Chapter 6. Performing Additional Configuration on Satellite Server

Procedure

1. Download and mount the Satellite ISO image: For more information, see Section 4.3, “Installing the Satellite packages from the offline repositories”.
2. Set up the local repositories for disconnected environments. For more information, see Section 4.3, “Installing the Satellite packages from the offline repositories”.

3. Set up containers on your Satellite Server:

   # /media/sat6/setup_containers

4. Enable the plugin:

   # satellite-installer --enable-iop

5. Download and populate the Common Vulnerabilities and Exposures (CVE) mapping file:

   $ curl -o cvemap.xml https://security.access.redhat.com/data/meta/v1/cvemap.xml

6. Transfer the cvemap.xml file to your disconnected Satellite Server.

7. Copy the file to /var/lib/foreman/:

   # cp cvemap.xml /var/lib/foreman/

   Satellite detects the file and automatically publishes it to /var/www/html/pub/iop/data/meta/v1/cvemap.xml.

Procedure

1. On the connected system, log in to the container registry:

   $ podman login --username My_Username --password My_Password registry.redhat.io

2. Export the container images. Save the following script to a file and execute it on the connected system:

   #!/bin/bash
   
   images=(
     "satellite/iop-ingress-rhel9:6.18"
     "satellite/iop-advisor-frontend-rhel9:6.18"
     "satellite/iop-host-inventory-rhel9:6.18"
     "satellite/iop-vmaas-rhel9:6.18"
     "satellite/iop-remediations-rhel9:6.18"
     "satellite/iop-vulnerability-frontend-rhel9:6.18"
     "satellite/iop-host-inventory-frontend-rhel9:6.18"
     "satellite/iop-advisor-backend-rhel9:6.18"
     "satellite/iop-puptoo-rhel9:6.18"
     "satellite/iop-yuptoo-rhel9:6.18"
     "satellite/iop-insights-engine-rhel9:6.18"
     "satellite/iop-vulnerability-engine-rhel9:6.18"
     "satellite/iop-gateway-rhel9:6.18"
     "amq-streams/kafka-39-rhel9:2.9.1-1"
   )
   
   for image in "${images[@]}"; do
     name=$(basename "${image}" | cut -d: -f1)
     image_url="registry.redhat.io/${image}"
     echo "Processing ${image}..."
     # Pull the image
     podman pull ${image_url}
     # Save image to archive
     podman save --output /tmp/${name}.tar ${image_url}
   done

3. Transfer the archive files to the disconnected Satellite Server. Place the archive files in the /tmp directory.

4. On the disconnected Satellite Server, import the container images. Save the following script to a file and execute it on the disconnected Satellite Server:

   #!/bin/bash
   
   images=(
     "satellite/iop-ingress-rhel9:6.18"
     "satellite/iop-advisor-frontend-rhel9:6.18"
     "satellite/iop-host-inventory-rhel9:6.18"
     "satellite/iop-vmaas-rhel9:6.18"
     "satellite/iop-remediations-rhel9:6.18"
     "satellite/iop-vulnerability-frontend-rhel9:6.18"
     "satellite/iop-host-inventory-frontend-rhel9:6.18"
     "satellite/iop-advisor-backend-rhel9:6.18"
     "satellite/iop-puptoo-rhel9:6.18"
     "satellite/iop-yuptoo-rhel9:6.18"
     "satellite/iop-insights-engine-rhel9:6.18"
     "satellite/iop-vulnerability-engine-rhel9:6.18"
     "satellite/iop-gateway-rhel9:6.18"
     "amq-streams/kafka-39-rhel9:2.9.1-1"
   )
   
   for image in "${images[@]}"; do
     name=$(basename "${image}" | cut -d: -f1)
     image_url="registry.redhat.io/${image}"
     echo "Processing ${image}..."
     # Import the image
     podman load --input /tmp/${name}.tar
   done

5. Enable the Red Hat Lightspeed in Satellite plugin:

   # satellite-installer --enable-iop

Procedure

1. In the Satellite web UI, navigate to Content > Subscriptions.
2. Click Manage Manifest.
3. Switch to the CDN Configuration tab.
4. Select the Export Sync tab.
5. Click Update.

Procedure

1. Log in to your Satellite Server by using SSH.

2. Set CDN configuration to sync by using exports:

   $ hammer organization configure-cdn \
   --name="My_Organization" \
   --type=export_sync

Procedure

1. Navigate to Content > Subscriptions.
2. Click Manage Manifest.
3. Navigate to the CDN Configuration tab.
4. Select the Network Sync tab.
5. In the URL field, enter the address of the upstream Satellite Server.
6. In the Username, enter your username for upstream login.
7. In the Password, enter your password or personal access token for upstream login.
8. In the Organization label field, enter the label of the upstream organization.
9. Optional: In the Lifecycle Environment Label field, enter the label of the upstream lifecycle environment. Default is Library.
10. Optional: In the Content view label field, enter the label of the upstream content view. Default is Default_Organization_View.
11. From the SSL CA Content Credential menu, select a CA certificate used by the upstream Satellite Server.
12. Click Update.
13. In the Satellite web UI, navigate to Content > Products.
14. Select the product that contains the repositories that you want to synchronize.

15. From the Select Action menu, select Sync Now to synchronize all repositories within the product.

    You can also create a synchronization plan to ensure updates on a regular basis. For more information, see Creating a Synchronization Plan in Managing content.

Procedure

1. Connect to your downstream Satellite Server using SSH.

2. View information about the upstream CA certificate:

   $ hammer content-credential show \
   --name="My_Upstream_CA_Cert" \
   --organization="My_Downstream_Organization"

   Note the ID of the CA certificate for the next step.

3. Set CDN configuration to an upstream Satellite Server:

   $ hammer organization configure-cdn \
   --name="My_Downstream_Organization" \
   --type=network_sync \
   --url https://upstream-satellite.example.com \
   --username upstream_username --password upstream_password \
   --ssl-ca-credential-id "My_Upstream_CA_Cert_ID" \ --upstream-organization-label="_My_Upstream_Organization" \
   [--upstream-lifecycle-environment-label="My_Lifecycle_Environment"] \
   [--upstream-content-view-label="My_Content_View"]

   The default lifecycle environment label is Library. The default content view label is Default_Organization_View.

Procedure

1. Install the ipa-client package on Satellite Server or Capsule Server:

   # satellite-maintain packages install ipa-client

2. Configure the server as a Identity Management client:

   # ipa-client-install

3. Create a realm proxy user, realm-capsule, and the relevant roles in Identity Management:

   # foreman-prepare-realm admin realm-capsule

   Note the principal name that returns and your Identity Management server configuration details because you require them for the following procedure.

Procedure

1. Copy the /root/freeipa.keytab file to any Capsule Server that you want to include in the same principal and realm:

   # scp /root/freeipa.keytab root@capsule.example.com:/etc/foreman-proxy/freeipa.keytab

2. On your Satellite Server, move the /root/freeipa.keytab file to the /etc/foreman-proxy directory:

   # mv /root/freeipa.keytab /etc/foreman-proxy

3. On your Satellite Server and Capsule Servers, set ownership to the foreman-proxy user and group:

   # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab

4. Enter the following command on all Capsules that you want to include in the realm. If you use the integrated Capsule on Satellite, enter this command on Satellite Server:

   # satellite-installer --foreman-proxy-realm true \
   --foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
   --foreman-proxy-realm-principal realm-capsule@EXAMPLE.COM \
   --foreman-proxy-realm-provider freeipa

   You can also use these options when you first configure the Satellite Server.

5. Ensure that the most updated versions of the ca-certificates package is installed and trust the Identity Management Certificate Authority:

   # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
   # update-ca-trust extract

6. Optional: If you configure Identity Management on an existing Satellite Server or Capsule Server, complete the following steps to ensure that the configuration changes take effect:

   1. Restart the foreman-proxy service:

      # systemctl restart foreman-proxy

   2. In the Satellite web UI, navigate to Infrastructure > Capsules.
   3. Locate the Capsule you have configured for Identity Management and from the list in the Actions column, select Refresh.

Procedure

1. In the Satellite web UI, navigate to Infrastructure > Realms and click Create Realm.
2. In the Name field, enter a name for the realm.
3. From the Realm Type list, select the type of realm.
4. From the Realm Capsule list, select Capsule Server where you have configured Identity Management.
5. Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
6. Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
7. Click Submit.

Procedure

1. In the Satellite web UI, navigate to Configure > Host Groups.
2. Select the host group that you want to update.
3. Select the Network tab.
4. From the Realm list, select the realm you create as part of this procedure.
5. Click Submit.

Procedure

1. On the Identity Management server, create a host group:

   # ipa hostgroup-add hostgroup_name --desc=hostgroup_description

2. Create an automembership rule:

   # ipa automember-add --type=hostgroup hostgroup_name automember_rule

   Where you can use the following options:

   • automember-add flags the group as an automember group.
   • --type=hostgroup identifies that the target group is a host group, not a user group.
   • automember_rule adds the name you want to identify the automember rule by.

3. Define an automembership condition based on the userclass attribute:

   # ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
   ----------------------------------
   Added condition(s) to "hostgroup_name"
   ----------------------------------
   Automember Rule: automember_rule
   Inclusive Regex: userclass=^webserver
   ----------------------------
   Number of conditions added 1
   ----------------------------

   Where you can use the following options:

   • automember-add-condition adds regular expression conditions to identify group members.
   • --key=userclass specifies the key attribute as userclass.
   • --type=hostgroup identifies that the target group is a host group, not a user group.
   • --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.

   • hostgroup_name – identifies the target host group’s name.

     Note

     When a system is added to Satellite Server’s hostgroup_name host group, it is added automatically to the Identity Management server’s "hostgroup_name" host group. Identity Management host groups allow for Host-Based Access Controls (HBAC), sudo policies and other Identity Management functions.

Procedure

1. To store all the source certificate files, create a directory that is accessible only to the root user:

   # mkdir /root/satellite_cert

2. Create a private key with which to sign the certificate signing request (CSR). The private key must be unencrypted:

   # openssl genrsa -out /root/satellite_cert/satellite_cert_key.pem 4096

   If you already have a private key, skip this step.

3. Optional: Verify that the key is unencrypted:

   # openssl pkey -noout -in /root/satellite_cert/satellite_cert_key.pem

   If the command does not ask for a password, the key is unencrypted. If your private key is password-protected, remove the password.

4. Create the /root/satellite_cert/openssl.cnf configuration file for the CSR and include the following content:

   [ req ]
   req_extensions = v3_req
   distinguished_name = req_distinguished_name
   prompt = no
   
   [ req_distinguished_name ]
   commonName = satellite.example.com
   
   [ v3_req ]
   basicConstraints = CA:FALSE
   keyUsage = digitalSignature, keyEncipherment
   extendedKeyUsage = serverAuth, clientAuth
   subjectAltName = @alt_names
   
   [ alt_names ]
   DNS.1 = satellite.example.com

   For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

5. Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

   [req_distinguished_name]
   CN = satellite.example.com
   countryName = My_Country_Name
   stateOrProvinceName = My_State_Or_Province_Name
   localityName = My_Locality_Name
   organizationName = My_Organization_Or_Company_Name
   organizationalUnitName = My_Organizational_Unit_Name

   The options used in the configuration file include the following:

   countryName

   The country represented by a two-letter code

   stateOrProvinceName

   Full name of the state or province

   localityName

   Full name of the locality (example: New York)

   organizationalUnitName

   Division responsible for the certificate (example: IT department)

6. Generate CSR:

   # openssl req -new \
   -key /root/satellite_cert/satellite_cert_key.pem \
   -config /root/satellite_cert/openssl.cnf \
   -out /root/satellite_cert/satellite_cert_csr.pem

   The options used in the configuration file include the following:

   -key

   Path to the private key

   -config

   Path to the configuration file

   -out

   Path to the CSR to generate

7. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

   When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

Verification

1. On a computer with network access to Satellite Server, navigate to the following URL: https://satellite.example.com.
2. In your browser, view the certificate details to verify the deployed certificate.