rhui_certs/create_rhui_ssl_certs.sh RHUA_HOSTNAME CDS1_HOSTNAME
Note
If you do not wish to encrypt the keys, use the --noencrypt option.
Additional hostnames can be added to the end of the command if SSL certificates are required for more than one CDS.
- You will be prompted for three separate passwords. These are for the root CA, the server CA and the client CA. Enter and confirm the passwords when prompted.
Important
Use different passwords for each CA and record the passwords in a secure location.
