Installing Satellite Server in a connected network environment

Providing feedback on Red Hat documentation

We appreciate your feedback on our documentation. Let us know how we can improve it.

Use the Create Issue form in Red Hat Jira to provide your feedback. The Jira issue is created in the Red Hat Satellite Jira project, where you can track its progress.

Prerequisites

Ensure you have registered a Red Hat account.

Procedure

Click the following link: Create Issue. If Jira displays a login error, log in and proceed after you are redirected to the form.
Complete the Summary and Description fields. In the Description field, include the documentation URL, chapter or section number, and a detailed description of the issue. Do not modify any other fields in the form.
Click Create.

1. Preparing your environment for installation

Before you install Satellite, ensure that your environment meets the following requirements.

1.1. System requirements

The following requirements apply to the networked base operating system:

x86_64 architecture
The latest version of Red Hat Enterprise Linux 9 or Red Hat Enterprise Linux 8
4-core 2.0 GHz CPU at a minimum
A minimum of 20 GB RAM is required for Satellite Server to function. In addition, a minimum of 4 GB RAM of swap space is also recommended. Satellite running with less RAM than the minimum value might not operate correctly.
A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
A current Red Hat Satellite subscription
Administrative user (root) access
Full forward and reverse DNS resolution using a fully-qualified domain name

Satellite only supports UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Red Hat Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.

Your Satellite must have the Red Hat Satellite Infrastructure Subscription manifest in your Customer Portal. Satellite must have satellite-capsule-6.x repository enabled and synced. To create, manage, and export a Red Hat Subscription Manifest in the Customer Portal, see Creating and managing manifests for a connected Satellite Server in Subscription Central.

Satellite Server and Capsule Server do not support shortnames in the hostnames. When using custom certificates, the Common Name (CN) of the custom certificate must be a fully qualified domain name (FQDN) instead of a shortname. This does not apply to the clients of a Satellite.

Before you install Satellite Server, ensure that your environment meets the requirements for installation.

Satellite Server must be installed on a freshly provisioned system that serves no other function except to run Satellite Server. The freshly provisioned system must not have the following users provided by external identity providers to avoid conflicts with the local users that Satellite Server creates:

apache
foreman
foreman-proxy
postgres
pulp
puppet
redis
tomcat

Certified hypervisors

Satellite Server is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Certified Guest Operating Systems in Red Hat OpenStack Services on OpenShift, Red Hat Virtualization, Red Hat OpenShift Virtualization and Red Hat Enterprise Linux with KVM.

SELinux mode

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

Synchronized system clock

The system clock on the base operating system where you are installing your Satellite Server must be synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail. For example, you can use the Chrony suite for timekeeping. For more information, see the following documents:

Configuring time synchronization in Red Hat Enterprise Linux 9 Configuring basic system settings
Configuring time synchronization in Red Hat Enterprise Linux 8 Configuring basic system settings

FIPS mode

You can install Satellite on a Red Hat Enterprise Linux system that is operating in FIPS mode. You cannot enable FIPS mode after the installation of Satellite. For more information, see Switching RHEL to FIPS mode in Red Hat Enterprise Linux 9 Security hardening or Switching RHEL to FIPS mode in Red Hat Enterprise Linux 8 Security hardening.

Note

Satellite supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Satellite and Capsule installations. The FUTURE policy is a stricter forward-looking security level intended for testing a possible future policy. For more information, see Using system-wide cryptographic policies in Red Hat Enterprise Linux 9 Security hardening.

Inter-Satellite Synchronization (ISS)

In a scenario with air-gapped Satellite Servers, all your Satellite Servers must be on the same Satellite version for ISS Export Sync to work. ISS Network Sync works across all Satellite versions that support it. For more information, see Synchronizing Content Between Satellite Servers in Managing content.

1.2. Storage requirements

The following table details storage requirements for specific directories. These values are based on expected use case scenarios and can vary according to individual environments.

The runtime size was measured with Red Hat Enterprise Linux 7, 8, and 9 repositories synchronized.

Table 1. Storage requirements for a Satellite Server installation
Directory	Installation Size	Runtime Size
/var/log	10 MB	10 GB
/var/lib/pgsql	100 MB	20 GB
/usr	10 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable
/var/lib/pulp	1 MB	300 GB

For external database servers: /var/lib/pgsql with installation size of 100 MB and runtime size of 20 GB.

For detailed information on partitioning and size, see Disk partitions in Red Hat Enterprise Linux 9 Managing storage devices.

1.3. Storage guidelines

Consider the following guidelines when installing Satellite Server to increase efficiency.

If you mount the /tmp directory as a separate file system, you must use the exec mount option in the /etc/fstab file. If /tmp is already mounted with the noexec option, you must change the option to exec and re-mount the file system. This is a requirement for the puppetserver service to work.
Because most Satellite Server data is stored in the /var directory, mounting /var on LVM storage can help the system to scale.
Use high-bandwidth, low-latency storage for the /var/lib/pulp/ directories. As Red Hat Satellite has many operations that are I/O intensive, using high latency, low-bandwidth storage causes performance degradation. Ensure your installation has a speed in the range 60 – 80 Megabytes per second.

You can use the storage-benchmark script to get this data. For more information on using the storage-benchmark script, see Impact of Disk Speed on Satellite Operations.

File system guidelines

Do not use the GFS2 file system as the input-output latency is too high.

Log file storage

Log files are written to /var/log/messages/, /var/log/httpd/, and /var/lib/foreman-proxy/openscap/content/. You can manage the size of these files using logrotate. For more information, see How to use logrotate utility to rotate log files.

The exact amount of storage you require for log messages depends on your installation and setup.

SELinux considerations for NFS mount

When the /var/lib/pulp directory is mounted using an NFS share, SELinux blocks the synchronization process. To avoid this, specify the SELinux context of the /var/lib/pulp directory in the file system table by adding the following lines to /etc/fstab:

nfs.example.com:/nfsshare  /var/lib/pulp  nfs  context="system_u:object_r:var_lib_t:s0"  1 2

If NFS share is already mounted, remount it using the above configuration and enter the following command:

# restorecon -R /var/lib/pulp

Duplicated packages

Packages that are duplicated in different repositories are only stored once on the disk. Additional repositories containing duplicate packages require less additional storage. The bulk of storage resides in the /var/lib/pulp/ directory. These end points are not manually configurable. Ensure that storage is available on the /var file system to prevent storage problems.

Symbolic links

You cannot use symbolic links for /var/lib/pulp/.

Synchronized RHEL ISO

If you plan to synchronize RHEL content ISOs to Satellite, note that all minor versions of Red Hat Enterprise Linux also synchronize. You must plan to have adequate storage on your Satellite to manage this.

1.4. Supported operating systems

You can install the operating system from a disc, local ISO image, Kickstart, or any other method that Red Hat supports. Red Hat Satellite Server is supported on the latest versions of Red Hat Enterprise Linux 9 and Red Hat Enterprise Linux 8 that are available at the time when Satellite Server is installed. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

The following operating systems are supported by the installer, have packages, and are tested for deploying Satellite:

Table 2. Operating systems supported by satellite-installer
Operating System	Architecture	Notes
Red Hat Enterprise Linux 9	x86_64 only
Red Hat Enterprise Linux 8	x86_64 only

Red Hat advises against using an existing system because the Satellite installer will affect the configuration of several components. Red Hat Satellite Server requires a Red Hat Enterprise Linux installation with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.

Red Hat does not support using the system for anything other than running Satellite Server.

1.5. Supported browsers

Satellite supports recent versions of Firefox and Google Chrome browsers.

The Satellite web UI and command-line interface support English, Simplified Chinese, Japanese, French.

1.6. Port and firewall requirements

For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.

Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Integrated Capsule

Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of this section. This includes the base operating system on which Capsule Server is running.

Clients of Capsule

Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology and an illustration of port connections, see Capsule Networking in Overview, concepts, and deployment considerations.

Required ports can change based on your configuration.

The following tables indicate the destination port and the direction of network traffic:

Table 3. Satellite Server incoming traffic
Destination Port	Protocol	Service	Source	Required For	Description
53	TCP and UDP	DNS	DNS Servers and clients	Name resolution	DNS (optional)
67	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
69	UDP	TFTP	Client	TFTP Server (optional)
443	TCP	HTTPS	Capsule	Red Hat Satellite API	Communication from Capsule
443, 80	TCP	HTTPS, HTTP	Client	Global Registration	Registering hosts to Satellite Port 443 is required for registration initiation, uploading facts, and sending installed packages and traces Port 80 notifies Satellite on the `/unattended/built` endpoint that registration has finished
443	TCP	HTTPS	Red Hat Satellite	Content Mirroring	Management
443	TCP	HTTPS	Red Hat Satellite	Capsule API	Smart Proxy functionality
443, 80	TCP	HTTPS, HTTP	Capsule	Content Retrieval	Content
443, 80	TCP	HTTPS, HTTP	Client	Content Retrieval	Content
1883	TCP	MQTT	Client	Pull based REX (optional)	Content hosts for REX job notification (optional)
5910 – 5930	TCP	HTTPS	Browsers	Compute Resource’s virtual console
8000	TCP	HTTP	Client	Provisioning templates	Template retrieval for client installers, iPXE or UEFI HTTP Boot
8000	TCP	HTTPS	Client	PXE Boot	Installation
8140	TCP	HTTPS	Client	Puppet agent	Client updates (optional)
9090	TCP	HTTPS	Red Hat Satellite	Capsule API	Smart Proxy functionality
9090	TCP	HTTPS	Client	OpenSCAP	Configure Client (if the OpenSCAP plugin is installed)
9090	TCP	HTTPS	Discovered Node	Discovery	Host discovery and provisioning (if the discovery plugin is installed)

Any host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base operating system on which a Capsule Server is running.

A DHCP Capsule performs ICMP ping or TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free. This behavior can be turned off using satellite-installer --foreman-proxy-dhcp-ping-free-ip=false.

Note	Some outgoing traffic returns to Satellite to enable internal communication and security operations.

Table 4. Satellite Server outgoing traffic
Destination Port	Protocol	Service	Destination	Required For	Description
	ICMP	ping	Client	DHCP	Free IP checking (optional)
7	TCP	echo	Client	DHCP	Free IP checking (optional)
22	TCP	SSH	Target host	Remote execution	Run jobs
22, 16514	TCP	SSH SSH/TLS	Compute Resource	Satellite originated communications, for compute resources in libvirt
53	TCP and UDP	DNS	DNS Servers on the Internet	DNS Server	Resolve DNS records (optional)
53	TCP and UDP	DNS	DNS Server	Capsule DNS	Validation of DNS conflicts (optional)
53	TCP and UDP	DNS	DNS Server	Orchestration	Validation of DNS conflicts
68	UDP	DHCP	Client	Dynamic IP	DHCP (optional)
80	TCP	HTTP	Remote repository	Content Sync	Remote repositories
389, 636	TCP	LDAP, LDAPS	External LDAP Server	LDAP	LDAP authentication, necessary only if external authentication is enabled. The port can be customized when `LDAPAuthSource` is defined
443	TCP	HTTPS	Satellite	Capsule	Capsule Configuration management Template retrieval OpenSCAP Remote Execution result upload
443	TCP	HTTPS	Amazon EC2, Azure, Google GCE	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
443	TCP	HTTPS	console.redhat.com	Red Hat Cloud plugin API calls
443	TCP	HTTPS	cdn.redhat.com	Content Sync	Red Hat CDN
443	TCP	HTTPS	cert.console.redhat.com	Red Hat Insights	When using Insights, required for Inventory upload and Cloud Connector connection
443	TCP	HTTPS	api.access.redhat.com	SOS report	Assisting support cases filed through the Red Hat Customer Portal (optional)
443	TCP	HTTPS	cert-api.access.redhat.com	Telemetry data upload and report
443	TCP	HTTPS	connect.cloud.redhat.com:443	RHCD communication with the MQTT message broker
443	TCP	HTTPS	Capsule	Content mirroring	Initiation
443	TCP	HTTPS	Infoblox DHCP Server	DHCP management	When using Infoblox for DHCP, management of the DHCP leases (optional)
623			Client	Power management	BMC On/Off/Cycle/Status
5000	TCP	HTTPS	OpenStack Compute Resource	Compute resources	Virtual machine interactions (query/create/destroy) (optional)
5900 – 5930	TCP	SSL/TLS	Hypervisor	noVNC console	Launch noVNC console
7911	TCP	DHCP, OMAPI	DHCP Server	DHCP	The DHCP target is configured using `--foreman-proxy-dhcp-server` and defaults to localhost ISC and `remote_isc` use a configurable port that defaults to 7911 and uses OMAPI
8443	TCP	HTTPS	Client	Discovery	Capsule sends reboot command to the discovered host (optional)
9090	TCP	HTTPS	Capsule	Capsule API	Management of Capsules

1.7. Enabling connections from a client to Satellite Server

Capsules and Content Hosts that are clients of a Satellite Server’s internal Capsule require access through Satellite’s host-based firewall and any network-based firewalls.

Use this procedure to configure the host-based firewall on the system that Satellite is installed on, to enable incoming connections from Clients, and to make the configuration persistent across system reboots. For more information on the ports used, see Port and firewall requirements in Installing Satellite Server in a connected network environment.

Procedure

Open the ports for clients on Satellite Server:

# firewall-cmd \
--add-port="8000/tcp" \
--add-port="9090/tcp"

Allow access to services on Satellite Server:

# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=http \
--add-service=https \
--add-service=puppetmaster

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

Verification

Enter the following command:
```
# firewall-cmd --list-all
```

For more information, see Using and configuring firewalld in Red Hat Enterprise Linux 9 Configuring firewalls and packet filters or Using and configuring firewalld in Red Hat Enterprise Linux 8 Configuring and managing networking.

1.8. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Satellite.

Procedure

Ensure that the host name and local host resolve correctly:

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
```
# hostnamectl set-hostname name
```

For more information, see Changing a hostname using hostnamectl in Red Hat Enterprise Linux 9 Configuring and managing networking.

Warning

Name resolution is critical to the operation of Satellite. If Satellite cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.

1.9. Tuning Satellite Server with predefined profiles

If your Satellite deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of Satellite.

Note that you cannot use tuning profiles on Capsules.

You can choose one of the profiles depending on the number of hosts your Satellite manages and available hardware resources.

The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.

When you run the satellite-installer command with the --tuning option, deployment configuration settings are applied to Satellite in the following order:

The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, Satellite applies these configuration settings.

Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.

Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.

default: Number of hosts: 0 – 5000

RAM: 20G

Number of CPU cores: 4
medium: Number of hosts: 5001 – 10000

RAM: 32G

Number of CPU cores: 8
large: Number of hosts: 10001 – 20000

RAM: 64G

Number of CPU cores: 16
extra-large: Number of hosts: 20001 – 60000

RAM: 128G

Number of CPU cores: 32
extra-extra-large: Number of hosts: 60000+

RAM: 256G

Number of CPU cores: 48+

Procedure

Optional: If you have configured the custom-hiera.yaml file on Satellite Server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted:
```
# cp /etc/foreman-installer/custom-hiera.yaml \
/etc/foreman-installer/custom-hiera.original
```
Optional: If you have configured the custom-hiera.yaml file on Satellite Server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.
Enter the satellite-installer command with the --tuning option for the profile that you want to apply. For example, to apply the medium tuning profile settings, enter the following command:
```
# satellite-installer --tuning medium
```

1.10. Requirements for installation in an IPv4 network

The following requirements apply to installations in an IPv4 network:

An IPv6 loopback must be configured on the base system. The loopback is typically configured by default. Do not disable it.
Do not disable IPv6 in kernel by adding the ipv6.disable=1 kernel parameter.

For a supported way to disable the IPv6 protocol, see How do I disable the IPv6 protocol on Red Hat Satellite and/or Red Hat Capsule server? in Red Hat Knowledgebase.

2. Preparing your environment for Satellite installation in an IPv6 network

You can install and use Satellite in an IPv6 network. Before installing Satellite in an IPv6 network, view the limitations and ensure that you meet the requirements.

To provision hosts in an IPv6 network, after installing Satellite, you must also configure Satellite for the UEFI HTTP boot provisioning. For more information, see Configuring Satellite for UEFI HTTP boot provisioning in an IPv6 network.

2.1. Limitations of Satellite installation in an IPv6 network

Satellite installation in an IPv6 network has the following limitations:

You can install Satellite and Capsules in IPv6-only systems, dual-stack installation is not supported.
Although Satellite provisioning templates include IPv6 support for PXE and HTTP (iPXE) provisioning, the only tested and certified provisioning workflow is the UEFI HTTP Boot provisioning. This limitation only relates to users who plan to use Satellite to provision hosts.

2.2. Requirements for Satellite installation in an IPv6 network

Before installing Satellite in an IPv6 network, ensure that you meet the following requirements:

You must deploy an external DHCP IPv6 server as a separate unmanaged service to bootstrap clients into GRUB2, which then configures IPv6 networking either using DHCPv6 or assigning static IPv6 address. This is required because the DHCP server in Red Hat Enterprise Linux (ISC DHCP) does not provide an integration API for managing IPv6 records, therefore the Capsule DHCP plugin that provides DHCP management is limited to IPv4 subnets.
You must deploy an external HTTP proxy server that supports both IPv4 and IPv6. This is required because Red Hat Content Delivery Network distributes content only over IPv4 networks, therefore you must use this proxy to pull content into the Satellite on your IPv6 network.
You must configure Satellite to use this dual stack (supporting both IPv4 and IPv6) HTTP proxy server as the default proxy. For more information, see Adding a Default HTTP Proxy to Satellite.

3. Installing Satellite Server

When you install Satellite Server from a connected network, you can obtain packages and receive updates directly from the Red Hat Content Delivery Network.

Note	You cannot register Satellite Server to itself.

Use the following procedures to install Satellite Server, perform the initial configuration, and import subscription manifests. For more information on subscription manifests, see Managing Red Hat Subscriptions in Managing content.

Note that the Satellite installation script is based on Puppet, which means that if you run the installation script more than once, it might overwrite any manual configuration changes. ⁠ To avoid this and determine which future changes apply, use the --noop argument when you run the installation script. This argument ensures that no actual changes are made. Potential changes are written to /var/log/foreman-installer/satellite.log.

Files are always backed up and so you can revert any unwanted changes. For example, in the foreman-installer logs, you can see an entry similar to the following about Filebucket:

/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1

You can restore the previous file as follows:

# puppet filebucket -l \
restore /etc/dhcp/dhcpd.conf 622d9820b8e764ab124367c68f5fa3a1

3.1. Configuring the HTTP proxy to connect to Red Hat CDN

Prerequisites

Your network gateway and the HTTP proxy must allow access to the following hosts:

Host name	Port	Protocol
subscription.rhsm.redhat.com	443	HTTPS
cdn.redhat.com	443	HTTPS
cert.console.redhat.com (if using Red Hat Insights)	443	HTTPS
api.access.redhat.com (if using Red Hat Insights)	443	HTTPS
cert-api.access.redhat.com (if using Red Hat Insights)	443	HTTPS
console.redhat.com (if using Red Hat Insights)	443	HTTPS
connect.cloud.redhat.com (if using Red Hat Insights)	443	HTTPS

Host name

Port

Protocol

subscription.rhsm.redhat.com

443

HTTPS

cdn.redhat.com

443

HTTPS

cert.console.redhat.com (if using Red Hat Insights)

443

HTTPS

api.access.redhat.com (if using Red Hat Insights)

443

HTTPS

cert-api.access.redhat.com (if using Red Hat Insights)

443

HTTPS

console.redhat.com (if using Red Hat Insights)

443

HTTPS

connect.cloud.redhat.com (if using Red Hat Insights)

443

HTTPS

Satellite Server uses SSL to communicate with the Red Hat CDN securely. An SSL interception proxy interferes with this communication. These hosts must be allowlisted on your HTTP proxy.

For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.

To configure the Subscription Manager with the HTTP proxy, follow the procedure below.

Procedure

On Satellite Server, complete the following details in the /etc/rhsm/rhsm.conf file:

# an http proxy server to use (enter server FQDN)
proxy_hostname = http-proxy.example.com

# port for http proxy server
proxy_port = 8080

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

3.2. Registering to Red Hat Subscription Management

Registering the host to Red Hat Subscription Management enables the host to subscribe to and consume content for any subscriptions available to the user. This includes content such as Red Hat Enterprise Linux and Red Hat Satellite.

Procedure

Register your system with the Red Hat Content Delivery Network, entering your Customer Portal user name and password when prompted:
```
# subscription-manager register
```
The command displays output similar to the following:
```
# subscription-manager register
Username: user_name
Password:
The system has been registered with ID: 541084ff2-44cab-4eb1-9fa1-7683431bcf9a
```

3.3. Configuring repositories

Procedure

Select the operating system and version you are installing on:

Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 8

3.3.1. Red Hat Enterprise Linux 9

Disable all repositories:

# subscription-manager repos --disable "*"

Enable the following repositories:

# subscription-manager repos \
--enable=rhel-9-for-x86_64-baseos-rpms \
--enable=rhel-9-for-x86_64-appstream-rpms \
--enable=satellite-6.16-for-rhel-9-x86_64-rpms \
--enable=satellite-maintenance-6.16-for-rhel-9-x86_64-rpms

Verification

Verify that the required repositories are enabled:
```
# dnf repolist enabled
```

3.3.2. Red Hat Enterprise Linux 8

Disable all repositories:

# subscription-manager repos --disable "*"

Enable the following repositories:

# subscription-manager repos \
--enable=rhel-8-for-x86_64-baseos-rpms \
--enable=rhel-8-for-x86_64-appstream-rpms \
--enable=satellite-6.16-for-rhel-8-x86_64-rpms \
--enable=satellite-maintenance-6.16-for-rhel-8-x86_64-rpms

Enable the DNF modules:

# dnf module enable satellite:el8

Note	If there is any warning about conflicts with Ruby or PostgreSQL while enabling `satellite:el8` module, see Troubleshooting DNF modules. For more information about modules and lifecycle streams on Red Hat Enterprise Linux 8, see Red Hat Enterprise Linux Application Streams Lifecycle.

Verification

Verify that the required repositories are enabled:
```
# dnf repolist enabled
```

3.4. Optional: Using fapolicyd on Satellite Server

By enabling fapolicyd on your Satellite Server, you can provide an additional layer of security by monitoring and controlling access to files and directories. The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.

You can turn on or off the fapolicyd on your Satellite Server or Capsule Server at any point.

3.4.1. Installing fapolicyd on Satellite Server

You can install fapolicyd along with Satellite Server or can be installed on an existing Satellite Server. If you are installing fapolicyd along with the new Satellite Server, the installation process will detect the fapolicyd in your Red Hat Enterprise Linux host and deploy the Satellite Server rules automatically.

Prerequisites

Ensure your host has access to the BaseOS repositories of Red Hat Enterprise Linux.

Procedure

For a new installation, install fapolicyd:
```
# dnf install fapolicyd
```
For an existing installation, install fapolicyd using satellite-maintain packages install:
```
# satellite-maintain packages install fapolicyd
```
Start the fapolicyd service:
```
# systemctl enable --now fapolicyd
```

Verification

Verify that the fapolicyd service is running correctly:
```
# systemctl status fapolicyd
```

New Satellite Server or Capsule Server installations

In case of new Satellite Server or Capsule Server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Red Hat Enterprise Linux host.

Additional resources

For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 9 Security hardening or Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 8 Security hardening.

3.5. Installing Satellite Server packages

Procedure

Update all packages:
```
# dnf upgrade
```
Install Satellite Server packages:
```
# dnf install satellite
```

3.6. Configuring Satellite Server

Install Satellite Server using the satellite-installer installation script.

This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the Satellite answer file. You can run the script as often as needed to configure any necessary options.

3.6.1. Configuring Satellite installation

This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, use a utility such as tmux that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/satellite.log to determine if the process completed successfully.

Considerations

Use the satellite-installer --scenario satellite --help command to display the most commonly used options and any default values.
Use the satellite-installer --scenario satellite --full-help command to display advanced options.
Specify a meaningful value for the option: --foreman-initial-organization. This can be your company name. An internal label that matches the value is also created and cannot be changed afterwards. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.
By default, all configuration files configured by the installer are managed. When satellite-installer runs, it overwrites any manual changes to the managed files with the intended values. This means that running the installer on a broken system should restore it to working order, regardless of changes made. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to Satellite.

Procedure

Enter the following command with any additional options that you want to use:

# satellite-installer --scenario satellite \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

The script displays its progress and writes logs to /var/log/foreman-installer/satellite.log.

3.7. Importing a Red Hat subscription manifest into Satellite Server

Use the following procedure to import a Red Hat subscription manifest into Satellite Server.

Note	Simple Content Access (SCA) is set on the organization, not the manifest. Importing a manifest does not change your organization’s Simple Content Access status.

Prerequisites

Ensure you have a Red Hat subscription manifest exported from the Red Hat Hybrid Cloud Console. For more information, see Creating and managing manifests for a connected Satellite Server in Subscription Central.

Procedure

In the Satellite web UI, ensure the context is set to the organization you want to use.
In the Satellite web UI, navigate to Content > Subscriptions and click Manage Manifest.
In the Manage Manifest window, click Choose File.
Navigate to the location that contains the Red Hat subscription manifest file, then click Open.

CLI procedure

Copy the Red Hat subscription manifest file from your local machine to Satellite Server:
```
$ scp ~/manifest_file.zip root@satellite.example.com:~/.
```
Log in to Satellite Server as the root user and import the Red Hat subscription manifest file:
```
# hammer subscription upload \
--file ~/manifest_file.zip \
--organization "My_Organization"
```

You can now enable repositories and import Red Hat content. For more information, see Importing Content in Managing content.

4. Performing additional configuration on Satellite Server

4.1. Using Red Hat Insights with Satellite Server

You can use Red Hat Insights to diagnose systems and downtime related to security exploits, performance degradation and stability failures. You can use the dashboard to quickly identify key risks to stability, security, and performance. You can sort by category, view details of the impact and resolution, and then determine what systems are affected.

Note that you do not require a Red Hat Insights entitlement in your subscription manifest. For more information about Satellite and Red Hat Insights, see Red Hat Insights on Satellite Red Hat Enterprise Linux (RHEL).

To maintain your Satellite Server, and improve your ability to monitor and diagnose problems you might have with Satellite, install Red Hat Insights on Satellite Server and register Satellite Server with Red Hat Insights.

Scheduling insights-client

Note that you can change the default schedule for running insights-client by configuring insights-client.timer on Satellite. For more information, see Changing the insights-client schedule in the Client Configuration Guide for Red Hat Insights.

Procedure

To install Red Hat Insights on Satellite Server, enter the following command:
```
# satellite-maintain packages install insights-client
```
To register Satellite Server with Red Hat Insights, enter the following command:
```
# satellite-installer --register-with-insights
```

4.2. Disabling Red Hat Insights registration

After you install or upgrade Satellite, you can choose to unregister or register Red Hat Insights as needed. For example, if you need to use Satellite in a disconnected environment, you can unregister insights-client from Satellite Server.

Prerequisites

You have registered Satellite to Red Hat Customer Portal.

Procedure

Optional: To unregister Red Hat Insights from Satellite Server, enter the following command:
```
# insights-client --unregister
```
Optional: To register Satellite Server with Red Hat Insights, enter the following command:
```
# satellite-installer --register-with-insights
```

4.3. Enabling and synchronizing the Red Hat Satellite Client 6 repository

The Red Hat Satellite Client 6 repository provides the katello-host-tools and puppet packages for hosts registered to Satellite. You must periodically synchronize the repository from the Red Hat Content Delivery Network (CDN) to your Satellite Server and enable the repository on your hosts.

4.3.1. Synchronizing the Red Hat Satellite Client 6 repository for Red Hat Enterprise Linux 9 and Red Hat Enterprise Linux 8

To use the CLI instead of the Satellite web UI, see the procedure relevant for your Red Hat Enterprise Linux version:

CLI procedure for Red Hat Enterprise Linux 9
CLI procedure for Red Hat Enterprise Linux 8

Procedure

In the Satellite web UI, navigate to Content > Sync Status.
Click the arrow next to the Red Hat Enterprise Linux for x86_64 product to view available content.
Select Red Hat Satellite Client 6 for RHEL 9 x86_64 RPMs or Red Hat Satellite Client 6 for RHEL 8 x86_64 RPMs.
Click Synchronize Now.

CLI procedure for Red Hat Enterprise Linux 9

Synchronize your Red Hat Satellite Client 6 repository:

# hammer repository synchronize \
--name "Red Hat Satellite Client 6 for RHEL 9 x86_64 RPMs" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux for x86_64"

CLI procedure for Red Hat Enterprise Linux 8

Synchronize your Red Hat Satellite Client 6 repository:

# hammer repository synchronize \
--name "Red Hat Satellite Client 6 for RHEL 8 x86_64 RPMs" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux for x86_64"

Additional resources

For details about the hammer repository synchronize command, enter hammer repository synchronize --help.

4.3.2. Synchronizing the Red Hat Satellite Client 6 repository for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 6

Note	You require Red Hat Enterprise Linux Extended Lifecycle Support (ELS) Add-on subscription to synchronize the repositories of Red Hat Enterprise Linux 6. For more information, see Red Hat Enterprise Linux Extended Lifecycle Support (ELS) Add-on guide.

To use the CLI instead of the Satellite web UI, see the procedure relevant for your Red Hat Enterprise Linux version:

CLI procedure for Red Hat Enterprise Linux 7
CLI procedure for Red Hat Enterprise Linux 6

Procedure

In the Satellite web UI, navigate to Content > Sync Status.
Click the arrow next to the Red Hat Enterprise Linux Server or Red Hat Enterprise Linux Server - Extended Lifecycle Support.
Select Red Hat Satellite Client 6 (for RHEL 7 Server) RPMs x86_64 or Red Hat Satellite Client 6 for RHEL 6 Server - ELS RPMs x86_64 based on your operating system version.
Click Synchronize Now.

CLI procedure for Red Hat Enterprise Linux 7

Synchronize your Red Hat Satellite Client 6 repository:

# hammer repository synchronize \
--async \
--name "Red Hat Satellite Client 6 for RHEL 7 Server RPMs x86_64" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux Server"

CLI procedure for Red Hat Enterprise Linux 6

Synchronize your Red Hat Satellite Client 6 repository:

# hammer repository synchronize \
--async \
--name "Red Hat Satellite Client 6 for RHEL 6 Server - ELS RPMs x86_64" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux Server - Extended Lifecycle Support"

Additional resources

For details about the hammer repository synchronize command, enter hammer repository synchronize --help.

4.3.3. Enabling the Red Hat Satellite Client 6 repository for Red Hat Enterprise Linux 9 and Red Hat Enterprise Linux 8

To use the CLI instead of the Satellite web UI, see the procedure relevant for your Red Hat Enterprise Linux version:

CLI procedure for Red Hat Enterprise Linux 9
CLI procedure for Red Hat Enterprise Linux 8

Procedure

In the Satellite web UI, navigate to Content > Red Hat Repositories.
In the Available Repositories pane, enable the Recommended Repositories to get the list of repositories.
Click Red Hat Satellite Client 6 for RHEL 9 x86_64 (RPMs) or Red Hat Satellite Client 6 for RHEL 8 x86_64 (RPMs) to expand the repository set.
For the x86_64 architecture, click the + icon to enable the repository.

If the Red Hat Satellite Client 6 items are not visible, it may be because they are not included in the Red Hat subscription manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the Red Hat subscription manifest and import it into Satellite. For more information, see Managing Red Hat Subscriptions in Managing content.

Enable the Red Hat Satellite Client 6 repository for every supported major version of Red Hat Enterprise Linux running on your hosts. After enabling a Red Hat repository, a Product for this repository is automatically created.

CLI procedure for Red Hat Enterprise Linux 9

Enable the Red Hat Satellite Client 6 repository:

# hammer repository-set enable \
--basearch="x86_64" \
--name "Red Hat Satellite Client 6 for RHEL 9 x86_64 (RPMs)" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux for x86_64"

CLI procedure for Red Hat Enterprise Linux 8

Enable the Red Hat Satellite Client 6 repository:

# hammer repository-set enable \
--basearch="x86_64" \
--name "Red Hat Satellite Client 6 for RHEL 8 x86_64 (RPMs)" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux for x86_64"

Additional resources

For details about the hammer repository-set enable command, enter hammer repository-set enable --help.

4.3.4. Enabling the Red Hat Satellite Client 6 repository for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 6

Note	You require Red Hat Enterprise Linux Extended Lifecycle Support (ELS) Add-on subscription to enable the repositories of Red Hat Enterprise Linux 6. For more information, see Red Hat Enterprise Linux Extended Lifecycle Support (ELS) Add-on guide.

To use the CLI instead of the Satellite web UI, see the procedure relevant for your Red Hat Enterprise Linux version:

CLI procedure for Red Hat Enterprise Linux 7
CLI procedure for Red Hat Enterprise Linux 6

Procedure

In the Satellite web UI, navigate to Content > Red Hat Repositories.
In the Available Repositories pane, enable the Recommended Repositories to get the list of repositories.
In the Available Repositories pane, click on Red Hat Satellite Client 6 (for RHEL 7 Server) (RPMs) or Red Hat Satellite Client 6 (for RHEL 6 Server - ELS) (RPMs) to expand the repository set.

If the Red Hat Satellite Client 6 items are not visible, it may be because they are not included in the Red Hat subscription manifest obtained from the Customer Portal. To correct that, log in to the Customer Portal, add these repositories, download the Red Hat subscription manifest and import it into Satellite. For more information, see Managing Red Hat Subscriptions in Managing content.
For the x86_64 architecture, click the + icon to enable the repository. Enable the Red Hat Satellite Client 6 repository for every supported major version of Red Hat Enterprise Linux running on your hosts. After enabling a Red Hat repository, a Product for this repository is automatically created.

CLI procedure for Red Hat Enterprise Linux 7

Enable the Red Hat Satellite Client 6 repository:

# hammer repository-set enable \
--basearch="x86_64" \
--name "Red Hat Satellite Client 6 (for RHEL 7 Server) (RPMs)" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux Server"

CLI procedure for Red Hat Enterprise Linux 6

Enable the Red Hat Satellite Client 6 repository:

# hammer repository-set enable \
--basearch="x86_64" \
--name "Red Hat Satellite Client 6 (for RHEL 6 Server - ELS) (RPMs)" \
--organization "My_Organization" \
--product "Red Hat Enterprise Linux Server - Extended Lifecycle Support"

Additional resources

For details about the hammer repository-set enable command, enter hammer repository-set enable --help.

4.4. Configuring pull-based transport for remote execution

By default, remote execution uses push-based SSH as the transport mechanism for the Script provider. If your infrastructure prohibits outgoing connections from Satellite Server to hosts, you can use remote execution with pull-based transport instead, because the host initiates the connection to Satellite Server. The use of pull-based transport is not limited to those infrastructures.

The pull-based transport comprises pull-mqtt mode on Capsules in combination with a pull client running on hosts.

Note	The `pull-mqtt` mode works only with the Script provider. Ansible and other providers will continue to use their default transport settings.

Procedure

Enable the pull-based transport on your Satellite Server:

# satellite-installer --foreman-proxy-plugin-remote-execution-script-mode=pull-mqtt

Configure the firewall to allow the MQTT service on port 1883:
```
# firewall-cmd --add-service=mqtt
```
Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```
In pull-mqtt mode, hosts subscribe for job notifications to either your Satellite Server or any Capsule Server through which they are registered. Ensure that Satellite Server sends remote execution jobs to that same Satellite Server or Capsule Server:
1. In the Satellite web UI, navigate to Administer > Settings.
2. On the Content tab, set the value of Prefer registered through Capsule for remote execution to Yes.

Next steps

Configure your hosts for the pull-based transport. For more information, see Transport modes for remote execution in Managing hosts.

4.5. Configuring Satellite for UEFI HTTP boot provisioning in an IPv6 network

Use this procedure to configure Satellite to provision hosts in an IPv6 network with UEFI HTTP Boot provisioning.

Prerequisites

Ensure that your clients can access DHCP and HTTP servers.
Ensure that the UDP ports 67 and 68 are accessible by clients so clients can send DHCP requests and receive DHCP offers.
Ensure that the TCP port 8000 is open for clients to download files and Kickstart templates from Satellite and Capsules.
Ensure that the host provisioning interface subnet has an HTTP Boot Capsule, and Templates Capsule set. For more information, see Adding a Subnet to Satellite Server in Provisioning hosts.
In the Satellite web UI, navigate to Administer > Settings > Provisioning and ensure that the Token duration setting is not set to 0. Satellite cannot identify clients that are booting from the network by a remote IPv6 address because of unmanaged DHCPv6 service, therefore provisioning tokens must be enabled.

Procedure

You must disable DHCP management in the installer or not use it.
For all IPv6 subnets created in Satellite, set the DHCP Capsule to blank.
Optional: If the host and the DHCP server are separated by a router, configure the DHCP relay agent and point to the DHCP server.
On Satellite or Capsule from which you provision, update the grub2-efi package to the latest version:
```
# satellite-maintain packages update grub2-efi
```

4.6. Configuring Satellite Server with an HTTP proxy

Use the following procedures to configure Satellite with an HTTP proxy.

4.6.1. Adding a default HTTP proxy to Satellite

If your network uses an HTTP Proxy, you can configure Satellite Server to use an HTTP proxy for requests to the Red Hat Content Delivery Network (CDN) or another content source. Use the FQDN instead of the IP address where possible to avoid losing connectivity because of network changes.

The following procedure configures a proxy only for downloading content for Satellite. To use the CLI instead of the Satellite web UI, see the CLI procedure.

Procedure

In the Satellite web UI, navigate to Infrastructure > HTTP Proxies.
Click New HTTP Proxy.
In the Name field, enter the name for the HTTP proxy.
In the Url field, enter the URL of the HTTP proxy in the following format: https://http-proxy.example.com:8080.
Optional: If authentication is required, in the Username field, enter the username to authenticate with.
Optional: If authentication is required, in the Password field, enter the password to authenticate with.
To test connection to the proxy, click Test Connection.
Click Submit.
In the Satellite web UI, navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to the created HTTP proxy.

CLI procedure

Verify that the http_proxy, https_proxy, and no_proxy variables are not set:
```
# unset http_proxy https_proxy no_proxy
```

Add an HTTP proxy entry to Satellite:

# hammer http-proxy create \
--name=My_HTTP_Proxy \
--username=My_HTTP_Proxy_User_Name \
--password=My_HTTP_Proxy_Password \
--url http://http-proxy.example.com:8080

Configure Satellite to use this HTTP proxy by default:

# hammer settings set \
--name=content_default_http_proxy \
--value=My_HTTP_Proxy

4.6.2. Configuring SELinux to ensure access to Satellite on custom ports

SELinux ensures access of Red Hat Satellite and Subscription Manager only to specific ports. In the case of the HTTP cache, the TCP ports are 8080, 8118, 8123, and 10001 – 10010. If you use a port that does not have SELinux type http_cache_port_t, complete the following steps.

Procedure

On Satellite, to verify the ports that are permitted by SELinux for the HTTP cache, enter a command as follows:

# semanage port -l | grep http_cache
http_cache_port_t       tcp    8080, 8118, 8123, 10001-10010
[output truncated]

To configure SELinux to permit a port for the HTTP cache, for example 8088, enter a command as follows:
```
# semanage port -a -t http_cache_port_t -p tcp 8088
```

4.6.3. Using an HTTP proxy for all Satellite HTTP requests

If your Satellite Server must remain behind a firewall that blocks HTTP and HTTPS, you can configure a proxy for communication with external systems, including compute resources.

Note that if you are using compute resources for provisioning, and you want to use a different HTTP proxy with the compute resources, the proxy that you set for all Satellite communication takes precedence over the proxies that you set for compute resources.

Procedure

In the Satellite web UI, navigate to Administer > Settings.
In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

# hammer settings set --name=http_proxy --value=Proxy_URL

4.6.4. Excluding hosts from receiving proxied requests

If you use an HTTP Proxy for all Satellite HTTP or HTTPS requests, you can prevent certain hosts from communicating through the proxy.

Procedure

In the Satellite web UI, navigate to Administer > Settings.
In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.
Click the tick icon to save your changes.

CLI procedure

Enter the following command:

# hammer settings set --name=http_proxy_except_list --value=[hostname1.hostname2...]

4.6.5. Resetting the HTTP proxy

If you want to reset the current HTTP proxy setting, unset the Default HTTP Proxy setting.

Procedure

In the Satellite web UI, navigate to Administer > Settings, and click the Content tab.
Set the Default HTTP Proxy setting to no global default.

CLI procedure

Set the content_default_http_proxy setting to an empty string:

# hammer settings set --name=content_default_http_proxy --value=""

4.7. Enabling power management on hosts

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Satellite Server.

Prerequisites

All hosts must have a network interface of BMC type. Satellite Server uses this NIC to pass the appropriate credentials to the host. For more information, see Adding a Baseboard Management Controller (BMC) Interface in Managing hosts.

Procedure

To enable BMC, enter the following command:

# satellite-installer \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

4.8. Configuring DNS, DHCP, and TFTP

You can manage DNS, DHCP, and TFTP centrally within the Satellite environment, or you can manage them independently after disabling their maintenance on Satellite. You can also run DNS, DHCP, and TFTP externally, outside of the Satellite environment.

4.8.1. Configuring DNS, DHCP, and TFTP on Satellite Server

To configure the DNS, DHCP, and TFTP services on Satellite Server, use the satellite-installer command with the options appropriate for your environment.

Any changes to the settings require entering the satellite-installer command again. You can enter the command multiple times and each time it updates all configuration files with the changed values.

Prerequisites

Ensure that the following information is available to you:
- DHCP IP address ranges
- DHCP gateway IP address
- DHCP nameserver IP address
- DNS information
- TFTP server name
Use the FQDN instead of the IP address where possible in case of network changes.
Contact your network administrator to ensure that you have the correct settings.

Procedure

Enter the satellite-installer command with the options appropriate for your environment. The following example shows configuring full provisioning services:

# satellite-installer \
--foreman-proxy-dns true \
--foreman-proxy-dns-managed true \
--foreman-proxy-dns-zone example.com \
--foreman-proxy-dns-reverse 2.0.192.in-addr.arpa \
--foreman-proxy-dhcp true \
--foreman-proxy-dhcp-managed true \
--foreman-proxy-dhcp-range "192.0.2.100 192.0.2.150" \
--foreman-proxy-dhcp-gateway 192.0.2.1 \
--foreman-proxy-dhcp-nameservers 192.0.2.2 \
--foreman-proxy-tftp true \
--foreman-proxy-tftp-managed true \
--foreman-proxy-tftp-servername 192.0.2.3

You can monitor the progress of the satellite-installer command displayed in your prompt. You can view the logs in /var/log/foreman-installer/satellite.log.

Additional resources

For more information about the satellite-installer command, enter satellite-installer --help.

4.8.2. Disabling DNS, DHCP, and TFTP for unmanaged networks

If you want to manage TFTP, DHCP, and DNS services manually, you must prevent Satellite from maintaining these services on the operating system and disable orchestration to avoid DHCP and DNS validation errors.

Important

Disabling these Capsule features means Satellite will no longer orchestrate DNS, DHCP, and TFTP, but it does not stop or remove the corresponding services.

Procedure

Disable DHCP, DNS, and TFTP integration on your Satellite Server:

# satellite-installer --foreman-proxy-dhcp false \
--foreman-proxy-dns false \
--foreman-proxy-tftp false

Disable the Capsule integration for every subnet:
1. In the Satellite web UI, navigate to Infrastructure > Subnets.
2. Select a subnet.
3. On the Capsules tab, clear the DHCP Capsule, TFTP Capsule, and Reverse DNS Capsule fields.
In the Satellite web UI, navigate to Infrastructure > Domains and select a domain.
Clear the DNS Capsule field.
Optional: If you use a DHCP service supplied by a third party, configure your DHCP server to pass the following options:
```
Option 66: IP address of Satellite or Capsule
Option 67: /pxelinux.0
```
For more information about DHCP options, see RFC 2132.

Note

Satellite does not perform orchestration when a Capsule is not set for a given subnet and domain. When enabling or disabling Capsule associations, orchestration commands for existing hosts can fail if the expected records and configuration files are not present. When associating a Capsule to turn orchestration on, ensure the required DHCP and DNS records as well as the TFTP files are in place for the existing Satellite hosts in order to prevent host deletion failures in the future.

4.8.3. Additional resources

For more information about configuring DNS, DHCP, and TFTP externally, see Configuring Satellite Server with external services.
For more information about configuring DHCP, DNS, and TFTP services, see Configuring Network Services in Provisioning hosts.

4.9. Configuring Satellite Server for outgoing emails

To send email messages from Satellite Server, you can use either an SMTP server, or the sendmail command.

Prerequisites

Some SMTP servers with anti-spam protection or grey-listing features are known to cause problems. To setup outgoing email with such a service either install and configure a vanilla SMTP service on Satellite Server for relay or use the sendmail command instead.

Procedure

In the Satellite web UI, navigate to Administer > Settings.

Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

The following example shows the configuration options for using an SMTP server:

Table 5. Using an SMTP server as a delivery method
Name	Example value	Additional information
Delivery method	SMTP
SMTP address	smtp.example.com
SMTP authentication	login
SMTP HELO/EHLO domain	example.com
SMTP password	password	Use the login credentials for the SMTP server.
SMTP port	25
SMTP username	user@example.com	Use the login credentials for the SMTP server.

The following example uses gmail.com as an SMTP server:

Table 6. Using gmail.com as an SMTP server
Name	Example value	Additional information
Delivery method	SMTP
SMTP address	smtp.gmail.com
SMTP authentication	plain
SMTP HELO/EHLO domain	smtp.gmail.com
SMTP enable StartTLS auto	Yes
SMTP password	app password	Use the Google app password. For more information, see Sign in with app passwords in Google Help Center.
SMTP port	587
SMTP username	user@gmail.com	Use the Google account name.

The following example uses the sendmail command as a delivery method:

Table 7. Using sendmail as a delivery method
Name	Example value	Additional information
Delivery method	Sendmail
Sendmail location	/usr/sbin/sendmail	For security reasons, both Sendmail location and Sendmail argument settings are read-only and can be only set in `/etc/foreman/settings.yaml`. Both settings currently cannot be set via `satellite-installer`. For more information see the sendmail 1 man page.
Sendmail arguments	-i

If you decide to send email using an SMTP server which uses TLS authentication, also perform one of the following steps:
- Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Satellite Server:
  # cp mailca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust enable # update-ca-trust
  Where mailca.crt is the CA certificate of the SMTP server.
- Alternatively, in the Satellite web UI, set the SMTP enable StartTLS auto option to No.
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the Satellite web UI displays an error. See the log at /var/log/foreman/production.log for further details.

Additional resources

For information on configuring email notifications for individual users or user groups, see Configuring Email Notification Preferences in Administering Red Hat Satellite.

4.10. Configuring an alternate CNAME for Satellite

You can configure an alternate CNAME for Satellite. This might be useful if you want to deploy the Satellite web interface on a different domain name than the one that is used by client systems to connect to Satellite. You must plan the alternate CNAME configuration in advance prior to installing Capsules and registering hosts to Satellite to avoid redeploying new certificates to hosts.

4.10.1. Configuring Satellite with an alternate CNAME

Use this procedure to configure Satellite with an alternate CNAME. Note that the procedures for users of a default Satellite certificate and custom certificate differ.

For default Satellite certificate users

If you have installed Satellite with a default Satellite certificate and want to configure Satellite with an alternate CNAME, enter the following command on Satellite to generate a new default Satellite SSL certificate with an additional CNAME.
```
# satellite-installer --certs-cname alternate_fqdn --certs-update-server
```
If you have not installed Satellite, you can add the --certs-cname alternate_fqdn option to the satellite-installer command to install Satellite with an alternate CNAME.

For custom certificate users

If you use Satellite with a custom certificate, when creating a custom certificate, include the alternate CNAME records to the custom certificate. For more information, see Creating a Custom SSL Certificate for Satellite Server.

4.10.2. Configuring hosts to use an alternate Satellite CNAME for content management

If Satellite is configured with an alternate CNAME, you can configure hosts to use the alternate Satellite CNAME for content management. To do this, you must point hosts to the alternate Satellite CNAME prior to registering the hosts to Satellite. You can do this using the bootstrap script or manually.

Configuring hosts with the bootstrap script

On the host, run the bootstrap script with the --server alternate_fqdn.example.com option to register the host to the alternate Satellite CNAME:

# ./bootstrap.py --server alternate_fqdn.example.com

Configuring hosts manually

On the host, edit the /etc/rhsm/rhsm.conf file to update hostname and baseurl settings to point to the alternate host name, for example:

[server]
# Server hostname:
hostname = alternate_fqdn.example.com

content omitted

[rhsm]
# Content base URL:
baseurl=https://alternate_fqdn.example.com/pulp/content/

Now you can register the host with the subscription-manager.

4.11. Configuring Satellite Server with a custom SSL certificate

By default, Red Hat Satellite uses a self-signed SSL certificate to enable encrypted communications between Satellite Server, external Capsule Servers, and all hosts. If you cannot use a Satellite self-signed certificate, you can configure Satellite Server to use an SSL certificate signed by an external certificate authority (CA).

When you configure Red Hat Satellite with custom SSL certificates, you must fulfill the following requirements:

You must use the privacy-enhanced mail (PEM) encoding for the SSL certificates.
You must not use the same SSL certificate for both Satellite Server and Capsule Server.
The same CA must sign certificates for Satellite Server and Capsule Server.
An SSL certificate must not also be a CA certificate.
An SSL certificate must include a subject alt name (SAN) entry that matches the common name (CN).
An SSL certificate must be allowed for Key Encipherment using a Key Usage extension.
An SSL certificate must not have a shortname as the CN.
You must not set a passphrase for the private key.

To configure your Satellite Server with a custom certificate, complete the following procedures:

Creating a custom SSL certificate for Satellite Server
Deploying a custom SSL certificate to Satellite Server
Deploying a custom SSL certificate to hosts
If you have external Capsule Servers registered to Satellite Server, configure them with custom SSL certificates. For more information, see Configuring Capsule Server with a Custom SSL Certificate in Installing Capsule Server.

4.11.1. Creating a custom SSL certificate for Satellite Server

Use this procedure to create a custom SSL certificate for Satellite Server. If you already have a custom SSL certificate for Satellite Server, skip this procedure.

Procedure

To store all the source certificate files, create a directory that is accessible only to the root user:
```
# mkdir /root/satellite_cert
```
Create a private key with which to sign the certificate signing request (CSR).

Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

If you already have a private key for this Satellite Server, skip this step.
```
# openssl genrsa -out /root/satellite_cert/satellite_cert_key.pem 4096
```

Create the /root/satellite_cert/openssl.cnf configuration file for the CSR and include the following content:

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = satellite.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = satellite.example.com

For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:

[req_distinguished_name]
CN = satellite.example.com
countryName =My_Country_Name (1)
stateOrProvinceName = My_State_Or_Province_Name (2)
localityName = My_Locality_Name (3)
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name (4)

Two letter code
Full name
Full name (example: New York)
Division responsible for the certificate (example: IT department)

Generate CSR:

# openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \ (1)
-config /root/satellite_cert/openssl.cnf \ (2)
-out /root/satellite_cert/satellite_cert_csr.pem (3)

Path to the private key
Path to the configuration file
Path to the CSR to generate

Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

4.11.2. Deploying a custom SSL certificate to Satellite Server

Use this procedure to configure your Satellite Server to use a custom SSL certificate signed by a Certificate Authority.

Important

Do not store the SSL certificates or .tar bundles in /tmp or /var/tmp directory. The operating system removes files from these directories periodically. As a result, satellite-installer fails to execute while enabling features or upgrading Satellite Server.

Procedure

Update certificates on your Satellite Server:

# satellite-installer \
--certs-server-cert "/root/satellite_cert/satellite_cert.pem" \ (1)
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \ (2)
--certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \ (3)
--certs-update-server --certs-update-server-ca

Path to Satellite Server certificate file that is signed by a Certificate Authority.
Path to the private key that was used to sign Satellite Server certificate.
Path to the Certificate Authority bundle.

Verification

On a computer with network access to Satellite Server, navigate to the following URL: https://satellite.example.com.
In your browser, view the certificate details to verify the deployed certificate.

4.11.3. Deploying a custom SSL certificate to hosts

After you configure Satellite to use a custom SSL certificate, you must deploy the certificate to hosts registered to Satellite.

Procedure

Update the SSL certificate on each host:

# dnf install http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm

4.12. Resetting custom SSL certificate to default self-signed certificate on Satellite Server

Procedure

Reset the custom SSL certificate to default self-signed certificate:
```
# satellite-installer --certs-reset
```

Verification

Verify that the following parameters in /etc/foreman-installer/scenarios.d/satellite-answers.yaml have no values:

server_cert:
server_key:
server_cert_req:
server_ca_cert:

Additional resources

Reset custom SSL certificate to default self-signed certificate on Capsule Server in Installing Capsule Server.
Reset custom SSL certificate to default self-signed certificate on hosts in Managing hosts.

4.13. Using external databases with Satellite

As part of the installation process for Red Hat Satellite, the satellite-installer command installs PostgreSQL databases on the same server as Satellite. In certain Satellite deployments, using external databases instead of the default local databases can help with the server load.

Red Hat does not provide support or tools for external database maintenance. This includes backups, upgrades, and database tuning. You must have your own database administrator to support and maintain external databases.

To create and use external databases for Satellite, you must complete the following procedures:

Preparing a host for external databases. Prepare a host for the external databases.
Installing PostgreSQL. Prepare PostgreSQL with databases for Satellite, Candlepin and Pulp with dedicated users owning them.
Configuring Satellite Server to use external databases. Edit the parameters of satellite-installer to point to the new databases, and run satellite-installer.

4.13.1. PostgreSQL as an external database considerations

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you decide if this option is right for your Satellite configuration. Satellite supports PostgreSQL version 12.

Advantages of external PostgreSQL

Increase in free memory and free CPU on Satellite
Flexibility to set shared_buffers on the PostgreSQL database to a high number without the risk of interfering with other services on Satellite
Flexibility to tune the PostgreSQL server’s system without adversely affecting Satellite operations

Disadvantages of external PostgreSQL

Increase in deployment complexity that can make troubleshooting more difficult
The external PostgreSQL server is an additional system to patch and maintain
If either Satellite or the PostgreSQL database server suffers a hardware or storage failure, Satellite is not operational
If there is latency between the Satellite server and database server, performance can suffer

If you suspect that the PostgreSQL database on your Satellite is causing performance problems, use the information in Satellite 6: How to enable postgres query logging to detect slow running queries to determine if you have slow queries. Queries that take longer than one second are typically caused by performance issues with large installations, and moving to an external database might not help. If you have slow queries, contact Red Hat Support.

4.13.2. Preparing a host for external databases

Install a freshly provisioned system with the latest Red Hat Enterprise Linux 9 or Red Hat Enterprise Linux 8 to host the external databases.

Subscriptions for Red Hat Enterprise Linux do not provide the correct service level agreement for using Satellite with external databases. You must also attach a Satellite subscription to the base operating system that you want to use for the external databases.

Prerequisites

The prepared host must meet Satellite’s Storage Requirements.
You must attach a Satellite subscription to your server. For more information about subscription, see Attaching the Satellite Infrastructure Subscription in Installing Satellite Server in a connected network environment.

Procedure

Select the operating system and version you are installing external database on:

Red Hat Enterprise Linux 9
Red Hat Enterprise Linux 8

Red Hat Enterprise Linux 9

Disable all repositories:

# subscription-manager repos --disable "*"

Enable the following repositories:

# subscription-manager repos \
--enable=satellite-6.16-for-rhel-9-x86_64-rpms \
--enable=satellite-maintenance-6.16-for-rhel-9-x86_64-rpms \
--enable=rhel-9-for-x86_64-baseos-rpms \
--enable=rhel-9-for-x86_64-appstream-rpms

Verification

Verify that the required repositories are enabled:
```
# dnf repolist enabled
```

Red Hat Enterprise Linux 8

Disable all repositories:

# subscription-manager repos --disable "*"

Enable the following repositories:

# subscription-manager repos \
--enable=satellite-6.16-for-rhel-8-x86_64-rpms \
--enable=satellite-maintenance-6.16-for-rhel-8-x86_64-rpms \
--enable=rhel-8-for-x86_64-baseos-rpms \
--enable=rhel-8-for-x86_64-appstream-rpms

Enable the following module:

# dnf module enable satellite:el8

Note

Enablement of the module satellite:el8 warns about a conflict with postgresql:10 and ruby:2.5 as these modules are set to the default module versions on Red Hat Enterprise Linux 8. The module satellite:el8 has a dependency for the modules postgresql:12 and ruby:2.7 that will be enabled with the satellite:el8 module. These warnings do not cause installation process failure, hence can be ignored safely. For more information about modules and lifecycle streams on Red Hat Enterprise Linux 8, see Red Hat Enterprise Linux Application Streams Lifecycle.

Verification

Verify that the required repositories are enabled:
```
# dnf repolist enabled
```

4.13.3. Installing PostgreSQL

You can install only the same version of PostgreSQL that is installed with the satellite-installer tool during an internal database installation. Satellite supports PostgreSQL version 12.

Procedure

To install PostgreSQL, enter the following command:

# dnf install postgresql-server postgresql-evr postgresql-contrib

To initialize PostgreSQL, enter the following command:
```
# postgresql-setup initdb
```
Edit the /var/lib/pgsql/data/postgresql.conf file:
```
# vi /var/lib/pgsql/data/postgresql.conf
```
Note that the default configuration of external PostgreSQL needs to be adjusted to work with Satellite. The base recommended external database configuration adjustments are as follows:
- checkpoint_completion_target: 0.9
- max_connections: 500
- shared_buffers: 512MB
- work_mem: 4MB
Remove the # and edit to listen to inbound connections:
```
listen_addresses = '*'
```
Add the following line to the end of the file to use SCRAM for authentication:
```
password_encryption=scram-sha-256
```
Edit the /var/lib/pgsql/data/pg_hba.conf file:
```
# vi /var/lib/pgsql/data/pg_hba.conf
```

Add the following line to the file:

  host  all   all   Satellite_ip/32   scram-sha-256

To start, and enable PostgreSQL service, enter the following commands:
```
# systemctl enable --now postgresql
```
Open the postgresql port on the external PostgreSQL server:
```
# firewall-cmd --add-service=postgresql
```
Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```
Switch to the postgres user and start the PostgreSQL client:
```
$ su - postgres -c psql
```

Create three databases and dedicated roles: one for Satellite, one for Candlepin, and one for Pulp:

CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
CREATE USER "pulp" WITH PASSWORD 'Pulpcore_Password';
CREATE DATABASE foreman OWNER foreman;
CREATE DATABASE candlepin OWNER candlepin;
CREATE DATABASE pulpcore OWNER pulp;

Connect to the Pulp database:

postgres=# \c pulpcore
You are now connected to database "pulpcore" as user "postgres".

Create the hstore extension:

pulpcore=# CREATE EXTENSION IF NOT EXISTS "hstore";
CREATE EXTENSION

Exit the postgres user:
```
# \q
```

From Satellite Server, test that you can access the database. If the connection succeeds, the commands return 1.

# PGPASSWORD='Foreman_Password' psql -h postgres.example.com  -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
# PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"
# PGPASSWORD='Pulpcore_Password' psql -h postgres.example.com -p 5432 -U pulp -d pulpcore -c "SELECT 1 as ping"

4.13.4. Configuring Satellite Server to use external databases

Use the satellite-installer command to configure Satellite to connect to an external PostgreSQL database.

Prerequisites

You have installed and configured a PostgreSQL database on a Red Hat Enterprise Linux server.

Procedure

To configure the external databases for Satellite, enter the following command:

# satellite-installer \
--katello-candlepin-manage-db false \
--katello-candlepin-db-host postgres.example.com \
--katello-candlepin-db-name candlepin \
--katello-candlepin-db-user candlepin \
--katello-candlepin-db-password Candlepin_Password \
--foreman-proxy-content-pulpcore-manage-postgresql false \
--foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
--foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
--foreman-proxy-content-pulpcore-postgresql-user pulp \
--foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
--foreman-db-manage false \
--foreman-db-host postgres.example.com \
--foreman-db-database foreman \
--foreman-db-username foreman \
--foreman-db-password Foreman_Password

To enable the Secure Sockets Layer (SSL) protocol for these external databases, add the following options:

--foreman-db-root-cert <path_to_CA>
--foreman-db-sslmode verify-full
--foreman-proxy-content-pulpcore-postgresql-ssl true
--foreman-proxy-content-pulpcore-postgresql-ssl-root-ca <path_to_CA>
--katello-candlepin-db-ssl true
--katello-candlepin-db-ssl-ca <path_to_CA>
--katello-candlepin-db-ssl-verify true

5. Configuring external authentication and enabling single sign-on and two-factor authentication

If you store users in an external identity provider, you can connect the provider to your Satellite Server to enable these users to log in to Satellite. Some external identity providers also enable you to implement authentication features such as single sign-on or two-factor authentication in Satellite, providing an additional layer of security.

Satellite derives user and user group permissions based on user group membership defined in the external identity provider.

5.1. Configuring an LDAP server as an external identity provider for Satellite

Lightweight Directory Access Protocol (LDAP) is a set of open protocols used to access centrally stored information over a network. With Satellite, you can use one or multiple LDAP directories for external authentication.

Note

While you can configure the LDAP server integrated with Identity Management as an external authentication source, Identity Management users will not be able to log in using single sign-on. Instead, consider configuring Identity Management as an external identity provider. For more information, see Configuring Kerberos single sign-on with Identity Management in Satellite.

Important

Users cannot use both Identity Management and LDAP as an authentication method. After a user authenticates by using one of these methods, they cannot use the other method.

To change the authentication method for a user, remove the automatically created user from Satellite.

5.1.1. Configuring TLS for secure LDAP

If Satellite uses TLS to establish a secure LDAP connection (LDAPS), you must obtain the CA certificates of your LDAP server and add them to the trusted CA list on the base operating system of your Satellite Server.

If your LDAP server uses a certificate chain with intermediate certificate authorities, you must obtain all root and intermediate certificates and add them to the trusted CA list.

Procedure

Obtain the CA certificate from the LDAP Server:
1. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base64 encoded X.509 format. See How to configure Active Directory authentication with TLS on Satellite for information on creating and exporting a CA certificate from an Active Directory server.
2. Download the LDAP server certificate to a temporary location on the Satellite Server, such as /tmp/example.crt. You will remove the certificate when finished.
  
  The filename extensions .cer and .crt are only conventions and can refer to DER binary or PEM ASCII format certificates.
Add the LDAP server certificate to the system truststore:
1. Import the certificate:
  # cp /tmp/example.crt /etc/pki/tls/source/anchors
2. Update the certificate authority truststore:
  # update-ca-trust extract
Delete the downloaded LDAP certificate from the temporary location on your Satellite Server.

Additional resources

For more information about adding certificates to the system truststore, see Using shared system certificates in Red Hat Enterprise Linux 9 Securing networks.

5.1.2. Configuring Satellite to use LDAP

Configure an LDAP authentication source to enable users to log in to Satellite with their existing LDAP credentials.

Prerequisites

Your LDAP server complies with the RFC 2307 schema.
Your user account has the following permissions:
- view_authenticators, create_authenticators, edit_authenticators
- view_locations, assign_locations
- view_organizations, assign_organizations

Procedure

On your Satellite Server, enable the Network Information System (NIS) service so that SELinux does not block outgoing LDAP connections:
```
# setsebool -P nis_enabled on
```
In the Satellite web UI, navigate to Administer > Authentication Sources.
From the LDAP menu, select Create.
On the LDAP server tab, enter the details of your LDAP server.

For TLS encrypted connections, select LDAPS to enable encryption.
On the Account tab, enter the account information and domain name details. For more information, see the following sections:
- Example settings for LDAP connections
- Example LDAP filters
On the Attribute mappings tab, map LDAP attributes to Satellite attributes.
On the Locations tab, select the locations you want Satellite to assign to users created from the LDAP authentication source. These locations are available to users after they log in for the first time.
On the Organizations tab, select the organizations you want Satellite to assign to users created from the LDAP authentication source. These locations are available to users after they log in for the first time.
Click Submit.

Next steps

If you did not select Automatically Create Accounts In Satellite on the Account tab, create user accounts manually. For more information, see Creating a User in Administering Red Hat Satellite.
If you selected Automatically Create Accounts In Satellite, LDAP users can now log in to Satellite using their LDAP accounts and passwords.
After users log in for the first time, the Satellite administrator must assign roles to them manually. For more information about assigning appropriate roles to user accounts, see Assigning Roles to a User in Administering Red Hat Satellite.

5.1.3. Example settings for LDAP connections

Example 1. Example settings for Active Directory LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

Account Username: DOMAIN\redhat
Account password: P@ssword
Base DN: DC=example,DC=COM
Login name attribute: userPrincipalName
First name attribute: givenName
Last name attribute: sn
Email address attribute: mail
Photo attribute: thumbnailPhoto

The userPrincipalName attribute allows the use of whitespace in usernames. The sAMAccountName attribute, which provides backwards compatibility with legacy Microsoft systems, does not allow the use of whitespace in usernames.

Example 2. Example settings for Identity Management LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

Account Username: uid=redhat,cn=users,cn=accounts,dc=example,dc=com
Base DN: dc=example,dc=com
Groups Base DN: cn=groups,cn=accounts,dc=example,dc=com
Login name attribute: uid
First name attribute: givenName
Last name attribute: sn
Email address attribute: mail

Example 3. Example settings for POSIX LDAP connections

This example uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries.

Account Username: uid=redhat,ou=users,dc=example,dc=com
Base DN: dc=example,dc=com
Groups Base DN: cn=employee,ou=userclass,dc=example,dc=com
Login name attribute: uid
First name attribute: givenName
Last name attribute: sn
Email address attribute: mail

5.1.4. Example LDAP filters

Example 4. Example LDAP filters for allowing specific users to login

You are using the following LDAP directory structure:

DC=Domain,DC=Example
   |
   |----- CN=Users
         |
         |----- CN=Group1
         |----- CN=Group2
         |----- CN=User1
         |----- CN=User2
         |----- CN=User3

Group membership is defined as follows:

Group1 includes users User1 and User3
Group2 includes users User2 and User3

For example, you can define the following search filters:

Search result (users)	Filter
User1	(distinguishedName=cn=User1,cn=Users,dc=domain,dc=example)
User1, User3	(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)
User2, User3	(memberOf=cn=Group2,cn=Users,dc=domain,dc=example)
User1, User2, User3	(\|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))
User1, User2, User3	(memberOf:1.2.840.113556.1.4.1941:=cn=Users,dc=domain,dc=example)

Search result (users)

Filter

User1

(distinguishedName=cn=User1,cn=Users,dc=domain,dc=example)

User1, User3

(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)

User2, User3

(memberOf=cn=Group2,cn=Users,dc=domain,dc=example)

User1, User2, User3

(|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))

User1, User2, User3

(memberOf:1.2.840.113556.1.4.1941:=cn=Users,dc=domain,dc=example)

Because group Users is a nested group that contains groups Group1 and Group2, the filter must include memberOf:1.2.840.113556.1.4.1941:= before the nested group name. This enables you to filter all users from the nested group.

5.2. Configuring Kerberos single sign-on with Identity Management in Satellite

Identity Management is an open-source identity management solution that provides centralized authentication, authorization, and account management services. With Satellite, you can integrate Satellite Server with your existing Identity Management server to enable Identity Management users to authenticate to Satellite.

With your Identity Management server configured as an external identity provider, users defined in Identity Management can log in to Satellite with their Identity Management credentials. If a cross-forest trust is configured between Identity Management and Active Directory, Active Directory users can also log in to Satellite.

The following login methods are available for Identity Management users:

Username and password
Kerberos single sign-on

When a cross-forest trust is configured between Identity Management and Active Directory, Active Directory users can log in to Satellite with their user principal name (UPN) and password.

For information about Identity Management, including its cross-forest trust functionality, see Red Hat Enterprise Linux 8 Planning Identity Management and Red Hat Enterprise Linux 8 Installing Identity Management.

5.2.1. Enrolling Satellite Server in a Identity Management domain

Create a host entry for your Satellite Server system in the Identity Management LDAP and configure the system to be a client in your Identity Management domain.

Prerequisites

An existing Identity Management server
Identity Management user account with privileges to enroll new Identity Management hosts

Procedure

On the Identity Management server:
1. Create a host entry for the Satellite Server system.
  
  For more information, see Red Hat Enterprise Linux 8 Configuring and managing Identity Management or Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.
2. Create an entry for the HTTP service for Satellite Server. This enables access to the keytab file by creating a service principal for your Satellite Server.
  
  For more information on creating a service entry in Identity Management, see Red Hat Enterprise Linux 8 Managing IdM users, groups, hosts, and access control rules or Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules.
On your Satellite Server, configure the system as client in the Identity Management domain. This includes ensuring that the system meets the necessary prerequisites, installing the necessary packages, and running the ipa-client-install utility.

For more information, see Red Hat Enterprise Linux 8 Installing Identity Management or Red Hat Enterprise Linux 9 Installing Identity Management.

Note

To install packages on your Satellite Server, use the satellite-installer utility.

Verification

On your Satellite Server, check that you are able to resolve a user defined on the Identity Management server. For example, to check the admin user that Identity Management creates by default:
```
$ id admin
```

Example 5. Enrolling a Satellite Server system as a Identity Management client from the command line by using a one-time password

On the Identity Management server, a user named admin who has administrative privileges on the Identity Management server prepares a host entry for the Satellite Server system:

Authenticate as the Identity Management admin user:
```
# kinit admin
```
Optional: Verify that you have authenticated successfully:
```
# klist
```

Create a host entry from the command line. Specify that you want to use a random password for the enrollment.

# ipa host-add --random satellite-server.example.com
--------------------------------------------------
 Added host "satellite-server.example.com"
 --------------------------------------------------
  Host name: satellite-server.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: ipa-server.example.com

Enable access to the keytab file by creating a service principal for your Satellite Server:
```
# ipa service-add HTTP/satellite-server.example.com
```

On the Satellite Server system, a user with Satellite administrative privileges enrolls the system into the Identity Management domain:

Install the Identity Management client packages:
```
# satellite-maintain packages install ipa-client
```
Configure the Satellite Server system a client in Identity Management by using the random password produced by ipa host-add in a previous step:
```
# ipa-client-install --password 'W5YpARl=7M.n'
```
Verify that you are able to resolve the Identity Management admin user from your Satellite Server:
```
$ id admin
```

5.2.2. Configuring the Identity Management authentication source on Satellite Server

Enable Identity Management users to access Satellite by configuring Identity Management as an authentication provider on your Satellite Server.

Prerequisites

Satellite Server running on a system that is enrolled in the Identity Management domain.

Procedure

To enable access to the Satellite web UI only:

# satellite-installer \
--foreman-ipa-authentication=true

To enable access to the Satellite web UI and the Satellite API, including Hammer CLI:

# satellite-installer \
--foreman-ipa-authentication-api=true \
--foreman-ipa-authentication=true

Warning

Enabling access to both the Satellite web UI and the Satellite API poses a security risk. After the Identity Management user enters kinit to receive a Kerberos ticket-granting ticket (TGT), an attacker might obtain an API session. The attack is possible even if the user did not previously enter the Satellite login credentials anywhere, for example in the browser.

To disable external authentication with Identity Management, reset the options. For example, to disable access to the Satellite API and Hammer CLI:
```
# satellite-installer --reset-foreman-ipa-authentication-api
```

Verification

5.2.3. Configuring host-based access control for Identity Management users logging in to Satellite

You can use host-based access control (HBAC) rules to manage access control within your Identity Management domain. In Identity Management, HBAC rules define which users can access which hosts and which services can be used to gain access.

For example, you can configure HBAC on the Identity Management server to limit access to Satellite Server only to selected users or user groups. By configuring a HBAC rule in the Identity Management domain, you can ensure Satellite does not create database entries for users who should not have access.

Prerequisites

Identity Management user account with privileges to configure HBAC rules

Procedure

On the Identity Management server, configure HBAC control. For more information, see Red Hat Enterprise Linux 9 Managing IdM users, groups, hosts, and access control rules or Red Hat Enterprise Linux 8 Managing IdM users, groups, hosts, and access control rules.
1. Create a HBAC service for Satellite Server.
2. Create a new HBAC rule to define the required access control. Add the following Identity Management entities to the HBAC rule:
  1. The HBAC service for Satellite Server
  2. The Satellite Server host
  3. The users or user groups to whom you want to grant access
3. Make sure the default Identity Management allow_all rule is disabled. For information about how to disable allow_all without disrupting other services, see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal.
On your Satellite Server, load the host-based access control rules from Identity Management:
```
# satellite-installer --foreman-pam-service=foreman-prod
```

Verification

Log in to the Satellite web UI as a user defined in Identity Management.
- If the user is included in the HBAC rule, Satellite web UI will grant access.
- If the user is not included in the HBAC rule, Satellite web UI will not grant access.

Example 6. Configuring host-based access control to allow access to Satellite only for selected Identity Management users by using the command line

On the Identity Management server, a user with administrative privileges configures a HBAC rule to allow selected users access to Satellite Server:

Authenticate as the user with privileges required to configure HBAC rules:
```
$ kinit admin
```
Optional: Verify that you have authenticated successfully:
```
$ klist
```
Create a new HBAC service named satellite-prod:
```
$ ipa hbacsvc-add satellite-prod
```
Create a new HBAC rule:
```
$ ipa hbacrule-add allow-satellite-prod
```

Add the following Identity Management entities to the HBAC rule:

The satellite-prod HBAC service:

$ ipa hbacrule-add-service allow-satellite-prod --hbacsvcs=satellite-prod

The Satellite Server host:

$ ipa hbacrule-add-host allow-satellite-prod --hosts=satellite.example.com

The users or user groups to whom you want to grant access:

$ ipa hbacrule-add-user allow-satellite-prod --user=ipa-user

Optional: Verify the status of the rule:

$ ipa hbacrule-find satellite-prod
$ ipa hbactest --user=ipa-user --host=satellite.example.com --service=satellite-prod

Disable the default allow_all rule:

$ ipa hbacrule-disable allow_all

On Satellite Server, a Satellite administrator re-runs satellite-installer to load the host-based access control rules from Identity Management:

# satellite-installer --foreman-pam-service=satellite-prod

5.2.4. Configuring Hammer CLI to accept Identity Management credentials

Configure the Satellite Hammer CLI tool to use Identity Management to authenticate users.

Prerequisites

You have enabled Identity Management access to the Satellite API. For more information, see Configuring the Identity Management authentication source on Satellite Server.

Procedure

Open the ~/.hammer/cli.modules.d/foreman.yml file on your Satellite Server and update the list of foreman parameters:
- To enforce session usage, enable :use_sessions::
  :foreman: :use_sessions: true
  With this configuration, you will need to initiate an authentication session manually with hammer auth login negotiate.
- Alternatively, to enforce session usage and also negotiate authentication by default:
  :foreman: :default_auth_type: 'Negotiate_Auth' :use_sessions: true
  With this configuration, Hammer will negotiate authentication automatically when you enter the first hammer command.

5.2.5. Logging in to Hammer CLI with Identity Management credentials

Authenticate to the Satellite Hammer CLI with your Identity Management username and password.

Prerequisites

You have configured Hammer CLI to accept Identity Management credentials. See Configuring Hammer CLI to accept Identity Management credentials.

Procedure

Authenticate as a user defined in Identity Management to obtain a Kerberos ticket-granting ticket (TGT):

$ kinit Identity_Management_user

Warning

If you enabled access to the Satellite API and the Satellite web UI when you were configuring Identity Management as the authentication provider for Satellite, an attacker might now obtain an API session after the user receives the Kerberos TGT. The attack is possible even if the user did not previously enter the Satellite login credentials anywhere, for example in the browser.

If Hammer is not configured to negotiate authentication, initiate an authentication session manually:
```
$ hammer auth login negotiate
```

Note	If you destroy the active Kerberos ticket, for example with `kdestroy`, you will still be logged in to Hammer. To log out, enter `hammer auth logout`.

Verification

Use any hammer command to check that the system does not ask you to authenticate. For example:
```
$ hammer host list
```

Additional resources

For more information about authenticating with Hammer, see Hammer CLI guide or hammer auth --help.

5.2.6. Logging in to the Satellite web UI with Identity Management credentials in Mozilla Firefox

You can use Mozilla Firefox to log in to the Satellite web UI with your Identity Management credentials.

Use the latest stable Mozilla Firefox browser.

Prerequisites

You have Identity Management authentication configured in your Satellite environment.
The host on which you are using Mozilla Firefox is a client in the Identity Management domain.
Your Mozilla Firefox is configured for Single Sign-On (SSO). For more information, see Configuring Firefox to use Kerberos for single sign-on in Configuring authentication and authorization in Red Hat Enterprise Linux 9.

Procedure

Obtain the Kerberos ticket granting ticket (TGT):
```
$ kinit user
Password for user@EXAMPLE.COM:
```
In Mozilla Firefox, go to the URL of your Satellite Server.
You are logged in automatically.

Alternatively:

In your browser address bar, enter the URL of your Satellite Server.
Enter your username and password.

5.2.7. Logging in to the Satellite web UI with Identity Management credentials in Chrome

You can use Chrome to log in to the Satellite web UI with your Identity Management credentials.

Use the latest stable Chrome browser.

Prerequisites

You have Identity Management authentication configured in your Satellite environment.
The host on which you are using Chrome is a client in the Identity Management domain.

Procedure

Enable the Chrome browser to use Kerberos authentication:
```
$ google-chrome --auth-server-whitelist="*.example.com" --auth-negotiate-delegate-whitelist="*.example.com"
```
Note

Instead of allowlisting the whole domain, you can also allowlist a specific Satellite Server.
Obtain the Kerberos ticket-granting ticket (TGT):
```
$ kinit user
Password for user@EXAMPLE.COM:
```
In Chrome, go to the URL of your Satellite Server.
You are logged in automatically.

Alternatively:

In your browser address bar, enter the URL of your Satellite Server.
Enter your username and password.

5.2.8. Configuring a cross-forest trust between Identity Management and Active Directory for Satellite

When your Identity Management deployment includes a cross-forest trust with Active Directory (AD), configure host-based access control (HBAC) and the System Security Services Daemon (SSSD) to enable AD users to log in to Satellite.

Prerequisites

An existing Identity Management server with a cross-forest trust with AD established. For more information, see Red Hat Enterprise Linux 8 Installing trust between IdM and AD.

Procedure

On your Identity Management server:

Enable HBAC:
1. Create an external group and add the AD group to it.
2. Add the new external group to a POSIX group.
3. Use the POSIX group in a HBAC rule.

On your Identity Management server and all replicas in your Identity Management topology, configure SSSD to transfer additional attributes of AD users:

Add the AD user attributes to the nss and domain sections in /etc/sssd/sssd.conf. For example:

[domain/EXAMPLE.com]
...
krb5_store_password_if_offline = True
ldap_user_extra_attrs=email:mail, lastname:sn, firstname:givenname

[nss]
user_attributes=+email, +firstname, +lastname

[ifp]
allowed_uids = ipaapi, root
user_attributes=+email, +firstname, +lastname

Clear the SSSD cache:
1. Stop SSSD:
  # systemctl stop sssd
2. Clear the cache:
  # sss_cache -E
3. Start SSSD:
  # systemctl start sssd

Verify the AD attributes value by using the dbus-send command on your Satellite Server and on your Identity Management server. Make sure that both outputs match.

# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ad-user@ad-domain array:string:email,firstname,lastname

5.3. Configuring Red Hat Single Sign-On authentication for Satellite

Red Hat Single Sign-On is an open-source identity and access management solution that provides authentication features, such as single sign-on functionality, user federation, or centralized authentication management. With Red Hat Single Sign-On, you can integrate Satellite Server with your existing Red Hat Single Sign-On server to delegate user authentication and authorization to Red Hat Single Sign-On. The following login methods are available:

User name and password in Satellite web UI
User name and password in Hammer CLI

Note	Red Hat Single Sign-On users cannot use both Satellite web UI and Hammer CLI authentication in Satellite at the same time.

Time-based one-time password (TOTP)

For information about Red Hat Single Sign-On, see Red Hat Single Sign-On documentation.

5.3.1. Prerequisites for configuring Satellite with Red Hat Single Sign-On authentication

A Red Hat Single Sign-On account with administrative privileges.
A Red Hat Single Sign-On server that uses HTTPS instead of HTTP.
If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate truststore.
A Red Hat Single Sign-On realm created for Satellite user accounts, for example Satellite_Realm.
Users imported or added to Red Hat Single Sign-On. For more information about importing or creating users, see the Red Hat Single Sign-On Server Administration Guide.

5.3.2. Registering Satellite as a client of Red Hat Single Sign-On

Users defined in Red Hat Single Sign-On can authenticate to Satellite by using one of the following methods:

The Satellite web UI
Hammer CLI

Choose one of these methods to enable in your Satellite deployment.

Procedure

On your Satellite Server:

Install the packages required for registering a Red Hat Single Sign-On client:

# satellite-maintain packages install mod_auth_openidc keycloak-httpd-client-install python3-lxml

Choose the authentication method you want Red Hat Single Sign-On users to use when authenticating to Satellite:

If you want users to authenticate by using the Satellite web UI:

Create a client for Satellite. Use foreman-openidc as the application name.

# keycloak-httpd-client-install --app-name foreman-openidc \
--keycloak-server-url "https://rhsso.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "Satellite_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

Configure Satellite to use Red Hat Single Sign-On as an authentication source for Satellite web UI:

# satellite-installer --foreman-keycloak true \
--foreman-keycloak-app-name "foreman-openidc" \
--foreman-keycloak-realm "Satellite_Realm"

If you want users to authenticate by using the Hammer CLI:

Create a client for Satellite. Use hammer-openidc as the application name.

# keycloak-httpd-client-install --app-name hammer-openidc \
--keycloak-server-url "https://rhsso.example.com" \
--keycloak-admin-username "admin" \
--keycloak-realm "Satellite_Realm" \
--keycloak-admin-realm master \
--keycloak-auth-role root-admin \
-t openidc -l /users/extlogin --force

Configure Satellite to use Red Hat Single Sign-On as an authentication source for Hammer CLI:

# satellite-installer --foreman-keycloak true \
--foreman-keycloak-app-name "hammer-openidc" \
--foreman-keycloak-realm "Satellite_Realm"

Reset Red Hat Single Sign-On support to the default value to ensure that users are not authenticated also in Satellite web UI:
```
# satellite-installer --reset-foreman-keycloak
```

Restart the httpd service:
```
# systemctl restart httpd
```

5.3.3. Configuring the Satellite client in Red Hat Single Sign-On

Configure the Satellite client in Red Hat Single Sign-On with valid redirect URIs and mappers.

Procedure

In the Red Hat Single Sign-On web UI:

Go to the realm created for Satellite users. Navigate to Clients and click the Satellite client.
Configure access type:
- If you are configuring a client that will provide Satellite web UI authentication, select confidential from the Access Type list.
- If you are configuring a client that will provide Hammer CLI authentication, select public from the Access Type list.
Configure Valid redirect URI addresses:
- If you are configuring a client that will provide Satellite web UI authentication:
  - You will see a pre-defined URI: https://satellite.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
  - Add another URI below the pre-defined URI: https://satellite.example.com/users/extlogin
- If you are configuring a client that will provide Hammer CLI authentication:
  - You will see a pre-defined URI: https://satellite.example.com/users/extlogin/redirect_uri. Do not change or remove this URI.
  - Add another URI below the pre-defined URI: urn:ietf:wg:oauth:2.0:oob
Click Save.
On the Mappers tab, click Create to add an audience mapper.
1. From the Mapper Type list, select Audience.
2. From the Included Client Audience list, select the Satellite client.
Click Save.
On the Mappers tab, click Create to add a group mapper so that you can specify authorization in Satellite based on group membership.
1. From the Mapper Type list, select Group Membership.
2. In the Token Claim Name field, enter groups.
3. Set the Full group path setting to OFF.
Click Save.

Additional resources

For more information about configuring Red Hat Single Sign-On clients, see Red Hat Single Sign-On Server Administration Guide.

5.3.4. Configuring a Satellite client to provide Satellite web UI authentication with Red Hat Single Sign-On

If you are configuring a client that will provide Satellite web UI authentication to your Satellite deployment, delegate authentication to the Red Hat Single Sign-On server and add Red Hat Single Sign-On as an external authentication source in Satellite.

Prerequisites

Ensure that the Access Type setting in the Satellite client in the Red Hat Single Sign-On web UI is set to confidential. For more information, see Configuring the Satellite client in Red Hat Single Sign-On.

Procedure

In the Satellite web UI:

Navigate to Administer > Settings.
On the Authentication tab, configure the following settings:
1. Authorize login delegation: Set to Yes.
2. Authorize login delegation auth source user autocreate: Set to External.
3. Login delegation logout URL: Set to https://satellite.example.com/users/extlogout.
4. OIDC Algorithm: For example, set to RS256.
5. OIDC Audience: Set to the client ID for Red Hat Single Sign-On.
6. OIDC Issuer: Set to https://rhsso.example.com/auth/realms/Satellite_Realm.
7. OIDC JWKs URL: Set to https://rhsso.example.com/auth/realms/Satellite_Realm/protocol/openid-connect/certs.
Navigate to Administer > Authentication Sources.
1. From the External menu, select Edit.
2. On the Locations tab, add the locations that you want to be able to use the Red Hat Single Sign-On authentication source.
3. On the Organizations tab, add the organizations that you want to be able to use the Red Hat Single Sign-On authentication source.
4. Click Submit.

5.3.5. Configuring a Satellite client to provide Hammer CLI authentication with Red Hat Single Sign-On

If you are configuring a client that will provide Hammer CLI authentication to your Satellite deployment, delegate authentication to the Red Hat Single Sign-On server and add Red Hat Single Sign-On as an external authentication source in Satellite.

Prerequisites

Ensure that the Access Type setting in the Satellite client in the Red Hat Single Sign-On web UI is set to public. For more information, see Configuring the Satellite client in Red Hat Single Sign-On.
Obtain the values to configure Satellite settings from the following URL: https://rhsso.example.com/auth/realms/Satellite_Realm/.well-known/openid-configuration. Replace Satellite_Realm with the name of the Red Hat Single Sign-On realm created for your Satellite server.

Procedure

On the Satellite client registered to Red Hat Single Sign-On:

Set the login delegation to true so that users can authenticate using the Open IDC protocol:
```
# hammer settings set --name authorize_login_delegation --value true
```

Set the login delegation logout URL:

# hammer settings set --name login_delegation_logout_url \
--value https://satellite.example.com/users/extlogout

Set the algorithm for encoding: For example, to use the RS256 algorithm:
```
# hammer settings set --name oidc_algorithm --value 'RS256'
```

Add the value for the Hammer client in the Open IDC audience:

# hammer settings set --name oidc_audience \
--value "['satellite.example.com-hammer-openidc']"

Set the value for the Open IDC issuer:

# hammer settings set --name oidc_issuer \
--value "https://rhsso.example.com/auth/realms/KEYCLOAK_REALM"

Set the value for Open IDC Java Web Token (JWT):

# hammer settings set --name oidc_jwks_url \
--value "https://rhsso.example.com/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs"

Retrieve the ID of the Red Hat Single Sign-On authentication source:
```
# hammer auth-source external list
```

Set the location and organization:

# hammer auth-source external update \
--id My_Authentication_Source_ID \
--location-ids My_Location_ID \
--organization-ids My_Organization_ID

5.3.6. Configuring Satellite with Red Hat Single Sign-On for TOTP authentication

If you want users to authenticate with time-based one-time passwords (TOTP), configure an OTP policy for the Satellite realm in Red Hat Single Sign-On.

Procedure

In the Red Hat Single Sign-On web UI, navigate to the Satellite realm.
Navigate to Authentication.
On the Policies tab, click the OTP Policy tab. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.
Configure the OTP settings to suit your requirements.
On Required Actions tab, enable the Set as default action setting for the Configure OTP action.

Additional resources

For more information, see Red Hat Single Sign-On Server Administration Guide or Red Hat build of Keycloak Server Administration Guide.

5.3.7. Optional: Configuring external group mapping for Red Hat Single Sign-On authentication

To implement the role-based access control (RBAC), create a group in Satellite, assign a role to this group, and then map an Red Hat Single Sign-On group to the Satellite group. As a result, anyone in the given group in Red Hat Single Sign-On will log in under the corresponding Satellite group.

For example, you can configure users of the Satellite-admin user group defined in Active Directory to authenticate as users with administrator privileges on Satellite.

If you do not configure group mapping, every user will receive the Default role permissions.

Procedure

In the Satellite web UI, navigate to Administer > User Groups.
Click Create User Group.
1. In the Name field, enter a name for the user group. Enter a name that is different from the Active Directory user group name.
2. Do not add any users or user groups to the new group in Satellite web UI.
On the Roles tab, select Administer.
On the External Groups tab, click Add external user group.
1. In the Name field, enter the name of the Active Directory group.
2. From the Auth Source drop-down menu, select EXTERNAL.
Click Submit.

5.3.8. Logging in to Satellite configured with Red Hat Single Sign-On as an authentication source

With Red Hat Single Sign-On configured as an external authentication source for Satellite, users defined in a Red Hat Single Sign-On realm can log in to Satellite Server. The particular login methods available to users depend on how you configured integration between Red Hat Single Sign-On and Satellite.

Procedure

To authenticate to the Satellite web UI:

In your browser, go to https://satellite.example.com and enter your credentials.

To authenticate to the Satellite web UI by using Red Hat Single Sign-On TOTP:

In your browser, log in to Satellite. Satellite redirects you to the Red Hat Single Sign-On login screen.
Enter your username and password, and click Log In.
On your first login attempt, Red Hat Single Sign-On requests you to configure your client by scanning the bar code and entering your PIN. Once authenticated, your browser redirects you back to Satellite and logs you in.

To authenticate to the Satellite CLI with Hammer:

Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:
```
:foreman:
  :use_sessions: true
```

Initiate an authentication session with hammer auth login oauth:

# hammer auth login oauth \
--oidc-token-endpoint 'https://rhsso.example.com/auth/realms/Satellite_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://rhsso.example.com/auth' \
--oidc-client-id 'satellite.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To authenticate to the Satellite CLI with Hammer by using Red Hat Single Sign-On TOTP:

Ensure that Hammer is configured to enforce session usage in ~/.hammer/cli.modules.d/foreman.yml:
```
:foreman:
  :use_sessions: true
```

Initiate an authentication session by using --two-factor with hammer auth login oauth:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://rhsso.example.com/auth/realms/Satellite_realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://rhsso.example.com/auth' \
--oidc-client-id 'satellite.example.com-hammer-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

You will be prompted to enter a success code. To retrieve the success code, navigate to the URL that the command returns.
Enter the success code in CLI.

5.4. Configuring Active Directory as an external identity provider for Satellite

If the base system of your Satellite Server is connected directly to Active Directory (AD), you can configure AD as an external authentication source for Satellite. Direct AD integration means that a Linux system is joined directly to the AD domain where the identity is stored. The following login methods are available for AD users:

Username and password
Kerberos single sign-on

Note

You can also connect your Satellite deployment to AD in the following ways:

By using indirect AD integration. With indirect integration, your Satellite Server is connected to a Identity Management server which is then connected to AD. For more information, see Configuring Kerberos single sign-on with Identity Management in Satellite.
By attaching the LDAP server of the AD domain as an external authentication source with no single sign-on support. For more information, see Configuring an LDAP server as an external identity provider for Satellite. For an example configuration, see How to configure Active Directory authentication with TLS on Satellite.

5.4.1. Configuring the Active Directory authentication source on Satellite Server

Enable Active Directory (AD) users to access Satellite by configuring the corresponding authentication provider on your Satellite Server.

Prerequisites

The base system of your Satellite Server must be joined to an Active Directory (AD) domain. To enable AD users to sign in with Kerberos single sign-on, use the System Security Services Daemon (SSSD) and Samba services to join the base system to the AD domain:

Install the following packages on Satellite Server:
```
# satellite-maintain packages install adcli krb5-workstation oddjob-mkhomedir oddjob realmd samba-winbind-clients samba-winbind samba-common-tools samba-winbind-krb5-locator sssd
```
Specify the required software when joining the AD domain:
```
# realm join AD.EXAMPLE.COM --membership-software=samba --client-software=sssd
```
For more information on direct AD integration, see Connecting RHEL systems directly to AD using Samba Winbind.

Procedure

Define AD realm configuration in a location where satellite-installer expects it:
1. Create a directory named /etc/ipa/:
  # mkdir /etc/ipa/
2. Create the /etc/ipa/default.conf file with the following contents to configure the Kerberos realm for the AD domain:
  [global] realm = AD.EXAMPLE.COM
Configure the Apache keytab for Kerberos connections:
1. Update the /etc/samba/smb.conf file with the following settings to configure how Samba interacts with AD:
  [global] workgroup = AD.EXAMPLE realm = AD.EXAMPLE.COM kerberos method = system keytab security = ads
2. Add the Kerberos service principal to the keytab file at /etc/httpd/conf/http.keytab:
  # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U Administrator -s /etc/samba/smb.conf
Configure the System Security Services Daemon (SSSD) to use the AD access control provider to evaluate and enforce Group Policy Object (GPO) access control rules for the foreman PAM service:
1. In the [domain/ad.example.com] section of your /etc/sssd/sssd.conf file, configure the ad_gpo_access_control and ad_gpo_map_service options as follows:
  [domain/ad.example.com] ad_gpo_access_control = enforcing ad_gpo_map_service = +foreman
  For more information on GPOs, see the following documents:
  - How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 9)
  - How SSSD interprets GPO access control rules in Integrating RHEL systems directly with Windows Active Directory (RHEL 8)
2. Restart SSSD:
  # systemctl restart sssd

Enable the authentication source:

# satellite-installer --foreman-ipa-authentication=true

Verification

To verify that AD users can log in to Satellite by entering their credentials, log in to Satellite web UI at https://satellite.example.com. Enter the user name in the user principal name (UPN) format, for example: ad_user@AD.EXAMPLE.COM.

To verify that AD users can authenticate by using Kerberos single sign-on:

Obtain a Kerberos ticket-granting ticket (TGT) on behalf of an AD user:
```
$ kinit ad_user@AD.EXAMPLE.COM
```

Verify user authentication by using your TGT:

$ curl -k -u : --negotiate https://satellite.example.com/users/extlogin

<html><body>You are being <a href="satellite.example.com/hosts">redirected</a>.</body></html>

Troubleshooting

Connecting to the AD LDAP can sometimes fail with an error such as the following appearing in the logs:
```
Authentication failed with status code: {
  "error": { "message": "ERF77-7629 [Foreman::LdapException]: Error while connecting to 'server.com' LDAP server at 'ldap.example.com' during authentication ([Net::LDAP::Error]: Connection reset by peer - SSL_connect)" } }
```
If you see this error, verify which cipher is used for the connection:
```
# openssl s_client -connect ldap.example.com:636
```
If the TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is used, disable it on either the Satellite Server side or on the AD side. The TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher is known to cause incompatibilities.

For more information, see the Red Hat Knowledgebase solution API calls to Red Hat Satellite 6 fail intermittently on LDAP authentication.

Additional resources

sssd-ad(5) man page on your system
For information about configuring Mozilla Firefox for Kerberos, see Configuring Firefox to use Kerberos for single sign-on in Red Hat Enterprise Linux 9 Configuring authentication and authorization in RHEL.

5.5. Configuring Satellite to manage the lifecycle of a host registered to a Identity Management realm

As well as providing access to Satellite Server, hosts provisioned with Satellite can also be integrated with Identity Management realms. Red Hat Satellite has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.

Use this section to configure Satellite Server or Capsule Server for Identity Management realm support, then add hosts to the Identity Management realm group.

Prerequisites

Satellite Server that is registered to the Content Delivery Network or an external Capsule Server that is registered to Satellite Server.
A deployed realm or domain provider such as Identity Management.

To install and configure Identity Management packages on Satellite Server or Capsule Server:

To use Identity Management for provisioned hosts, complete the following steps to install and configure Identity Management packages on Satellite Server or Capsule Server:

Install the ipa-client package on Satellite Server or Capsule Server:
```
# satellite-maintain packages install ipa-client
```
Configure the server as a Identity Management client:
```
# ipa-client-install
```
Create a realm proxy user, realm-capsule, and the relevant roles in Identity Management:
```
# foreman-prepare-realm admin realm-capsule
```
Note the principal name that returns and your Identity Management server configuration details because you require them for the following procedure.

To configure Satellite Server or Capsule Server for Identity Management realm support:

Complete the following procedure on Satellite and every Capsule that you want to use:

Copy the /root/freeipa.keytab file to any Capsule Server that you want to include in the same principal and realm:
```
# scp /root/freeipa.keytab root@capsule.example.com:/etc/foreman-proxy/freeipa.keytab
```
On your Satellite Server, move the /root/freeipa.keytab file to the /etc/foreman-proxy directory:
```
# mv /root/freeipa.keytab /etc/foreman-proxy
```
On your Satellite Server and Capsule Servers, set ownership to the foreman-proxy user and group:
```
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Enter the following command on all Capsules that you want to include in the realm. If you use the integrated Capsule on Satellite, enter this command on Satellite Server:
```
# satellite-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-capsule@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa
```
You can also use these options when you first configure the Satellite Server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the Identity Management Certificate Authority:
```
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust enable
# update-ca-trust
```
Optional: If you configure Identity Management on an existing Satellite Server or Capsule Server, complete the following steps to ensure that the configuration changes take effect:
1. Restart the foreman-proxy service:
  # systemctl restart foreman-proxy
2. In the Satellite web UI, navigate to Infrastructure > Capsules.
3. Locate the Capsule you have configured for Identity Management and from the list in the Actions column, select Refresh.

To create a realm for the Identity Management-enabled Capsule

After you configure your integrated or external Capsule with Identity Management, you must create a realm and add the Identity Management-configured Capsule to the realm.

Procedure

In the Satellite web UI, navigate to Infrastructure > Realms and click Create Realm.
In the Name field, enter a name for the realm.
From the Realm Type list, select the type of realm.
From the Realm Capsule list, select Capsule Server where you have configured Identity Management.
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
Click Submit.

Updating host groups with realm information

You must update any host groups that you want to use with the new realm information.

In the Satellite web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding hosts to a Identity Management host group

Identity Management supports the ability to set up automatic membership rules based on a system’s attributes. Red Hat Satellite’s realm feature provides administrators with the ability to map the Red Hat Satellite host groups to the Identity Management parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the Identity Management server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".

Satellite Server or Capsule Server sends updates to the Identity Management server, however automembership rules are only applied at initial registration.

To add hosts to a Identity Management host group:

On the Identity Management server, create a host group:

# ipa hostgroup-add hostgroup_name --desc=hostgroup_description

Create an automembership rule:
```
# ipa automember-add --type=hostgroup hostgroup_name automember_rule
```
Where you can use the following options:
- automember-add flags the group as an automember group.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- automember_rule adds the name you want to identify the automember rule by.
Define an automembership condition based on the userclass attribute:
```
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
```
Where you can use the following options:
- automember-add-condition adds regular expression conditions to identify group members.
- --key=userclass specifies the key attribute as userclass.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.
- hostgroup_name – identifies the target host group’s name.

When a system is added to Satellite Server’s hostgroup_name host group, it is added automatically to the Identity Management server’s "hostgroup_name" host group. Identity Management host groups allow for Host-Based Access Controls (HBAC), sudo policies and other Identity Management functions.

5.6. Important user and group account information for Active Directory accounts

All user and group accounts must be local accounts. This is to ensure that there are no authentication conflicts between local accounts on your Satellite Server and accounts in your Active Directory domain.

Your system is not affected by this conflict if your user and group accounts exist in both /etc/passwd and /etc/group files. For example, to check if entries for puppet, apache, foreman and foreman-proxy groups exist in both /etc/passwd and /etc/group files, enter the following commands:

# grep 'puppet\|apache\|foreman\|foreman-proxy' /etc/passwd /etc/group

5.7. Configuring external user groups

Satellite does not associate external users with their user group automatically. You must create a user group with the same name as in the external source on Satellite. Members of the external user group then automatically become members of the Satellite user group and receive the associated permissions.

The configuration of external user groups depends on the type of external authentication.

To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.

Prerequisites

If you use an LDAP server, configure Satellite to use LDAP authentication. For more information, see Configuring an LDAP server as an external identity provider for Satellite.

When using external user groups from an LDAP source, you cannot use the $login variable as a substitute for the account user name. You must use either an anonymous or dedicated service user.
If you use a Identity Management or AD server, configure Satellite to use Identity Management or AD authentication. For more information, see Configuring External Authentication in Installing Satellite Server in a connected network environment.
Ensure that at least one external user authenticates for the first time.
Retain a copy of the external group names you want to use. To find the group membership of external users, enter the following command:
```
# id username
```

Procedure

In the Satellite web UI, navigate to Administer > User Groups, and click Create User Group.
Specify the name of the new user group. Do not select any users to avoid adding users automatically when you refresh the external user group.
Click the Roles tab and select the roles you want to assign to the user group. Alternatively, select the Administrator checkbox to assign all available permissions.
Click the External groups tab, then click Add external user group, and select an authentication source from the Auth source drop-down menu.

Specify the exact name of the external group in the Name field.
Click Submit.

5.8. Refreshing external user groups for LDAP

To set the LDAP source to synchronize user group membership automatically on user login, in the Auth Source page, select the Usergroup Sync option. If this option is not selected, LDAP user groups are refreshed automatically through a scheduled cron job synchronizing the LDAP Authentication source every 30 minutes by default.

If the user groups in the LDAP Authentication source change in the lapse of time between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs.

Use this procedure to refresh the LDAP source manually.

Procedure

In the Satellite web UI, navigate to Administer > Usergroups and select a user group.
On the External Groups tab, click Refresh to the right of the required user group.

CLI procedure

Enter the following command:
```
# foreman-rake ldap:refresh_usergroups
```

5.9. Refreshing external user groups for Identity Management or AD

External user groups based on Identity Management or AD are refreshed only when a group member logs in to Satellite. It is not possible to alter user membership of external user groups in the Satellite web UI, such changes are overwritten on the next group refresh.

6. Configuring Satellite Server with external services

If you do not want to configure the DNS, DHCP, and TFTP services on Satellite Server, use this section to configure your Satellite Server to work with external DNS, DHCP, and TFTP services.

6.1. Configuring Satellite Server with external DNS

You can configure Satellite Server with external DNS. Satellite Server uses the nsupdate utility to update DNS records on the remote server.

To make any changes persistent, you must enter the satellite-installer command with the options appropriate for your environment.

Prerequisites

You must have a configured external DNS server.
This guide assumes you have an existing installation.

Procedure

Copy the /etc/rndc.key file from the external DNS server to Satellite Server:
```
# scp root@dns.example.com:/etc/rndc.key /etc/foreman-proxy/rndc.key
```

Configure the ownership, permissions, and SELinux context:

# restorecon -v /etc/foreman-proxy/rndc.key
# chown -v root:foreman-proxy /etc/foreman-proxy/rndc.key
# chmod -v 640 /etc/foreman-proxy/rndc.key

To test the nsupdate utility, add a host remotely:

# echo -e "server DNS_IP_Address\n \
update add aaa.example.com 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key
# nslookup aaa.example.com DNS_IP_Address
# echo -e "server DNS_IP_Address\n \
update delete aaa.example.com 3600 IN A Host_IP_Address\n \
send\n" | nsupdate -k /etc/foreman-proxy/rndc.key

Enter the satellite-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dns.yml file:

# satellite-installer --foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="DNS_IP_Address" \
--foreman-proxy-keyfile=/etc/foreman-proxy/rndc.key

In the Satellite web UI, navigate to Infrastructure > Capsules.
Locate the Satellite Server and select Refresh from the list in the Actions column.
Associate the DNS service with the appropriate subnets and domain.

6.2. Configuring Satellite Server with external DHCP

To configure Satellite Server with external DHCP, you must complete the following procedures:

Configuring an external DHCP server to use with Satellite Server
Configuring Satellite Server with an external DHCP server

6.2.1. Configuring an external DHCP server to use with Satellite Server

To configure an external DHCP server running Red Hat Enterprise Linux to use with Satellite Server, you must install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages. You must also share the DHCP configuration and lease files with Satellite Server. The example in this procedure uses the distributed Network File System (NFS) protocol to share the DHCP configuration and lease files.

Note

If you use dnsmasq as an external DHCP server, enable the dhcp-no-override setting. This is required because Satellite creates configuration files on the TFTP server under the grub2/ subdirectory. If the dhcp-no-override setting is disabled, hosts fetch the bootloader and its configuration from the root directory, which might cause an error.

Procedure

On your Red Hat Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) utilities packages:
```
# dnf install dhcp-server bind-utils
```
Generate a security token:
```
# tsig-keygen -a hmac-md5 omapi_key
```

Edit the dhcpd configuration file for all subnets and add the key generated by tsig-keygen. The following is an example:

# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm hmac-md5;
	secret "My_Secret";
};
omapi-key omapi_key;

Note that the option routers value is the IP address of your Satellite Server or Capsule Server that you want to use with an external DHCP service.

On Satellite Server, define each subnet. Do not set DHCP Capsule for the defined Subnet yet.

To prevent conflicts, set up the lease and reservation ranges separately. For example, if the lease range is 192.168.38.10 to 192.168.38.100, in the Satellite web UI define the reservation range as 192.168.38.101 to 192.168.38.250.
Configure the firewall for external access to the DHCP server:
```
# firewall-cmd --add-service dhcp
```
Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```
On Satellite Server, determine the UID and GID of the foreman user:
```
# id -u foreman
993
# id -g foreman
990
```
On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:
```
# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman
```

To ensure that the configuration files are accessible, restore the read and execute flags:

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

Enable and start the DHCP service:
```
# systemctl enable --now dhcpd
```

Export the DHCP configuration and lease files using NFS:

# dnf install nfs-utils
# systemctl enable --now nfs-server

Create directories for the DHCP configuration and lease files that you want to export using NFS:
```
# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp
```

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```

Ensure the following lines are present in /etc/exports:

/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

Note that the IP address that you enter is the Satellite or Capsule IP address that you want to use with an external DHCP service.

Reload the NFS server:
```
# exportfs -rva
```
Configure the firewall for DHCP omapi port 7911:
```
# firewall-cmd --add-port=7911/tcp
```

Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd \
--add-service mountd \
--add-service nfs \
--add-service rpc-bind \
--zone public

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

6.2.2. Configuring Satellite Server with an external DHCP server

You can configure Satellite Server with an external DHCP server.

Prerequisites

Ensure that you have configured an external DHCP server and that you have shared the DHCP configuration and lease files with Satellite Server. For more information, see Configuring an external DHCP server to use with Satellite Server.

Procedure

Install the nfs-utils package:

# satellite-maintain packages install nfs-utils

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:
```
# chown -R foreman-proxy /mnt/nfs
```
Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:
```
# showmount -e DHCP_Server_FQDN
# rpcinfo -p DHCP_Server_FQDN
```

Add the following lines to the /etc/fstab file:

DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:
```
# mount -a
```
To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:
```
# su foreman-proxy -s /bin/bash
$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
$ exit
```

Enter the satellite-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# satellite-installer \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-dhcp-server=My_DHCP_Server_FQDN \
--foreman-proxy-dhcp=true \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=My_Secret \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911

Associate the DHCP service with the appropriate subnets and domain.

6.3. Configuring Satellite Server with external TFTP

You can configure Satellite Server with external TFTP services.

Procedure

Create the TFTP directory for NFS:
```
# mkdir -p /mnt/nfs/var/lib/tftpboot
```

In the /etc/fstab file, add the following line:

TFTP_Server_IP_Address:/exports/var/lib/tftpboot /mnt/nfs/var/lib/tftpboot nfs rw,vers=3,auto,nosharecache,context="system_u:object_r:tftpdir_rw_t:s0" 0 0

Mount the file systems in /etc/fstab:
```
# mount -a
```
Enter the satellite-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/tftp.yml file:
```
# satellite-installer \
--foreman-proxy-tftp-root /mnt/nfs/var/lib/tftpboot \
--foreman-proxy-tftp=true
```
If the TFTP service is running on a different server than the DHCP service, update the tftp_servername setting with the FQDN or IP address of the server that the TFTP service is running on:
```
# satellite-installer --foreman-proxy-tftp-servername=TFTP_Server_FQDN
```
In the Satellite web UI, navigate to Infrastructure > Capsules.
Locate the Satellite Server and select Refresh from the list in the Actions column.
Associate the TFTP service with the appropriate subnets and domain.

6.4. Configuring Satellite Server with external IdM DNS

When Satellite Server adds a DNS record for a host, it first determines which Capsule is providing DNS for that domain. It then communicates with the Capsule that is configured to provide DNS service for your deployment and adds the record. The hosts are not involved in this process. Therefore, you must install and configure the IdM client on the Satellite or Capsule that is currently configured to provide a DNS service for the domain you want to manage using the IdM server.

Satellite Server can be configured to use a Red Hat Identity Management (IdM) server to provide DNS service. For more information about Red Hat Identity Management, see the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.

To configure Satellite Server to use a Red Hat Identity Management (IdM) server to provide DNS service, use one of the following procedures:

Configuring dynamic DNS update with GSS-TSIG authentication
Configuring dynamic DNS update with TSIG authentication

To revert to internal DNS service, use the following procedure:

Reverting to internal DNS service

Note

You are not required to use Satellite Server to manage DNS. When you are using the realm enrollment feature of Satellite, where provisioned hosts are enrolled automatically to IdM, the ipa-client-install script creates DNS records for the client. Configuring Satellite Server with external IdM DNS and realm enrollment are mutually exclusive. For more information about configuring realm enrollment, see Configuring Satellite to manage the lifecycle of a host registered to a Identity Management realm.

6.4.1. Configuring dynamic DNS update with GSS-TSIG authentication

You can configure the IdM server to use the generic security service algorithm for secret key transaction (GSS-TSIG) technology defined in RFC3645. To configure the IdM server to use the GSS-TSIG technology, you must install the IdM client on the Satellite Server base operating system.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port requirements for IdM in Red Hat Enterprise Linux 9 Installing Identity Management or Port requirements for IdM in Red Hat Enterprise Linux 8 Installing Identity Management.
You must contact the IdM server administrator to ensure that you obtain an account on the IdM server with permissions to create zones on the IdM server.
You should create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.

Procedure

To configure dynamic DNS update with GSS-TSIG authentication, complete the following steps:

Creating a Kerberos principal on the IdM server

Obtain a Kerberos ticket for the account obtained from the IdM administrator:
```
# kinit idm_user
```
Create a new Kerberos principal for Satellite Server to use to authenticate on the IdM server:
```
# ipa service-add capsule/satellite.example.com
```

Installing and configuring the idM client

On the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment, install the ipa-client package:
```
# satellite-maintain packages install ipa-client
```
Configure the IdM client by running the installation script and following the on-screen prompts:
```
# ipa-client-install
```
Obtain a Kerberos ticket:
```
# kinit admin
```
Remove any preexisting keytab:
```
# rm /etc/foreman-proxy/dns.keytab
```

Obtain the keytab for this system:

# ipa-getkeytab -p capsule/satellite.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab

Note	When adding a keytab to a standby system with the same host name as the original system in service, add the `r` option to prevent generating new credentials and rendering the credentials on the original system invalid.

For the dns.keytab file, set the group and owner to foreman-proxy:

# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

Optional: To verify that the keytab file is valid, enter the following command:

# kinit -kt /etc/foreman-proxy/dns.keytab \
capsule/satellite.example.com@EXAMPLE.COM

Configuring DNS zones in the IdM web UI

Create and configure the zone that you want to manage:
1. Navigate to Network Services > DNS > DNS Zones.
2. Select Add and enter the zone name. For example, example.com.
3. Click Add and Edit.
4. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
5. Set Dynamic update to True.
6. Enable Allow PTR sync.
7. Click Save to save the changes.
Create and configure the reverse zone:
1. Navigate to Network Services > DNS > DNS Zones.
2. Click Add.
3. Select Reverse zone IP network and add the network address in CIDR format to enable reverse lookups.
4. Click Add and Edit.
5. Click the Settings tab and in the BIND update policy box, add the following to the semi-colon separated list:
  grant capsule\047satellite.example.com@EXAMPLE.COM wildcard * ANY;
6. Set Dynamic update to True.
7. Click Save to save the changes.

Configuring the Satellite or Capsule Server that manages the DNS service for the domain

Configure your Satellite Server or Capsule Server to connect to your DNS service:

# satellite-installer \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate_gss \
--foreman-proxy-dns-server="idm1.example.com" \
--foreman-proxy-dns-tsig-keytab=/etc/foreman-proxy/dns.keytab \
--foreman-proxy-dns-tsig-principal="capsule/satellite.example.com@EXAMPLE.COM" \
--foreman-proxy-dns=true

For each affected Capsule, update the configuration of that Capsule in the Satellite web UI:
1. In the Satellite web UI, navigate to Infrastructure > Capsules, locate the Satellite Server, and from the list in the Actions column, select Refresh.
2. Configure the domain:
  1. In the Satellite web UI, navigate to Infrastructure > Domains and select the domain name.
  2. In the Domain tab, ensure DNS Capsule is set to the Capsule where the subnet is connected.
3. Configure the subnet:
  1. In the Satellite web UI, navigate to Infrastructure > Subnets and select the subnet name.
  2. In the Subnet tab, set IPAM to None.
  3. In the Domains tab, select the domain that you want to manage using the IdM server.
  4. In the Capsules tab, ensure Reverse DNS Capsule is set to the Capsule where the subnet is connected.
  5. Click Submit to save the changes.

6.4.2. Configuring dynamic DNS update with TSIG authentication

You can configure an IdM server to use the secret key transaction authentication for DNS (TSIG) technology that uses the rndc.key key file for authentication. The TSIG protocol is defined in RFC2845.

Prerequisites

You must ensure the IdM server is deployed and the host-based firewall is configured correctly. For more information, see Port Requirements in the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide.
You must obtain root user access on the IdM server.
You must confirm whether Satellite Server or Capsule Server is configured to provide DNS service for your deployment.
You must configure DNS, DHCP and TFTP services on the base operating system of either the Satellite or Capsule that is managing the DNS service for your deployment.
You must create a backup of the answer file. You can use the backup to restore the answer file to its original state if it becomes corrupted. For more information, see Configuring Satellite Server.

Procedure

To configure dynamic DNS update with TSIG authentication, complete the following steps:

Enabling external updates to the DNS zone in the IdM server

On the IdM Server, add the following to the top of the /etc/named.conf file:

########################################################################

include "/etc/rndc.key";
controls  {
inet _IdM_Server_IP_Address_ port 953 allow { _Satellite_IP_Address_; } keys { "rndc-key"; };
};
########################################################################

Reload the named service to make the changes take effect:
```
# systemctl reload named
```
In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:
1. Add the following in the BIND update policy box:
  grant "rndc-key" zonesub ANY;
2. Set Dynamic update to True.
3. Click Update to save the changes.
Copy the /etc/rndc.key file from the IdM server to the base operating system of your Satellite Server. Enter the following command:
```
# scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key
```
To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:
```
# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key
```
Assign the foreman-proxy user to the named group manually. Normally, satellite-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Satellite does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.
```
# usermod -a -G named foreman-proxy
```

On Satellite Server, enter the following satellite-installer command to configure Satellite to use the external DNS server:

# satellite-installer \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="IdM_Server_IP_Address" \
--foreman-proxy-dns-ttl=86400 \
--foreman-proxy-dns=true \
--foreman-proxy-keyfile=/etc/rndc.key

Testing external updates to the DNS zone in the IdM server

Ensure that the key in the /etc/rndc.key file on Satellite Server is the same key file that is used on the IdM server:
```
key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};
```
On Satellite Server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.
```
# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key
```

On Satellite Server, test the DNS entry:

# nslookup test.example.com 192.168.25.1

Example output:

Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20

To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

If resolved successfully, remove the test DNS entry:

# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

Confirm that the DNS entry was removed:
```
# nslookup test.example.com 192.168.25.1
```
The above nslookup command fails and returns the SERVFAIL error message if the record was successfully deleted.

6.4.3. Reverting to internal DNS service

You can revert to using Satellite Server and Capsule Server as your DNS providers. You can use a backup of the answer file that was created before configuring external DNS, or you can create a backup of the answer file. For more information about answer files, see Configuring Satellite Server.

Procedure

On the Satellite or Capsule Server that you want to configure to manage DNS service for the domain, complete the following steps:

Configuring Satellite or Capsule as a DNS server

If you have created a backup of the answer file before configuring external DNS, restore the answer file and then enter the satellite-installer command:
```
# satellite-installer
```
If you do not have a suitable backup of the answer file, create a backup of the answer file now. To configure Satellite or Capsule as DNS server without using an answer file, enter the following satellite-installer command on Satellite or Capsule:
```
# satellite-installer \
--foreman-proxy-dns-managed=true \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="127.0.0.1" \
--foreman-proxy-dns=true
```
For more information, see Configuring DNS, DHCP, and TFTP on Capsule Server.

After you run the satellite-installer command to make any changes to your Capsule configuration, you must update the configuration of each affected Capsule in the Satellite web UI.

Updating the configuration in the Satellite web UI

In the Satellite web UI, navigate to Infrastructure > Capsules.
For each Capsule that you want to update, from the Actions list, select Refresh.
Configure the domain:
1. In the Satellite web UI, navigate to Infrastructure > Domains and click the domain name that you want to configure.
2. In the Domain tab, set DNS Capsule to the Capsule where the subnet is connected.
Configure the subnet:
1. In the Satellite web UI, navigate to Infrastructure > Subnets and select the subnet name.
2. In the Subnet tab, set IPAM to DHCP or Internal DB.
3. In the Domains tab, select the domain that you want to manage using Satellite or Capsule.
4. In the Capsules tab, set Reverse DNS Capsule to the Capsule where the subnet is connected.
5. Click Submit to save the changes.

Appendix A: Troubleshooting DNF modules

If DNF modules fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows. List the enabled modules:

# dnf module list --enabled

Ruby

If Ruby module fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows:

List the enabled modules:

# dnf module list --enabled

If the Ruby 2.5 module has already been enabled, perform a module reset:

# dnf module reset ruby

PostgreSQL

If PostgreSQL module fails to enable, it can mean an incorrect module is enabled. In that case, you have to resolve dependencies manually as follows:

List the enabled modules:

# dnf module list --enabled

If the PostgreSQL 10 module has already been enabled, perform a module reset:

# dnf module reset postgresql

If a database was previously created using PostgreSQL 10, perform an upgrade:

Enable the DNF modules:
```
# dnf module enable satellite:el8
```
Install the PostgreSQL upgrade package:
```
# dnf install postgresql-upgrade
```
Perform the upgrade:
```
# postgresql-setup --upgrade
```

Appendix B: Applying custom configuration to Red Hat Satellite

When you install and configure Satellite for the first time using satellite-installer, you can specify that the DNS and DHCP configuration files are not to be managed by Puppet using the installer flags --foreman-proxy-dns-managed=false and --foreman-proxy-dhcp-managed=false. If these flags are not specified during the initial installer run, rerunning of the installer overwrites all manual changes, for example, rerun for upgrade purposes. If changes are overwritten, you must run the restore procedure to restore the manual changes. For more information, see Restoring Manual Changes Overwritten by a Puppet Run.

To view all installer flags available for custom configuration, run satellite-installer --scenario satellite --full-help. Some Puppet classes are not exposed to the Satellite installer. To manage them manually and prevent the installer from overwriting their values, specify the configuration values by adding entries to configuration file /etc/foreman-installer/custom-hiera.yaml. This configuration file is in YAML format, consisting of one entry per line in the format of <puppet class>::<parameter name>: <value>. Configuration values specified in this file persist across installer reruns.

Common examples include:

For Apache, to set the ServerTokens directive to return only the product name:
```
apache::server_tokens: Prod
```
To turn off the Apache server signature entirely:
```
apache::server_signature: Off
```

The Puppet modules for the Satellite installer are stored under /usr/share/foreman-installer/modules. Check the .pp files (for example: moduleName/manifests/example.pp) to look up the classes, parameters, and values. Alternatively, use the grep command to do keyword searches.

Setting some values may have unintended consequences that affect the performance or functionality of Red Hat Satellite. Consider the impact of the changes before you apply them, and test the changes in a non-production environment first. If you do not have a non-production Satellite environment, run the Satellite installer with the --noop and --verbose options. If your changes cause problems, remove the offending lines from custom-hiera.yaml and rerun the Satellite installer. If you have any specific questions about whether a particular value is safe to alter, contact Red Hat support.

Appendix C: Restoring manual changes overwritten by a Puppet run

If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state. The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.

Procedure

Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
```
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
```

Check the log files to note down the md5sum of the overwritten file. For example:

# journalctl -xe
...
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
...

Restore the overwritten file:

# puppet filebucket restore --local --bucket \
/var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \ 622d9820b8e764ab124367c68f5fa3a1

Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.