Chapter 3. Red Hat Update Infrastructure Installer


The Red Hat Update Infrastructure Installer is used to configure Red Hat Update Infrastructure and get it started. This is achieved through an answers file which you complete with information describing the environment in which Red Hat Update Infrastructure will be installed. Red Hat Update Infrastructure Installer will then create the configuration RPMs it needs. This configures and starts all the necessary services.
The Red Hat Update Infrastructure Installer performs the following tasks:
  • Configures httpd on the Red Hat Update Appliance and any CDS instances with SSL certificates
  • Installs a custom CA certificate that is used for authentication of users
  • Configures the Red Hat Update Appliance
  • Configures secure communication between the Red Hat Update Appliance and the CDS instances
Once Red Hat Update Infrastructure Installer has completed, use Red Hat Update Infrastructure Manager to interact with Red Hat Update Infrastructure.
This chapter explains how to perform an initial installation of Red Hat Update Infrastructure using Red Hat Update Infrastructure Installer. Ensure all the prerequisites described in Chapter 2, Installation Requirements have been met before attempting to install Red Hat Update Infrastructure.

3.1. Setting Up SSL

In order to use Red Hat Update Infrastructure you will need to purchase a root SSL certificate and a private key, and be able generate SSL certificates of your own. This section outlines the basic skills you require to be able to perform these tasks.

Important

It is recommended that you sign the SSL certificates and the client entitlement certificates with different certificate authorities (CAs). However, if you choose to use the same CA to sign both certificates, ensure the serial numbers for all server-side SSL certificates are below 0100 to avoid conflicts within Red Hat Update Infrastructure.

3.1.1. Configuring SSL Certificates Manually

Users must be able to generate SSL certificates for secure communication between CDS instances and clients. The following steps detail the process of acquiring and generating SSL certificates for use in Red Hat Update Infrastructure manually.

Procedure 3.1. Configuring Red Hat Update Appliance SSL Certificates

  1. Acquire your company's root certificate and private key. Alternatively you can purchase one from a certificate authority (CA), or generate your own using tools such as openssl or genkey.
    The CA key and certificate enables you to create SSL keys and certificates for the Red Hat Update Appliance and the CDS, as well as sign the entitlement certificates for the clients to access the CDS instances.

    Note

    In this section, ca.key and ca.crt are the example names for the CA key and certificate.
  2. Create a file with the same name and in the same location as the CA certificate you have but using a .srl extension. The file should contain the text 10 only. This can be performed using the following command:
    # echo 10 > /home/example/certs/ca.srl
  3. Generate the Red Hat Update Appliance Server SSL key, using the following command:
    # openssl genrsa -out ssl_RHUA.key 2048
    
  4. Generate a certificate request using the openssl command:
    # openssl req -new -key ssl_RHUA.key -out ssl_RHUA.csr
    The tool will prompt you for further information, and then create an output file called ssl_RHUA.csr.
  5. Use the CSR file to create a SSL certificate for the Red Hat Update Appliance instance with the following command:
    # openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in ssl_RHUA.csr -out ssl_RHUA.crt
    In this example, ssl_RHUA.csr is the file created in the previous step, ca.crt is the certificate generated by the CA, ca.key is the CA certificate private key, and ssl_RHUA.crt is the name of the certificate file that will result from running this command.

Procedure 3.2. Configuring Content Delivery Server (CDS) SSL Certificates

  1. Generate the CDS SSL key, using the following command:
    # openssl genrsa -out ssl_cds01.key 2048
    
  2. Generate a certificate request using the openssl command:
    # openssl req -new -key ssl_cds01.key -out ssl_cds01.csr
    The tool will prompt you for further information, and then create an output file called ssl_cds01.csr.

    Important

    When entering the hostname for .csr file, the hostname needs to be the same hostname clients will use to access the CDS. This is also the client hostname used in Procedure 3.3 Add a CDS Instance of the Administration guide.
  3. Use the CSR file to create SSL certificates for each CDS instance with the following command:
    # openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in ssl_cds01.csr -out ssl_cds01.crt

    Note

    It is recommended that you name the output files correspondent with the hostname of the CDS instance for which the request was created. For example, if the hostname for the CDS is cds01.example.com, the output files could be named ssl-cds01.key, ssl_cds01.csr, and ssl_cds01.crt. This will help avoiding confusion when creating multiple CDS instances.

3.1.2. Configuring SSL Certificates Using the Automated Script

Users must be able to generate SSL certificates for secure communication between CDS instances and clients. The following steps detail the process of acquiring and generating SSL certificates for use in Red Hat Update Infrastructure using the automated script. Using the script reduces install time and reduces the chance of errors during the entry of the repetitive SSL information.

Procedure 3.3. Configuring SSL Certificates Using the Automated Script

  1. Generate the SSL certificates required for the Red Hat Update Infrastructure installation using the following command:
    # /usr/share/rh-rhua/rhui_certs/create_rhui_ssl_certs.sh RHUA_HOSTNAME CDS1_HOSTNAME

    Note

    If you do not wish to encrypt the keys use the --noencrypt option.
    Additional hostnames can be added to the end of the command if SSL certificates are required for more than one CDS.
  2. You will be prompted for three separate passwords. These are for the root CA, the server CA and the client CA. Enter and confirm the passwords when prompted.

    Important

    Use different passwords for each CA and record the passwords in a secure location.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.