Installing Satellite Server in a disconnected network environment

Providing feedback on Red Hat documentation

We appreciate your feedback on our documentation. Let us know how we can improve it.

Use the Create Issue form in Red Hat Jira to provide your feedback. The Jira issue is created in the Red Hat Satellite Jira project, where you can track its progress.

Prerequisites

Ensure you have registered a Red Hat account.

Procedure

Click the following link: Create Issue. If Jira displays a login error, log in and proceed after you are redirected to the form.
Complete the Summary and Description fields. In the Description field, include the documentation URL, chapter or section number, and a detailed description of the issue. Do not modify any other fields in the form.
Click Create.

Red Hat Offline Knowledge Portal

You can install the Red Hat Offline Knowledge Portal to access Red Hat documentation and search the Red Hat Knowledgebase offline in a restricted or secure network environment. For more information, see Red Hat Offline Knowledge Portal documentation.

1. Red Hat Satellite Installation Helper app

For interactive instructions for performing the installation, you can use the Red Hat Satellite Installation Helper on the Red Hat Customer Portal. This application provides you with an interactive way to prepare installation instructions customized for your required Satellite version number and configuration. For more information, see Red Hat Satellite Installation Helper on the Red Hat Customer Portal.

2. Planning Satellite Server installation

Review the following guidelines, requirements, and considerations before proceeding with the installation.

2.1. Operating system requirements

The following operating system is supported for deploying Satellite:

Red Hat Enterprise Linux 9 (x86_64)

You can install the operating system from a disc, local ISO image, Kickstart, or any other method that Red Hat supports.

Red Hat Satellite Server is supported on the latest version of Red Hat Enterprise Linux 9 available at the time of installation. Previous versions of Red Hat Enterprise Linux including EUS or z-stream are not supported.

Red Hat Satellite Server requires a Red Hat Enterprise Linux installation with the @Base package group with no other package-set modifications, and without third-party configurations or software not directly necessary for the direct operation of the server. This restriction includes hardening and other non-Red Hat security software. If you require such software in your infrastructure, install and verify a complete working Satellite Server first, then create a backup of the system before adding any non-Red Hat software.

2.2. System requirements

Satellite Server is fully supported on both physical systems and virtual machines that run on hypervisors that are supported to run Red Hat Enterprise Linux. For more information about certified hypervisors, see Certified Guest Operating Systems in Red Hat OpenStack Platform, Red Hat Virtualization, Red Hat OpenShift Virtualization and Red Hat Enterprise Linux with KVM.

Follow these system requirements when installing Satellite Server:

Install Satellite Server on a freshly provisioned system that serves no other function except to run Satellite Server. Do not use an existing system because the Satellite installer will affect the configuration of several components.
Ensure you have administrative user (root) access to the system.
Ensure the system meets the following requirements:
- 4 CPU cores
- 20 GB RAM or higher
- 4 GB RAM of swap space or higher
- A unique host name, which can contain lower-case letters, numbers, dots (.) and hyphens (-)
If you use custom certificates, ensure that the Common Name (CN) of the custom certificate is a fully qualified domain name (FQDN). Satellite Server and Capsule Server do not support shortnames in the hostnames.
Ensure SELinux is enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported. For more information, see Security considerations in Overview, concepts, and deployment considerations.
Ensure the system clock on the system is synchronized across the network. If the system clock is not synchronized, SSL certificate verification might fail. For example, you can use the Chrony suite for timekeeping. For more information, see Configuring time synchronization in Red Hat Enterprise Linux 9 Configuring basic system settings
If you are installing in an environment with air-gapped Satellite Servers, ensure that all your Satellite Servers are on the same Satellite version for ISS Export Sync to work. ISS Network Sync works across all Satellite versions that support it. For more information, see Synchronizing Content Between Satellite Servers in Managing content.
Ensure the system uses the UTF-8 encoding. If your territory is USA and your language is English, set en_US.utf-8 as the system-wide locale settings. For more information about configuring system locale in Red Hat Enterprise Linux, see Configuring the system locale in Red Hat Enterprise Linux 9 Configuring basic system settings.
If you use an external identity provider in your deployment, ensure the provider did not create the following user accounts on the system. These user accounts can cause conflicts with the local users that Satellite Server creates:
- apache
- foreman
- foreman-proxy
- postgres
- pulp
- puppet
- redis
- tomcat

2.3. Storage requirements

Follow these storage requirements when installing Satellite Server:

Ensure that the directories used by Satellite Server have sufficient disk space available:

Table 1. Storage requirements for a Satellite Server installation
Directory	Installation Size	Runtime Size
/var/log	10 MB	10 GB
/var/lib/pgsql	1 GB	20 GB
/usr	10 GB	Not Applicable
/opt/puppetlabs	500 MB	Not Applicable
/var/lib/pulp	1 MB	300 GB
/var/lib/containers if using Red Hat Lightspeed in Satellite	20 GB	30 GB

These values are based on expected use case scenarios and can vary according to individual environments. The runtime size was measured with Red Hat Enterprise Linux 7, 8, and 9 repositories synchronized.

If you mount the /tmp directory as a separate file system, use the exec mount option in the /etc/fstab file.

If /tmp is already mounted with the noexec option, change the option to exec and remount the file system. This is a requirement for the puppetserver service to work.
If you mount the /var/lib/pulp directory as an NFS share, specify the SELinux context of the /var/lib/pulp directory in the file system table. Add the following lines to /etc/fstab:
```
nfs.example.com:/nfsshare  /var/lib/pulp  nfs  context="system_u:object_r:pulpcore_var_lib_t:s0"  1 2
```
If the NFS share is already mounted, remount it using the above configuration and restore the SELinux context:
```
# restorecon -R /var/lib/pulp
```
Do not use symbolic links for /var/lib/pulp/.

Additional resources

Disk partitions in Red Hat Enterprise Linux 9 Managing storage devices

2.4. Best practices for optimizing storage

Consider the following storage guidelines for increased storage efficiency:

The exact amount of storage you require for log messages depends on your installation and setup. You can manage the size of the log files by using logrotate.
Consider mounting /var on LVM storage. This can help the system to scale because most Satellite Server data is stored in the /var directory.
Use high-bandwidth, low-latency storage for the /var/lib/pulp/ and /var/lib/pgsql directories. Using high latency, low-bandwidth storage causes performance degradation because Red Hat Satellite has many operations that are I/O intensive.
Use a file system with low input-output latency. Do not use the GFS2 file system because the input-output latency is too high.

Additional resources

2.5. AWS Requirements

Installing and running Satellite Server and Capsule Servers on Amazon Web Services (AWS) has additional requirements to your environment.

Amazon Web Service requirements

Use Storage requirements in Installing Satellite Server in a connected network environment to understand and assign the correct storage to your AWS EBS volumes. See also an AWS storage optimized instance for further guidance.
Create EBS volumes for directories expected to contain larger amounts of data like /var/lib/pulp and ensure they are correctly mounted on start-up and before continuing the installation.
Optional: Store other data on a separate EBS volume.
If you want Satellite Server and Capsule Server to communicate using external DNS hostnames, open the required ports for communication in the AWS Security Group that is associated with the instance.

AWS permission requirements

Create and access Red Hat Enterprise Linux images in AWS
Edit network access in AWS Security
Create EC2 instances and EBS volumes
Launch EC2 instances
Import and export of virtual machines in AWS
Usage of AWS Direct Connect

Satellite requirements

Ensure that your Amazon EC2 instance meets or exceeds requirements for Satellite:

For Satellite Server, see Preparing environment for Satellite Server installation in Installing Satellite Server in a connected network environment.
For Capsule Servers, see Preparing your environment for installation in Installing Capsule Server.

Red Hat Cloud prerequisites

Register with Red Hat Cloud Access.
Migrate any Red Hat subscriptions that you want to use.
Create an AWS instance and deploy a virtual machine running Red Hat Enterprise Linux to the instance. For more information about deploying Red Hat Enterprise Linux in AWS, see How to Locate Red Hat Cloud Access Gold Images on AWS EC2.
Ensure that your subscriptions are eligible for transfer to Red Hat Cloud. For more information, see Red Hat Cloud Access Program Details.

Additional resources

For more information about Amazon Web Services and terminology, see Amazon Elastic Compute Cloud Documentation.
For more information about Amazon Web Services Direct Connect, see What is AWS Direct Connect?.

3. Preparing environment for Satellite Server installation

Ensure that your network environment is ready for the Satellite Server installation.

3.1. Opening required ports

By opening the required ports, you ensure that the components of Satellite architecture can communicate. You must also ensure that the required network ports are open on any network-based firewalls.

Note

Some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.

Procedure

If you need to prevent the DHCP Capsule from pinging hosts to check for available IP addresses, disable DHCP IP address pinging:
```
# satellite-installer --foreman-proxy-dhcp-ping-free-ip false
```
By default, a DHCP Capsule performs ICMP ping and TCP echo connection attempts to hosts in subnets with DHCP IPAM set to find out if an IP address considered for use is free.

Open the ports for clients on Satellite Server:

# firewall-cmd \
--add-port="8000/tcp" \
--add-port="9090/tcp"

Allow access to services on Satellite Server:

# firewall-cmd \
--add-service=dns \
--add-service=dhcp \
--add-service=tftp \
--add-service=http \
--add-service=https \
--add-service=puppetmaster

Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```

Verification

View all firewall zones and allowed services:
```
# firewall-cmd --list-all
```

Additional resources

3.2. Verifying DNS resolution

Verify the full forward and reverse DNS resolution using a fully-qualified domain name to prevent issues while installing Satellite.

Procedure

Ensure that the host name and local host resolve correctly:

# ping -c1 localhost
# ping -c1 `hostname -f` # my_system.domain.com

Successful name resolution results in output similar to the following:

# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms

--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms

# ping -c1 `hostname -f`
PING hostname.gateway (XX.XX.XX.XX) 56(84) bytes of data.
64 bytes from hostname.gateway (XX.XX.XX.XX): icmp_seq=1 ttl=64 time=0.019 ms

--- localhost.gateway ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.019/0.019/0.019/0.000 ms

To avoid discrepancies with static and transient host names, set all the host names on the system by entering the following command:
```
# hostnamectl set-hostname name
```

For more information, see Changing a hostname using hostnamectl in Red Hat Enterprise Linux 9 Configuring and managing networking.

Warning

Name resolution is critical to the operation of Satellite. If Satellite cannot properly resolve its fully qualified domain name, tasks such as content management, subscription management, and provisioning will fail.

3.3. Preparing Satellite for using external databases

By default, the Satellite installation process includes installing a PostgreSQL database on the same host as Satellite Server. However, in certain Satellite deployments, using external databases instead of the default local databases can help with the server load or have other benefits.

Prerequisites

You have considered whether using an external database is beneficial for your use case. For more information, see PostgreSQL as an external database considerations in Administering Red Hat Satellite.

Procedure

Install PostgreSQL on an external database host you prepared. For more information, see Installing PostgreSQL in Administering Red Hat Satellite.

Next steps

To set up an external database when installing Satellite, see Configuring Satellite installation.

Additional resources

Migrating an existing Satellite deployment to an external database in Administering Red Hat Satellite.

4. Tuning Satellite Server with predefined profiles

If your Satellite deployment includes more than 5000 hosts, you can use predefined tuning profiles to improve performance of Satellite.

Note that you cannot use tuning profiles on Capsules.

You can choose one of the profiles depending on the number of hosts your Satellite manages and available hardware resources.

The tuning profiles are available in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes directory.

When you run the satellite-installer command with the --tuning option, deployment configuration settings are applied to Satellite in the following order:

The default tuning profile defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml file
The tuning profile that you want to apply to your deployment and is defined in the /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/ directory
Optional: If you have configured a /etc/foreman-installer/custom-hiera.yaml file, Satellite applies these configuration settings.

Note that the configuration settings that are defined in the /etc/foreman-installer/custom-hiera.yaml file override the configuration settings that are defined in the tuning profiles.

Therefore, before applying a tuning profile, you must compare the configuration settings that are defined in the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml, the tuning profile that you want to apply and your /etc/foreman-installer/custom-hiera.yaml file, and remove any duplicated configuration from the /etc/foreman-installer/custom-hiera.yaml file.

default: Number of hosts: 0 – 5000

RAM: 20G

Number of CPU cores: 4
medium: Number of hosts: 5001 – 10000

RAM: 32G

Number of CPU cores: 8
large: Number of hosts: 10001 – 20000

RAM: 64G

Number of CPU cores: 16
extra-large: Number of hosts: 20001 – 60000

RAM: 128G

Number of CPU cores: 32
extra-extra-large: Number of hosts: 60000+

RAM: 256G

Number of CPU cores: 48+

Procedure

Optional: If you have configured the custom-hiera.yaml file on Satellite Server, back up the /etc/foreman-installer/custom-hiera.yaml file to custom-hiera.original. You can use the backup file to restore the /etc/foreman-installer/custom-hiera.yaml file to its original state if it becomes corrupted:
```
# cp /etc/foreman-installer/custom-hiera.yaml \
/etc/foreman-installer/custom-hiera.original
```
Optional: If you have configured the custom-hiera.yaml file on Satellite Server, review the definitions of the default tuning profile in /usr/share/foreman-installer/config/foreman.hiera/tuning/common.yaml and the tuning profile that you want to apply in /usr/share/foreman-installer/config/foreman.hiera/tuning/sizes/. Compare the configuration entries against the entries in your /etc/foreman-installer/custom-hiera.yaml file and remove any duplicated configuration settings in your /etc/foreman-installer/custom-hiera.yaml file.
Enter the satellite-installer command with the --tuning option for the profile that you want to apply. For example, you can apply the medium tuning profile settings:
```
# satellite-installer --tuning medium
```

5. Installing Satellite Server

When the intended host for Satellite Server is in a disconnected environment, you can install Satellite Server by using an external computer to download an ISO image of the packages, and copying the packages to the system you want to install Satellite Server on. This method is not recommended for any other situation as ISO images might not contain the latest updates, bug fixes, and functionality.

Use the following procedures to install Satellite Server, perform the initial configuration, and import subscription manifests.

Before you continue, consider which manifests are relevant for your environment. For more information on manifests, see Managing Red Hat Subscriptions in Managing content.

Note	You cannot register Satellite Server to itself.

5.1. Downloading the binary DVD images

Use this procedure to download the ISO images for Red Hat Enterprise Linux and Red Hat Satellite.

Procedure

Go to Red Hat Customer Portal and log in.
Click DOWNLOADS.
Select Red Hat Enterprise Linux.
Click All Red Hat Enterprise Linux Downloads.
Ensure that you have the correct product and version for your environment.
- Product Variant is set to Red Hat Enterprise Linux for x86_64.
- Version is set to the latest minor version of the product you plan to use as the base operating system.
- Architecture is set to the 64 bit version.
On the Product Software tab, download the Binary DVD image for the latest Red Hat Enterprise Linux for x86_64 version.
Click DOWNLOADS and select Red Hat Satellite.
Ensure that you have the correct product and version for your environment.
- Product Variant is set to Red Hat Satellite.
- Version is set to the latest minor version of the product you plan to use.
On the Product Software tab, download the Binary DVD image for the latest Red Hat Satellite version.
Copy the ISO files to /var/tmp on the Satellite base operating system or other accessible storage device.
```
# scp localfile username@hostname:remotefile
```

5.2. Configuring the base operating system with offline repositories

Use this procedure to configure offline repositories for Red Hat Enterprise Linux 9 and Red Hat Satellite ISO images.

Procedure

Create a directory to serve as the mount point for the ISO file corresponding to the version of the base operating system.
```
# mkdir /media/rhel
```
Mount the ISO image for Red Hat Enterprise Linux to the mount point.
```
# mount -o loop rhel-DVD.iso /media/rhel
```

To copy the ISO file’s repository data file and change permissions, enter:

# cp /media/rhel/media.repo /etc/yum.repos.d/rhel.repo
# chmod u+w /etc/yum.repos.d/rhel.repo

Edit the repository data file and add the baseurl directive.

[RHEL-BaseOS]
name=Red Hat Enterprise Linux BaseOS
mediaid=None
metadata_expire=-1
gpgcheck=0
cost=500
baseurl=file:///media/rhel/BaseOS/

[RHEL-AppStream]
name=Red Hat Enterprise Linux AppStream
mediaid=None
metadata_expire=-1
gpgcheck=0
cost=500
baseurl=file:///media/rhel/AppStream/

Verify that the repository has been configured.
```
# yum repolist
```
Create a directory to serve as the mount point for the ISO file of Satellite Server.
```
# mkdir /media/sat6
```
Mount the ISO image for Satellite Server to the mount point.
```
# mount -o loop sat6-DVD.iso /media/sat6
```

5.3. Installing the Satellite packages from the offline repositories

Use this procedure to install the Satellite packages from the offline repositories.

Procedure

Ensure the ISO images for Red Hat Enterprise Linux Server and Red Hat Satellite are mounted:
```
# findmnt -t iso9660
```

Import the Red Hat GPG keys:

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

Ensure the base operating system is up to date with the Binary DVD image:
```
# dnf upgrade
```
Change to the directory where the Satellite ISO is mounted:
```
# cd /media/sat6/
```
Run the installation script in the mounted directory:
```
# ./install_packages
```
If you have successfully installed the Satellite packages, the following message is displayed: Install is complete. Please run satellite-installer --scenario satellite.

5.4. Resolving package dependency errors

If there are package dependency errors during installation of Satellite Server packages, you can resolve the errors by downloading and installing packages from Red Hat Customer Portal. For more information about resolving dependency errors, see the KCS solution How can I use the yum output to solve yum dependency errors?.

If you have successfully installed the Satellite packages, skip this procedure.

Procedure

Go to the Red Hat Customer Portal and log in.
Click DOWNLOADS.
Click the product that contains the package that you want to download.
Ensure that you have the correct Product Variant, Version, and Architecture for your environment.
Click the Packages tab.
In the Search field, enter the name of the package.
Click the package.
From the Version list, select the version of the package.
At the bottom of the page, click Download Now.
Copy the package to the Satellite base operating system.
On Satellite Server, change to the directory where the package is located:
```
# cd /path-to-package/
```
Install the package locally:
```
# dnf install package_name
```
Change to the directory where the Satellite ISO is mounted:
```
# cd /media/sat6/
```
Verify that you have resolved the package dependency errors by installing Satellite Server packages. If there are further package dependency errors, repeat this procedure.
```
# ./install_packages
```
If you have successfully installed the Satellite packages, the following message is displayed: Install is complete. Please run satellite-installer --scenario satellite.

5.5. Configuring Satellite Server

Install Satellite Server using the satellite-installer installation script. Choose from one of the following methods:

Configuring Satellite installation. This method is performed by running the installation script with one or more command options. The command options override the corresponding default initial configuration options and are recorded in the Satellite answer file. You can run the script as often as needed to configure any necessary options.

5.5.1. Configuring Satellite installation

This initial configuration procedure creates an organization, location, user name, and password. After the initial configuration, you can create additional organizations and locations if required. The initial configuration also installs PostgreSQL databases on the same server.

The installation process can take tens of minutes to complete. If you are connecting remotely to the system, use a utility such as tmux that allows suspending and reattaching a communication session so that you can check the installation progress in case you become disconnected from the remote system. If you lose connection to the shell where the installation command is running, see the log at /var/log/foreman-installer/satellite.log to determine if the process completed successfully.

Considerations

Use the satellite-installer --scenario satellite --help command to display the most commonly used options and any default values.
Use the satellite-installer --scenario satellite --full-help command to display advanced options.
Specify a meaningful value for the option: --foreman-initial-organization. This can be your company name. An internal label that matches the value is also created and cannot be changed afterwards. If you do not specify a value, an organization called Default Organization with the label Default_Organization is created. You can rename the organization name but not the label.
By default, all configuration files configured by the installer are managed. When satellite-installer runs, it overwrites any manual changes to the managed files with the intended values. This means that running the installer on a broken system should restore it to working order, regardless of changes made. For more information on how to apply custom configuration on other services, see Applying Custom Configuration to Satellite.

Prerequisites

If you want to use an external PostgreSQL database for your Satellite Server, you must have a corresponding PostgreSQL access available, for example on a dedicated host. For more information, see Preparing Satellite for using external databases.

Procedure

Depending on what type of database you want to use on your Satellite deployment, do one of the following:

To install Satellite Server with the default local database, enter the following command with any additional options that you want to use:

# satellite-installer --scenario satellite \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password

To install Satellite Server with an external PostgreSQL server, enter the following command:

# satellite-installer --scenario satellite \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password \
--katello-candlepin-manage-db false \
--katello-candlepin-db-host postgres.example.com \
--katello-candlepin-db-name candlepin \
--katello-candlepin-db-user candlepin \
--katello-candlepin-db-password Candlepin_Password \
--foreman-proxy-content-pulpcore-manage-postgresql false \
--foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
--foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
--foreman-proxy-content-pulpcore-postgresql-user pulp \
--foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
--foreman-db-manage false \
--foreman-db-host postgres.example.com \
--foreman-db-database foreman \
--foreman-db-username foreman \
--foreman-db-password Foreman_Password>*

To also enable encrypted connections for these external databases, use the following command instead:

# satellite-installer --scenario satellite \
--foreman-initial-organization "My_Organization" \
--foreman-initial-location "My_Location" \
--foreman-initial-admin-username admin_user_name \
--foreman-initial-admin-password admin_password \
--katello-candlepin-manage-db false \
--katello-candlepin-db-host postgres.example.com \
--katello-candlepin-db-name candlepin \
--katello-candlepin-db-user candlepin \
--katello-candlepin-db-password Candlepin_Password \
--katello-candlepin-db-ssl true \
--katello-candlepin-db-ssl-ca My_CA_Certificate \
--katello-candlepin-db-ssl-verify true \
--foreman-proxy-content-pulpcore-manage-postgresql false \
--foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
--foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
--foreman-proxy-content-pulpcore-postgresql-user pulp \
--foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password \
--foreman-proxy-content-pulpcore-postgresql-ssl true \
--foreman-proxy-content-pulpcore-postgresql-ssl-root-ca My_CA_Certificate \
--foreman-db-manage false \
--foreman-db-host postgres.example.com \
--foreman-db-database foreman \
--foreman-db-username foreman \
--foreman-db-password Foreman_Password
--foreman-db-root-cert My_CA_Certificate \
--foreman-db-sslmode verify-full

The script displays its progress and writes logs to /var/log/foreman-installer/satellite.log.

Unmount the ISO images:

# umount /media/sat6
# umount /media/rhel

5.6. Disabling subscription connection

Disable subscription connection on disconnected Satellite Server to avoid connecting to the Red Hat Portal. This will also prevent you from refreshing the manifest and updating upstream entitlements.

Procedure

In the Satellite web UI, navigate to Administer > Settings.
Click the Content tab.
Set the Subscription Connection Enabled value to No.

CLI procedure

Enter the following command on Satellite Server:

$ hammer settings set --name subscription_connection_enabled --value false

5.7. Importing a Red Hat subscription manifest into Satellite Server

Use the following procedure to import a Red Hat subscription manifest into Satellite Server.

Note	Simple Content Access (SCA) is set on the organization, not the manifest. Importing a manifest does not change your organization’s Simple Content Access status.

Simple Content Access simplifies the subscription experience for administrators. For more information, see the Subscription Management Administration Guide for Red Hat Enterprise Linux on the Red Hat Customer Portal.

Prerequisites

Ensure you have a Red Hat subscription manifest exported from the Red Hat Customer Portal. You will use the same manifest in Configuring Satellite Server to synchronize content over a network. For more information, see Creating and managing manifests for a disconnected Satellite Server in Subscription Central.
Ensure that you disable subscription connection on your Satellite Server. For more information, see Disabling subscription connection.

Procedure

In the Satellite web UI, ensure the context is set to the organization you want to use.
In the Satellite web UI, navigate to Content > Subscriptions and click Manage Manifest.
In the Manage Manifest window, click Choose File.
Navigate to the location that contains the Red Hat subscription manifest file, then click Open.

CLI procedure

Copy the Red Hat subscription manifest file from your local machine to Satellite Server:
```
$ scp ~/manifest_file.zip root@satellite.example.com:~/.
```
Log in to Satellite Server as the root user and import the Red Hat subscription manifest file:
```
$ hammer subscription upload \
--file ~/manifest_file.zip \
--organization "My_Organization"
```

You can now enable repositories and import Red Hat content. For more information, see Importing Content in Managing content.

6. Performing Additional Configuration on Satellite Server

6.1. Installing and configuring Red Hat Lightspeed in Satellite

Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services, and configuration settings. When you install Red Hat Lightspeed in Satellite locally, you can generate Red Hat Lightspeed recommendations without sending system data to Red Hat services.

Important

With Red Hat Lightspeed in Satellite enabled, you cannot use the hosted Red Hat Lightspeed services for hosts registered to your Satellite. Enabling Red Hat Lightspeed in Satellite prevents you from using any Red Hat Hybrid Cloud Console services on hosts registered to Satellite.
If you install Satellite with external databases, you cannot enable Red Hat Lightspeed in Satellite. Enabling Red Hat Lightspeed in Satellite prevents you from using external databases.

6.1.1. Installing Red Hat Lightspeed in Satellite with the Satellite ISO image

You can use the Satellite installation ISO image to access the required container content.

Prerequisites

Ensure that skopeo is installed. For more information, see Getting container tools in Red Hat Enterprise Linux 9 Building, running, and managing containers.

Procedure

Download and mount the Satellite ISO image: For more information, see Installing the Satellite packages from the offline repositories.
Set up the local repositories for disconnected environments. For more information, see Installing the Satellite packages from the offline repositories.
Set up containers on your Satellite Server:
```
# /media/sat6/setup_containers
```
Enable the plugin:
```
# satellite-installer --enable-iop
```
Download and populate the Common Vulnerabilities and Exposures (CVE) mapping file:
```
$ curl -o cvemap.xml https://security.access.redhat.com/data/meta/v1/cvemap.xml
```
Transfer the cvemap.xml file to your disconnected Satellite Server.
Copy the file to /var/lib/foreman/:
```
# cp cvemap.xml /var/lib/foreman/
```
Satellite detects the file and automatically publishes it to /var/www/html/pub/iop/data/meta/v1/cvemap.xml.

6.1.2. Installing Red Hat Lightspeed in Satellite by using export and import

You can transfer the container images from a connected system to a disconnected Satellite Server.

Prerequisites

The container images are downloaded on a connected system.
Ensure that skopeo is installed. For more information, see Getting container tools in Red Hat Enterprise Linux 9 Building, running, and managing containers.
You have prepared a disconnected Satellite Server.

Procedure

On the connected system, log in to the container registry:

$ skopeo login --username My_Username --password My_Password registry.redhat.io

Export the container images. Save the following script to a file and execute it on the connected system:

#!/bin/bash

images=(
  "satellite/iop-ingress-rhel9:6.18"
  "satellite/iop-advisor-frontend-rhel9:6.18"
  "satellite/iop-host-inventory-rhel9:6.18"
  "satellite/iop-vmaas-rhel9:6.18"
  "satellite/iop-remediations-rhel9:6.18"
  "satellite/iop-vulnerability-frontend-rhel9:6.18"
  "satellite/iop-host-inventory-frontend-rhel9:6.18"
  "satellite/iop-advisor-backend-rhel9:6.18"
  "satellite/iop-puptoo-rhel9:6.18"
  "satellite/iop-yuptoo-rhel9:6.18"
  "satellite/iop-insights-engine-rhel9:6.18"
  "satellite/iop-vulnerability-engine-rhel9:6.18"
  "satellite/iop-gateway-rhel9:6.18"
  "amq-streams/kafka-39-rhel9:2.9.1-1"
)

for image in "${images[@]}"; do
  name=$(basename "${image}" | cut -d: -f1)
  image_url="registry.redhat.io/${image}"
  echo "Processing ${image}..."
  # Pull the image
  skopeo copy docker://${image_url} containers-storage:${image_url}
  # Copy image to archive
  skopeo copy containers-storage:${image_url} oci-archive:/tmp/${name}.tar
done

Transfer the archive files to the disconnected Satellite Server. Place the archive files in the /tmp directory.

On the disconnected Satellite Server, import the container images. Save the following script to a file and execute it on the disconnected Satellite Server:

#!/bin/bash

images=(
  "satellite/iop-ingress-rhel9:6.18"
  "satellite/iop-advisor-frontend-rhel9:6.18"
  "satellite/iop-host-inventory-rhel9:6.18"
  "satellite/iop-vmaas-rhel9:6.18"
  "satellite/iop-remediations-rhel9:6.18"
  "satellite/iop-vulnerability-frontend-rhel9:6.18"
  "satellite/iop-host-inventory-frontend-rhel9:6.18"
  "satellite/iop-advisor-backend-rhel9:6.18"
  "satellite/iop-puptoo-rhel9:6.18"
  "satellite/iop-yuptoo-rhel9:6.18"
  "satellite/iop-insights-engine-rhel9:6.18"
  "satellite/iop-vulnerability-engine-rhel9:6.18"
  "satellite/iop-gateway-rhel9:6.18"
  "amq-streams/kafka-39-rhel9:2.9.1-1"
)

for image in "${images[@]}"; do
  name=$(basename "${image}" | cut -d: -f1)
  image_url="registry.redhat.io/${image}"
  echo "Processing ${image}..."
  # Import the image
  skopeo copy oci-archive:/tmp/${name}.tar containers-storage:${image_url}
done

Enable the Red Hat Lightspeed in Satellite plugin:
```
# satellite-installer --enable-iop
```

6.2. Configuring Satellite Server to consume content from a custom CDN

If you have an internal Content Delivery Network (CDN) or serve content on an accessible web server, you can configure your Satellite Server to consume Red Hat repositories from this CDN server instead of the Red Hat CDN. A CDN server can be any web server that mirrors repositories in the same directory structure as the Red Hat CDN.

You can configure the source of content for each organization. Satellite recognizes automatically which Red Hat repositories from the subscription manifest in your organization are available on your CDN server.

Prerequisites

You have a CDN server that provides Red Hat content and is accessible by Satellite Server.
If your CDN server uses HTTPS, ensure you have uploaded the SSL certificate into Satellite. For more information, see Importing Custom SSL Certificates in Managing content.
You have uploaded a manifest to your organization.

Procedure

In the Satellite web UI, navigate to Content > Subscriptions.
Click Manage Manifest.
Select the CDN Configuration tab.
Select the Custom CDN tab.
In the URL field, enter the URL of your CDN server from which you want Satellite Server to consume Red Hat repositories.
Optional: In the SSL CA Content Credential, select the SSL certificate of the CDN server.
Click Update.
You can now enable Red Hat repositories consumed from your internal CDN server.

CLI procedure

Connect to your Satellite Server using SSH.

Set CDN configuration to your custom CDN server:

$ hammer organization configure-cdn --name="My_Organization" \
--type=custom_cdn \
--url https://my-cdn.example.com \
--ssl-ca-credential-id "My_CDN_CA_Cert_ID"

Additional resources

Content Delivery Network Structure in Overview, concepts, and deployment considerations

6.3. Configuring Inter-Satellite Synchronization (ISS)

Configure Inter-Satellite Synchronization on your disconnected Satellite Server to provide content in your disconnected network.

6.3.1. Configuring Satellite Server to synchronize content by using exports

If you deployed your downstream Satellite Server as air gapped, configure your Satellite Server as such to avoid attempts to consume content from a network.

Procedure

In the Satellite web UI, navigate to Content > Subscriptions.
Click Manage Manifest.
Switch to the CDN Configuration tab.
Select the Export Sync tab.
Click Update.

CLI procedure

Set CDN configuration to sync by using exports:

$ hammer organization configure-cdn --name="My_Organization" --type=export_sync

Additional resources

For more information, see Content synchronization by using export and import in Managing content.

6.3.2. Configuring Satellite Server to synchronize content over a network

Configure a downstream Satellite Server to synchronize repositories from a connected upstream Satellite Server over HTTPS.

Prerequisites

A network connection exists between the upstream Satellite Server and the downstream Satellite Server.
You imported the same subscription manifest on both the upstream and downstream Satellite Server. For more information, see Importing a Red Hat subscription manifest into Satellite Server.
On the upstream Satellite Server, you enabled the required repositories for the organization. For more information, see Enabling Red Hat Repositories in Managing content.
The upstream user is an admin or has the following permissions:
- view_organizations
- view_products
- export_content
- view_lifecycle_environments
- view_content_views
On the downstream Satellite Server, you have imported the SSL certificate of the upstream Satellite Server using the contents of http://upstream-satellite.example.com/pub/katello-server-ca.crt. For more information, see Importing SSL Certificates in Managing content.
The downstream user is an admin or has the permissions to create product repositories and organizations.

Procedure

Navigate to Content > Subscriptions.
Click Manage Manifest.
Navigate to the CDN Configuration tab.
Select the Network Sync tab.
In the URL field, enter the address of the upstream Satellite Server.
In the Username, enter your username for upstream login.
In the Password, enter your password or personal access token for upstream login.
In the Organization label field, enter the label of the upstream organization.
Optional: In the Lifecycle Environment Label field, enter the label of the upstream lifecycle environment. Default is Library.
Optional: In the Content view label field, enter the label of the upstream content view. Default is Default_Organization_View.
From the SSL CA Content Credential menu, select a CA certificate used by the upstream Satellite Server.
Click Update.
In the Satellite web UI, navigate to Content > Products.
Select the product that contains the repositories that you want to synchronize.
From the Select Action menu, select Sync Now to synchronize all repositories within the product.

You can also create a synchronization plan to ensure updates on a regular basis. For more information, see Creating a Synchronization Plan in Managing content.

CLI procedure

Connect to your downstream Satellite Server using SSH.

View information about the upstream CA certificate:

$ hammer content-credential show \
--name="My_Upstream_CA_Cert" \
--organization="My_Downstream_Organization"

Note the ID of the CA certificate for the next step.

Set CDN configuration to an upstream Satellite Server:

$ hammer organization configure-cdn --name="My_Downstream_Organization" \
--type=network_sync \
--url https://upstream-satellite.example.com \
--username upstream_username --password upstream_password \
--ssl-ca-credential-id "My_Upstream_CA_Cert_ID" \
--upstream-organization-label="_My_Upstream_Organization" \
[--upstream-lifecycle-environment-label="My_Lifecycle_Environment"] \
[--upstream-content-view-label="My_Content_View"]

The default lifecycle environment label is Library. The default content view label is Default_Organization_View.

6.4. Configuring pull-based transport for remote execution

By default, remote execution uses push-based SSH as the transport mechanism for the Script provider. If your infrastructure prohibits outgoing connections from Satellite Server to hosts, you can use remote execution with pull-based transport instead, because the host initiates the connection to Satellite Server. The use of pull-based transport is not limited to those infrastructures.

The pull-based transport comprises pull-mqtt mode on Capsules in combination with a pull client running on hosts.

Note	The `pull-mqtt` mode works only with the Script provider. Ansible and other providers will continue to use their default transport settings.

Procedure

Enable the pull-based transport on your Satellite Server:

# satellite-installer --foreman-proxy-plugin-remote-execution-script-mode pull-mqtt

Configure the firewall to allow the MQTT service on port 1883:
```
# firewall-cmd --add-service=mqtt
```
Make the changes persistent:
```
# firewall-cmd --runtime-to-permanent
```
In pull-mqtt mode, hosts subscribe for job notifications to either your Satellite Server or any Capsule Server through which they are registered. Ensure that Satellite Server sends remote execution jobs to that same Satellite Server or Capsule Server:
```
$ hammer settings set \
--name remote_execution_prefer_registered_through_proxy \
--value true
```

Next steps

Configure your hosts for the pull-based transport. For more information, see Transport modes for remote execution in Managing hosts.

6.5. Enabling power management on hosts

To perform power management tasks on hosts using the intelligent platform management interface (IPMI) or a similar protocol, you must enable the baseboard management controller (BMC) module on Satellite Server.

Red Hat Satellite supports the following BMC providers:

freeipmi
ipmitool
redfish

Prerequisites

Your host has a network interface of the BMC type. Satellite Server uses this NIC to pass credentials to the host.

Procedure

Enable the BMC module and select the default provider:

# satellite-installer \
--foreman-proxy-bmc "true" \
--foreman-proxy-bmc-default-provider "freeipmi"

In the Satellite web UI, navigate to Infrastructure > Subnets.
Select the subnet of your host.
On the Capsules tab, select your Satellite Server as BMC Capsule.
Click Submit.

Next steps

Configure a BMC interface on your host. For more information, see Configuring a baseboard management controller (BMC) interface in Managing hosts.

6.6. Configuring Satellite Server for outgoing emails

To send email messages from Satellite Server, you can use an SMTP server or the sendmail command.

Important

The sendmail command is a deprecated feature. Deprecated functionality is still included in Satellite and continues to be supported. However, it will be removed in a future release of this product and is not recommended for new deployments.

Use the SMTP service on Satellite Server instead.

For the most recent list of major functionality that has been deprecated or removed within Satellite, refer to the Deprecated features section of the Satellite release notes.

Prerequisites

Some SMTP servers with anti-spam protection or greylisting features are known to cause problems. To set up outgoing email with such a service, install and configure an SMTP service on Satellite Server for relay or use the sendmail command.

Procedure

In the Satellite web UI, navigate to Administer > Settings.

Click the Email tab and set the configuration options to match your preferred delivery method. The changes have an immediate effect.

The following example shows the configuration options for using an SMTP server:

Table 2. Using an SMTP server as a delivery method
Name	Example value	Additional information
Delivery method	SMTP
SMTP address	smtp.example.com
SMTP authentication	login
SMTP HELO/EHLO domain	example.com
SMTP password	password	Use the login credentials for the SMTP server.
SMTP port	25
SMTP username	user@example.com	Use the login credentials for the SMTP server.

The following example uses gmail.com as an SMTP server:

Table 3. Using gmail.com as an SMTP server
Name	Example value	Additional information
Delivery method	SMTP
SMTP address	smtp.gmail.com
SMTP authentication	plain
SMTP HELO/EHLO domain	smtp.gmail.com
SMTP enable StartTLS auto	Yes
SMTP password	app password	Use the Google app password. For more information, see Sign in with app passwords in Google Help Center.
SMTP port	587
SMTP username	user@gmail.com	Use the Google account name.

The following example uses the sendmail command as a delivery method:

Table 4. Using sendmail as a delivery method
Name	Example value	Additional information
Delivery method	Sendmail
Sendmail location	/usr/sbin/sendmail	For security reasons, both Sendmail location and Sendmail argument settings are read-only and can be only set in `/etc/foreman/settings.yaml`. Both settings currently cannot be set via `satellite-installer`. For more information see the sendmail 1 man page.
Sendmail arguments	-i

To send email by using an SMTP server that uses TLS authentication, also perform one of the following steps:
- Mark the CA certificate of the SMTP server as trusted. To do so, execute the following commands on Satellite Server:
  # cp mailca.crt /etc/pki/ca-trust/source/anchors/ # update-ca-trust extract
  Where mailca.crt is the CA certificate of the SMTP server.
- Alternatively, in the Satellite web UI, set the SMTP enable StartTLS auto option to No.
Click Test email to send a test message to the user’s email address to confirm the configuration is working. If a message fails to send, the Satellite web UI displays an error. See the log at /var/log/foreman/production.log for further details.

Additional resources

For information on configuring email notifications for individual users or user groups, see Configuring Email Notification Preferences in Administering Red Hat Satellite.

6.7. Configuring Satellite to manage the lifecycle of a host registered to a Identity Management realm

As well as providing access to Satellite Server, hosts provisioned with Satellite can also be integrated with Identity Management realms. Red Hat Satellite has a realm feature that automatically manages the lifecycle of any system registered to a realm or domain provider.

Use this section to configure Satellite Server or Capsule Server for Identity Management realm support, then add hosts to the Identity Management realm group.

Prerequisites

A deployed realm or domain provider such as Identity Management.

To install and configure Identity Management packages on Satellite Server or Capsule Server:

To use Identity Management for provisioned hosts, complete the following steps to install and configure Identity Management packages on Satellite Server or Capsule Server:

Install the ipa-client package on Satellite Server or Capsule Server:
```
# satellite-maintain packages install ipa-client
```
Configure the server as a Identity Management client:
```
# ipa-client-install
```
Create a realm proxy user, realm-capsule, and the relevant roles in Identity Management:
```
# foreman-prepare-realm admin realm-capsule
```
Note the principal name that returns and your Identity Management server configuration details because you require them for the following procedure.

To configure Satellite Server or Capsule Server for Identity Management realm support:

Complete the following procedure on Satellite and every Capsule that you want to use:

Copy the /root/freeipa.keytab file to any Capsule Server that you want to include in the same principal and realm:
```
# scp /root/freeipa.keytab root@capsule.example.com:/etc/foreman-proxy/freeipa.keytab
```
On your Satellite Server, move the /root/freeipa.keytab file to the /etc/foreman-proxy directory:
```
# mv /root/freeipa.keytab /etc/foreman-proxy
```
On your Satellite Server and Capsule Servers, set ownership to the foreman-proxy user and group:
```
# chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
```
Enter the following command on all Capsules that you want to include in the realm. If you use the integrated Capsule on Satellite, enter this command on Satellite Server:
```
# satellite-installer --foreman-proxy-realm true \
--foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
--foreman-proxy-realm-principal realm-capsule@EXAMPLE.COM \
--foreman-proxy-realm-provider freeipa
```
You can also use these options when you first configure the Satellite Server.
Ensure that the most updated versions of the ca-certificates package is installed and trust the Identity Management Certificate Authority:
```
# cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
# update-ca-trust extract
```
Optional: If you configure Identity Management on an existing Satellite Server or Capsule Server, complete the following steps to ensure that the configuration changes take effect:
1. Restart the foreman-proxy service:
  # systemctl restart foreman-proxy
2. In the Satellite web UI, navigate to Infrastructure > Capsules.
3. Locate the Capsule you have configured for Identity Management and from the list in the Actions column, select Refresh.

To create a realm for the Identity Management-enabled Capsule

After you configure your Capsule with Identity Management, you must create a realm and add the Identity Management-configured Capsule to the realm.

Procedure

In the Satellite web UI, navigate to Infrastructure > Realms and click Create Realm.
In the Name field, enter a name for the realm.
From the Realm Type list, select the type of realm.
From the Realm Capsule list, select Capsule Server where you have configured Identity Management.
Click the Locations tab and from the Locations list, select the location where you want to add the new realm.
Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.
Click Submit.

Updating host groups with realm information

You must update any host groups that you want to use with the new realm information.

In the Satellite web UI, navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.
From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding hosts to a Identity Management host group

Identity Management supports the ability to set up automatic membership rules based on a system’s attributes. Red Hat Satellite’s realm feature provides administrators with the ability to map the Red Hat Satellite host groups to the Identity Management parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the Identity Management server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".

Satellite Server or Capsule Server sends updates to the Identity Management server, however automembership rules are only applied at initial registration.

To add hosts to a Identity Management host group:

On the Identity Management server, create a host group:

# ipa hostgroup-add hostgroup_name --desc=hostgroup_description

Create an automembership rule:
```
# ipa automember-add --type=hostgroup hostgroup_name automember_rule
```
Where you can use the following options:
- automember-add flags the group as an automember group.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- automember_rule adds the name you want to identify the automember rule by.
Define an automembership condition based on the userclass attribute:
```
# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
----------------------------------
Added condition(s) to "hostgroup_name"
----------------------------------
Automember Rule: automember_rule
Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------
```
Where you can use the following options:
- automember-add-condition adds regular expression conditions to identify group members.
- --key=userclass specifies the key attribute as userclass.
- --type=hostgroup identifies that the target group is a host group, not a user group.
- --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.
- hostgroup_name – identifies the target host group’s name.

When a system is added to Satellite Server’s hostgroup_name host group, it is added automatically to the Identity Management server’s "hostgroup_name" host group. Identity Management host groups allow for Host-Based Access Controls (HBAC), sudo policies and other Identity Management functions.

6.8. Configuring Satellite Server with a custom SSL certificate

By default, Red Hat Satellite uses a self-signed SSL certificate to enable encrypted communications between Satellite Server, Capsule Servers, and all hosts. If you cannot use a Satellite self-signed certificate, you can configure Satellite Server to use an SSL certificate signed by an external certificate authority (CA).

When you configure Red Hat Satellite with custom SSL certificates, you must fulfill the following requirements:

You must use the privacy-enhanced mail (PEM) encoding for the SSL certificates.
You must not use the same SSL certificate for both Satellite Server and Capsule Server.
The same CA must sign certificates for Satellite Server and Capsule Server.
An SSL certificate must not also be a CA certificate.
An SSL certificate must include a subject alt name (SAN) entry that matches the common name (CN).
An SSL certificate must be allowed for Key Encipherment using a Key Usage extension.
An SSL certificate must not have a shortname as the CN.
You must not set a passphrase for the private key.

To configure your Satellite Server with a custom certificate, complete the following procedures:

Creating a custom SSL certificate for Satellite Server
Deploying a custom SSL certificate to Satellite Server
Deploying a custom SSL certificate to hosts
If you have Capsule Servers registered to Satellite Server, configure them with custom SSL certificates. For more information, see Configuring Capsule Server with a Custom SSL Certificate in Installing Capsule Server.

6.8.1. Creating a custom SSL certificate for Satellite Server

Use this procedure to create a custom SSL certificate for Satellite Server. If you already have a custom SSL certificate for Satellite Server, skip this procedure.

Procedure

To store all the source certificate files, create a directory that is accessible only to the root user:
```
# mkdir /root/satellite_cert
```
Create a private key with which to sign the certificate signing request (CSR).

Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

If you already have a private key for this Satellite Server, skip this step.
```
# openssl genrsa -out /root/satellite_cert/satellite_cert_key.pem 4096
```

Create the /root/satellite_cert/openssl.cnf configuration file for the CSR and include the following content:

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = satellite.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = satellite.example.com

For more information about the [ v3_req ] parameters and their purpose, see RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the [ req_distinguished_name ] section:
```
[req_distinguished_name]
CN = satellite.example.com
countryName = My_Country_Name
stateOrProvinceName = My_State_Or_Province_Name
localityName = My_Locality_Name
organizationName = My_Organization_Or_Company_Name
organizationalUnitName = My_Organizational_Unit_Name
```
The options used in the configuration file include the following:

countryName

The country represented by a two-letter code

stateOrProvinceName

Full name of the state or province

localityName

Full name of the locality (example: New York)

organizationalUnitName

Division responsible for the certificate (example: IT department)
Generate CSR:
```
# openssl req -new \
-key /root/satellite_cert/satellite_cert_key.pem \
-config /root/satellite_cert/openssl.cnf \
-out /root/satellite_cert/satellite_cert_csr.pem
```
The options used in the configuration file include the following:

-key

Path to the private key

-config

Path to the configuration file

-out

Path to the CSR to generate
Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.

When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.

6.8.2. Deploying a custom SSL certificate to Satellite Server

Use this procedure to configure your Satellite Server to use a custom SSL certificate signed by a Certificate Authority.

Important

Do not store the SSL certificates or .tar bundles in /tmp or /var/tmp directory. The operating system removes files from these directories periodically. As a result, satellite-installer fails to execute while enabling features or upgrading Satellite Server.

Procedure

Update certificates on your Satellite Server:

# satellite-installer \
--certs-server-cert "/root/satellite_cert/satellite_cert.pem" \ (1)
--certs-server-key "/root/satellite_cert/satellite_cert_key.pem" \ (2)
--certs-server-ca-cert "/root/satellite_cert/ca_cert_bundle.pem" \ (3)
--certs-update-server --certs-update-server-ca

Path to Satellite Server certificate file that is signed by a Certificate Authority.
Path to the private key that was used to sign Satellite Server certificate.
Path to the Certificate Authority bundle.

Verification

On a computer with network access to Satellite Server, navigate to the following URL: https://satellite.example.com.
In your browser, view the certificate details to verify the deployed certificate.

6.8.3. Deploying a custom SSL certificate to hosts

After you configure Satellite to use a custom SSL certificate, you must deploy the certificate to hosts registered to Satellite.

Procedure

Update the SSL certificate on each host:

# dnf install http://satellite.example.com/pub/katello-ca-consumer-latest.noarch.rpm

Appendix A: Restoring manual changes overwritten by a Puppet run

If your manual configuration has been overwritten by a Puppet run, you can restore the files to the previous state.

For example, when you install and configure Satellite for the first time by using satellite-installer, you can use the --foreman-proxy-dns-managed false and --foreman-proxy-dhcp-managed false options to specify that the DNS and DHCP configuration files are not to be managed by Puppet. If you do not use these options during the initial satellite-installer run, rerunning satellite-installer overwrites all manual changes. The following example shows you how to restore a DHCP configuration file overwritten by a Puppet run.

Procedure

Copy the file you intend to restore. This allows you to compare the files to check for any mandatory changes required by the upgrade. This is not common for DNS or DHCP services.
```
# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.backup
```

Check the log files to note down the md5sum of the overwritten file. For example:

# journalctl -xe
...
/Stage[main]/Dhcp/File[/etc/dhcp/dhcpd.conf]: Filebucketed /etc/dhcp/dhcpd.conf to puppet with sum 622d9820b8e764ab124367c68f5fa3a1
...

Restore the overwritten file:

# puppet filebucket restore --local --bucket \
/var/lib/puppet/clientbucket /etc/dhcp/dhcpd.conf \ 622d9820b8e764ab124367c68f5fa3a1

Compare the backup file and the restored file, and edit the restored file to include any mandatory changes required by the upgrade.

Appendix B: Reverting Satellite Server to download content from Red Hat CDN

If your environment changes from disconnected to connected, you can reconfigure a disconnected Satellite Server to download content directly from the Red Hat CDN.

Procedure

In the Satellite web UI, navigate to Content > Subscriptions.
Click Manage Manifest.
Switch to the CDN Configuration tab.
Select Red Hat CDN.
Edit the URL field to point to the Red Hat CDN URL:

https://cdn.redhat.com
Click Update.

Satellite Server is now configured to download content from the Red Hat CDN the next time that it synchronizes repositories.

CLI procedure

Use Hammer to reconfigure the CDN:

$ hammer organization configure-cdn --name="My_Organization" --type=redhat_cdn