Chapter 1. Getting started using the RHEL web console
Learn how to install the Red Hat Enterprise Linux 8 web console, how to add and manage remote hosts through its convenient graphical interface, and how to monitor the systems managed by the web console.
1.1. What is the RHEL web console
The RHEL web console is a web-based interface designed for managing and monitoring your local system, as well as Linux servers located in your network environment.
The RHEL web console enables you to perform a wide range of administration tasks, including:
- Managing services
- Managing user accounts
- Managing and monitoring system services
- Configuring network interfaces and firewall
- Reviewing system logs
- Managing virtual machines
- Creating diagnostic reports
- Setting kernel dump configuration
- Configuring SELinux
- Updating software
- Managing system subscriptions
The RHEL web console uses the same system APIs as you would use in a terminal, and actions performed in a terminal are immediately reflected in the RHEL web console.
You can monitor the logs of systems in the network environment, as well as their performance, displayed as graphs. In addition, you can change the settings directly in the web console or through the terminal.
1.2. Installing and enabling the web console
To access the RHEL web console, first enable the cockpit.socket
service.
Red Hat Enterprise Linux 8 includes the web console installed by default in many installation variants. If this is not the case on your system, install the cockpit
package before enabling the cockpit.socket
service.
Procedure
If the web console is not installed by default on your installation variant, manually install the
cockpit
package:# yum install cockpit
Enable and start the
cockpit.socket
service, which runs a web server:# systemctl enable --now cockpit.socket
If the web console was not installed by default on your installation variant and you are using a custom firewall profile, add the
cockpit
service tofirewalld
to open port 9090 in the firewall:# firewall-cmd --add-service=cockpit --permanent # firewall-cmd --reload
Verification
- To verify the previous installation and configuration, open the web console.
1.3. Logging in to the web console
When the cockpit.socket
service is running and the corresponding firewall port is open, you can log in to the web console in your browser for the first time.
Prerequisites
Use one of the following browsers to open the web console:
- Mozilla Firefox 52 and later
- Google Chrome 57 and later
- Microsoft Edge 16 and later
System user account credentials
The RHEL web console uses a specific pluggable authentication modules (PAM) stack at
/etc/pam.d/cockpit
. The default configuration allows logging in with the user name and password of any local account on the system.- Port 9090 is open in your firewall.
Procedure
In your web browser, enter the following address to access the web console:
https://localhost:9090
NoteThis provides a web-console login on your local machine. If you want to log in to the web console of a remote system, see Section 1.5, “Connecting to the web console from a remote machine”
If you use a self-signed certificate, the browser displays a warning. Check the certificate, and accept the security exception to proceed with the login.
The console loads a certificate from the
/etc/cockpit/ws-certs.d
directory and uses the last file with a.cert
extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).- In the login screen, enter your system user name and password.
- Click Log In.
After successful authentication, the RHEL web console interface opens.
To switch between limited and administrative access, click Administrative access or Limited access in the top panel of the web console page. You must provide your user password to gain administrative access.
1.4. Disabling basic authentication in the web console
You can modify the behavior of an authentication scheme by modifying the cockpit.conf
file. Use the none
action to disable an authentication scheme and only allow authentication through GSSAPI and forms.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
-
You have
root
privileges or permissions to enter administrative commands withsudo
.
Procedure
Open or create the
cockpit.conf
file in the/etc/cockpit/
directory in a text editor of your preference, for example:# vi cockpit.conf
Add the following text:
[basic] action = none
- Save the file.
Restart the web console for changes to take effect.
# systemctl try-restart cockpit
1.5. Connecting to the web console from a remote machine
You can connect to your web console interface from any client operating system and also from mobile phones or tablets.
Prerequisites
A device with a supported internet browser, such as:
- Mozilla Firefox 52 and later
- Google Chrome 57 and later
- Microsoft Edge 16 and later
The RHEL 8 you want to access with an installed and accessible web console.
For instructions, see Installing and enabling the web console.
Procedure
- Open your web browser.
Type the remote server’s address in one of the following formats:
With the server’s host name:
https://<server.hostname.example.com>:<port-number>
For example:
https://example.com:9090
With the server’s IP address:
https://<server.IP_address>:<port-number>
For example:
https://192.0.2.2:9090
- After the login interface opens, log in with your RHEL system credentials.
1.6. Logging in to the web console using a one-time password
If your system is part of an Identity Management (IdM) domain with enabled one-time password (OTP) configuration, you can use an OTP to log in to the RHEL web console.
It is possible to log in using a one-time password only if your system is part of an Identity Management (IdM) domain with enabled OTP configuration. For more information about OTP in IdM, see One-time password in Identity Management.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
An Identity Management server with enabled OTP configuration.
For details, see One-time password in Identity Management.
- A configured hardware or software device generating OTP tokens.
Procedure
Open the RHEL web console in your browser:
-
Locally:
https://localhost:PORT_NUMBER
-
Remotely with the server hostname:
https://example.com:PORT_NUMBER
Remotely with the server IP address:
https://EXAMPLE.SERVER.IP.ADDR:PORT_NUMBER
If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.
The console loads a certificate from the
/etc/cockpit/ws-certs.d
directory and uses the last file with a.cert
extension in alphabetical order. To avoid having to grant security exceptions, install a certificate signed by a certificate authority (CA).
-
Locally:
- The Login window opens. In the Login window, enter your system user name and password.
- Generate a one-time password on your device.
- Enter the one-time password into a new field that appears in the web console interface after you confirm your password.
- Click Log in.
- Successful login takes you to the Overview page of the web console interface.
1.7. Joining a RHEL 8 system to an IdM domain using the web console
You can use the web console to join the Red Hat Enterprise Linux 8 system to the Identity Management (IdM) domain.
Prerequisites
- The IdM domain is running and reachable from the client you want to join.
- You have the IdM domain administrator credentials.
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
Procedure
Log in to the RHEL 8 web console.
For details, see Logging in to the web console.
- In the Configuration field of the Overview tab click Join Domain.
- In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address field.
- In the Domain administrator name field, enter the user name of the IdM administration account.
- In the Domain administrator password, add a password.
- Click .
Verification
- If the RHEL 8 web console did not display an error, the system has been joined to the IdM domain and you can see the domain name in the System screen.
To verify that the user is a member of the domain, click the Terminal page and type the
id
command:$ id euid=548800004(example_user) gid=548800004(example_user) groups=548800004(example_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
1.8. Adding a banner to the login page
You can set the web console to show a content of a banner file on the login screen.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
-
You have
root
privileges or permissions to enter administrative commands withsudo
.
Procedure
Open the
/etc/issue.cockpit
file in a text editor of your preference:# vi /etc/issue.cockpit
Add the content you want to display as the banner to the file, for example:
This is an example banner for the RHEL web console login page.
You cannot include any macros in the file, but you can use line breaks and ASCII art.
- Save the file.
Open the
cockpit.conf
file in the/etc/cockpit/
directory in a text editor of your preference, for example:# vi /etc/cockpit/cockpit.conf
Add the following text to the file:
[Session] Banner=/etc/issue.cockpit
- Save the file.
Restart the web console for changes to take effect.
# systemctl try-restart cockpit
Verification
Open the web console login screen again to verify that the banner is now visible:
1.9. Configuring automatic idle lock in the web console
You can enable the automatic idle lock and set the idle timeout for your system through the web console interface.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
-
You have
root
privileges or permissions to enter administrative commands withsudo
.
Procedure
Open the
cockpit.conf
file in the/etc/cockpit/
directory in a text editor of your preference, for example:# vi /etc/cockpit/cockpit.conf
Add the following text to the file:
[Session] IdleTimeout=<X>
Substitute <X> with a number for a time period of your choice in minutes.
- Save the file.
Restart the web console for changes to take effect.
# systemctl try-restart cockpit
Verification
- Check if the session logs you out after a set period of time.
1.10. Changing the web console listening port
By default, the RHEL web console communicates through TCP port 9090. You can change the port number by overriding the default socket settings.
Prerequisites
You have installed the RHEL 8 web console.
For instructions, see Installing and enabling the web console.
-
You have
root
privileges or permissions to enter administrative commands withsudo
. -
The
firewalld
service is running.
Procedure
Pick an unoccupied port, for example, <4488/tcp>, and instruct SELinux to allow the
cockpit
service to bind to that port:# semanage port -a -t websm_port_t -p tcp <4488>
Note that a port can be used only by one service at a time, and thus an attempt to use an already occupied port implies the
ValueError: Port already defined
error message.Open the new port and close the former one in the firewall:
# firewall-cmd --service cockpit --permanent --add-port=<4488>/tcp # firewall-cmd --service cockpit --permanent --remove-port=9090/tcp
Create an override file for the
cockpit.socket
service:# systemctl edit cockpit.socket
In the following editor screen, which opens an empty
override.conf
file located in the/etc/systemd/system/cockpit.socket.d/
directory, change the default port for the web console from 9090 to the previously picked number by adding the following lines:[Socket] ListenStream= ListenStream=<4488>
Note that the first
ListenStream=
directive with an empty value is intentional. You can declare multipleListenStream
directives in a single socket unit and the empty value in the drop-in file resets the list and disables the default port 9090 from the original unit.ImportantInsert the previous code snippet between the lines starting with
# Anything between here
and# Lines below this
. Otherwise, the system discards your changes.- Save the changes by pressing + and . Exit the editor by pressing + .
Reload the changed configuration:
# systemctl daemon-reload
Check that your configuration is working:
# systemctl show cockpit.socket -p Listen Listen=[::]:4488 (Stream)
Restart
cockpit.socket
:# systemctl restart cockpit.socket
Verification
Open your web browser, and access the web console on the updated port, for example:
https://machine1.example.com:4488
Additional resources
-
firewall-cmd(1)
,semanage(8)
,systemd.unit(5)
, andsystemd.socket(5)
man pages on your system