Chapter 3. RHUI Installer
RHUI Installer is used to configure Red Hat Update Infrastructure and get it started. This is achieved through an answers file which you complete with information describing the environment in which RHUI will be installed. RHUI Installer will then create the configuration RPMs it needs. This configures and starts all the necessary services.
The RHUI Installer performs the following tasks:
- Configures httpd on the RHUA and any CDS instances with SSL certificates
- Installs a custom CA certificate that is used for authentication of users
- Configures the RHUA
- Configures secure communication between the RHUA and the CDS instances
Once RHUI Installer has completed, use RHUI Manager to interact with Red Hat Update Infrastructure.
Important
You need one configuration RPM for each entitlement certificate, but you can reuse the same client configuration RPM for all clients that share the same entitlements.
This chapter explains how to perform an initial installation of Red Hat Update Infrastructure using RHUI Installer. Ensure all the prerequisites described in Chapter 2, Installation Requirements have been met before attempting to install Red Hat Update Infrastructure.
Note
You must be using Red Hat Enterprise Linux 6 in order to successfully install and run Red Hat Update Infrastructure. For more information on installing Red Hat Enterprise Linux, refer to the Red Hat Enterprise Linux Installation Guide.
3.1. Setting up SSL
In order to use Red Hat Update Infrastructure you will need to purchase a root SSL certificate and a private key, and be able to generate SSL certificates of your own. This section outlines the basic skills you require to be able to perform these tasks.
Important
It is recommended that you sign the SSL certificates and the client entitlement certificates with different certificate authorities (CAs), in order to help mitigate any security risk should one of the certificates become compromised. However, if you choose to use the same CA to sign both certificates, ensure the serial numbers for all server-side SSL certificates are below 0100 to avoid conflicts within Red Hat Update Infrastructure.
Procedure 3.1. Configuring SSL Certificates
Users must be able to generate SSL certificates for secure communication between CDS instances and clients. The following steps detail the process of acquiring and generating SSL certificates for use in Red Hat Update Infrastructure:
- Acquire a root certificate and private key. You can purchase one from a certificate authority (CA), or you can generate your own using a tool like genkey, which can be found in the crypto-utils package in Red Hat Enterprise Linux. This certificate and key enable you to create SSL keys and certificates for the RHUA and the CDS, as well as sign the entitlement certificates for the clients to access the CDS instances.
- Create a file with the same name and in the same location as the CA certificate you have but using a .srl extension. The file should contain the text 10 only. This can be performed using the following command:
$ echo 10 > /home/example/certs/ca.srl
- Generate the server SSL key, using the following command:
$ openssl genrsa -out server.key 2048
- Generate a certificate request using the openssl command:
$ openssl req -new -key server.key -out server.csr
The tool will prompt you for further information, and then create an output file called server.csr.
Note
It is recommended that you name the output .csr file to correspond with the hostname of the CDS instance for which the request was created. For example, if the hostname for the CDS is cds1.example.com, the output file could be named cds1-example-com.csr. This will help avoid confusion when creating multiple CDS instances.
- Once the CSR file is created, create SSL certificates for each CDS instance with the following command:
$ openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in server.csr -out server.crt
In this example, server.csr is the file created in the previous step, ca.crt is the certificate generated by the CA, ca.key is the CA certificate private key, and server.crt is the name of the certificate file that will result from running this command.
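The steps of Procedure 3.1 carried through end to end, as an added example that is not part of the RHUI guide: a throwaway self-signed CA stands in for a purchased root certificate, the CDS hostname cds1.example.com and the temporary working directory are assumptions, and a final check confirms that the issued certificate chains to the CA and carries a serial below 0100, as the Important note above requires.

```shell
#!/bin/sh
# Added example, not from the RHUI guide. Generates a throwaway CA, creates the
# .srl serial file, issues a CDS server certificate from a CSR and verifies it.
# The CDS hostname and working directory are assumptions for illustration.
set -e

WORKDIR=$(mktemp -d)            # scratch directory; real installs use fixed paths
CDS_HOST="cds1.example.com"     # assumed CDS hostname
CDS_NAME=$(echo "$CDS_HOST" | sed 's/\./-/g')   # cds1-example-com, per the Note

# Step 1: a self-signed root CA stands in for a purchased certificate and key.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" \
    -subj "/CN=Example RHUI CA" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Step 2: serial file beside the CA certificate, same basename, .srl extension,
# containing only "10". openssl reads it as hex, so the first serial is 0x10.
make_serial_file() {
  echo 10 > "$WORKDIR/ca.srl"
}

# Steps 3-5: server key, CSR named after the CDS host, certificate signed by
# the CA. -CAserial is explicit here; without it openssl looks for ca.srl
# next to ca.crt, which is why step 2 places the file there.
issue_cds_cert() {
  openssl genrsa -out "$WORKDIR/$CDS_NAME.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$CDS_NAME.key" -subj "/CN=$CDS_HOST" \
    -out "$WORKDIR/$CDS_NAME.csr" 2>/dev/null
  openssl x509 -req -days 365 -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAserial "$WORKDIR/ca.srl" -in "$WORKDIR/$CDS_NAME.csr" \
    -out "$WORKDIR/$CDS_NAME.crt" 2>/dev/null
}

# Check: the certificate chains to the CA and its serial is below 0100 (hex),
# i.e. below 256 decimal, as the Important note requires when one CA is shared.
verify_cds_cert() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$CDS_NAME.crt" \
    >/dev/null 2>&1 || return 1
  serial=$(openssl x509 -in "$WORKDIR/$CDS_NAME.crt" -noout -serial | cut -d= -f2)
  [ "$((0x$serial))" -lt 256 ]
}

make_ca
make_serial_file
issue_cds_cert
if verify_cds_cert; then
  echo "certificate for $CDS_HOST issued in $WORKDIR with serial below 0100"
else
  echo "certificate check failed" >&2; exit 1
fi
```

After signing, openssl rewrites ca.srl with the next serial (11), so repeated runs against the same CA keep serials unique.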
Procedure 3.2. Generating a Qpid SSL Certificate
Red Hat Update Infrastructure uses a qpid message broker for internal communications. These communication processes are secured by SSL, which is set up using a script called nss-db-gen. When the script is run, it will prompt you for some information.
- Run the nss-db-gen script by switching to the root user and issuing the command:
# /usr/bin/nss-db-gen
Working in: /tmp/tmp24055
- Specify a directory for the new database and certificates to be stored, or press enter to accept the default value of /tmp/rhua/qpid:
Please specify a directory into which the created NSS database and associated certificates will be installed.
Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid
- Enter a password to be used by qpid to secure the database:
Enter NSS database password:
Password file created.
- The script will create the database and generate the necessary keys and certificates:
Database created.
Creating CA certificate:
Generating key. This may take a few moments...
CA created
Creating BROKER certificate:
Generating key. This may take a few moments...
Broker certificate created.
Creating CLIENT certificate:
Generating key. This may take a few moments...
Client certificate created.
- Enter the NSS database password again. This is so that the database created in the last step can be accessed:
Enter Password or Pin for "NSS Certificate DB":
- Enter a password to be used for the pkcs12 file, and re-enter it to confirm:
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
- Enter the pkcs12 password again. This is so that the certificate created in the last step can be accessed. The script will export the key and certificate, and finish:
Enter Import Password:
MAC verified OK
Client key & certificate exported
Artifacts copied to: /tmp/rhua/qpid.