Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Performing additional configuration on Satellite Server

You can use Red Hat Insights to diagnose systems and downtime related to security exploits, performance degradation and stability failures. You can use the dashboard to quickly identify key risks to stability, security, and performance. You can sort by category, view details of the impact and resolution, and then determine what systems are affected.

Note that you do not require a Red Hat Insights entitlement in your subscription manifest. For more information about Red Hat Insights, see Red Hat Insights on the Red Hat Customer Portal.

To maintain your Satellite Server, and improve your ability to monitor and diagnose problems you might have with Satellite, install Red Hat Insights on Satellite Server and register Satellite Server with Red Hat Insights.

Scheduling insights-client

Note that you can change the default schedule for running insights-client by configuring insights-client.timer on Satellite. For more information, see Changing the insights-client schedule[Changing the insights-client schedule] in the Client Configuration Guide for Red Hat Lightspeed.

Procedure

  1. To install Red Hat Insights on Satellite Server, enter the following command: 

    # satellite-maintain packages install insights-client

  2. To register Satellite Server with Red Hat Insights, enter the following command: 

    # satellite-installer --register-with-insights

5.2. Disabling Red Hat Insights registration
Copy link

If you decide that you will not use Red Hat Insights, you can unregister Satellite Server from Insights.

Prerequisites

  • You have registered Satellite to Red Hat Insights.

Procedure

  • To unregister Satellite Server from Red Hat Insights, enter the following command: 

    # insights-client --unregister
Important

Insights advisor in Satellite is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Insights advisor in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services, and configuration settings. When you install Insights advisor in Satellite locally, you can generate Insights recommendations without sending system data to Red Hat services.

Important

With Insights advisor in Satellite enabled, you cannot use the hosted Insights services for hosts registered to your Satellite. Enabling Insights advisor in Satellite prevents you from using any Red Hat Hybrid Cloud Console services on the registered hosts.

You can pull the Insights advisor in Satellite from the Red Hat container registry if your Satellite Server has access to the registry.

Prerequisites

  • Ensure that the Satellite Server has access to the Red Hat container registry.
  • Ensure that Podman is installed. For more information, see Getting container tools in Red Hat Enterprise Linux 9 Building, running, and managing containers.

Procedure

  1. Log in to the Red Hat registry by using Podman: 

    $ podman login registry.redhat.io

  2. Pull the container image: 

    $ podman pull registry.redhat.io/satellite/iop-advisor-engine-rhel9:6.17

  3. Enable the plugin: 

    # satellite-installer --foreman-plugin-rh-cloud-enable-iop-advisor-engine true

The Red Hat Satellite Client 6 repository provides client integration tools, such as katello-host-tools or puppet-agent packages, for hosts registered to Satellite. You must enable the repository, synchronize the repository to your Satellite Server, and enable the repository on your hosts.

Enable the Red Hat Satellite Client 6 repository for every major version of Red Hat Enterprise Linux that you intend to run on your hosts. After enabling a Red Hat repository, Satellite creates a product for this repository automatically.

Prerequisites

Procedure

  1. In the Satellite web UI, navigate to Content > Red Hat Repositories.
  2. Ensure that the RPM repository type is selected.
  3. In the search field, type name ~ "Satellite Client" and press Enter. Optionally, enable the Recommended Repositories filter to limit the results.
  4. Click the name of the required repository to expand the repository set.
  5. For the required architecture, click the + icon to enable the repository.

Synchronize the Red Hat Satellite Client 6 repository to import the content to your Satellite Server.

Prerequisites

  • You have enabled the Red Hat Satellite Client 6 repository.

Procedure

  1. In the Satellite web UI, navigate to Content > Sync Status.
  2. Click the arrow next to the required product to view available repositories.
  3. Select the repositories you want to synchronize.
  4. Click Synchronize Now.

Additional resources

  • You can create a sync plan to update the content regularly. For more information, see Creating a sync plan in Managing content.

By default, remote execution uses push-based SSH as the transport mechanism for the Script provider. If your infrastructure prohibits outgoing connections from Satellite Server to hosts, you can use remote execution with pull-based transport instead, because the host initiates the connection to Satellite Server. The use of pull-based transport is not limited to those infrastructures.

The pull-based transport comprises pull-mqtt mode on Capsules in combination with a pull client running on hosts.

Note

The pull-mqtt mode works only with the Script provider. Ansible and other providers will continue to use their default transport settings.

Procedure

  1. Enable the pull-based transport on your Satellite Server: 

    # satellite-installer --foreman-proxy-plugin-remote-execution-script-mode pull-mqtt

  2. Configure the firewall to allow the MQTT service on port 1883: 

    # firewall-cmd --add-service=mqtt

  3. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent

  4. In pull-mqtt mode, hosts subscribe for job notifications to either your Satellite Server or any Capsule Server through which they are registered. Ensure that Satellite Server sends remote execution jobs to that same Satellite Server or Capsule Server:

    1. In the Satellite web UI, navigate to Administer > Settings.
    2. On the Content tab, set the value of Prefer registered through Capsule for remote execution to Yes.

Next steps

Use this procedure to configure Satellite to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.

Prerequisites

  • Ensure that your clients can access DHCP and HTTP servers.
  • Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
  • Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from Satellite and Capsules.
  • Ensure that the host provisioning interface subnet has an HTTP Boot Capsule, and Templates Capsule set. For more information, see Adding a Subnet to Satellite Server in Provisioning hosts.
  • In the Satellite web UI, navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. Satellite cannot identify clients that are booting from the network by a remote IPv6 address because of unmanaged DHCPv6 service, therefore provisioning tokens must be enabled.

Procedure

  1. You must disable DHCP management in the installer or not use it.
  2. For all IPv6 subnets created in Satellite, set the DHCP Capsule to blank.
  3. Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.

Use the following procedures to configure Satellite with an HTTP proxy.

5.7.1. Adding a default HTTP proxy to Satellite
Copy link

If your network uses an HTTP Proxy, you can configure Satellite Server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

The following procedure configures a proxy only for downloading content for Satellite. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > HTTP Proxies.
  2. Click New HTTP Proxy.
  3. In the Name field, enter the name for the HTTP proxy.
  4. In the Url field, enter the URL of the HTTP proxy in the following format: https://http-proxy.example.com:8080.
  5. Optional: If authentication is required, in the Username field, enter the username to authenticate with.
  6. Optional: If authentication is required, in the Password field, enter the password to authenticate with.
  7. To test connection to the proxy, click Test Connection.
  8. Select the Default content HTTP proxy option to set the new HTTP proxy as default for content synchronization.
  9. Click Submit.

CLI procedure

  1. Verify that the http_proxy, https_proxy, and no_proxy variables are not set: 

    # unset http_proxy https_proxy no_proxy

  2. Add an HTTP proxy entry to Satellite and set the HTTP proxy as default for content synchronization: 

    $ hammer http-proxy create \
--name=My_HTTP_Proxy \
--username=My_HTTP_Proxy_User_Name \
--password=My_HTTP_Proxy_Password \
--url http://http-proxy.example.com:8080 \
--content-default-http-proxy true

SELinux ensures access of Red Hat Satellite and Subscription Manager only to specific ports. In the case of the HTTP cache, the TCP ports are 8080, 8118, 8123, and 10001 – 10010. If you use a port that does not have SELinux type http_cache_port_t, complete the following steps.

Procedure

  1. On Satellite, to verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows: 

    # semanage port -l | grep http_cache
http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
[output truncated]

  2. To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows: 

    # semanage port -a -t http_cache_port_t -p tcp 8088

If your Satellite Server must remain behind a firewall that blocks HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.

Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all Satellite communication takes precedence over the proxies that you set for compute resources.

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings.
  2. In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
  3. Click the tick icon to save your changes.

CLI procedure

  • Enter the following command: 

    $ hammer settings set --name=http_proxy --value=Proxy_URL

If you use an HTTP Proxy for all Satellite HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings.
  2. In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
  3. Click the tick icon to save your changes.

CLI procedure

  • Enter the following command: 

    $ hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]

5.7.5. Resetting the HTTP proxy
Copy link

If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings, and click the Content tab.
  2. Set the Default HTTP Proxy setting to no global default.

CLI procedure

  • Set the content_default_http_proxy setting to an empty string: 

    $ hammer settings set --name=content_default_http_proxy --value=""

5.8. Enabling power management on hosts
Copy link

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Satellite Server.

Prerequisites

Procedure

  • To enable BMC, enter the following command: 

    # satellite-installer \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

To send email messages from Satellite Server, you can use either an SMTP server, or the sendmail command.

Prerequisites

  • Some SMTP servers with anti-spam protection or grey-listing features are known to cause problems. To setup outgoing email with such a service either install and configure a vanilla SMTP service on Satellite Server for relay or use the sendmail command instead.

Procedure

  1. In the Satellite web UI, navigate to Administer > Settings.

  2. Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

    1. The following example shows the configuration options for using an SMTP server:

      Expand
      Table 5.1. Using an SMTP server as a delivery method
      NameExample valueAdditional information

      Delivery method

      SMTP

      		 

      SMTP address

      smtp.example.com

      		 

      SMTP authentication

      login

      		 

      SMTP HELO/EHLO domain

      example.com

      		 

      SMTP password

      password

      Use the login credentials for the SMTP server.

      SMTP port

      25

      		 

      SMTP username

      user@example.com

      Use the login credentials for the SMTP server.

    2. The following example uses gmail.com as an SMTP server:

      Expand
      Table 5.2. Using gmail.com as an SMTP server
      NameExample valueAdditional information

      Delivery method

      SMTP

      		 

      SMTP address

      smtp.gmail.com

      		 

      SMTP authentication

      plain

      		 

      SMTP HELO/EHLO domain

      smtp.gmail.com

      		 

      SMTP enable StartTLS auto

      Yes

      		 

      SMTP password

      app password

      Use the Google app password. For more information, see Sign in with app passwords in Google Help Center.

      SMTP port

      587

      		 

      SMTP username

      user@gmail.com

      Use the Google account name.

    3. The following example uses the sendmail command as a delivery method:

      Expand
      Table 5.3. Using sendmail as a delivery method
      NameExample valueAdditional information

      Delivery method

      Sendmail

      		 

      Sendmail location

      /usr/sbin/sendmail

      For security reasons, both Sendmail location and Sendmail argument settings are read-only and can be only set in /etc/foreman/settings.yaml. Both settings currently cannot be set via satellite-installer. For more information see the sendmail 1 man page.

      Sendmail arguments

      -i

  3. If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:

    • Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Satellite Server: 

      # cp mailca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract

      Where mailca.crt is the CA certificate of the SMTP server.

    • Alternatively, in the Satellite web UI, set the SMTP enable StartTLS auto option to No.
  4. Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the Satellite web UI displays an error. See the log at /var/log/foreman/production.log for further details.

Additional resources

As well as providing access to Satellite Server, hosts provisioned with Satellite can also be integrated with Identity Management realms. Red Hat Satellite has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.

Use this section to configure Satellite Server or Capsule Server for Identity Management realm support, then add hosts to the Identity Management realm group.

Prerequisites

  • A deployed realm or domain provider such as Identity Management.

To install and configure Identity Management packages on Satellite Server or Capsule Server:

To use Identity Management for provisioned hosts, complete the following steps to install and configure Identity Management packages on Satellite Server or Capsule Server:

  1. Install the ipa-client package on Satellite Server or Capsule Server: 

    # satellite-maintain packages install ipa-client

  2. Configure the server as a Identity Management client: 

    # ipa-client-install

  3. Create a realm proxy user, realm-capsule, and the relevant roles in Identity Management: 

    # foreman-prepare-realm admin realm-capsule

    Note the principal name that returns and your Identity Management server configuration details because you require them for the following procedure.

To configure Satellite Server or Capsule Server for Identity Management realm support:

Complete the following procedure on Satellite and every Capsule that you want to use:

  1. Copy the /root/freeipa.keytab file to any Capsule Server that you want to include in the same principal and realm: 

    # scp /root/freeipa.keytab root@capsule.example.com:/etc/foreman-proxy/freeipa.keytab

  2. On your Satellite Server, move the /root/freeipa.keytab file to the /etc/foreman-proxy directory: 

    # mv /root/freeipa.keytab /etc/foreman-proxy

  3. On your Satellite Server and Capsule Servers, set ownership to the foreman-proxy user and group: 

    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab

  4. Enter the following command on all Capsules that you want to include in the realm. If you use the integrated Capsule on Satellite, enter this command on Satellite Server: 

    # satellite-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-capsule@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa

    You can also use these options when you first configure the Satellite Server.

  5. Ensure that the most updated versions of the ca-certificates package is installed and trust the Identity Management Certificate Authority: 

    # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust extract

  6. Optional: If you configure Identity Management on an existing Satellite Server or Capsule Server, complete the following steps to ensure that the configuration changes take effect:

    1. Restart the foreman-proxy service: 

      # systemctl restart foreman-proxy
    2. In the Satellite web UI, navigate to Infrastructure > Capsules.
    3. Locate the Capsule you have configured for Identity Management and from the list in the Actions column, select Refresh.

To create a realm for the Identity Management-enabled Capsule

After you configure your Capsule with Identity Management, you must create a realm and add the Identity Management-configured Capsule to the realm.

Procedure

  1. In the Satellite web UI, navigate to Infrastructure > Realms and click Create Realm.
  2. In the Name field, enter a name for the realm.
  3. From the Realm Type list, select the type of realm.
  4. From the Realm Capsule list, select Capsule Server where you have configured Identity Management.
  5. Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
  6. Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
  7. Click Submit.

Updating host groups with realm information

You must update any host groups that you want to use with the new realm information.

  1. In the Satellite web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
  2. From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding hosts to a Identity Management host group

Identity Management supports the ability to set up automatic membership rules based on a system’s attributes. Red Hat Satellite’s realm feature provides administrators with the ability to map the Red Hat Satellite host groups to the Identity Management parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the Identity Management server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".

Satellite Server or Capsule Server sends updates to the Identity Management server, however automembership rules are only applied at initial registration.

To add hosts to a Identity Management host group:

  1. On the Identity Management server, create a host group: 

    # ipa hostgroup-add hostgroup_name --desc=hostgroup_description

  2. Create an automembership rule: 

    # ipa automember-add --type=hostgroup hostgroup_name automember_rule

    Where you can use the following options:

    • automember-add flags the group as an automember group.
    • --type=hostgroup identifies that the target group is a host group, not a user group.
    • automember_rule adds the name you want to identify the automember rule by.

  3. Define an automembership condition based on the userclass attribute: 

    # ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------

    Where you can use the following options:

    • automember-add-condition adds regular expression conditions to identify group members.
    • --key=userclass specifies the key attribute as userclass.
    • --type=hostgroup identifies that the target group is a host group, not a user group.
    • --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.
    • hostgroup_name – identifies the target host group’s name.

When a system is added to Satellite Server’s hostgroup_name host group, it is added automatically to the Identity Management server’s "hostgroup_name" host group. Identity Management host groups allow for Host-Based Access Controls (HBAC), sudo policies and other Identity Management functions.

5.11. Configuring an alternate CNAME for Satellite
Copy link

You can configure an alternate CNAME for Satellite. This might be useful if you want to deploy the Satellite web interface on a different domain name than the one that is used by client systems to connect to Satellite. You must plan the alternate CNAME configuration in advance prior to installing Capsules and registering hosts to Satellite to avoid redeploying new certificates to hosts.

Use this procedure to configure Satellite with an alternate CNAME. Note that the procedures for users of a default Satellite certificate and custom certificate differ.

For default Satellite certificate users

  • If you have installed Satellite with a default Satellite certificate and want to configure Satellite with an alternate CNAME, enter the following command on Satellite to generate a new default Satellite SSL certificate with an additional CNAME. 

    # satellite-installer --certs-cname alternate_fqdn --certs-update-server
  • If you have not installed Satellite, you can add the --certs-cname alternate_fqdn option to the satellite-installer command to install Satellite with an alternate CNAME.

For custom certificate users

If you use Satellite with a custom certificate, when creating a custom certificate, include the alternate CNAME records to the custom certificate. For more information, see Creating a Custom SSL Certificate for Satellite Server.

If Satellite is configured with an alternate CNAME, you can configure hosts to use the alternate Satellite CNAME for content management. To do this, you must point hosts to the alternate Satellite CNAME prior to registering the hosts to Satellite. You can do this using the bootstrap script or manually.

Configuring hosts with the bootstrap script

On the host, run the bootstrap script with the --server My-Alternate-FQDN.example.com option to register the host to the alternate Satellite CNAME: 

# ./bootstrap.py --server My-Alternate-FQDN.example.com

Configuring hosts manually

On the host, edit the /etc/rhsm/rhsm.conf file to update hostname and baseurl settings to point to the alternate host name, for example: 

[server]
# Server hostname:
hostname = My-Alternate-FQDN.example.com

content omitted

[rhsm]
# Content base URL:
baseurl=https://My-Alternate-FQDN.example.com/pulp/content/

Now you can register the host with the subscription-manager.

By default, Red Hat Satellite uses a self-signed SSL certificate to enable encrypted communications between Satellite Server, Capsule Servers, and all hosts. If you cannot use a Satellite self-signed certificate, you can configure Satellite Server to use an SSL certificate signed by an external certificate authority (CA).

When you configure Red Hat Satellite with custom SSL certificates, you must fulfill the following requirements:

  • You must use the privacy-enhanced mail (PEM) encoding for the SSL certificates.
  • You must not use the same SSL certificate for both Satellite Server and Capsule Server.
  • The same CA must sign certificates for Satellite Server and Capsule Server.
  • An SSL certificate must not also be a CA certificate.
  • An SSL certificate must include a subject alt name (SAN) entry that matches the common name (CN).
  • An SSL certificate must be allowed for Key Encipherment using a Key Usage extension.
  • An SSL certificate must not have a shortname as the CN.
  • You must not set a passphrase for the private key.

To configure your Satellite Server with a custom certificate, complete the following procedures:

  1. Section 5.12.1, “Creating a custom SSL certificate for Satellite Server”
  2. Section 5.12.2, “Deploying a custom SSL certificate to Satellite Server”
  3. Section 5.12.3, “Deploying a custom SSL certificate to hosts”
  4. If you have Capsule Servers registered to Satellite Server, configure them with custom SSL certificates. For more information, see Configuring Capsule Server with a Custom SSL Certificate in Installing Capsule Server.

Use this procedure to create a custom SSL certificate for Satellite Server. If you already have a custom SSL certificate for Satellite Server, skip this procedure.

Procedure

  1. To store all the source certificate files, create a directory that is accessible only to the root user: 

    # mkdir /root/satellite_cert

  2. Create a private key with which to sign the certificate signing request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this Satellite Server, skip this step. 

    # openssl genrsa -out /root/satellite_cert/satellite_cert_key.pem 4096

  3. Create the /root/satellite_cert/openssl.cnf configuration file for the CSR and include the following content: 

    [ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = satellite.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = satellite.example.com

    For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

  4. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section: 

    [req_distinguished_name]
CN = satellite.example.com
countryName = My_Country_Name
    1 
    
stateOrProvinceName = My_State_Or_Province_Name
    2 
    
localityName = My_Locality_Name
    3 
    
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name
    4
    1
    Two letter code
    2
    Full name
    3
    Full name (example: New York)
    4
    Division responsible for the certificate (example: IT department)

  5. Generate CSR: 

    # openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \
    1 
    
-config /root/satellite_cert/openssl.cnf \
    2 
    
-out /root/satellite_cert/satellite_cert_csr.pem
    3
    1
    Path to the private key
    2
    Path to the configuration file
    3
    Path to the CSR to generate

  6. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

Use this procedure to configure your Satellite Server to use a custom SSL certificate signed by a Certificate Authority.

Important

Do not store the SSL certificates or .tar bundles in /tmp or /var/tmp directory. The operating system removes files from these directories periodically. As a result, satellite-installer fails to execute while enabling features or upgrading Satellite Server.

Procedure

  • Update certificates on your Satellite Server: 

    # satellite-installer \
--certs-server-cert "/root/satellite_cert/satellite_cert.pem" \
    1 
    
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \
    2 
    
--certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \
    3 
    
--certs-update-server --certs-update-server-ca
    1
    Path to Satellite Server certificate file that is signed by a Certificate Authority.
    2
    Path to the private key that was used to sign Satellite Server certificate.
    3
    Path to the Certificate Authority bundle.

Verification

  1. On a computer with network access to Satellite Server, navigate to the following URL: https://satellite.example.com.
  2. In your browser, view the certificate details to verify the deployed certificate.

After you configure Satellite to use a custom SSL certificate, you must deploy the certificate to hosts registered to Satellite.

Procedure

  • Update the SSL certificate on each host: 

    # dnf install http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm

Procedure

  • Reset the custom SSL certificate to default self-signed certificate: 

    # satellite-installer --certs-reset

Verification

Verify that the following parameters in /etc/foreman-installer/scenarios.d/satellite-answers.yaml have no values:

  • server_cert:
  • server_key:
  • server_cert_req:
  • server_ca_cert:

Additional resources

5.14. Using external databases with Satellite
Copy link

The Satellite installation process includes installing a PostgreSQL database on the same host as Satellite Server. In certain Satellite deployments, using external databases instead of the default local databases can help with the server load.

Running the satellite-installer command, used to install a Satellite Server, also installs PostgreSQL databases on the server. However, you can configure your Satellite Server to use external databases instead. Moving to external databases distributes the workload and can reduce overall Satellite memory usage.

Note

Red Hat does not provide support or tools for external database maintenance. If you deploy Satellite with external databases, you will need to support and maintain the external databases yourself.

Consider using external databases if you plan to use your Satellite deployment for the following scenarios:

  • Frequent remote execution tasks. This requires a high volume of records in PostgreSQL and generates heavy database workloads.
  • High disk I/O workloads from frequent repository synchronization or content view publishing. This requires Satellite to create a record in PostgreSQL for each job.
  • High volume of hosts.
  • High volume of synchronized content.

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you decide if this option is right for your Satellite configuration. Satellite supports PostgreSQL version 13.

Advantages of external PostgreSQL

  • Increase in free memory and free CPU on Satellite
  • Flexibility to set shared_buffers on the PostgreSQL database to a high number without the risk of interfering with other services on Satellite
  • Flexibility to tune the PostgreSQL server’s system without adversely affecting Satellite operations

Disadvantages of external PostgreSQL

  • Increase in deployment complexity that can make troubleshooting more difficult
  • The external PostgreSQL server is an additional system to patch and maintain
  • If either Satellite or the PostgreSQL database server suffers a hardware or storage failure, Satellite is not operational
  • If there is latency between the Satellite server and database server, performance can suffer

If you suspect that the PostgreSQL database on your Satellite is causing performance problems, use the information in Satellite 6: How to enable postgres query logging to detect slow running queries to determine if you have slow queries. Queries that take longer than one second are typically caused by performance issues with large installations, and moving to an external database might not help. If you have slow queries, contact Red Hat Support.

5.14.3. Installing PostgreSQL
Copy link

Satellite supports PostgreSQL version 13.

Prerequisites

  • The prepared host must meet Satellite Storage requirements.
  • The prepared host has base operating system repositories enabled.

Procedure

  1. On your new database server, install PostgreSQL: 

    # dnf install postgresql-server postgresql-contrib

  2. Initialize the PostgreSQL database: 

    # postgresql-setup --initdb

  3. Edit the /var/lib/pgsql/data/postgresql.conf file: 

    # vi /var/lib/pgsql/data/postgresql.conf

    Note that the default configuration of external PostgreSQL needs to be adjusted to work with Satellite. The base recommended external database configuration adjustments are as follows:

    • checkpoint_completion_target: 0.9
    • max_connections: 500
    • shared_buffers: 512MB
    • work_mem: 4MB

  4. Remove the # and edit to listen to inbound connections: 

    listen_addresses = '*'

  5. Add the following line to the end of the file to use SCRAM for authentication: 

    password_encryption=scram-sha-256

  6. Edit the /var/lib/pgsql/data/pg_hba.conf file: 

    # vi /var/lib/pgsql/data/pg_hba.conf

  7. Add the following line to the file: 

      host  all   all   Satellite_ip/32   scram-sha-256

  8. Start and enable the PostgreSQL service: 

    # systemctl enable --now postgresql

  9. Open the postgresql port: 

    # firewall-cmd --add-service=postgresql

  10. Make the changes persistent: 

    # firewall-cmd --runtime-to-permanent

  11. Switch to the postgres user and start the PostgreSQL client: 

    $ su - postgres -c psql

  12. Create three databases and dedicated roles: one for Foreman, one for Candlepin, and one for Pulp: 

    CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
CREATE USER "pulp" WITH PASSWORD 'Pulpcore_Password';
CREATE DATABASE foreman OWNER foreman;
CREATE DATABASE candlepin OWNER candlepin;
CREATE DATABASE pulpcore OWNER pulp;

  13. Exit the postgres user: 

    # \q

  14. From Satellite Server, test that you can access the database. If the connection succeeds, the commands return 1. 

    # PGPASSWORD='Foreman_Password' psql -h postgres.example.com -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
# PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"
# PGPASSWORD='Pulpcore_Password' psql -h postgres.example.com -p 5432 -U pulp -d pulpcore -c "SELECT 1 as ping"

Use the satellite-installer command to configure Satellite to connect to an external PostgreSQL database.

Prerequisites

  • You have installed and configured a PostgreSQL database on a Red Hat Enterprise Linux server.

Procedure

  1. To configure the external databases for Satellite, enter the following command: 

    # satellite-installer \
--katello-candlepin-manage-db false \
--katello-candlepin-db-host postgres.example.com \
--katello-candlepin-db-name candlepin \
--katello-candlepin-db-user candlepin \
--katello-candlepin-db-password Candlepin_Password \
--foreman-proxy-content-pulpcore-manage-postgresql false \
--foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
--foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
--foreman-proxy-content-pulpcore-postgresql-user pulp \
--foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
--foreman-db-manage false \
--foreman-db-host postgres.example.com \
--foreman-db-database foreman \
--foreman-db-username foreman \
--foreman-db-password Foreman_Password

    To enable the Secure Sockets Layer (SSL) protocol for these external databases, add the following options: 

    --foreman-db-root-cert <path_to_CA>
--foreman-db-sslmode verify-full
--foreman-proxy-content-pulpcore-postgresql-ssl true
--foreman-proxy-content-pulpcore-postgresql-ssl-root-ca <path_to_CA>
--katello-candlepin-db-ssl true
--katello-candlepin-db-ssl-ca <path_to_CA>
--katello-candlepin-db-ssl-verify true
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top