Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. in the United States
and other countries.
All other trademarks referencedherein are the property of their respective owners.
The GPG fingerprint of the security@redhat.comkey is:
CA 20 86 86 2B D6 9D FC 65 F6 EC C4 21 91 80 CD DB 42 A6 0E
Red Hat Network (RHN) is the environment for system-level support and management of
Red Hat systems and networks of systems. Red Hat Network brings together the tools,
services, and information repositories needed to maximize the reliability, security, and performance of their systems. To use RHN, system administrators register the software and
hardware profiles, known as System Profiles, of their client systems with Red Hat Network.
When a client system requests package updates, only the applicable packages for the client
are returned (based upon the software profile stored on the RHN Servers).
Advantages of using Red Hat Network include:
• Scalability — with Red Hat Network, a single system administrator can set up and main-
tain hundreds or thousands of Red Hat systems more easily, accurately, and quickly than
they could maintain a single system without Red Hat Network.
• Standard Protocols — standard protocols are used to maintain security and increase
capability. For example, XML-RPC gives Red Hat Network the ability to do much more
than merely download files.
• Security — all communication between registered systems and Red Hat Network takes
place over secure Internet connections.
• View Errata Alerts — easily view Errata Alerts for all your client systems through one
website.
• Scheduled Actions — use the website to schedule actions, including Errata Updates,
package installs, and software profile updates.
• Simplification — maintaining Red Hat systems becomes a simple, automated process.
1.2. RHN Proxy Server
An RHN Proxy Server is a package-caching mechanism that reduces the bandwidth requirements for RHN and enables custom package deployment. Proxy customers cache
RPMs, such as Errata Updates from Red Hat or custom RPMs generated by their organization, on an internal, centrally-located server. Client systems then receive these updates
from the Proxy rather than by accessing the Internet individually.
2Chapter 1. Introduction
Although the packages are served by the Proxy, clients’ System Profiles and user information are stored on the secure, central RHN Servers1, which also serve the RHN website
(rhn.redhat.com). The Proxy acts as a go-between for client systems and Red Hat Network (or an RHN Satellite Server). Only the package files are stored on the RHN Proxy
Server. Every transaction is authenticated, and the Red Hat Update Agent checks the GPG
signature of each package retrieved from the local RHN Proxy Server.
In addition to storing official Red Hat packages, the RHN Proxy Server can be configured
to deliver an organization’s own custom packages from private RHN channels, using the
RHN Package Manager. For instance, an organization could develop its own software,
package it in an RPM, sign it with its own GPG signature, and have the local RHN Proxy
Server update all of the individual systems in the network with the latest versions of the
custom software.
Advantages of using RHN Proxy Server include:
• Scalability — there can be multiple local RHN Proxy Servers within one organization.
• Security — an end-to-end secure connection is maintained: from the client systems, to
the local RHN Proxy Server, to the Red Hat Network servers.
• Saves time — packages are delivered significantly faster over a local area network than
the Internet.
• Saves bandwidth — packages are downloaded from RHN only once (per local Proxy
Server’s caching mechanism) instead of downloading each package to each client system.
• Customized updates — create a truly automated package delivery system for custom
software packages, as well as official Red Hat packages required for the client systems.
Custom private RHN channels allow an organization to automate delivery of in-house
packages.
• Customized configuration — restrict or grant updates to specific architectures and OS
versions.
• Only one Internet connection required — Because clients connect only to the RHN
Proxy Server and not the Internet, they require only a Local Area Network connection
to the Proxy. Only the RHN Proxy Server needs an Internet connection to contact the
RHN Servers, unless the RHN Proxy Server is using a RHN Satellite Server, in which
case only the RHN Satellite Server requires an Internet connection.
1. Throughout thisdocument, "RHN" may refer to either RHN’s Hosted site (http://rhn.redhat.com)
or an RHN Satellite Server.
Chapter 1. Introduction3
1.3. Terms to Understand
Before understanding RHN Proxy Server, it is important to become familiar with the following Red Hat Network terms:
Channel
A channel is a list of software packages. There are two types of channels: base channels and child channels. A base channel consists of a list of packages based on a
specific architecture and Red Hat release. A child channel is a channel associated
with a base channel that contains extra packages.
Organization Administrator
An Organization Administrator is a user role with the highest level of control over an
organization’s Red Hat Network account. Members with this role can add other users,
other systems, and system groups to the organization, as well as remove them. A Red
Hat Network organization must have at least one Organization Administrator.
Channel Administrator
A Channel Administrator is a user role with full access to channel management capabilities. Users with this role are capable of creating channels and assigning packages
to channels. This role can be assigned by an Organization Administrator through the
Users tab of the RHN website.
Red Hat Update Agent<
The Red Hat Update Agent is the Red Hat Network client application (up2date) that
allows users to retrieve and install new or updated packages for the client system on
which the application is run.
Traceback
A traceback is a detailed description of "what went wrong" that is useful for troubleshooting the RHN Proxy Server. Tracebacks are automatically generated when a
critical error occurs and are emailed to the individual(s) designated in the RHN Proxy
Server’s configuration file.
For more detailed explanations of these terms and others, refer to the Red Hat NetworkReference Guide available at http://www.redhat.com/docs/ and http://rhn.redhat.com/help.
1.4. How it Works
The Red Hat Update Agent on the client systems does not directly contact a Red Hat
Network Server. Instead, the client (or clients) connects in turn to an RHN Proxy Server
that connects to the Red Hat Network Servers or to a RHN Satellite Server. Thus, the client
4Chapter 1. Introduction
systems do not need direct access to the Internet. They need access only to the RHN Proxy
Server.
Important
Red Hat strongly recommends that clients connected to an RHN Proxy Server be running
the latest update of Red Hat Enter prise Linux to ensure proper connectivity.
Clients that access RHN directly are authenticated by the RHN servers. Clients that access
an RHN Proxy Server are still authenticated by RHN; however, in this case the Proxy provides both authentication and route information to RHN. After a successful authentication,
the Red Hat Network Server informs the RHN Proxy Server that it is permitted to execute a
specific action for the client. The RHN Proxy Server downloads all of the updated packages
(if they are not already present in its cache) and delivers them to the client system.
Requests from the Red Hat Update Agent on the client systems are still authenticated on
the server side, but package delivery is significantly faster since the packages are cached in
the HTTP Proxy Caching Server or the RHN Proxy Server (for local packages); the RHN
Proxy Server and client system are connected via the LAN and are limited only by the
speed of the local network.
Authentication is done in the following order:
1. The client performs a login action at the beginning of a client session. This login is
passed through one or more RHN Proxy Servers until it reaches a Red Hat Network
Server.
2. The Red Hat Network Server attempts to authenticate the client. If authentication is
successful, the server then passes back a session token via the chain of RHN Proxy
Servers. This token, which has a signature and expiration, contains user information,
including channel subscriptions, username, etc.
3. Each RHN Proxy Server caches this token on its local file system in
/var/cache/rhn/. Caching reduces some of the overhead of authenticating with
Red Hat Network Servers and greatly improves the performance of Red Hat
Network.
4. This session token is passed back to the client machine and is used in subsequent
actions on Red Hat Network.
From the client’s point of view, there is no difference between an RHN Proxy Server and
a Red Hat Network Server. From the Red Hat Network Server’s point of view, an RHN
Proxy Server is a special type of RHN client. Clients are thus not affected by the route a
request takes to reach a Red Hat Network Server. All the logic is implemented in the RHN
Proxy Servers and Red Hat Network Servers.
Chapter 1. Introduction5
Optionally, the RHN Package Manager can be installed and configured to serve custom
packages. Any package that is not an official Red Hat package, including custom packages
written specifically for an organization, can only be served from a private software channel
(also referred to as a custom software channel). After creating a private RHN channel, the
custom RPM packages are associated with that channel by uploading the package headers to the RHN Servers. Only the headers are uploaded, not the actual package files. The
headers are required because they contain crucial RPM information, such as software dependencies, that allows RHN to automate package installation. The actual custom RPM
packages are stored on the RHN Proxy Server and sent to the client systems from inside
the organization’s local area network.
Configuring a computer network to use RHN Proxy Servers is straightforward. The Red
Hat Network applications on the client systems must be configured to connect to the RHN
Proxy Server instead of the Red Hat Network Servers. Refer to the RHN Client Configu-ration Guide for details. On the proxy side, one has to specify the next proxy in the chain
(which eventually ends with a Red Hat Network Server). If the RHN Package Manager is
used, the client systems must be subscribed to the private RHN channel.
6Chapter 1. Introduction
Chapter 2.
Requirements
These requirements must be met before installation. To install RHN Proxy Server version
3.6 or later from RHN Satellite Server, the Satellite itself must be version 3.6 or later.
2.1. Software Requirements
To perform an installation, the following software-related components must be available:
• Base operating system — RHN Proxy Server is supported with Red Hat Enterprise
Linux AS 3 Update 5 or later, or Red Hat Enterprise Linux AS 4 only. The operating system can be installed from disc, local ISO image, kickstart, or any of the methods
supported by Red Hat.
Important
If you plan to obtain Monitoring-level service, you must install your RHN Proxy Server
on Red Hat Enterprise Linux AS 3 Update 5 or Red Hat Enterprise Linux AS 4. These
are the only supported base operating systems for Proxies serving Monitoring-entitled
systems.
Each version of Red Hat Enterprise Linux AS requires a certain package set to support
RHN Proxy Server. Anything more can cause errors during installation. Therefore, Red
Hat recommends obtaining the desired package set in the following ways:
Note
For kickstarting either Red Hat Enterprise Linux AS 4 or Red Hat Enterprise Linux AS
3 Update 5, specify the following package group: @ Base
For installing Red Hat Enterprise Linux AS 4 or Red Hat Enterprise Linux AS 3 Update
5 via CD or ISO image, select the following package group: Minimal
Warning
Security-enhanced Linux (SELinux) must be disabled in Red Hat Enterprise Linux AS
4 prior to installation of RHN Proxy Server. This may be done in one of several ways:
• During CD or ISO image installation, select Disabled when presented with options
for SELinux support.
8Chapter 2. Requirements
• To do this for kickstart installation, include the command selinux --disabled
• After the installation is complete, edit the /etc/selinux/config file to read
SELINUX=disabled and reboot the system.
• Finally, you can use the system-config-securitylevel-tui command and reboot
the system.
• An available RHN Proxy Server entitlement within your Red Hat Network account.
• An available Provisioning entitlement within your Red Hat Network account (which
should come packaged with your RHN Proxy Server entitlement).
• Access to the Red Hat Network Tools channel for the installed version of Red Hat En-
terprise Linux AS.
• All rhncfg* packages installed on the Proxy (from the RHN Tools channel).
• Either the rhns-certs-tools package installed on the Proxy (from the RHN Tools
channel) or the secure sockets layer (SSL) CA certificate password used to generate the
parent server certificate (such as on an RHN Satellite Server).
• Configuration of the system to accept remote commands and configuration management
through Red Hat Network. Refer to Section 4.2 RHN Proxy Server Installation Process
for instructions.
2.2. Hardware Requirements
The following hardware configuration is required for the RHN Proxy Server:
• Pentium III processor, 1.26GHz, 512K cache or equivalent
• 512 MB of memory
• 3 GB storage for base install of Red Hat Enterprise Linux AS
• 6 GB storage per distribution/channel
The load on the Apache HTTP Server is directly related to the frequency with which client
systems connect to the Proxy. If you reduce the default interval of four hours (or 240 minutes) as set in the /etc/sysconfig/rhn/rhnsd configuration file of the client systems,
you will increase the load on this component significantly.
2.3. Disk Space Requirements
The caching mechanism used by RHN Proxy Server is the Squid HTTPproxy, which saves
significant bandwidth for the clients. It should have a reasonable amount of space available.
The cached packages are stored in /var/spool/squid. The required free space allotment
is 6 GB storage per distribution/channel.
Chapter 2. Requirements9
If the RHN Proxy Server is configured to distribute custom, or local packages, make sure
that the /var mount point on the system storing local packages has sufficient disk space
to hold all of the custom packages, which are stored in /var/spool/rhn-proxy. The
required disk space for local packages depends on the number of custom packages served.
2.4. Additional Requirements
The following additional requirements must be met before the RHN Proxy Server installation can be considered complete:
Full Access
Client systems need full network access to the RHN Proxy Server services and ports.
Firewall Rules
The RHN Proxy Server solution can be firewalled from the Internet, but it must be
able to issue outbound connections to the Internet on ports 80 and 443. In addition,
if the Proxy will be connected to an RHN Satellite Server that will be configured to
push actions to client systems and the Proxy, you must allow inbound connections on
port 5222.
Synchronized System Times
There is great time sensitivity when connecting to a Web server running SSL (Secure Sockets Layer); it is imperative the time settings on the clients and server are
reasonably close together so the that SSL certificate does not expire before or during
use. It is recommended that Network Time Protocol (NTP) be used to synchronize the
clocks.
Fully Qualified Domain Name (FQDN)
The system upon which the RHN Proxy Server will be installed must resolve its own
FQDN properly.
A Red Hat Network Account
Customers who will be connecting to the central Red Hat Network Servers to receive
incremental updates must have a Red Hat Network account. The sales representative
assists with the setup of this account at the time of purchase.
Backups of Login Information
It is imperative that customers keep track of all primary login information. For RHN
Proxy Server, this includes usernames and passwords for the Organization Administrator account and SSL certificate generation. Red Hat strongly recommends this information be copied onto two separate floppy disks, printed out on paper, and stored
in a fireproof safe.
10Chapter 2. Requirements
Distribution Locations
Since the Proxy forwards virtually all local HTTP requests to the central RHN
Servers, you must take care to put files destined for distribution (such as in a
kickstart installation tree) in the non-forwarding location on the Proxy:
/var/www/html/pub/. Files placed in this directory can be downloaded directly
from the Proxy. This can be especially useful for distributing GPG keys or
establishing installation trees for kickstarts.
In addition, Red Hat recommends that the system running the code not be publicly available. No users but the system administrators should have shell access to these machines.
All unnecessary services should be disabled. You can use ntsysv or chkconfig to disable
services.
Finally, you should have the following technical documents in hand for use in roughly this
order:
1. The RHN Proxy Server Installation Guide — This guide, which you are now reading,
provides the essential steps necessary to get an RHN Proxy Server up and running.
2. The RHN Client Configuration Guide — This guide explains how to configure the
systems to be served by an RHN Proxy Server or RHN Satellite Server. (This will
also likely require referencing The RHN Reference Guide, which contains steps for
registering and updating systems.)
3. The RHN Channel Management Guide — This guide identifies in great detail the
recommended methods for building custom packages, creating custom channels, and
managing private Errata.
4. The RHN Reference Guide — This guide describes how to create RHN accounts, register and update systems, and use the RHN website to its utmost potential. This guide
will probably come in handy throughout the installation and configuration process.
Loading...
+ 30 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.