Installing Foreman nightly Server on Debian/Ubuntu

Install the wget and ca-certificates packages:

# apt-get install wget ca-certificates

Change directory to /tmp and retrieve the puppet7-release-bullseye.deb package:

# cd /tmp && wget https://apt.puppet.com/puppet7-release-bullseye.deb

Install the puppet7-release-bullseye.deb package:

# apt-get install /tmp/puppet7-release-bullseye.deb

Enable the Foreman repository:

# wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc
# echo "deb http://deb.theforeman.org/ bullseye nightly" | sudo tee /etc/apt/sources.list.d/foreman.list
# echo "deb http://deb.theforeman.org/ plugins nightly" | sudo tee -a /etc/apt/sources.list.d/foreman.list

Install the wget and ca-certificates packages:

# apt-get install wget ca-certificates

Change directory to /tmp and retrieve the puppet7-release-focal.deb package:

# cd /tmp && wget https://apt.puppet.com/puppet7-release-focal.deb

Install the puppet7-release-focal.deb package:

# apt-get install /tmp/puppet7-release-focal.deb

Enable the Foreman repository:

# wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc
# echo "deb http://deb.theforeman.org/ focal nightly" | sudo tee /etc/apt/sources.list.d/foreman.list
# echo "deb http://deb.theforeman.org/ plugins nightly" | sudo tee -a /etc/apt/sources.list.d/foreman.list

Enter the following command with any additional options that you want to use:

# foreman-installer \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

In the Foreman web UI, navigate to Infrastructure > HTTP Proxies.

Click New HTTP Proxy.

In the Name field, enter the name for the HTTP proxy.

In the Url field, enter the URL of the HTTP proxy in the following format: https://proxy.example.com:8080.

Optional: If authentication is required, in the Username field, enter the username to authenticate with.

Optional: If authentication is required, in the Password field, enter the password to authenticate with.

To test connection to the proxy, click the Test Connection button.

Click Submit.

In the Foreman web UI, navigate to Administer > Settings, and click the Content tab.

Set the Default HTTP Proxy setting to the created HTTP proxy.

Verify that the http_proxy, https_proxy, and no_proxy variables are not set.

# unset http_proxy
# unset https_proxy
# unset no_proxy

Add an HTTP proxy entry to Foreman:

# hammer http-proxy create --name=myproxy \
--url http://myproxy.example.com:8080  \
--username=proxy_username \
--password=proxy_password

Configure Foreman to use this HTTP proxy by default:

# hammer settings set --name=content_default_http_proxy --value=myproxy

In the Foreman web UI, navigate to Administer > Settings.

In the HTTP(S) proxy row, select the adjacent Value column and enter the proxy URL.

Click the tick icon to save your changes.

In the Foreman web UI, navigate to Administer > Settings.

In the HTTP(S) proxy except hosts row, select the adjacent Value column and enter the names of one or more hosts that you want to exclude from proxy requests.

Click the tick icon to save your changes.

On Smart Proxy with the TFTP feature, to verify the ports that are permitted by SELinux for the HTTP cache, enter the following command:

# systemctl edit foreman-proxy

Insert the following test into the editor:

[Service]
Environment="http_proxy=http://proxy.example.com:8888"
Environment="https_proxy=https://proxy.example.com:8888"

Save the file. Verify that the file appears as /etc/systemd/system/foreman-proxy.service.d/overrides.conf.

Restart the foreman-proxy service:

# systemctl restart foreman-proxy

Create a host or enter build mode for an existing host to re-download PXE files to the TFTP Smart Proxy.

In the Foreman web UI, navigate to Administer > Settings, and click the Content tab.

Set the Default HTTP Proxy setting to no global default.

Obtain the Certificate from the LDAP Server.

Trust the Certificate from the LDAP Server.

Set the Network Information System (NIS) service boolean to true to prevent SELinux from stopping outgoing LDAP connections:

# setsebool -P nis_enabled on

In the Foreman web UI, navigate to Administer > LDAP Authentication.

Click Create Authentication Source.

On the LDAP server tab, enter the LDAP server’s name, host name, port, and server type. The default port is 389, the default server type is POSIX (alternatively you can select FreeIPA or Active Directory depending on the type of authentication server). For TLS encrypted connections, select the LDAPS checkbox to enable encryption. The port should change to 636, which is the default for LDAPS.

On the Account tab, enter the account information and domain name details. See Description of LDAP Settings for descriptions and examples.

On the Attribute mappings tab, map LDAP attributes to Foreman attributes. You can map login name, first name, last name, email address, and photo attributes. See Example Settings for LDAP Connections for examples.

On the Locations tab, select locations from the left table. Selected locations are assigned to users created from the LDAP authentication source, and available after their first login.

On the Organizations tab, select organizations from the left table. Selected organizations are assigned to users created from the LDAP authentication source, and available after their first login.

Click Submit.

Configure new accounts for LDAP users:

On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:

# kinit admin

To verify that you have authenticated, enter the following command:

# klist

On the FreeIPA server, create a host entry for Foreman server and generate a one-time password, for example:

# ipa host-add --random hostname

Create an HTTP service for Foreman server, for example:

# ipa service-add HTTP/hostname

On Foreman server, install the IPA client:

# apt-get install ipa-client

On Foreman server, enter the following command as root to configure FreeIPA-enrollment:

# ipa-client-install --password OTP

Ensure that the hostname is set to the fully qualified domain name (FQDN); the short name is not sufficient:

# hostname
foreman.example.com

Set foreman-ipa-authentication to true, using the following command:

# foreman-installer --foreman-ipa-authentication=true

Restart Foreman services:

# foreman-maintain service restart

On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:

# kinit admin

To verify that you have authenticated, enter the following command:

# klist

Create HBAC service and rule on the FreeIPA server and link them together. The following examples use the PAM service name foreman-prod. Execute the following commands on the FreeIPA server:

# ipa hbacsvc-add foreman-prod
# ipa hbacrule-add allow_foreman_prod
# ipa hbacrule-add-service allow_foreman_prod --hbacsvcs=foreman-prod

Add the user who is to have access to the service foreman-prod, and the hostname of Foreman server:

# ipa hbacrule-add-user allow_foreman_prod --user=username
# ipa hbacrule-add-host allow_foreman_prod --hosts=foreman.example.com

To check the status of the rule, execute:

# ipa hbacrule-find foreman-prod
# ipa hbactest --user=username --host=foreman.example.com --service=foreman-prod

Ensure the allow_all rule is disabled on the FreeIPA server. For instructions on how to do so without disrupting other services see the How to configure HBAC rules in IdM article on the Red Hat Customer Portal.

Configure the FreeIPA integration with Foreman server as described in Configuring FreeIPA Authentication on Foreman server. On Foreman server, define the PAM service as root:

# foreman-installer --foreman-pam-service=foreman-prod

Install the required packages:

# apt-get install sssd adcli realmd ipa-python-compat krb5-workstation samba-common-tools

Enroll Foreman server with the AD server. You may need to have administrator permissions to perform the following command:

# realm join -v EXAMPLE.ORG --membership-software=samba -U Administrator

Create the /etc/ipa/ directory and the default.conf file:

# mkdir /etc/ipa
# touch /etc/ipa/default.conf

To the default.conf file, add the following content:

[global]
server = unused
realm = EXAMPLE.ORG

Create the /etc/net-keytab.conf file with the following content:

[global]
workgroup = EXAMPLE
realm = EXAMPLE.ORG
kerberos method = system keytab
security = ads

Determine the effective user ID of the Apache user:

# id apache

Create the /etc/gssproxy/00-http.conf file with the following content:

[service/HTTP]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = ID_of_Apache_User

Create a keytab entry:

# KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
# chown root.apache /etc/httpd/conf/http.keytab
# chmod 640 /etc/httpd/conf/http.keytab

Enable IPA authenication in Foreman:

# foreman-installer --foreman-ipa-authentication=true

Start and enable the gssproxy service:

# systemctl restart gssproxy
# systemctl enable --now gssproxy

To configure the Apache server to use the gssproxy service, create a systemd drop-in file and add the following content to it:

# mkdir -p /etc/systemd/system/httpd.service.d/
# vi /etc/systemd/system/httpd.service.d/gssproxy.conf
[Service]
Environment=GSS_USE_PROXY=1

Apply changes to the service:

# systemctl daemon-reload

Start and enable the httpd service:

# systemctl restart httpd

Verify that SSO is working as expected.

Enable HBAC:

Configure sssd to transfer additional attributes of AD users.

Users authenticate to Foreman using the Foreman web UI.

Users authenticate to Foreman using the Foreman CLI.

On the Foreman server, install the following packages:

# apt-get install mod_auth_openidc keycloak-httpd-client-install

Register Foreman to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients Foreman clients to Keycloak to be able to log in to Foreman from the web UI and the CLI.

Restart the httpd service:

# systemctl restart httpd

In the Keycloak web UI, navigate to Clients and click the Foreman client.

Configure access type:

In the Valid redirect URI fields, add a valid redirect URI.

Click Save.

Click the Mappers tab and click Create to add an audience mapper.

In the Name field, enter a name for the audience mapper.

From the Mapper Type list, select Audience.

From the Included Client Audience list, select the Foreman client.

Click Save.

Click Create to add a group mapper so that you can specify authorization in Foreman based on group membership.

In the Name field, enter a name for the group mapper.

From the Mapper Type list, select Group Membership.

In the Token Claim Name field, enter groups.

Set the Full group path setting to OFF.

Click Save.

To authenticate to the Foreman CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To retrieve the success code, navigate to the URL that the command returns and provide the required information.

Copy the success code that the web UI returns.

In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Foreman CLI.

In the Foreman web UI, navigate to Administer > User Groups, and click the Create User Group button.

In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.

Do not add users and user groups to the right-hand columns. Click the Roles tab.

Select the Administer checkbox.

Click the External Groups tab.

Click Add external user group.

In the Name field, enter the name of the Active Directory group.

From the list, select EXTERNAL.

Users authenticate to Foreman using the Foreman web UI.

Users authenticate to Foreman using the Foreman CLI.

On the Foreman server, install the following packages:

# apt-get install mod_auth_openidc keycloak-httpd-client-install

Register Foreman to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients Foreman clients to Keycloak to be able to log in to Foreman from the web UI and the CLI.

Restart the httpd service:

# systemctl restart httpd

In the Keycloak web UI, navigate to Clients and click the Foreman client.

Configure access type:

In the Valid redirect URI fields, add a valid redirect URI.

Click Save.

Click the Mappers tab and click Create to add an audience mapper.

In the Name field, enter a name for the audience mapper.

From the Mapper Type list, select Audience.

From the Included Client Audience list, select the Foreman client.

Click Save.

Click Create to add a group mapper so that you can specify authorization in Foreman based on group membership.

In the Name field, enter a name for the group mapper.

From the Mapper Type list, select Group Membership.

In the Token Claim Name field, enter groups.

Set the Full group path setting to OFF.

Click Save.

In the Keycloak web UI, navigate to the Foreman realm.

Navigate to Authentication, and click the OTP Policy tab.

Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.

Configure the OTP settings to suit your requirements.

Optional: If you want to use TOTP authentication as a default authentication method for all users, click the Flows tab, and to the right of the OTP Form setting, select REQUIRED.

Click the Required Actions tab.

To the right of the Configure OTP row, select the Default Action checkbox.

Log in to Foreman, Foreman redirects you to the Keycloak login screen.

Enter your username and password, and click Log In.

The first attempt to log in, Keycloak requests you to configure your client by scanning the barcode and entering the pin displayed.

After you configure your client and enter a valid PIN, Keycloak redirects you to Foreman and logs you in.

To authenticate to the Foreman CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To retrieve the success code, navigate to the URL that the command returns and provide the required information.

Copy the success code that the web UI returns.

In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Foreman CLI.

In the Foreman web UI, navigate to Administer > User Groups, and click the Create User Group button.

In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.

Do not add users and user groups to the right-hand columns. Click the Roles tab.

Select the Administer checkbox.

Click the External Groups tab.

Click Add external user group.

In the Name field, enter the name of the Active Directory group.

From the list, select EXTERNAL.

Users authenticate to Foreman using the Foreman web UI.

Users authenticate to Foreman using the Foreman CLI.

On the Foreman server, install the following packages:

# apt-get install mod_auth_openidc keycloak-httpd-client-install

Register Foreman to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients Foreman clients to Keycloak to be able to log in to Foreman from the web UI and the CLI.

Restart the httpd service:

# systemctl restart httpd

In the Keycloak web UI, navigate to Clients and click the Foreman client.

Configure access type:

In the Valid redirect URI fields, add a valid redirect URI.

Click Save.

Click the Mappers tab and click Create to add an audience mapper.

In the Name field, enter a name for the audience mapper.

From the Mapper Type list, select Audience.

From the Included Client Audience list, select the Foreman client.

Click Save.

Click Create to add a group mapper so that you can specify authorization in Foreman based on group membership.

In the Name field, enter a name for the group mapper.

From the Mapper Type list, select Group Membership.

In the Token Claim Name field, enter groups.

Set the Full group path setting to OFF.

Click Save.

In the Keycloak web UI, navigate to the Authentication tab.

From the Flows list, select Browser.

Click Copy to copy this flow.

In the Copy Authentication Flow window, enter a new name for the flow and click OK.

In the copied flow, delete Username Password Form and OTP Form entries.

Click Add execution.

From the Provider list, select X509/Validate Username Form.

Click Save.

In the X509/Validate Username Form raw, select ALTERNATIVE.

In the X509/Validate Username Form raw, click Actions > Config.

In the Alias field, enter a name for this configuration.

From the User Identity Source list, select Subject’s Common Name,

From the User mapping method list, select Username or Email.

Click Save.

Navigate to Authentication > Bindings.

From the Browser Flow list, select the created flow.

Install required packages:

apt-get install opensc -y

Install the Firefox browser if not installed.

Launch Firefox and navigate to Preferences.

Click the Privacy and Security tab.

Click Security Devices.

Click Load.

In the Load PKCS#11 Device Driver window, in the Module Name field, enter a name for this device.

In the Module filename field, enter /usr/lib64/pkcs11/opensc-pkcs11.so.

Click OK.

If the PIV card is connected to system, restart the pcscd service.

In Firefox, log in to Foreman and enter your credentials.

When prompted, enter the PIN of the PIV card.

Choose the certificate for authentication. Browser verifies this certificate with Keycloak. Once authenticated, browser redirects you back to Foreman and logs you in.

To authenticate to the Foreman CLI using the code grant type, enter the following command:

# hammer auth login oauth \
--two-factor \
--oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
--oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
--oidc-client-id 'foreman.example.com-foreman-openidc' \
--oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

To retrieve the success code, navigate to the URL that the command returns and provide the required information.

Copy the success code that the web UI returns.

In the command prompt of hammer auth login oauth, enter the success code to authenticate to the Foreman CLI.

In the Foreman web UI, navigate to Administer > User Groups, and click the Create User Group button.

In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.

Do not add users and user groups to the right-hand columns. Click the Roles tab.

Select the Administer checkbox.

Click the External Groups tab.

Click Add external user group.

In the Name field, enter the name of the Active Directory group.

From the list, select EXTERNAL.

On your Enterprise Linux host, install the ISC DHCP Service and Berkeley Internet Name Domain (BIND) packages:

# apt-get install dhcp bind

Generate a security token:

# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST omapi_key

Copy the secret hash from the key:

# cat Komapi_key.+*.private |grep ^Key|cut -d ' ' -f2

Edit the dhcpd configuration file for all of the subnets and add the key. The following is an example:

# cat /etc/dhcp/dhcpd.conf
default-lease-time 604800;
max-lease-time 2592000;
log-facility local7;

subnet 192.168.38.0 netmask 255.255.255.0 {
	range 192.168.38.10 192.168.38.100;
	option routers 192.168.38.1;
	option subnet-mask 255.255.255.0;
	option domain-search "virtual.lan";
	option domain-name "virtual.lan";
	option domain-name-servers 8.8.8.8;
}

omapi-port 7911;
key omapi_key {
	algorithm HMAC-MD5;
	secret "jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw==";
};
omapi-key omapi_key;

Delete the two key files from the directory that they were created in.

On Foreman server, define each subnet. Do not set DHCP Smart Proxy for the defined Subnet yet.

Configure the firewall for external access to the DHCP server:

# firewall-cmd --add-service dhcp \
&& firewall-cmd --runtime-to-permanent

On Foreman server, determine the UID and GID of the foreman user:

# id -u foreman
993
# id -g foreman
990

On the DHCP server, create the foreman user and group with the same IDs as determined in a previous step:

# groupadd -g 990 foreman
# useradd -u 993 -g 990 -s /sbin/nologin foreman

To ensure that the configuration files are accessible, restore the read and execute flags:

# chmod o+rx /etc/dhcp/
# chmod o+r /etc/dhcp/dhcpd.conf
# chattr +i /etc/dhcp/ /etc/dhcp/dhcpd.conf

Enable and start the DHCP service:

# systemctl enable --now dhcpd

Export the DHCP configuration and lease files using NFS:

# apt-get install nfs-kernel-server
# systemctl enable --now nfs-server

Create directories for the DHCP configuration and lease files that you want to export using NFS:

# mkdir -p /exports/var/lib/dhcpd /exports/etc/dhcp

To create mount points for the created directories, add the following line to the /etc/fstab file:

/var/lib/dhcpd /exports/var/lib/dhcpd none bind,auto 0 0
/etc/dhcp /exports/etc/dhcp none bind,auto 0 0

Mount the file systems in /etc/fstab:

# mount -a

Ensure the following lines are present in /etc/exports:

/exports 192.168.38.1(rw,async,no_root_squash,fsid=0,no_subtree_check)

/exports/etc/dhcp 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

/exports/var/lib/dhcpd 192.168.38.1(ro,async,no_root_squash,no_subtree_check,nohide)

Reload the NFS server:

# exportfs -rva

Configure the firewall for the DHCP omapi port 7911:

# firewall-cmd --add-port="7911/tcp" \
&& firewall-cmd --runtime-to-permanent

Optional: Configure the firewall for external access to NFS. Clients are configured using NFSv3.

# firewall-cmd --zone public --add-service mountd \
&& firewall-cmd --zone public --add-service rpc-bind \
&& firewall-cmd --zone public --add-service nfs \
&& firewall-cmd --runtime-to-permanent

Install the nfs-common package:

# apt-get install nfs-common

Create the DHCP directories for NFS:

# mkdir -p /mnt/nfs/etc/dhcp /mnt/nfs/var/lib/dhcpd

Change the file owner:

# chown -R foreman-proxy /mnt/nfs

Verify communication with the NFS server and the Remote Procedure Call (RPC) communication paths:

# showmount -e DHCP_Server_FQDN
# rpcinfo -p DHCP_Server_FQDN

Add the following lines to the /etc/fstab file:

DHCP_Server_FQDN:/exports/etc/dhcp /mnt/nfs/etc/dhcp nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcp_etc_t:s0" 0 0

DHCP_Server_FQDN:/exports/var/lib/dhcpd /mnt/nfs/var/lib/dhcpd nfs
ro,vers=3,auto,nosharecache,context="system_u:object_r:dhcpd_state_t:s0" 0 0

Mount the file systems on /etc/fstab:

# mount -a

To verify that the foreman-proxy user can access the files that are shared over the network, display the DHCP configuration and lease files:

# su foreman-proxy -s /bin/bash
bash-4.2$ cat /mnt/nfs/etc/dhcp/dhcpd.conf
bash-4.2$ cat /mnt/nfs/var/lib/dhcpd/dhcpd.leases
bash-4.2$ exit

Enter the foreman-installer command to make the following persistent changes to the /etc/foreman-proxy/settings.d/dhcp.yml file:

# foreman-installer --foreman-proxy-dhcp=true \
--foreman-proxy-dhcp-provider=remote_isc \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-config /mnt/nfs/etc/dhcp/dhcpd.conf \
--foreman-proxy-plugin-dhcp-remote-isc-dhcp-leases /mnt/nfs/var/lib/dhcpd/dhcpd.leases \
--foreman-proxy-plugin-dhcp-remote-isc-key-name=omapi_key \
--foreman-proxy-plugin-dhcp-remote-isc-key-secret=jNSE5YI3H1A8Oj/tkV4...A2ZOHb6zv315CkNAY7DMYYCj48Umw== \
--foreman-proxy-plugin-dhcp-remote-isc-omapi-port=7911 \
--enable-foreman-proxy-plugin-dhcp-remote-isc \
--foreman-proxy-dhcp-server=DHCP_Server_FQDN

Associate the DHCP service with the appropriate subnets and domain.

Obtain a Kerberos ticket for the account obtained from the IdM administrator:

# kinit idm_user

Create a new Kerberos principal for Foreman server to use to authenticate on the IdM server.

# ipa service-add smart-proxy/foreman.example.com

On the base operating system of either the Foreman or Smart Proxy that is managing the DNS service for your deployment, install the ipa-client package:

# apt-get install ipa-client

Configure the IdM client by running the installation script and following the on-screen prompts:

# ipa-client-install

Obtain a Kerberos ticket:

# kinit admin

Remove any preexisting keytab:

# rm /etc/foreman-proxy/dns.keytab

Obtain the keytab for this system:

# ipa-getkeytab -p smart-proxy/foreman.example.com@EXAMPLE.COM \
-s idm1.example.com -k /etc/foreman-proxy/dns.keytab

For the dns.keytab file, set the group and owner to foreman-proxy:

# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/dns.keytab

Optional: To verify that the keytab file is valid, enter the following command:

# kinit -kt /etc/foreman-proxy/dns.keytab \
smart-proxy/foreman.example.com@EXAMPLE.COM

Create and configure the zone that you want to manage:

Create and configure the reverse zone:

Use the foreman-installer command to configure the Foreman or Smart Proxy that manages the DNS Service for the domain:

In the Foreman web UI, navigate to Infrastructure > Smart Proxies, locate the Foreman server, and from the list in the Actions column, select Refresh.

Configure the domain:

Configure the subnet:

On the IdM Server, add the following to the top of the /etc/named.conf file:

########################################################################

include "/etc/rndc.key";
controls  {
inet _IdM_Server_IP_Address_ port 953 allow { _Foreman_IP_Address_; } keys { "rndc-key"; };
};
########################################################################

Reload the named service to make the changes take effect:

# systemctl reload named

In the IdM web UI, navigate to Network Services > DNS > DNS Zones and click the name of the zone. In the Settings tab, apply the following changes:

Copy the /etc/rndc.key file from the IdM server to the base operating system of your Foreman server. Enter the following command:

# scp /etc/rndc.key root@satellite.example.com:/etc/rndc.key

To set the correct ownership, permissions, and SELinux context for the rndc.key file, enter the following command:

# restorecon -v /etc/rndc.key
# chown -v root:named /etc/rndc.key
# chmod -v 640 /etc/rndc.key

Assign the foreman-proxy user to the named group manually. Normally, foreman-installer ensures that the foreman-proxy user belongs to the named UNIX group, however, in this scenario Foreman does not manage users and groups, therefore you need to assign the foreman-proxy user to the named group manually.

# usermod -a -G named foreman-proxy

On Foreman server, enter the following foreman-installer command to configure Foreman to use the external DNS server:

# foreman-installer \
--foreman-proxy-dns=true \
--foreman-proxy-dns-managed=false \
--foreman-proxy-dns-provider=nsupdate \
--foreman-proxy-dns-server="IdM_Server_IP_Address" \
--foreman-proxy-keyfile=/etc/rndc.key \
--foreman-proxy-dns-ttl=86400

Ensure that the key in the /etc/rndc.key file on Foreman server is the same key file that is used on the IdM server:

key "rndc-key" {
        algorithm hmac-md5;
        secret "secret-key==";
};

On Foreman server, create a test DNS entry for a host. For example, host test.example.com with an A record of 192.168.25.20 on the IdM server at 192.168.25.1.

# echo -e "server 192.168.25.1\n \
update add test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

On Foreman server, test the DNS entry:

# nslookup test.example.com 192.168.25.1
Server:		192.168.25.1
Address:	192.168.25.1#53

Name:	test.example.com
Address: 192.168.25.20

To view the entry in the IdM web UI, navigate to Network Services > DNS > DNS Zones. Click the name of the zone and search for the host by name.

If resolved successfully, remove the test DNS entry:

# echo -e "server 192.168.25.1\n \
update delete test.example.com 3600 IN A 192.168.25.20\n \
send\n" | nsupdate -k /etc/rndc.key

Confirm that the DNS entry was removed:

# nslookup test.example.com 192.168.25.1

In the Foreman web UI, navigate to Infrastructure > Smart Proxies.

For each Smart Proxy that you want to update, from the Actions list, select Refresh.

Configure the domain:

Configure the subnet: