Installing an External Smart Proxy Server 2.4

1. Preparing your Environment for Installation

1.1. System Requirements

The following requirements apply to the networked base operating system:

x86_64 architecture
4-core 2.0 GHz CPU at a minimum
Administrative user (root) access
A system umask of 0022
Full forward and reverse DNS resolution using a fully-qualified domain name

Before you install Smart Proxy server, ensure that your environment meets the requirements for installation.

Smart Proxy server must be installed on a freshly provisioned system that serves no other function except to run Smart Proxy server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Smart Proxy server creates:

apache
foreman
foreman-proxy
postgres
puppet
puppetserver

SELinux Mode

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

FIPS Mode

You can install Smart Proxy server on a Red Hat Enterprise Linux system that is operating in FIPS mode. For more information, see Enabling FIPS Mode in the Red Hat Enterprise Linux Security Guide.

1.2. Supported Operating Systems

You can install the operating system from a disc, local ISO image, or kickstart.

The following operating systems are supported by the installer, have packages, and are tested for deploying Foreman:

Table 1. Operating Systems supported by foreman-installer
Operating System	Architecture	Notes
CentOS 7	x86_64 only	EPEL is required.
CentOS 8	x86_64 only	EPEL is not supported.
Red Hat Enterprise Linux 7	x86_64 only	EPEL is required.

Before you install Foreman, apply all operating system updates if possible.

Install Smart Proxy server on a freshly provisioned system.

1.3. Ports and Firewalls Requirements

For the components of Foreman architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

The installation of a Smart Proxy server fails if the ports between Foreman server and Smart Proxy server are not open before installation starts.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Smart Proxy

Foreman server has an integrated Smart Proxy and any host that is directly connected to Foreman server is a Client of Foreman in the context of this section. This includes the base operating system on which Smart Proxy server is running.

Clients of Smart Proxy

Hosts which are clients of Smart Proxies, other than Foreman’s integrated Smart Proxy, do not need access to Foreman server. For more information on Foreman Topology, see Smart Proxy Networking in Planning for Foreman.

Required ports can change based on your configuration.

A matrix table of ports is available in the Red Hat Knowledgebase solution Red Hat Satellite List of Network Ports.

The following tables indicate the destination port and the direction of network traffic:

Table 2. Ports for Smart Proxy to Foreman Communication
Port	Protocol	Service	Required For
5646	TCP	amqp	Smart Proxy’s Qpid dispatch router to Qpid dispatch router in Foreman

Some of the following ports apply only to deployments that use the Katello plug-in.

Table 3. Ports for Client to Smart Proxy Communication
Port	Protocol	Service	Required for
80	TCP	HTTP	Operating System installers like Anaconda, yum, and, if you use the Katello plug-in, for obtaining Katello certificate updates
443	TCP	HTTPS	Operating System installers like Anaconda, yum, Telemetry Services, and Puppet
5646	TCP	AMQP	The Smart Proxy Qpid dispatch router to the Qpid dispatch router in Foreman
5647	TCP	amqp	For Katello plug-in users: Katello agent to communicate with Smart Proxy’s Qpid dispatch router
8000	TCP	HTTPS	Operating System installers like Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware
8140	TCP	HTTPS	Puppet agent to Puppet master connections
8443	TCP	HTTPS	Subscription Management Services and Telemetry Services
9090	TCP	HTTPS	Sending SCAP reports to the Smart Proxy and for the discovery image during provisioning
53	TCP and UDP	DNS	Client DNS queries to a Smart Proxy’s DNS service (Optional)
67	UDP	DHCP	Client to Smart Proxy broadcasts, DHCP broadcasts for Client provisioning from a Smart Proxy (Optional)
69	UDP	TFTP	Clients downloading PXE boot image files from a Smart Proxy for provisioning (Optional)
5000	TCP	HTTPS	Connection to Katello for the Docker registry (Optional)

Table 4. Ports for Smart Proxy to Client Communication
Port	Protocol	Service	Required For
7	TCP and UDP	ICMP	DHCP Smart Proxy to Client network, ICMP ECHO to verify IP address is free (Optional)
68	UDP	DHCP	Smart Proxy to Client broadcasts, DHCP broadcasts for Client provisioning from a Smart Proxy (Optional)
8443	TCP	HTTP	Smart Proxy to Client "reboot" command to a discovered host during provisioning (Optional)

Any managed host that is directly connected to Foreman server is a client in this context because it is a client of the integrated Smart Proxy. This includes the base operating system on which a Smart Proxy server is running.

Table 5. Optional Network Ports
Port	Protocol	Service	Required For
22	TCP	SSH	Foreman and Smart Proxy originated communications, for Remote Execution (Rex) and Ansible.
7911	TCP	DHCP	Smart Proxy originated commands for orchestration of DHCP records (local or external). If DHCP is provided by an external service, you must open the port on the external server.

Note	A DHCP Smart Proxy sends an ICMP ECHO to confirm an IP address is free, no response of any kind is expected. ICMP can be dropped by a networked-based firewall, but any response prevents the allocation of IP addresses.

1.4. Enabling Connections from Smart Proxy server to Foreman server

On Foreman server, you must enable the incoming connection from Smart Proxy server to Foreman server and make this rule persistent across reboots.

Prerequisites

Ensure that the firewall rules on Foreman server are configured to enable connections for client to Foreman communication, because Smart Proxy server is a client of Foreman server. For more information, see Enabling Connections from a Client to Foreman server in Installing Foreman 2.4 server on Enterprise Linux.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

On Foreman server, enter the following command to open the port for Smart Proxy to Foreman communication:
```
# firewall-cmd --add-port="5646/tcp"
```
Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

1.5. Enabling Connections from Foreman server and Clients to a Smart Proxy server

On the base operating system on which you want to install Smart Proxy, you must enable incoming connections from Foreman server and clients to Smart Proxy server and make these rules persistent across reboots.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

On the base operating system on which you want to install Smart Proxy, enter the following command to open the ports for Foreman server and clients communication to Smart Proxy server:

# firewall-cmd --add-port="53/udp" --add-port="53/tcp" \
--add-port="67/udp" --add-port="69/udp" \
--add-port="80/tcp" --add-port="443/tcp" \
--add-port="5000/tcp" --add-port="5647/tcp" \
--add-port="8000/tcp" --add-port="8140/tcp" \
--add-port="8443/tcp" --add-port="9090/tcp"

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

1.6. Verifying Firewall Settings

Use this procedure to verify your changes to the firewall settings.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

Enter the following command:
```
# firewall-cmd --list-all
```

For more information, see Getting Started with firewalld in the Red Hat Enterprise Linux 7 Security Guide.

2. Installing Smart Proxy server

Before you install Smart Proxy server, you must ensure that your environment meets the requirements for installation. For more information, see Preparing your Environment for Installation.

2.1. Registering to Foreman server

This procedure is only for Katello users.

Use this procedure to register the base operating system on which you want to install Smart Proxy server to Foreman server.

Subscription Manifest Prerequisites

On Foreman server, a manifest must be installed and it must contain the appropriate repositories for the organization you want Smart Proxy to belong to.
The manifest must contain repositories for the base operating system on which you want to install Smart Proxy, as well as any clients that you want to connect to Smart Proxy.
The repositories must be synchronized.

For more information on manifests and repositories, see Managing Subscriptions in the Foreman Content Management Guide.

Proxy and Network Prerequisites

Foreman server base operating system must be able to resolve the host name of the Smart Proxy base operating system and vice versa.
The base operating system on which you want to install Smart Proxy server must not be configured to use a proxy to connect to the Red Hat CDN.
You must configure the host and network-based firewalls accordingly. For more information, see Ports and Firewalls Requirements.
You must have a Foreman server user name and password. For more information, see Configuring External Authentication in Administering Foreman.

Procedure

Download the katello-ca-consumer-latest.noarch.rpm package on the base operating system on which you want to install Smart Proxy. The consumer RPM configures the host to download content from the content source that is specified in Foreman.
```
# curl --insecure --output katello-ca-consumer-latest.noarch.rpm https://foreman.example.com/pub/katello-ca-consumer-latest.noarch.rpm
```

Install the katello-ca-consumer-latest.noarch.rpm package:

# yum localinstall katello-ca-consumer-latest.noarch.rpm

Register the Smart Proxy base operating system with the environments that you want Smart Proxy to belong to. Use an activation key to simplify specifying the environments. For more information about activation keys, see Managing Activation Keys in the Content Management Guide.
```
# subscription-manager register --org=organization_name --activationkey=example_activation_key
```

2.2. Attaching the Foreman Infrastructure Subscription

After you have registered Smart Proxy server, you must identify your subscription Pool ID and attach an available subscription. The Foreman Infrastructure subscription provides access to the Foreman, Red Hat Enterprise Linux, and Red Hat Software Collections (RHSCL) content. This is the only subscription required.

Foreman Infrastructure is included with all subscriptions that include Smart Management. For more information, see the Red Hat Knowledgebase solution Foreman Infrastructure Subscriptions MCT3718 MCT3719.

Subscriptions are classified as available if they are not already attached to a system. If you are unable to find an available Foreman subscription, see the Red Hat Knowledgebase solution How do I figure out which subscriptions have been consumed by clients registered under Red Hat Subscription Manager? to run a script to see if your subscription is being consumed by another system.

Procedure

Identify the Pool ID of the Foreman Infrastructure subscription:

# subscription-manager list --all --available --matches 'Red Hat Satellite Infrastructure Subscription'

The command displays output similar to the following:

Subscription Name:   Red Hat Satellite Infrastructure Subscription
Provides:            Red Hat Satellite
                      Red Hat Software Collections (for RHEL Server)
                      Red Hat CodeReady Linux Builder for x86_64
                      Red Hat Ansible Engine
                      Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                      Red Hat
                      Red Hat Software Collections (for RHEL Server)
                      Red Hat Enterprise Linux Server
                      Red Hat Satellite Capsule
                      Red Hat Enterprise Linux for x86_64
                      Red Hat Enterprise Linux High Availability for x86_64
                      Red Hat Satellite
                      Red Hat Satellite 5 Managed DB
                      Red Hat Satellite 6
                      Red Hat Discovery
SKU:                 MCT3719
Contract:            11878983
Pool ID:             8a85f99968b92c3701694ee998cf03b8
Provides Management: No
Available:           1
Suggested:           1
Service Level:       Premium
Service Type:        L1-L3
Subscription Type:   Standard
Ends:                03/04/2020
System Type:         Physical

Make a note of the subscription Pool ID. Your subscription Pool ID is different from the example provided.
Attach the Foreman Infrastructure subscription to the base operating system that your Smart Proxy server is running on:
```
# subscription-manager attach --pool=pool_id
```
The command displays output similar to the following:
```
Successfully attached a subscription for: Red Hat Satellite Infrastructure Subscription
```
Optional: Verify that the Foreman Infrastructure subscription is attached:
```
# subscription-manager list --consumed
```

2.3. Configuring Repositories

This procedure is only for Katello plug-in and Red Hat Enterprise Linux-based operating system users.

Use this procedure to enable the repositories that are required to install Smart Proxy server.

Procedure

Disable all repositories:

# subscription-manager repos --disable "*"

Enable the following repositories:

# subscription-manager repos --enable=rhel-7-server-rpms \
--enable rhel-7-server-optional-rpms \
--enable rhel-server-rhscl-7-rpms

Note

If you are installing Smart Proxy server as a virtual machine hosted on oVirt, you must also enable the Red Hat Common repository, and install oVirt guest agents and drivers. For more information, see Installing the Guest Agents and Drivers on Red Hat Enterprise Linux in the Virtual Machine Management Guide.

Clear any metadata:
```
# yum clean all
```
Optional: Verify that the required repositories are enabled:
```
# yum repolist enabled
```

Install the foreman-release.rpm package:

# yum localinstall https://yum.theforeman.org/releases/2.4/el7/x86_64/foreman-release.rpm

Install the katello-repos-latest.rpm package

# yum localinstall https://yum.theforeman.org/katello/4.0/katello/el7/x86_64/katello-repos-latest.rpm

Install the puppet6-release-el-7.noarch.rpm package:

# yum localinstall https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

Install the epel-release-latest-7.noarch.rpm package:

# yum localinstall https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

CentOS Users

If you use a CentOS operating system, complete the following steps:

Install the foreman-release.rpm package:

# yum localinstall https://yum.theforeman.org/releases/2.4/el7/x86_64/foreman-release.rpm

Install the katello-repos-latest.rpm package

# yum localinstall https://yum.theforeman.org/katello/4.0/katello/el7/x86_64/katello-repos-latest.rpm

Install the puppet6-release-el-7.noarch.rpm package:

# yum localinstall https://yum.puppet.com/puppet6-release-el-7.noarch.rpm

Install the epel-release package:
```
# yum install epel-release
```
Install the centos-release-scl-rh package:
```
# yum install centos-release-scl-rh
```

2.4. Installing Smart Proxy server Packages

Before installing Smart Proxy server packages, you must update all packages that are installed on the base operating system.

Procedure

To install Smart Proxy server, complete the following steps:

Update all packages:
```
# yum update
```
Install the foreman-proxy-content package:
```
# yum install foreman-proxy-content
```

2.5. Installing Smart Proxy server

Procedure

To install an external Smart Proxy, enter the following command:

foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --enable-puppet \
  --puppet-server-ca=false \
  --puppet-server-foreman-url=https://foreman.example.com \
  --enable-foreman-proxy \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-foreman-base-url=https://foreman.example.com \
  --foreman-proxy-trusted-hosts=foreman.example.com \
  --foreman-proxy-oauth-consumer-key=oAuth_Consumer_Key \
  --foreman-proxy-oauth-consumer-secret=oAuth_Consumer_Secret

2.6. Synchronizing the System Clock With chronyd

To minimize the effects of time drift, you must synchronize the system clock on the base operating system on which you want to install Smart Proxy server with Network Time Protocol (NTP) servers. If the base operating system clock is configured incorrectly, certificate verification might fail.

For more information about the chrony suite, see Configuring NTP Using the chrony Suite in the Red Hat Enterprise Linux 7 System Administrator’s Guide.

Procedure

Install the chrony package:
```
# yum install chrony
```

Start and enable the chronyd service:

# systemctl start chronyd
# systemctl enable chronyd

2.7. Assigning the Correct Organization and Location to Smart Proxy server in the Foreman web UI

After installing Smart Proxy server packages, if there is more than one organization or location, you must assign the correct organization and location to Smart Proxy to make Smart Proxy visible in the Foreman web UI.

Procedure

Log into the Foreman web UI.
From the Organization list in the upper-left of the screen, select Any Organization.
From the Location list in the upper-left of the screen, select Any Location.
Navigate to Hosts > All Hosts and select Smart Proxy server.
From the Select Actions list, select Assign Organization.
From the Organization list, select the organization where you want to assign this Smart Proxy.
Click Fix Organization on Mismatch.
Click Submit.
Select Smart Proxy server. From the Select Actions list, select Assign Location.
From the Location list, select the location where you want to assign this Smart Proxy.
Click Fix Location on Mismatch.
Click Submit.
Navigate to Administer > Organizations and click the organization to which you have assigned Smart Proxy.
Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.
Navigate to Administer > Locations and click the location to which you have assigned Smart Proxy.
Click Smart Proxies tab and ensure that Smart Proxy server is listed under the Selected items list, then click Submit.

Verification

Optionally, you can verify if Smart Proxy server is correctly listed in the Foreman web UI.

Select the organization from the Organization list.
Select the location from the Location list.
Navigate to Hosts > All Hosts.
Navigate to Infrastructure > Smart Proxies.

2.8. Configuring Smart Proxy server with SSL Certificates

This procedure is only for Katello plug-in users.

Foreman uses SSL certificates to enable encrypted communications between Foreman server, external Smart Proxy servers, and all hosts. Depending on the requirements of your organization, you must configure your Smart Proxy server with a default or custom certificate.

If you use a default SSL certificate, you must also configure each external Smart Proxy server with a distinct default SSL certificate. For more information, see Configuring Smart Proxy server with a Default SSL Certificate.
If you use a custom SSL certificate, you must also configure each external Smart Proxy server with a distinct custom SSL certificate. For more information, see Configuring Smart Proxy server with a Custom SSL Certificate.

2.8.1. Configuring Smart Proxy server with a Default SSL Certificate

Use this section to configure Smart Proxy server with an SSL certificate that is signed by Foreman server default Certificate Authority (CA).

Prerequisites

Smart Proxy server is registered to Foreman server. For more information, see Registering to Foreman server.
Smart Proxy server packages are installed. For more information, see Installing Smart Proxy server Packages.

Procedure

On Foreman server, to store all the source certificate files for your Smart Proxy server, create a directory that is accessible only to the root user, for example /root/smart-proxy_cert:
```
# mkdir /root/smart-proxy_cert
```

On Foreman server, generate the /root/smart-proxy_cert/smart-proxy_certs.tar certificate archive for your Smart Proxy server:

# foreman-proxy-certs-generate \
--foreman-proxy-fqdn smartproxy.example.com \
--certs-tar /root/smart-proxy_cert/smart-proxy_certs.tar

Retain a copy of the foreman-installer command that the foreman-proxy-certs-generate command returns for deploying the certificate to your Smart Proxy server.

Example output of foreman-proxy-certs-generate

output omitted
foreman-installer \
--scenario foreman-proxy-content \
--certs-tar-file                              "/root/smart-proxy_certs.tar"\
--foreman-proxy-content-parent-fqdn           "foreman.example.com"\
--foreman-proxy-register-in-foreman           "true"\
--foreman-proxy-foreman-base-url              "https://foreman.example.com"\
--foreman-proxy-trusted-hosts                 "foreman.example.com"\
--foreman-proxy-trusted-hosts                 "smartproxy.example.com"\
--foreman-proxy-oauth-consumer-key            "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f"\
--foreman-proxy-oauth-consumer-secret         "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"\
--puppet-server-foreman-url                   "https://foreman.example.com"

On Foreman server, copy the certificate archive file to your Smart Proxy server:

# scp /root/smart-proxy_cert/smartproxy.example.com-certs.tar \
root@smartproxy.example.com:/root/smartproxy.example.com-certs.tar

On Smart Proxy server, to deploy the certificate, enter the foreman-installer command that the foreman-proxy-certs-generate command returns.

When network connections or ports to Foreman are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Smart Proxy from attempting to connect to Foreman and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

Important
Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Smart Proxy server.

2.8.2. Configuring Smart Proxy server with a Custom SSL Certificate

If you configure Foreman server to use a custom SSL certificate, you must also configure each of your external Smart Proxy servers with a distinct custom SSL certificate.

To configure your Smart Proxy server with a custom certificate, complete the following procedures on each Smart Proxy server:

Creating a Custom SSL Certificate for Smart Proxy server
Deploying a Custom SSL Certificate to Smart Proxy server
Deploying a Custom SSL Certificate to Hosts

Creating a Custom SSL Certificate for Smart Proxy server

On Foreman server, create a custom certificate for your Smart Proxy server. If you already have a custom SSL certificate for Smart Proxy server, skip this procedure.

When you configure Smart Proxy server with custom certificates, note the following considerations:

You must use the Privacy-Enhanced Mail (PEM) encoding for the SSL certificates.
You cannot use the same certificate for both Foreman server and Smart Proxy server.
The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server.

Procedure

To store all the source certificate files, create a directory that is accessible only to the root user.
```
# mkdir /root/smart-proxy_cert
```
Create a private key with which to sign the Certificate Signing Request (CSR).

Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

If you already have a private key for this Smart Proxy server, skip this step.
```
# openssl genrsa -out /root/smart-proxy_cert/smart-proxy_cert_key.pem 4096
```

Create the /root/smart-proxy_cert/openssl.cnf configuration file for the Certificate Signing Request (CSR) and include the following content:

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[ req_distinguished_name ] (1)
C  = Country Name (2 letter code)
ST = State or Province Name (full name)
L  = Locality Name (eg, city)
O  = Organization Name (eg, company)
OU = The division of your organization handling the certificate
CN = smart-proxy.example.com (2)

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ alt_names ]
DNS.1 = smart-proxy.example.com (3)

In the [ req_distinguished_name ] section, enter information about your organization.
Set the certificate’s Common Name CN to match the fully qualified domain name (FQDN) of your Smart Proxy server or a wildcard value *. To confirm a FQDN, on that Smart Proxy server, enter the hostname -f command. This is required to ensure that the katello-certs-check command validates the certificate correctly. If you set a wildcard value, you must add the -t foreman-proxy option when you use the katello-certs-check command.
Set the Subject Alternative Name (SAN) DNS.1 to match the fully qualified domain name (FQDN) of your server.

Generate the Certificate Signing Request (CSR):

# openssl req -new \
-key /root/smart-proxy_cert/smart-proxy_cert_key.pem \ (1)
-config /root/smart-proxy_cert/openssl.cnf \ (2)
-out /root/smart-proxy_cert/smart-proxy_cert_csr.pem (3)

Path to the private key.
Path to the configuration file.
Path to the CSR to generate.

Send the certificate signing request to the Certificate Authority. The same Certificate Authority must sign certificates for Foreman server and Smart Proxy server.

When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

Deploying a Custom SSL Certificate to Smart Proxy server

Use this procedure to configure your Smart Proxy server with a custom SSL certificate signed by a Certificate Authority. The foreman-installer command, which the foreman-proxy-certs-generate command returns, is unique to each Smart Proxy server. Do not use the same command on more than one Smart Proxy server.

Prerequisites

Foreman server is configured with a custom certificate. For more information, see Configuring Foreman server with a Custom SSL Certificate in Installing Foreman 2.4 server on Enterprise Linux.
Smart Proxy server is registered to Foreman server. For more information, see Registering to Foreman server.
Smart Proxy server packages are installed. For more information, see Installing Smart Proxy server Packages.

Procedure

On Foreman server, validate the custom SSL certificate input files:

# katello-certs-check \
-c /root/smart-proxy_cert/smart-proxy_cert.pem \      (1)
-k /root/smart-proxy_cert/smart-proxy_cert_key.pem \  (2)
-b /root/smart-proxy_cert/ca_cert_bundle.pem      (3)

Path to Smart Proxy server certificate file that is signed by a Certificate Authority.
Path to the private key that was used to sign Smart Proxy server certificate.
Path to the Certificate Authority bundle.

If you set a wildcard value * for the certificate’s Common Name CN = in the /root/smart-proxy_cert/openssl.cnf configuration file, you must add the -t foreman-proxy option to the katello-certs-check command.

If the command is successful, it returns two foreman-proxy-certs-generate commands, one of which you must use to generate the certificate archive file for your Smart Proxy server.

Example output of katello-certs-check

Validation succeeded.

To use them inside a NEW $FOREMAN_PROXY, run this command:
  foreman-proxy-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY" \
    --certs-tar  "~$FOREMAN_PROXY-certs.tar" \
    --server-cert "/root/smart-proxy_cert/smart-proxy_cert.pem" \
    --server-key "/root/smart-proxy_cert/smart-proxy_cert_key.pem" \
    --server-ca-cert "/root/smart-proxy_cert/ca_cert_bundle.pem" \

To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:
  foreman-proxy-certs-generate --foreman-proxy-fqdn "\$FOREMAN_PROXY" \
    --certs-tar  "~/$FOREMAN_PROXY-certs.tar" \
    --server-cert "/root/smart-proxy_cert/smart-proxy_cert.pem" \
    --server-key "/root/smart-proxy_cert/smart-proxy_cert_key.pem" \
    --server-ca-cert "/root/smart-proxy_cert/ca_cert_bundle.pem" \
    --certs-update-server

On Foreman server, from the output of the katello-certs-check command, depending on your requirements, enter the foreman-proxy-certs-generate command that generates a certificate for a new or existing Smart Proxy.

In this command, change $FOREMAN_PROXY to the FQDN of your Smart Proxy server.

Retain a copy of the foreman-installer command that the foreman-proxy-certs-generate command returns for deploying the certificate to your Smart Proxy server.

Example output of foreman-proxy-certs-generate

output omitted
foreman-installer \
--scenario foreman-proxy-content \
--certs-tar-file                              "/root/smart-proxy_certs.tar"\
--foreman-proxy-content-parent-fqdn           "foreman.example.com"\
--foreman-proxy-register-in-foreman           "true"\
--foreman-proxy-foreman-base-url              "https://foreman.example.com"\
--foreman-proxy-trusted-hosts                 "foreman.example.com"\
--foreman-proxy-trusted-hosts                 "smartproxy.example.com"\
--foreman-proxy-oauth-consumer-key            "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f"\
--foreman-proxy-oauth-consumer-secret         "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"\
--puppet-server-foreman-url                   "https://foreman.example.com"

On Foreman server, copy the certificate archive file to your Smart Proxy server:

# scp /root/smart-proxy_cert/smartproxy.example.com-certs.tar \
root@smartproxy.example.com:/root/smartproxy.example.com-certs.tar

On Smart Proxy server, to deploy the certificate, enter the foreman-installer command that the foreman-proxy-certs-generate command returns.

When network connections or ports to Foreman are not yet open, you can set the --foreman-proxy-register-in-foreman option to false to prevent Smart Proxy from attempting to connect to Foreman and reporting errors. Run the installer again with this option set to true when the network and firewalls are correctly configured.

Important
Do not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Smart Proxy server.

Deploying a Custom SSL Certificate to Hosts

After you configure Smart Proxy server to use a custom SSL certificate, you must also install the katello-ca-consumer package on every host that is registered to this Smart Proxy server.

Procedure

On each host, install the katello-ca-consumer package:

# yum localinstall \
http://smart-proxy.example.com/pub/katello-ca-consumer-latest.noarch.rpm

3. Performing Additional Configuration on Smart Proxy server

Use this chapter to configure additional settings on your Smart Proxy server.

3.1. Enabling OpenSCAP on External Smart Proxies

On Foreman server and the integrated Smart Proxy of your Foreman server, OpenSCAP is enabled by default.

To use the OpenSCAP plug-in and content on an external Smart Proxy, you must enable OpenSCAP on each Smart Proxy.

Procedure

To enable OpenSCAP, enter the following command:

# foreman-installer --no-enable-foreman \
--enable-foreman-proxy-plugin-openscap

3.2. Enabling Power Management on Managed Hosts

To perform power management tasks on managed hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Smart Proxy server.

Prerequisites

All managed hosts must have a network interface of BMC type. Smart Proxy server uses this NIC to pass the appropriate credentials to the host. For more information, see Adding a Baseboard Management Controller (BMC) Interface in Managing Hosts.

Procedure

To enable BMC, enter the following command:

# foreman-installer --no-enable-foreman \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

3.3. Configuring DNS, DHCP, and TFTP on Smart Proxy server

To configure the DNS, DHCP, and TFTP services on Smart Proxy server, use the foreman-installer command with the options appropriate for your environment. To view a complete list of configurable options, enter the foreman-installer --scenario foreman --help command.

Any changes to the settings require entering the foreman-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.

To use external DNS, DHCP, and TFTP services instead, see Configuring Smart Proxy server with External Services.

Adding Multihomed DHCP details

If you want to use Multihomed DHCP, you must inform the installer.

Prerequisites

You must have the correct network name (dns-interface) for the DNS server.
You must have the correct interface name (dhcp-interface) for the DHCP server.
Contact your network administrator to ensure that you have the correct settings.

Procedure

Enter the foreman-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:

# foreman-installer --no-enable-foreman \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-interface eth0 \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-interface eth0 \
--foreman-proxy-dhcp-additional-interfaces eth1 \
--foreman-proxy-dhcp-additional-interfaces eth2 \
--foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
--foreman-proxy-dhcp-gateway 192.0.2.1 \
--foreman-proxy-dhcp-nameservers 192.0.2.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername 192.0.2.3

For more information about configuring DHCP, DNS, and TFTP services, see the Configuring Network Services section in the Provisioning Guide.

4. Configuring Smart Proxy server with External Services

If you do not want to configure the DNS, DHCP, and TFTP services on Smart Proxy server, use this section to configure your Smart Proxy server to work with external DNS, DHCP and TFTP services.

4.1. Configuring Smart Proxy server with External DNS

You can configure Smart Proxy server with external DNS. Smart Proxy server uses the nsupdate utility to update DNS records on the remote server.

To make any changes persistent, you must enter the foreman-installer command with the options appropriate for your environment.

Prerequisites

You must have a configured external DNS server.

Procedure

Install the bind-utils package:
```
# yum install bind bind-utils
```
Copy the /etc/rndc.key file from the external DNS server to Smart Proxy server:
```
# scp root@dns.example.com:/etc/rndc.key /etc/rndc.key
```

Configure the ownership, permissions, and SELinux context:

# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key

To test the nsupdate utility, add a host remotely:

# echo -e "server DNS_IP_Address\n \
update add aaa.virtual.lan 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/rndc.key
# nslookup aaa.virtual.lan DNS_IP_Address
# echo -e "server DNS_IP_Address\n \
update delete aaa.virtual.lan 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/rndc.key

Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.
```
# usermod -a -G named foreman-proxy
```

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file:

# foreman-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="DNS_IP_Address" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Log in to Foreman server web UI.
Navigate to Infrastructure > Smart Proxies, locate the Smart Proxy server, and from the list in the Actions column, select Refresh.
Associate the DNS service with the appropriate subnets and domain.

4.2. Configuring Smart Proxy server with External DHCP

To configure Smart Proxy server with external DHCP, you must complete the following procedures:

Configuring an External DHCP Server to Use with Smart Proxy server
Configuring Smart Proxy server with an External DHCP Server

4.2.1. Configuring an External DHCP Server to Use with Smart Proxy server

To configure an external DHCP server to use with Smart Proxy server, on a Red Hat Enterprise Linux server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages. You must also share the DHCP configuration and lease files with Smart Proxy server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.

Note

If you use dnsmasq as an external DHCP server, enable the dhcp-no-override setting. This is required because Foreman creates configuration files on the TFTP server under the grub2/ subdirectory. If the dhcp-no-override setting is disabled, clients fetch the bootloader and its configuration from the root directory, which might cause an error.

If you do not use firewall-cmd to configure the Linux firewall, implement using the command of your choice.

Procedure

On a Red Hat Enterprise Linux Server server, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages:
```
# yum install dhcp bind
```
Generate a security token:
```
# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key
```
As a result, a key pair that consists of two files is created in the current directory.

Copy the secret hash from the key:

# cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2

Edit the dhcpd configuration file for all of the subnets and add the key. The following is an example:

# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;

Note that the option routers value is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.

Delete the two key files from the directory that they were created in.
On Foreman server, define each subnet. Do not set DHCP Smart Proxy for the defined Subnet yet.

To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Foreman web UI define the reservation range as 192.168.38.101 to 192.168.38.250.

Configure the firewall for external access to the DHCP server:

# firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent

On Foreman server, determine the UID and GID of the foreman user:
```
# id -u foreman
993
# id -g foreman
990
```
On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:
```
# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman
```

To ensure that the configuration files are accessible, restore the read and execute flags:

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

Start the DHCP service:
```
# systemctl start dhcpd
```

Export the DHCP configuration and lease files using NFS:

# yum install nfs-utils
# systemctl enable rpcbind nfs-server
# systemctl start rpcbind nfs-server nfs-lock nfs-idmapd

Create directories for the DHCP configuration and lease files that you want to export using NFS:
```
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
```

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```

Ensure the following lines are present in /etc/exports:

/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

Note that the IP address that you enter is the Foreman or Smart Proxy IP address that you want to use with an external DHCP service.

Reload the NFS server:
```
# exportfs -rva
```

Configure the firewall for the DHCP omapi port 7911:

# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent

Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent

4.2.2. Configuring Smart Proxy server with an External DHCP Server

You can configure Smart Proxy server with an external DHCP server.

Prerequisite

Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Smart Proxy server. For more information, see Configuring an External DHCP Server to Use with Smart Proxy server.

Procedure

Install the nfs-utils utility:
```
# yum install nfs-utils
```

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:
```
# chown -R foreman-proxy /mnt/nfs
```
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
```
# showmount -e DHCP_Server_FQDN
# rpcinfo -p DHCP_Server_FQDN
```

Add the following lines to the /etc/fstab file:

DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:
```
# mount -a
```

To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:

# su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# foreman-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911 \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server=DHCP_Server_FQDN

Restart the foreman-proxy service:
```
# systemctl restart foreman-proxy
```
Log in to Foreman server web UI.
Navigate to Infrastructure > Smart Proxies, locate the Smart Proxy server, and from the list in the Actions column, select Refresh.
Associate the DHCP service with the appropriate subnets and domain.

4.3. Configuring Smart Proxy server with External TFTP

You can configure Smart Proxy server with external TFTP services.

Procedure

Create the TFTP directory for NFS:
```
# mkdir -p /mnt/nfs/var/lib/tftpboot
```

In the /etc/fstab file, add the following line:

TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```
Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file:
```
# foreman-installer --foreman-proxy-tftp=true \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot
```
If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of the server that the TFTP service is running on:
```
# foreman-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
```
Log in to Foreman server web UI.
Navigate to Infrastructure > Smart Proxies, locate the Smart Proxy server, and from the list in the Actions column, select Refresh.
Associate the TFTP service with the appropriate subnets and domain.

4.4. Configuring Smart Proxy server with External IdM DNS

When Foreman server adds a DNS record for a host, it first determines which Smart Proxy is providing DNS for that domain. It then communicates with the Smart Proxy that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Foreman or Smart Proxy that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

Smart Proxy server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service. For more information about Red Hat Identity Management, see the Linux Domain Identity, Authentication, and Policy Guide.

To configure Smart Proxy server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:

Configuring Dynamic DNS Update with GSS-TSIG Authentication
Configuring Dynamic DNS Update with TSIG Authentication

To revert to internal DNS service, use the following procedure:

Reverting to Internal DNS Service

Note

You are not required to use Smart Proxy server to manage DNS. When you are using the realm enrollment feature of Foreman, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client. Configuring Smart Proxy server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see External Authentication for Provisioned Hosts in Administering Foreman.

4.4.1. Configuring Dynamic DNS Update with GSS-TSIG Authentication

You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Smart Proxy server base operating system.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
You must confirm whether Foreman server or Smart Proxy server is configured to provide DNS service for your deployment.
You must configure DNS, DHCP and TFTP services on the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment.
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.

Procedure

To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:

Creating a Kerberos Principal on the IdM Server

Obtain a Kerberos ticket for the account obtained from the IdM administrator:
```
# kinit idm_user
```
Create a new Kerberos principal for Smart Proxy server to use to authenticate on the IdM server.
```
# ipa service-add smartproxy.example.com
```

Installing and Configuring the IdM Client

On the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment, install the ipa-client package:
```
# yum install ipa-client
```
Configure the IdM client by running the installation script and following the on-screen prompts:
```
# ipa-client-install
```
Obtain a Kerberos ticket:
```
# kinit admin
```
Remove any preexisting keytab:
```
# rm /etc/foreman-proxy/dns.keytab
```

Obtain the keytab for this system:

# ipa-getkeytab -p smart-proxy/foreman.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab

Note	When adding a keytab to a standby system with the same host name as the original system in service, add the `r` option to prevent generating new credentials and rendering the credentials on the original system invalid.

For the dns.keytab file, set the group and owner to foreman-proxy:

# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

Optional: To verify that the keytab file is valid, enter the following command:

# kinit -kt /etc/foreman-proxy/dns.keytab \
smart-proxy/foreman.example.com@EXAMPLE.COM

Configuring DNS Zones in the IdM web UI

Create and configure the zone that you want to manage:
1. Navigate to Network Services > DNS > DNS Zones.
2. Select Add and enter the zone name. For example, example.com.
3. Click Add and Edit.
4. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant smart-proxy/047foreman.example.com@EXAMPLE.COM wildcard * ANY;
5. Set Dynamic update to True.
6. Enable Allow PTR sync.
7. Click Save to save the changes.
Create and configure the reverse zone:
1. Navigate to Network Services > DNS > DNS Zones.
2. Click Add.
3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
4. Click Add and Edit.
5. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant smart-proxy\047foreman.example.com@EXAMPLE.COM wildcard * ANY;
6. Set Dynamic update to True.
7. Click Save to save the changes.

Configuring the Foreman or Smart Proxy server that Manages the DNS Service for the Domain

Use the foreman-installer command to configure the Foreman or Smart Proxy that manages the DNS Service for the domain:

On Foreman, enter the following command:

foreman-installer --scenario foreman \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="smart-proxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

On Smart Proxy, enter the following command:

foreman-installer --no-enable-foreman \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-principal="smart-proxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-reverse="55.168.192.in-addr.arpa" \
--foreman-proxy-dns-zone=example.com \
--foreman-proxy-dns-ttl=86400

Restart the Foreman or Smart Proxy’s Proxy Service.
```
# systemctl restart foreman-proxy
```

After you run the foreman-installer command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Updating the Configuration in the Foreman web UI

Navigate to Infrastructure > Smart Proxies, locate the Smart Proxy server, and from the list in the Actions column, select Refresh.
Configure the domain:
1. Navigate to Infrastructure > Domains and select the domain name.
2. In the Domain tab, ensure DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
Configure the subnet:
1. Navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to None.
3. In the Domains tab, select the domain that you want to manage using the IdM server.
4. In the Smart Proxies tab, ensure Reverse DNS Smart Proxy is set to the Smart Proxy where the subnet is connected.
5. Click Submit to save the changes.

4.4.2. Configuring Dynamic DNS Update with TSIG Authentication

You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC2845.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Linux Domain Identity, Authentication, and Policy Guide.
You must obtain root user access on the IdM server.
You must confirm whether Foreman server or Smart Proxy server is configured to provide DNS service for your deployment.
You must configure DNS, DHCP and TFTP services on the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment.
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Foreman server.

Procedure

To configure dynamic DNS update with TSIG authentication, complete the following steps:

Enabling External Updates to the DNS Zone in the IdM Server

On the IdM Server, add the following to the top of the /etc/named.conf file:

########################################################################

include "/etc/rndc.key";
controls  {
inet _IdM_Server_IP_Address_ port 953 allow { _Foreman_IP_Address_; } keys { "rndc-key"; };
};
########################################################################

Reload the named service to make the changes take effect:
```
# systemctl reload named
```
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
1. Add the following in the BIND update policy box:
  grant "rndc-key" zonesub ANY;
2. Set Dynamic update to True.
3. Click Update to save the changes.
Copy the /etc/rndc.key file from the IdM server to the base operating system of your Foreman server. Enter the following command:
```
# scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
```
To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:
```
# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key
```
Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.
```
# usermod -a -G named foreman-proxy
```

On Foreman server, enter the following satellite-installer command to configure Foreman to use the external DNS server:

# foreman-installer --scenario foreman \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="IdM_Server_IP_Address" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Testing External Updates to the DNS Zone in the IdM Server

Install the bind-utils utility:
```
# yum install bind-utils
```
Ensure that the key in the /etc/rndc.key file on Foreman server is the same key file that is used on the IdM server:
```
key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};
```
On Foreman server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.
```
# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
```

On Foreman server, test the DNS entry:

# nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20

To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

If resolved successfully, remove the test DNS entry:

# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

Confirm that the DNS entry was removed:
```
# nslookup test.example.com 192.168.25.1
```
The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.

4.4.3. Reverting to Internal DNS Service

You can revert to using Foreman server and Smart Proxy server as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. For more information about answer files, see Configuring Foreman server.

Procedure

On the Foreman or Smart Proxy server that you want to configure to manage DNS service for the domain, complete the following steps:

Configuring Foreman or Smart Proxy as a DNS Server

If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the foreman-installer command:
```
# foreman-installer
```
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure Foreman or Smart Proxy as DNS server without using an answer file, enter the following foreman-installer command on Foreman and each affected Smart Proxy:
```
# foreman-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="127.0.0.1"  \
--foreman-proxy-dns-tsig-principal="foremanproxy/foreman.example.com@EXAMPLE.COM" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab
```
For more information,see Configuring DNS, DHCP, and TFTP on Smart Proxy server.

After you run the foreman-installer command to make any changes to your Smart Proxy configuration, you must update the configuration of each affected Smart Proxy in the Foreman web UI.

Updating the Configuration in the Foreman web UI

Navigate to Infrastructure > Smart Proxies.
For each Smart Proxy that you want to update, from the Actions list, select Refresh.
Configure the domain:
1. Navigate to Infrastructure > Domains and click the domain name that you want to configure.
2. In the Domain tab, set DNS Smart Proxy to the Smart Proxy where the subnet is connected.
Configure the subnet:
1. Navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to DHCP or Internal DB.
3. In the Domains tab, select the domain that you want to manage using Foreman or Smart Proxy.
4. In the Smart Proxies tab, set Reverse DNS Smart Proxy to the Smart Proxy where the subnet is connected.
5. Click Submit to save the changes.

Appendix A: Smart Proxy server Scalability Considerations

The maximum number of Smart Proxy servers that Foreman server can support has no fixed limit. The tested limit is 17 Smart Proxy servers with 2 vCPUs on a Foreman server with Red Hat Enterprise Linux 7. However, scalability is highly variable, especially when managing Puppet clients.

Smart Proxy server scalability when managing Puppet clients depends on the number of CPUs, the run-interval distribution, and the number of Puppet managed resources. Smart Proxy server has a limitation of 100 concurrent Puppet agents running at any single point in time. Running more than 100 concurrent Puppet agents results in a 503 HTTP error.

For example, assuming that Puppet agent runs are evenly distributed with less than 100 concurrent Puppet agents running at any single point during a run-interval, a Smart Proxy server with 4 CPUs has a maximum of 1250-1600 Puppet clients with a moderate workload of 10 Puppet classes assigned to each Puppet client. Depending on the number of Puppet clients required, the Foreman installation can scale out the number of Smart Proxy servers to support them.

If you want to scale your Smart Proxy server when managing Puppet clients, the following assumptions are made:

There are no external Puppet clients reporting directly to the Foreman integrated Smart Proxy.
All other Puppet clients report directly to an external Smart Proxy.
There is an evenly distributed run-interval of all Puppet agents.

Note	Deviating from the even distribution increases the risk of filling the passenger request queue. The limit of 100 concurrent requests applies.

The following table describes the scalability limits using the recommended 4 CPUs.

Table 6. Puppet Scalability Using 4 CPUs
Puppet Managed Resources per Host	Run-Interval Distribution
1	3000-2500
10	2400-2000
20	1700-1400

The following table describes the scalability limits using the minimum 2 CPUs.

Table 7. Puppet Scalability Using 2 CPUs
Puppet Managed Resources per Host	Run-Interval Distribution
1	1700-1450
10	1500-1250
20	850-700