
10.3. Post-installation Tasks


After Satellite has been upgraded, you can optionally configure the installation to comply with the FIPS 140-2 standard and remove unused versions of the Java runtime. Complete either or both tasks, depending on your requirements.

10.3.1. Configuring for FIPS 140-2 Compliance

Red Hat Satellite 5.7 introduced support for Federal Information Processing Standard (FIPS) 140-2, which is a US Government standard for accrediting cryptographic modules. This support includes the following changes:
  • User passwords, previously encrypted with the MD5 method, are now encrypted with the SHA-256 algorithm
  • Client certificates (/etc/sysconfig/rhn/systemid), which registered systems use to authenticate with the parent server, are changed from MD5 to SHA-256 encryption
New Red Hat Satellite installations on FIPS 140-2 enabled systems do not require any manual changes. Satellite will use FIPS 140-2 standards automatically.
However, if you are upgrading a system and intend to enable FIPS 140-2, you must first update the existing user passwords and client certificates that use MD5 encryption.

Procedure 10.7. Updating User Passwords

  1. Export a list of users with MD5-encrypted passwords:
    # spacewalk-report users-md5 > users-md5.csv
    
  2. Change the password of each user using the following for loop:
    # for i in $(awk -F, 'NR>1 { print $4 }' users-md5.csv); do
          echo "Changing password for user $i";
          satpasswd "$i";
          echo;
    done
    
    Alternatively, instruct all users in the file users-md5.csv to log in to Satellite's Web UI. Satellite will automatically change their passwords in the database to use SHA-256.

Procedure 10.8. Updating Client Certificates

  1. Export a list of client systems whose certificates use MD5 encryption:
    # spacewalk-report system-md5-certificates > system-md5-certificates.csv
    
  2. Use the spacewalk-fips-tool to schedule an update of systems in an organization. You need to repeat this process for each organization in your Satellite environment. First, use the following commands for the organization with ID 1:
    # ORG_ID=1
    # systems=$(awk -F, -v org="$ORG_ID" 'NR>1 && $3 == org { print $1 }' system-md5-certificates.csv)
    # spacewalk-fips-tool -i -u admin -d "2014-12-01 14:00:00" -o /tmp/scheduled-installations.csv $systems
    
    This schedules the installation of the packages required for the certificate update on December 1, 2014 at 2pm.
    Next, either run rhn_check -v on each client or wait until osad picks up the event.
    Finally, use the spacewalk-fips-tool again to schedule an update of certificates:
    # ORG_ID=1
    # systems=$(awk -F, -v org="$ORG_ID" 'NR>1 && $3 == org { print $1 }' system-md5-certificates.csv)
    # spacewalk-fips-tool -c -u admin -d "2014-12-01 14:00:00" -o /tmp/scheduled-installations.csv $systems
    
  3. Repeat this process for each organization ID.
Once the passwords and client certificates are updated, enable FIPS 140-2 on your Satellite server's operating system.
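The per-organization repetition in Procedure 10.8, as an added example that is not part of the Red Hat documentation: a dry-run helper that groups the report by organization and prints one spacewalk-fips-tool command per organization without running anything. It assumes, as the page's awk commands do, that column 1 is the system ID and column 3 the organization ID; the function names, the sample CSV and the per-organization output file name are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints the commands for review; it does not run spacewalk-fips-tool.
# Assumption (taken from the page's awk usage): column 1 = system ID, column 3 = org ID.

# Constructed sample report; header names and the middle column are placeholders.
sample_csv() {
    cat <<'EOF'
system_id,placeholder,org_id
1000010001,a,1
1000010002,b,1
1000010003,c,2
1000010001,a,1
bad;id,d,1
EOF
}

# plan_fips_update MODE CSV DATE [USER]
#   MODE: -i schedules the package installation, -c the certificate update.
plan_fips_update() {
    mode=$1 csv=$2 when=$3 user=${4:-admin}
    case $mode in
        -i|-c) ;;
        *) echo "mode must be -i or -c" >&2; return 2 ;;
    esac
    [ -r "$csv" ] || { echo "cannot read $csv" >&2; return 1; }
    # Skip the header, keep only all-digit IDs (nothing else may reach a command
    # line), drop duplicate rows, and keep organizations in first-seen order.
    awk -F, -v mode="$mode" -v when="$when" -v user="$user" '
        NR > 1 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            if (!($3 in ids)) order[++n] = $3
            if (!seen[$3, $1]++) ids[$3] = ids[$3] " " $1
        }
        END {
            for (k = 1; k <= n; k++) {
                org = order[k]
                # Hypothetical per-organization output file name.
                printf "spacewalk-fips-tool %s -u %s -d \"%s\" -o /tmp/scheduled-org%s.csv%s\n",
                       mode, user, when, org, ids[org]
            }
        }' "$csv"
}

# Demo on the constructed sample.
demo_csv=$(mktemp)
sample_csv > "$demo_csv"
plan_fips_update -i "$demo_csv" "2014-12-01 14:00:00"
rm -f "$demo_csv"
```

Run the -i pass first, wait for the clients to pick up the event, then run the -c pass, as the procedure describes.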

10.3.2. Removing Redundant Java Versions

The Satellite upgrade process includes upgrades to several prerequisites, including the Java runtime. The previous versions of Java runtime remain installed, but are redundant. If you would prefer to reclaim the disk space occupied by these versions, remove the packages.
For example, on a Satellite 5.8 installation which had been upgraded from Satellite 5.6, the following Java runtime packages could be removed.
# yum remove java-1.6.0-ibm java-1.7.1-ibm