Installing orcharhino Server

For a new installation, install fapolicyd:

# dnf install fapolicyd

For an existing installation, install fapolicyd using dnf install:

# dnf install fapolicyd

Start the fapolicyd service:

# systemctl enable --now fapolicyd

Enter the following command with any additional options that you want to use:

# foreman-installer --scenario katello \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

In the orcharhino management UI, navigate to Infrastructure > HTTP Proxies.

Click New HTTP Proxy.

In the Name field, enter the name for the HTTP proxy.

In the Url field, enter the URL of the HTTP proxy in the following format: https://proxy.example.com:8080.

Optional: If authentication is required, in the Username field, enter the username to authenticate with.

Optional: If authentication is required, in the Password field, enter the password to authenticate with.

To test connection to the proxy, click Test Connection.

Click Submit.

In the orcharhino management UI, navigate to Administer > Settings, and click the Content tab.

Set the Default HTTP Proxy setting to the created HTTP proxy.

Verify that the http_proxy, https_proxy, and no_proxy variables are not set.

# unset http_proxy
# unset https_proxy
# unset no_proxy

Add an HTTP proxy entry to orcharhino:

# hammer http-proxy create --name=myproxy \
--url http://myproxy.example.com:8080  \
--username=proxy_username \
--password=proxy_password

Configure orcharhino to use this HTTP proxy by default:

# hammer settings set --name=content_default_http_proxy --value=myproxy

On orcharhino, to verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows:

# semanage port -l | grep http_cache
http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
[output truncated]

To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows:

# semanage port -a -t http_cache_port_t -p tcp 8088

In the orcharhino management UI, navigate to Administer > Settings.

In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.

Click the tick icon to save your changes.

In the orcharhino management UI, navigate to Administer > Settings.

In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.

Click the tick icon to save your changes.

On orcharhino Proxy with the TFTP feature, to verify the ports that are permitted by SELinux for the HTTP cache, enter the following command:

# systemctl edit foreman-proxy

Insert the following test into the editor:

[Service]
Environment="http_proxy=http://proxy.example.com:8888"
Environment="https_proxy=https://proxy.example.com:8888"

Save the file. Verify that the file appears as /etc/systemd/system/foreman-proxy.service.d/overrides.conf.

Restart the foreman-proxy service:

# systemctl restart foreman-proxy

Create a host or enter build mode for an existing host to re-download PXE files to the TFTP orcharhino Proxy.

In the orcharhino management UI, navigate to Administer > Settings, and click the Content tab.

Set the Default HTTP Proxy setting to no global default.

Disable DHCP, DNS, and TFTP integration on your orcharhino Server:

# foreman-installer --foreman-proxy-dhcp false \
--foreman-proxy-dns false \
--foreman-proxy-tftp false

Disable the orcharhino Proxy integration for every subnet:

In the orcharhino management UI, navigate to Infrastructure > Domains and select a domain.

Clear the DNS orcharhino Proxy field.

Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:

Option 66: IP address of orcharhino or orcharhino Proxy
Option 67: /pxelinux.0

To store all the source certificate files, create a directory that is accessible only to the root user:

# mkdir /root/orcharhino_cert

Create a private key with which to sign the certificate signing request (CSR).

# openssl genrsa -out /root/orcharhino_cert/orcharhino_cert_key.pem 4096

Create the /root/orcharhino_cert/openssl.cnf configuration file for the CSR and include the following content:

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = orcharhino.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = orcharhino.example.com

Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

[req_distinguished_name]
CN = orcharhino.example.com
countryName =My_Country_Name (1)
stateOrProvinceName = My_State_Or_Province_Name (2)
localityName = My_Locality_Name (3)
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name (4)

Generate CSR:

# openssl req -new \
-key /root/orcharhino_cert/orcharhino_cert_key.pem \ (1)
-config /root/orcharhino_cert/openssl.cnf \ (2)
-out /root/orcharhino_cert/orcharhino_cert_csr.pem (3)

Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for orcharhino Server and orcharhino Proxy.

On a computer with network access to orcharhino Server, navigate to the following URL: https://orcharhino.example.com.

In your browser, view the certificate details to verify the deployed certificate.

To install PostgreSQL, enter the following command:

# dnf install postgresql-server postgresql-evr postgresql-contrib

To initialize PostgreSQL, enter the following command:

# postgresql-setup initdb

Edit the /var/lib/pgsql/data/postgresql.conf file:

# vi /var/lib/pgsql/data/postgresql.conf

Remove the # and edit to listen to inbound connections:

listen_addresses = '*'

Edit the /var/lib/pgsql/data/pg_hba.conf file:

# vi /var/lib/pgsql/data/pg_hba.conf

Add the following line to the file:

  host  all   all   orcharhino_ip/32   md5

To start, and enable PostgreSQL service, enter the following commands:

# systemctl enable --now postgresql

Open the postgresql port on the external PostgreSQL server:

# firewall-cmd --add-service=postgresql

Make the changes persistent:

# firewall-cmd --runtime-to-permanent

Switch to the postgres user and start the PostgreSQL client:

$ su - postgres -c psql

Create three databases and dedicated roles: one for orcharhino, one for Candlepin, and one for Pulp:

CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
CREATE USER "pulp" WITH PASSWORD 'Pulpcore_Password';
CREATE DATABASE foreman OWNER foreman;
CREATE DATABASE candlepin OWNER candlepin;
CREATE DATABASE pulpcore OWNER pulp;

Connect to the Pulp database:

postgres=# \c pulpcore
You are now connected to database "pulpcore" as user "postgres".

Create the hstore extension:

pulpcore=# CREATE EXTENSION IF NOT EXISTS "hstore";
CREATE EXTENSION

Exit the postgres user:

# \q

From orcharhino Server, test that you can access the database. If the connection succeeds, the commands return 1.

# PGPASSWORD='Foreman_Password' psql -h postgres.example.com  -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
# PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"
# PGPASSWORD='Pulpcore_Password' psql -h postgres.example.com -p 5432 -U pulp -d pulpcore -c "SELECT 1 as ping"

To configure the external databases for orcharhino, enter the following command:

# foreman-installer \
--katello-candlepin-manage-db false \
--katello-candlepin-db-host postgres.example.com \
--katello-candlepin-db-name candlepin \
--katello-candlepin-db-user candlepin \
--katello-candlepin-db-password Candlepin_Password \
--foreman-proxy-content-pulpcore-manage-postgresql false \
--foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
--foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
--foreman-proxy-content-pulpcore-postgresql-user pulp \
--foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
--foreman-db-manage false \
--foreman-db-host postgres.example.com \
--foreman-db-database foreman \
--foreman-db-username foreman \
--foreman-db-password Foreman_Password

--foreman-db-root-cert <path_to_CA>
--foreman-db-sslmode verify-full
--foreman-proxy-content-pulpcore-postgresql-ssl true
--foreman-proxy-content-pulpcore-postgresql-ssl-root-ca <path_to_CA>
--katello-candlepin-db-ssl true
--katello-candlepin-db-ssl-ca <path_to_CA>
--katello-candlepin-db-ssl-verify true

Obtain the CA certificate from the LDAP Server:

Add the LDAP server certificate to the system truststore:

Delete the downloaded LDAP certificate from the temporary location on your orcharhino Server.

Set the Network Information System (NIS) service boolean to true to prevent SELinux from stopping outgoing LDAP connections:

# setsebool -P nis_enabled on

In the orcharhino management UI, navigate to Administer > Authentication Sources.

Click Create LDAP Authentication Source.

On the LDAP server tab, enter the LDAP server’s name, host name, port, and server type. The default port is 389, the default server type is POSIX (alternatively you can select FreeIPA or Active Directory depending on the type of authentication server). For TLS encrypted connections, select the LDAPS checkbox to enable encryption. The port should change to 636, which is the default for LDAPS.

On the Account tab, enter the account information and domain name details. See Description of LDAP settings for descriptions and examples.

On the Attribute mappings tab, map LDAP attributes to orcharhino attributes. You can map login name, first name, last name, email address, and photo attributes. See Example settings for LDAP connections for examples.

On the Locations tab, select locations from the left table. Selected locations are assigned to users created from the LDAP authentication source, and available after their first login.

On the Organizations tab, select organizations from the left table. Selected organizations are assigned to users created from the LDAP authentication source, and available after their first login.

Click Submit.

Configure new accounts for LDAP users:

On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:

# kinit admin

To verify that you have authenticated, enter the following command:

# klist

On the FreeIPA server, create a host entry for orcharhino Server and generate a one-time password, for example:

# ipa host-add --random hostname

Create an HTTP service for orcharhino Server, for example:

# ipa service-add HTTP/hostname

On orcharhino Server, install the IPA client:

# dnf install ipa-client

On orcharhino Server, enter the following command as root to configure FreeIPA-enrollment:

# ipa-client-install --password OTP

Set FreeIPA as the authentication provider, using one of the following commands:

Restart orcharhino services:

# foreman-maintain service restart

On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:

# kinit admin

To verify that you have authenticated, enter the following command:

# klist

Create HBAC service and rule on the FreeIPA server and link them together. The following examples use the PAM service name orcharhino-prod. Execute the following commands on the FreeIPA server:

# ipa hbacsvc-add orcharhino-prod
# ipa hbacrule-add allow_orcharhino_prod
# ipa hbacrule-add-service allow_orcharhino_prod --hbacsvcs=orcharhino-prod

Add the user who is to have access to the service orcharhino-prod, and the hostname of orcharhino Server:

# ipa hbacrule-add-user allow_orcharhino_prod --user=username
# ipa hbacrule-add-host allow_orcharhino_prod --hosts=orcharhino.example.com

To check the status of the rule, execute:

# ipa hbacrule-find orcharhino-prod
# ipa hbactest --user=username --host=orcharhino.example.com --service=orcharhino-prod

Ensure the allow_all rule is disabled on the FreeIPA server.

Configure the FreeIPA integration with orcharhino Server as described in Configuring FreeIPA authentication on orcharhino Server. On orcharhino Server, define the PAM service as root:

# foreman-installer --foreman-pam-service=orcharhino-prod

Define AD realm configuration in a location where foreman-installer expects it:

Configure the Apache keytab for Kerberos connections:

Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the foreman PAM service:

Enable the authentication source:

# foreman-installer --foreman-ipa-authentication=true

Enable HBAC:

Configure sssd to transfer additional attributes of AD users.

Users authenticate to orcharhino using the orcharhino management UI.

Users authenticate to orcharhino using the orcharhino CLI.

On orcharhino Server, install the following packages:

# dnf install mod_auth_openidc keycloak-httpd-client-install python3-lxml

Register orcharhino to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different.

Restart the httpd service:

# systemctl restart httpd

In the Keycloak web UI, navigate to Clients and click the orcharhino client.

Configure access type:

In the Valid redirect URI fields, add a valid redirect URI.

Click Save.

Click the Mappers tab and click Create to add an audience mapper.

In the Name field, enter a name for the audience mapper.

From the Mapper Type list, select Audience.

From the Included Client Audience list, select the orcharhino client.

Click Save.

Click Create to add a group mapper so that you can specify authorization in orcharhino based on group membership.

In the Name field, enter a name for the group mapper.

From the Mapper Type list, select Group Membership.

In the Token Claim Name field, enter groups.

Set the Full group path setting to OFF.

Click Save.

To authenticate to the orcharhino CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'orcharhino.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To retrieve the success code, navigate to the URL that the command returns and provide the required information.

Copy the success code that the web UI returns.

In the command prompt of hammer auth login oauth, enter the success code to authenticate to the orcharhino CLI.

In the orcharhino management UI, navigate to Administer > User Groups.

Click Create User Group.

In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.

Do not add users and user groups to the right-hand columns. Click the Roles tab.

Select the Administer checkbox.

Click the External Groups tab.

Click Add external user group.

In the Name field, enter the name of the Active Directory group.

From the list, select EXTERNAL.

Users authenticate to orcharhino using the orcharhino management UI.

Users authenticate to orcharhino using the orcharhino CLI.

On orcharhino Server, install the following packages:

# dnf install mod_auth_openidc keycloak-httpd-client-install python3-lxml

Register orcharhino to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different.

Restart the httpd service:

# systemctl restart httpd

In the Keycloak web UI, navigate to Clients and click the orcharhino client.

Configure access type:

In the Valid redirect URI fields, add a valid redirect URI.

Click Save.

Click the Mappers tab and click Create to add an audience mapper.

In the Name field, enter a name for the audience mapper.

From the Mapper Type list, select Audience.

From the Included Client Audience list, select the orcharhino client.

Click Save.

Click Create to add a group mapper so that you can specify authorization in orcharhino based on group membership.

In the Name field, enter a name for the group mapper.

From the Mapper Type list, select Group Membership.

In the Token Claim Name field, enter groups.

Set the Full group path setting to OFF.

Click Save.

In the Keycloak web UI, navigate to the orcharhino realm.

Navigate to Authentication, and click the OTP Policy tab.

Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.

Configure the OTP settings to suit your requirements.

Optional: If you want to use TOTP authentication as a default authentication method for all users, click the Flows tab, and to the right of the OTP Form setting, select REQUIRED.

Click the Required Actions tab.

To the right of the Configure OTP row, select the Default Action checkbox.

Log in to orcharhino, orcharhino redirects you to the Keycloak login screen.

Enter your username and password, and click Log In.

The first attempt to log in, Keycloak requests you to configure your client by scanning the barcode and entering the pin displayed.

After you configure your client and enter a valid PIN, Keycloak redirects you to orcharhino and logs you in.

To authenticate to the orcharhino CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'orcharhino.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To retrieve the success code, navigate to the URL that the command returns and provide the required information.

Copy the success code that the web UI returns.

In the command prompt of hammer auth login oauth, enter the success code to authenticate to the orcharhino CLI.

In the orcharhino management UI, navigate to Administer > User Groups.

Click Create User Group.

In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.

Do not add users and user groups to the right-hand columns. Click the Roles tab.

Select the Administer checkbox.

Click the External Groups tab.

Click Add external user group.

In the Name field, enter the name of the Active Directory group.

From the list, select EXTERNAL.

On your Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:

# dnf install dhcp-server bind-utils

Generate a security token:

# tsig-keygen -a hmac-md5 omapi_key

Edit the dhcpd configuration file for all subnets and add the key generated by tsig-keygen. The following is an example:

# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm hmac-md5;
	secret "My_Secret";
};
omapi-key omapi_key;

On orcharhino Server, define each subnet. Do not set DHCP orcharhino Proxy for the defined Subnet yet.

Configure the firewall for external access to the DHCP server:

# firewall-cmd --add-service dhcp

Make the changes persistent:

# firewall-cmd --runtime-to-permanent

On orcharhino Server, determine the UID and GID of the foreman user:

# id -u foreman
993
# id -g foreman
990

On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:

# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman

To ensure that the configuration files are accessible, restore the read and execute flags:

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

Enable and start the DHCP service:

# systemctl enable --now dhcpd

Export the DHCP configuration and lease files using NFS:

# dnf install nfs-utils
# systemctl enable --now nfs-server

Create directories for the DHCP configuration and lease files that you want to export using NFS:

# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:

# mount -a

Ensure the following lines are present in /etc/exports:

/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

Reload the NFS server:

# exportfs -rva

Configure the firewall for DHCP omapi port 7911:

# firewall-cmd --add-port=7911/tcp

Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd \
--add-service mountd \
--add-service nfs \
--add-service rpc-bind \
--zone public

Make the changes persistent:

# firewall-cmd --runtime-to-permanent

Install the nfs-utils package:

# dnf install nfs-utils

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:

# chown -R foreman-proxy /mnt/nfs

Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:

# showmount -e DHCP_Server_FQDN
# rpcinfo -p DHCP_Server_FQDN

Add the following lines to the /etc/fstab file:

DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:

# mount -a

To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:

# su foreman-proxy -s /bin/bash
$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
$ exit

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# foreman-installer \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-dhcp-server=My_DHCP_Server_FQDN \
--foreman-proxy-dhcp=true \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=My_Secret \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911

Associate the DHCP service with the appropriate subnets and domain.

Obtain a Kerberos ticket for the account obtained from the IdM administrator:

# kinit idm_user

Create a new Kerberos principal for orcharhino Server to use to authenticate on the IdM server:

# ipa service-add orcharhinoproxy/orcharhino.example.com

On the base operating system of either the orcharhino or orcharhino Proxy that is managing the DNS service for your deployment, install the ipa-client package:

# dnf install ipa-client

Configure the IdM client by running the installation script and following the on-screen prompts:

# ipa-client-install

Obtain a Kerberos ticket:

# kinit admin

Remove any preexisting keytab:

# rm /etc/foreman-proxy/dns.keytab

Obtain the keytab for this system:

# ipa-getkeytab -p orcharhinoproxy/orcharhino.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab

For the dns.keytab file, set the group and owner to foreman-proxy:

# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

Optional: To verify that the keytab file is valid, enter the following command:

# kinit -kt /etc/foreman-proxy/dns.keytab \
orcharhinoproxy/orcharhino.example.com@EXAMPLE.COM

Create and configure the zone that you want to manage:

Create and configure the reverse zone:

Configure your orcharhino Server or orcharhino Proxy to connect to your DNS service:

# foreman-installer \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-tsig-principal="orcharhinoproxy/orcharhino.example.com@EXAMPLE.COM" \
--foreman-proxy-dns=true

For each affected orcharhino Proxy, update the configuration of that orcharhino Proxy in the orcharhino management UI:

On the IdM Server, add the following to the top of the /etc/named.conf file:

########################################################################

include "/etc/rndc.key";
controls  {
inet _IdM_Server_IP_Address_ port 953 allow { _orcharhino_IP_Address_; } keys { "rndc-key"; };
};
########################################################################

Reload the named service to make the changes take effect:

# systemctl reload named

In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:

Copy the /etc/rndc.key file from the IdM server to the base operating system of your orcharhino Server. Enter the following command:

# scp /etc/rndc.key root@orcharhino.example.com:/etc/rndc.key

To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:

# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key

Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario orcharhino does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.

# usermod -a -G named foreman-proxy

On orcharhino Server, enter the following foreman-installer command to configure orcharhino to use the external DNS server:

# foreman-installer \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="IdM_Server_IP_Address" \
--foreman-proxy-dns-ttl=86400 \
--foreman-proxy-dns=true \
--foreman-proxy-keyfile=/etc/rndc.key

Ensure that the key in the /etc/rndc.key file on orcharhino Server is the same key file that is used on the IdM server:

key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};

On orcharhino Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.

# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

On orcharhino Server, test the DNS entry:

# nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20

To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

If resolved successfully, remove the test DNS entry:

# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

Confirm that the DNS entry was removed:

# nslookup test.example.com 192.168.25.1

In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.

For each orcharhino Proxy that you want to update, from the Actions list, select Refresh.

Configure the domain:

Configure the subnet: