Redhat NETWORK 4.0 User Manual

Red Hat Network 4.0
Client Configuration Guide
Copyright © 2001 - 2005 Red Hat, Inc.
Red Hat, Inc.
1801 Varsity Drive
Raleigh NC 27606-2072 USA
Phone: +1 919 754 3700
Phone: 888 733 4281
Fax: +1 919 754 3701
PO Box 13588
Research Triangle Park NC 27709 USA
RHNclient-config(EN)-4.0-RHI (2005-04-20T13:40)
Copyright © 2005 by Red Hat, Inc. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, V1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).
Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder.
Distribution of the work or derivative of the work in any standard (paper) book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder.
Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States and other countries. All other trademarks referenced herein are the property of their respective owners.
The GPG fingerprint of the security@redhat.com key is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E

Table of Contents

1. Introduction
2. Client Applications
    2.1. Deploying the Latest Red Hat Network Client RPMs
    2.2. Configuring the Client Applications
        2.2.1. Registering with Activation Keys
        2.2.2. Using the --configure Option
        2.2.3. Updating the Configuration Files Manually
        2.2.4. Implementing Server Failover
    2.3. Configuring the Red Hat Network Alert Notification Tool with Satellite
3. SSL Infrastructure
    3.1. A Brief Introduction To SSL
    3.2. The RHN SSL Maintenance Tool
        3.2.1. SSL Generation Explained
        3.2.2. RHN SSL Maintenance Tool Options
        3.2.3. Generating the Certificate Authority SSL Key Pair
        3.2.4. Generating Web Server SSL Key Sets
    3.3. Deploying the CA SSL Public Certificate to Clients
    3.4. Configuring Client Systems
4. Importing Custom GPG Keys
5. Using RHN Bootstrap
    5.1. Preparation
    5.2. Generation
    5.3. Script Use
    5.4. RHN Bootstrap Options
6. Manually Scripting the Configuration
7. Implementing Kickstart
A. Sample Bootstrap Script
Index

Chapter 1.

Introduction

This best practices guide is intended to help customers of RHN Satellite Server and RHN Proxy Server configure their client systems more easily.
By default, all Red Hat Network client applications are configured to communicate with central Red Hat Network Servers. When connecting clients to RHN Satellite Server or RHN Proxy Server instead, many of these settings must be altered. Altering client settings for a system or two may be relatively simple. A large enterprise environment, containing hundreds or thousands of systems, will likely benefit from the mass reconfiguration steps described here.
Due to the complexity of this undertaking, customers may utilize a pre-populated script that automates many of the tasks necessary to access their Satellite or Proxy server; refer to Chapter 5 Using RHN Bootstrap for details. Red Hat believes that understanding the implications of these changes is helpful and therefore describes the manual steps for reconfiguration in the opening chapters. Use your best judgement in determining the ideal solution for your organization.
Although many of the commands provided within this guide can be applied as they appear, it is impossible to predict all potential network configurations adopted by customers. Therefore, Red Hat encourages you to use these commands as references that must take into account your organization’s individual settings.
Note
Unix client configuration information may be found in the RHN 4.0 Reference Guide in the Unix Support chapter.

Chapter 2.

Client Applications

In order to utilize most enterprise-class features of Red Hat Network, such as registering with a RHN Satellite, configuration of the latest client applications is required. Obtaining these applications before the client has registered with Red Hat Network can be difficult. This paradox is especially problematic for customers migrating large numbers of older systems to Red Hat Network. This chapter identifies techniques to resolve this dilemma.
Important
Red Hat strongly recommends that clients connected to a RHN Proxy Server or RHN Satellite Server be running the latest update of Red Hat Enterprise Linux to ensure proper connectivity.

2.1. Deploying the Latest Red Hat Network Client RPMs

Red Hat Update Agent (up2date) and Red Hat Network Registration Client (rhn_register) are prerequisites for using much of Red Hat Network’s enterprise functionality. It is crucial to install them on client systems before attempting to use RHN Proxy Server or RHN Satellite Server in your environment.
There are several sensible approaches to accomplish this update of the RHN client software. One of them involves storing the RPMs in a location that is accessible by all client systems and deploying the packages with the simplest command possible. In nearly all cases, a manual deployment of up2date and rhn_register (if RHEL 2.1) does not need to be performed. Those client tools should have no issues connecting to your RHN Satellite or Proxy environment. The discussion below assumes that the "out of box" up2date and rhn_register are not the latest and do not work for your environment.
Remember, only systems running Red Hat Enterprise Linux 2.1 must use the Red Hat Network Registration Client to register with RHN. Systems running Red Hat Enterprise Linux 3 and later can use the registration functionality built into the Red Hat Update Agent.
This document presumes that the customer has installed at least one RHN Satellite Server and/or RHN Proxy Server on their network. The example below demonstrates a simple approach of deploying up2date and rhn_register for the first time by an administrator, assuming the machines don’t already have a working RHN. The administrator has populated the /var/www/html/pub/ directory with a copy of the up2date and rhn_register (for RHEL 2.1 systems) RPMs that his client systems need, and then has simply deployed those RPMs onto his client systems with a simple rpm -Uvh command. Run from a client, this command installs the RPMs to that client, assuming the domain name, paths, and RPM versions are correct:
rpm -Uvh \
  http://your_proxy_or_sat.your_domain.com/pub/rhn_register-2.9.12-1.2.1AS.i386.rpm \
  http://your_proxy_or_sat.your_domain.com/pub/rhn_register-gnome-2.9.12-1.2.1AS.i386.rpm \
  http://your_proxy_or_sat.your_domain.com/pub/up2date-2.9.14-1.2.1AS.i386.rpm \
  http://your_proxy_or_sat.your_domain.com/pub/up2date-gnome-2.9.14-1.2.1AS.i386.rpm
Note the inclusion of the associated gnome RPMs. Keep in mind, the architecture (in this case, i386) may need to be altered depending on the systems to be served.
2.2. Configuring the Client Applications
Not every customer must connect securely to a RHN Satellite Server or RHN Proxy Server within their organization. Not every customer needs to build and deploy a GPG key for custom packages. (Both of these topics are explained in detail later.) Every customer who uses RHN Satellite Server or RHN Proxy Server must reconfigure the Red Hat Update Agent (up2date) and possibly the Red Hat Network Registration Client (rhn_register) to redirect it from Red Hat Network to their RHN Satellite Server or RHN Proxy Server.
Important
Although this is not configurable, note that the port used by the Red Hat Update Agent is 443 for SSL (HTTPS) and 80 for non-SSL (HTTP). By default, up2date uses SSL only. For this reason, users should ensure that their firewalls allow connections over port 443. To bypass SSL, change the protocol for serverURL from https to http in /etc/sysconfig/rhn/up2date. Similarly, to use RHN’s Monitoring feature and probes requiring the Red Hat Network Monitoring Daemon, note that client systems must allow connections on port 4545 (or port 22, if using sshd instead).
By default, the Red Hat Network Registration Client and the Red Hat Update Agent refer to the main Red Hat Network Servers. Users must reconfigure client systems to refer to their RHN Satellite Server or RHN Proxy Server.
Note that the latest versions of the Red Hat Update Agent can be configured to accommodate several RHN Servers, thereby providing failover protection in case the primary server is inaccessible. Refer to Section 2.2.4 Implementing Server Failover for instructions on enabling this feature.
The next sections describe three methods of configuring the client systems to access your RHN Satellite Server or RHN Proxy Server: using an Activation Key, up2date --configure, and manually updating the configuration files. (To see how virtually all reconfiguration can be scripted, see Chapter 6 Manually Scripting the Configuration.)

2.2.1. Registering with Activation Keys

Red Hat recommends using activation keys for registering and configuring client systems that access RHN Proxy Server or RHN Satellite Server. Activation keys can be used to register, entitle, and subscribe systems in a batch. Refer to the Activation Keys section of the Red Hat Update Agent chapter within the RHN Management Reference Guide for instructions on use.
Registering with an activation key has four basic steps:
1. Generate an Activation Key as described in the Activation Keys section of the Red Hat Update Agent chapter within the RHN Management Reference Guide.
2. Import custom GPG keys.
3. Download and install the SSL Certificate RPM from the /pub/ directory of the RHN Proxy Server or RHN Satellite Server. The command for this step could look something like this:
rpm -Uvh \
  http://your-satellite.com/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
4. Register the system with your RHN Proxy Server or RHN Satellite Server. The command for this step could look something like:
rhnreg_ks --activationkey mykey --serverUrl https://your-satellite.com/XMLRPC
Alternatively, most of the above steps can be combined in a shell script that includes the following lines:
wget -O - http://your-satellite-FQDN/pub/bootstrap.sh | bash \
  && rhnreg_ks --activationkey my_key --serverUrl \
  https://your-satellite-FQDN/XMLRPC
The bootstrap script, generated at installation and available for both RHN Satellite Server and RHN Proxy Server, is such a script. The script and the RHN Bootstrap that generates it are discussed in detail in Chapter 5 Using RHN Bootstrap.
Warning
Systems running Red Hat Enterprise Linux 2.1 and versions of Red Hat Linux prior to 8.0 may experience problems using Activation Keys to migrate SSL certificate settings from rhn_register to up2date. Therefore, the SSL certificate information on those systems must be set manually. All other settings, such as the server URL, transfer properly.
2.2.2. Using the --configure Option
Both the Red Hat Network Registration Client and the Red Hat Update Agent that ship with Red Hat Enterprise Linux provide interfaces for configuring various settings. For full listings of these settings, refer to the chapters dedicated to the applications in the RHN Management Reference Guide.
Each application offers a graphical user interface (GUI) for configuration that enables you to change the settings required by RHN Proxy Server or RHN Satellite Server. The GUI requires that the client system run the X Window System. The command to launch the GUI configuration interface will look like:
application_filename --configure
To reconfigure the Red Hat Update Agent, issue the following command as root:
up2date --configure
You are presented with a dialog box offering various settings that may be reconfigured. In the General tab, under Select a Red Hat Network Server to use, replace the default value with the fully qualified domain name (FQDN) of the RHN Satellite Server or RHN Proxy Server, such as https://your_proxy_or_sat.your_domain.com/XMLRPC. Retain the /XMLRPC at the end. When finished, click OK.
Figure 2-1. Red Hat Update Agent GUI Configuration
Make sure you enter the domain name of your RHN Satellite Server or RHN Proxy Server correctly. Entering an incorrect domain or leaving the field blank may prevent up2date --configure from launching. This may be resolved, however, by editing the value in the up2date configuration file. Refer to Section 2.2.3 Updating the Configuration Files Manually for precise instructions.
Warning
Systems running Red Hat Enterprise Linux 3 or newer have registration functionality built into the Red Hat Update Agent and therefore do not install the Red Hat Network Registration Client. Systems running Red Hat Enterprise Linux 2.1 (and versions of Red Hat Linux prior to 8.0) must reconfigure and use the Red Hat Network Registration Client, as well as the Red Hat Update Agent.
To reconfigure the Red Hat Network Registration Client, perform an almost identical set of steps. As root, run the following command:
/usr/bin/rhn_register --configure
You are presented with a dialog box offering basic settings that may be reconfigured. Under Select a Red Hat Network server to use replace the default value with the fully qualified domain name (FQDN) of the RHN Satellite Server or RHN Proxy Server, such as https://your_proxy_or_sat.your_domain.com/XMLRPC. Retain the /XMLRPC at the end. Click OK when finished.
Figure 2-2. Red Hat Network Registration Client GUI Configuration
If your version of rhn_register does not display the server field, and you cannot upgrade to a later version, you may enter the domain name of your RHN Satellite Server or RHN Proxy Server directly into the rhn_register configuration file. Refer to Section 2.2.3 Updating the Configuration Files Manually for precise instructions.
2.2.3. Updating the Configuration Files Manually
As an alternative to the GUI interface described in the previous section, users may also reconfigure the Red Hat Network Registration Client and the Red Hat Update Agent by editing the applications’ configuration files.
To configure Red Hat Update Agent on the client systems connecting to the RHN Proxy Server or RHN Satellite Server, edit the values of the serverURL and noSSLServerURL settings in the /etc/sysconfig/rhn/up2date configuration file (as root). Replace the default Red Hat Network URL with the fully qualified domain name (FQDN) for the RHN Proxy Server or RHN Satellite Server. For example:
serverURL[comment]=Remote server URL
serverURL=https://your_primary.your_domain.com/XMLRPC
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://your_primary.your_domain.com/XMLRPC
Warning
The httpProxy setting in /etc/sysconfig/rhn/up2date does not refer to the RHN Proxy Server. It is used to configure an optional HTTP proxy for the client. With an RHN Proxy Server in place, the httpProxy setting must be blank (not set to any value).
Skip this section if you are running Red Hat Enterprise Linux 3 or later on the client system.
Note
You must use version 2.7.11 or higher of rhn_register on client systems so they can recognize new certificates. This RPM should be available in /var/spool/up2date on your proxy system after running up2date for the Proxy.
To configure the Red Hat Network Registration Client on the client systems connecting to the RHN Proxy Server or RHN Satellite Server, edit the values of the serverURL and noSSLServerURL options in the /etc/sysconfig/rhn/rhn_register configuration file (as root). Replace the default Red Hat Network URL with the fully qualified domain name (FQDN) for the RHN Proxy Server or RHN Satellite Server. For example:
serverURL[comment]=Remote server URL
serverURL=https://your_proxy_or_sat.your_domain.com/XMLRPC
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://your_proxy_or_sat.your_domain.com/XMLRPC

2.2.4. Implementing Server Failover

Beginning with up2date-4.2.38, the Red Hat Update Agent can be configured to seek updates from a series of RHN Servers. This can be especially helpful in sustaining constant updates if your primary RHN Proxy Server or RHN Satellite Server may be taken offline.
To use this feature, first ensure that you are running the required version of up2date. Then manually add the secondary servers to the serverURL and noSSLServerURL settings in the /etc/sysconfig/rhn/up2date configuration file (as root). Add the fully qualified domain names (FQDN) for the Proxy or Satellite immediately after the primary server, separated by a semicolon (;). For example:
serverURL[comment]=Remote server URL
serverURL=https://your_primary.your_domain.com/XMLRPC; \
https://your_secondary.your_domain.com/XMLRPC;
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://your_primary.your_domain.com/XMLRPC; \
http://your_secondary.your_domain.com/XMLRPC;
Connection to the servers is attempted in the order provided here. You can include as many servers as you wish. You may list the central RHN Servers, as well. This makes sense, however, only if the client systems can reach the Internet.
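The manual-edit rules from Sections 2.2.3 and 2.2.4 can be checked mechanically before a client is registered; the script below is an added example, not part of the Red Hat manual or the RHN client tools. It parses an up2date-style file, including the semicolon-separated failover list, and reports entries that drop SSL, point at an unapproved host, lose the /XMLRPC suffix, or set httpProxy. Assumptions: the function names, the approved-host list, the old-mirror and squid hostnames in the constructed sample, and a site policy that serverURL stays on https.

```sh
#!/bin/sh
# Added example: audit an up2date-style file against the rules in 2.2.3 and 2.2.4.

# get_setting FILE KEY: print the value of "KEY=", joining lines continued with a
# trailing backslash and skipping the "KEY[comment]=" description lines.
get_setting() {
    awk -v key="$2" '
        { line = line $0 }
        /\\$/ { sub(/[ \t]*\\$/, "", line); next }
        { if (index(line, key "=") == 1) val = substr(line, length(key) + 2)
          line = "" }
        END { print val }
    ' "$1"
}

# check_urls FILE KEY "APPROVED HOSTS" POLICY: print one finding per line.
# POLICY "https" requires SSL on every entry (assumed site policy); "any" does not.
# The body is a subshell, so the IFS and noglob changes stay local.
check_urls() (
    value=$(get_setting "$1" "$2")
    [ -n "$value" ] || { echo "$2: not set"; exit 0; }
    IFS=';'; set -f
    for url in $value; do
        url=$(printf '%s' "$url" | tr -d ' \t')
        [ -n "$url" ] || continue            # a trailing ';' can leave an empty entry
        case $url in
            https://*/XMLRPC) ;;
            http://*/XMLRPC) [ "$4" = any ] || echo "$2: $url does not use https" ;;
            *) echo "$2: $url is not an http(s) URL ending in /XMLRPC"; continue ;;
        esac
        host=${url#*://}; host=${host%%/*}
        case " $3 " in
            *" $host "*) ;;
            *) echo "$2: host $host is not in the approved server list" ;;
        esac
    done
)

# audit_up2date FILE "APPROVED HOSTS": print findings; status 0 only if there are none.
audit_up2date() {
    findings=$(
        check_urls "$1" serverURL "$2" https
        check_urls "$1" noSSLServerURL "$2" any
        proxy=$(get_setting "$1" httpProxy)
        [ -z "$proxy" ] || echo "httpProxy: set to $proxy; must be blank with an RHN Proxy Server"
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the second serverURL entry and httpProxy are deliberately wrong.
sample=$(mktemp)
cat > "$sample" <<'EOF'
serverURL[comment]=Remote server URL
serverURL=https://your_primary.your_domain.com/XMLRPC; \
http://old-mirror.example.com/XMLRPC;
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://your_primary.your_domain.com/XMLRPC;
httpProxy=squid.example.com:3128
EOF
audit_up2date "$sample" "your_primary.your_domain.com your_secondary.your_domain.com" ||
    echo "audit failed: correct the settings listed above"
rm -f "$sample"
```

To use it on a real client, call audit_up2date with /etc/sysconfig/rhn/up2date and your own list of Satellite and Proxy host names.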
2.3. Configuring the Red Hat Network Alert Notification Tool with Satellite
The Red Hat Network Alert Notification Tool, the round icon in the panel of your Red Hat desktop, can be configured on systems running Red Hat Enterprise Linux 3 or later to recognize updates available from custom channels on your RHN Satellite Server. You must ensure the RHN Satellite Server is configured to support this feature. (RHN Proxy Server supports the applet without modification of client or server.) The steps to configure the Red Hat Network Alert Notification Tool are as follows:
1. Ensure that your RHN Satellite Server is version 3.4 or later and that you have the rhns-applet package installed on the Satellite. The package can be found in the RHN Satellite software channel for versions 3.4 and newer.
2. Retrieve the rhn-applet-actions package with up2date or through the Red Hat Network Tools software channel. Install the package on all Red Hat Enterprise Linux 3 and newer client systems to be notified of custom updates with the Red Hat Network Alert Notification Tool. The client systems must be entitled to the Management or Provisioning service levels.
3. Within the Satellite’s version of the RHN website, go to the System Details page for each system and click the link within the RHN Applet area to redirect the Red Hat Network Alert Notification Tool to the Satellite.
The next time the applet is started, it will apply its new configuration and connect to the RHN Satellite Server for updates.