Chapter 1 Installing and Upgrading Oracle Linux Manager Servers

This chapter describes how to install and upgrade Oracle Linux Manager servers.

For information about the types of support that Oracle provides for Oracle Linux Manager 2.10, refer to the About Oracle Linux Manager Server and Client Support section of the Oracle® Linux Manager: Release Notes.

1.1 Oracle Linux Manager Server Requirements

As the primary component of the setup, the Oracle Linux Manager server must meet several sets of requirements so that it can efficiently manage the client systems that are registered to it.

1.1.1 Oracle Linux Requirements

Complete the following requirements for the designated Oracle Linux Manager server:

  • Install Oracle Linux 7 by using either the Minimal or Basic Server profile.

  • Before installing Oracle Linux Manager, remove the jta package which prevents Oracle Linux Manager services from starting.

  • Use only those packages that are provided by Oracle from the Oracle Linux yum server at https://yum.oracle.com. No third-party package repositories are required.

  • Update your system with the latest packages from the Oracle Linux yum server.

  • Do not register an Oracle Linux Manager 2.10 server or client with ULN. Instead, register an Oracle Linux Manager 2.10 server as a client of itself to receive updates.

1.1.2 Memory Requirements

An Oracle Linux Manager server should have a minimum of 8 GB of memory. If the server also runs the database that stores the Oracle Linux Manager repository, this memory requirement is in addition to what is required to run the database.

In large deployments where Oracle Linux Manager server services and maintains a large number of clients, custom channels, and so on, consider installing 16 GB of RAM. Increasing RAM improves performance in operations such as building repositories, which requires sizeable amounts of memory. See Memory Considerations When Building Repositories in Oracle® Linux Manager: Client Life Cycle Management Guide.

1.1.3 Storage Requirements

To preserve errata mapping, by default, Oracle Linux Manager maintains all of the available versions of available packages in each software channel that you configure. As a result, the storage requirements for an Oracle Linux Manager server can be significant, depending on the number of major versions and architectures that you choose to support. Typically, the Oracle Linux binary repositories require approximately 60 GB for each combination of Oracle Linux release and architecture. An extra 40 GB is required for source packages and 80 GB is required for Ksplice updates for each combination of Oracle Linux release and architecture.

With Oracle Linux Manager 2.10, you can reduce the storage requirements considerably by using the following command when synchronizing packages:

$ sudo spacewalk-repo-sync --latest

The server then synchronizes only the latest packages that are available at the time of synchronization. It does not remove older packages from the channel.

Caution

If the synchronization interval is large, you might miss a particular version of a package. Errata handling, which manages errata that are associated with specific package versions, would be affected. If errata consistency is important to you, Oracle recommends that you do not use the --latest option. However, using the option with a Ksplice channel is an exception because its packages are always cumulative.

Important

DO NOT use the --latest option when synchronizing module-enabled channels such as ol8_AppStream. The mechanism that underlies this option is not module-aware and if used, will skip required packages.

An Oracle Linux Manager server stores the packages that it hosts under the /var/satellite/redhat directory hierarchy. You should plan how to best configure the /var file system before installing Oracle Linux Manager. For example, if you set up /var as an ext4 or XFS file system by using Logical Volume Manager (LVM), you can expand the storage when required.

Packages are never removed from Oracle Linux repositories. Thus, the space that is required for each repository always increases. You should actively monitor the available disk space on the server.

1.1.4 Networking Requirements

The following are network requirements to install an Oracle Linux Manager server:

  • Static IP address

  • Correctly configured forward and reverse DNS host name, with the following specifications:

    Caution

    Noncompliance with these specifications for the server's host name can cause Oracle Linux Manager to fail in proxy communications, inter-server synchronization (ISS), certificate validation, and other areas of operation.

    • The host name of the server must not contain uppercase letters.

    • While the /etc/hostname file contains the short name of the host, the /etc/hosts file must specify the host's FQDN, as shown in the last line of the following example:

      $ cat /etc/hostname
      olmsvr
      
      $ cat /etc/hosts
      127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
      ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
      192.168.1.3 olmsvr.mydom.com olmsvr
      

      Note that Oracle Linux Manager does not consider .local and .localdomain to be valid domain names.

  • Port numbers

    The following table describes the network ports that an Oracle Linux Manager server uses, depending on its configuration.

    Port/Protocol   Direction              Purpose
    69/udp          Inbound                TFTP (if PXE provisioning support is required)
    80/tcp          Inbound and outbound   HTTP access
    443/tcp         Inbound and outbound   HTTPS access
    5222/tcp        Inbound                Push support to Oracle Linux Manager clients (if required)
    5269/tcp        Inbound                Push support to Oracle Linux Manager proxies (if required)

  • Configured network time synchronization

    Configure Oracle Linux Manager server, proxies, and clients to use a network time synchronization mechanism such as the Network Time Protocol (NTP) or the Precision Time Protocol (PTP). To establish a Secure Socket Layer (SSL) based connection, Oracle Linux Manager requires that the system times on server and client systems be consistent to within 120 seconds.

    For more information, see Configuring Network Time in Oracle® Linux 7: Setting Up Networking.
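
The host name specifications in this section can be checked with a short script before installation. This is an added example, not part of the Oracle documentation; the function name check_olm_hostname and its file arguments are assumptions, and the sample files are constructed from the example above.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. check_olm_hostname and its
# arguments are hypothetical names chosen for this illustration.
#
# Usage: check_olm_hostname [hostname_file] [hosts_file]
# Prints one FAIL line per violated specification; returns 0 when compliant.
check_olm_hostname() {
    hostname_file=${1:-/etc/hostname}
    hosts_file=${2:-/etc/hosts}
    rc=0

    # /etc/hostname holds the short name: first non-empty line, trimmed.
    short=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        "$hostname_file" | head -n 1)
    if [ -z "$short" ]; then
        echo "FAIL: no host name found in $hostname_file"
        return 1
    fi

    # The host name must not contain uppercase letters.
    if printf '%s\n' "$short" | grep -q '[[:upper:]]'; then
        echo "FAIL: host name '$short' contains uppercase letters"
        rc=1
    fi

    # /etc/hostname must contain the short name, not the FQDN.
    case $short in
        *.*) echo "FAIL: $hostname_file contains '$short', expected the short name"
             rc=1 ;;
    esac

    # /etc/hosts must specify the FQDN: find a name that starts with "<short>.".
    fqdn=$(awk -v s="$short" '
        { sub(/#.*/, "") }    # drop comments
        {
            for (i = 2; i <= NF; i++)
                if (index($i, s ".") == 1) { print $i; exit }
        }' "$hosts_file")
    if [ -z "$fqdn" ]; then
        echo "FAIL: $hosts_file has no FQDN entry for '$short'"
        return 1
    fi

    # .local and .localdomain are not considered valid domain names.
    case $fqdn in
        *.local|*.localdomain)
            echo "FAIL: '$fqdn' uses a .local or .localdomain domain"
            rc=1 ;;
    esac

    # The uppercase rule also applies to the domain part of the FQDN.
    if printf '%s\n' "$fqdn" | grep -q '[[:upper:]]'; then
        echo "FAIL: FQDN '$fqdn' contains uppercase letters"
        rc=1
    fi
    return $rc
}

# Constructed sample run that mirrors the example files in this section.
demo_dir=$(mktemp -d)
printf 'olmsvr\n' > "$demo_dir/hostname"
printf '192.168.1.3 olmsvr.mydom.com olmsvr\n' > "$demo_dir/hosts"
check_olm_hostname "$demo_dir/hostname" "$demo_dir/hosts" &&
    echo "host name configuration is compliant"
rm -rf "$demo_dir"
```

On a server, run check_olm_hostname without arguments to check /etc/hostname and /etc/hosts.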

1.1.5 Database Requirements and Configuration Instructions

Oracle supports only Oracle Database for use with Oracle Linux Manager. Thus, while you can use PostgreSQL with the software, this setup is not covered by Oracle support. Additionally, Oracle does not provide any tools for migrating from an unsupported database.

In general, you should use supported Oracle databases when using Oracle Linux Manager 2.10. For specific supported versions, see Oracle Database Support in Oracle® Linux Manager: Release Notes.

For more information about Oracle licenses, see Oracle® Linux 7: Licensing Information User Manual.

Important

Providing comprehensive information about operating supported databases is outside the scope of this documentation. For any database operation such as installation, configuration, upgrade, and other related tasks, consult your Oracle Database administrator and the Oracle Database documentation at https://docs.oracle.com/en/database/database.html.

1.1.5.1 Oracle Database Installation Requirements

Prior to installing Oracle Linux Manager server, you must install an Oracle Database server, make this server available, and ensure that it is operational.

You can download Oracle database software from Oracle at https://www.oracle.com/database/technologies/oracle-database-software-downloads.html.

The following database installation requirements apply to Oracle Linux Manager server installations:

  • For fresh installations of the server, use Oracle Database 19c or Oracle Database 12c.

  • For upgrades to the server, Oracle strongly suggests that you use Oracle Database 19c.

1.1.5.2 Database Sizing Requirements

When determining the amount of space Oracle Linux Manager database requires, be sure to include sizing estimates in your overall calculation for the following:

  • Number of client systems that will be served by the server (typically, 250 KiB per client system).

  • Number of channels allocated to each client system (about 500 KiB per channel).

  • Number of packages that each channel will contain (approximately 230 KiB per package in the channel. A channel with 5000 packages would require 1.1 GiB).

For example, if you have a large Oracle Linux Manager server that is serving 10,000 systems, and each system has four channels containing 12,000 packages per channel, then 2.5 GiB would be required for the clients, and 11 GiB would be required for the channels.

1.1.5.3 Oracle Database Configuration

The following are general guidelines for configuring Oracle Database. You can perform these steps during or after the database installation. Always consult with your Oracle database administrator for matters related to installing or configuring the database for your particular environment.

  • The database must use the AL32UTF8 character set that supports Unicode.

  • The database must have an Oracle Linux Manager user.

    For every Oracle Linux Manager server that shares the same database server, you must create a separate Oracle Linux Manager user.

  • The Oracle Linux Manager user must be assigned the CONNECT and RESOURCE roles.

  • The Oracle Linux Manager user must have the following system privileges:

    • ALTER SESSION

    • CREATE SYNONYM

    • CREATE TABLE

    • CREATE TRIGGER

    • CREATE VIEW

    • UNLIMITED TABLESPACE

Creating an Oracle Linux Manager User on an On-Premise Database

The steps to follow depend on whether you connect to the container database first or directly to the pluggable database.

For all cases, you must log in to your Oracle account first before performing these steps.

  • If you are connecting to the container database first, choose one of the following methods:

    • Running the ALTER SESSION command before creating the user

      1. Log in to the container database as a database administrator (typically, SYS or SYSDBA).

        $ cd $ORACLE_HOME/bin
        $ sqlplus / as SYSDBA
      2. Type the following command:

        SQL> ALTER SESSION SET CONTAINER = DEVPDB;
      3. For each Oracle Linux Manager user that you need to set up, run the following commands:

        SQL> create user olm_user identified by olm_passwd;
        SQL> grant connect,resource to olm_user;
        SQL> grant alter session, create synonym, create table, create trigger, create view to olm_user; 
        SQL> grant unlimited tablespace to olm_user; 
    • Creating the user directly

      1. Log in to the container database as a database administrator (typically, SYS or SYSDBA).

        $ cd $ORACLE_HOME/bin
        $ sqlplus / as SYSDBA
      2. For each Oracle Linux Manager user that you need to set up, run the following commands:

        Important

        Make sure to use the required c## prefix for the user name.

        SQL> create user c##olm_user identified by olm_passwd;
        SQL> grant connect,resource to c##olm_user;
        SQL> grant alter session, create synonym, create table, create trigger, create view to c##olm_user; 
        SQL> grant unlimited tablespace to c##olm_user; 
  • If you are connecting directly to the pluggable database:

    1. Log in to the PDB as a database administrator (typically, SYS or SYSDBA).

      $ cd $ORACLE_HOME/bin
      $ sqlplus / as SYSDBA
    2. For each Oracle Linux Manager user that you need to set up, run the following commands:

      SQL> create user olm_user identified by olm_passwd;
      SQL> grant connect,resource to olm_user;
      SQL> grant alter session, create synonym, create table, create trigger, create view to olm_user; 
      SQL> grant unlimited tablespace to olm_user; 

1.2 Installing Oracle Linux Manager Server

Follow these steps to install Oracle Linux Manager server software:

  1. Ensure that the Oracle Database is running.

    See Section 1.1.5.1, “Oracle Database Installation Requirements”.

  2. Install Oracle Instant Client.

    1. Download the latest 18.5 release of the following Instant Client RPM packages.

      • Instant Client Package (Basic)

      • Instant Client Package (SQL*Plus)

      The packages can be downloaded from https://www.oracle.com/database/technologies/instant-client.html.

    2. Install the Instant Client packages.

      $ sudo yum install oracle-instantclient18.5-basic-18.5.0.0.0-3.x86_64.rpm \
      oracle-instantclient18.5-sqlplus-18.5.0.0.0-3.x86_64.rpm
    3. Add the library path to ldconfig.

      $ echo "/usr/lib/oracle/18.5/client64/lib" | sudo tee /etc/ld.so.conf.d/oracle-instantclient18.5.conf 
      $ sudo ldconfig
  3. Ensure that the jta package is not installed.

    1. Remove the jta package if it is installed on the system.

      $ sudo yum list installed | grep jta  
      $ sudo yum remove jta
    2. To prevent any future accidental installation of the package, do one of the following:

      • Add the jta package to the exclude directive in the /etc/yum.conf file as follows:

        exclude=jta*
      • Disable the Oracle Linux 7 addons channel ([ol7_addons]).

        $ sudo yum-config-manager --disable ol7_addons
  4. Configure the system firewall.

    $ sudo firewall-cmd --permanent --add-port=69/udp
    $ sudo firewall-cmd --permanent --add-port=80/tcp
    $ sudo firewall-cmd --permanent --add-port=443/tcp
    $ sudo firewall-cmd --permanent --add-port=5222/tcp
    $ sudo firewall-cmd --permanent --add-port=5269/tcp
    $ sudo systemctl reload firewalld
  5. Install the latest oracle-release-el7 package.

    $ sudo yum install oracle-release-el7

    If your system is running an Oracle Linux release that is earlier than Oracle Linux 7 Update 7, run the following additional command to make the system use the modular yum repository configuration.

    $ sudo /usr/bin/ol_yum_configure.sh
  6. Install and enable the Oracle Linux Manager yum repository.

    $ sudo yum install oracle-linux-manager-server-release-el7
    $ sudo yum-config-manager --enable ol7_optional_latest
  7. Install the following packages for enabling Oracle Linux Manager server to use Oracle Database.

    $ sudo yum install spacewalk-oracle spacecmd spacewalk-utils

    Note

    As part of the Oracle Linux Manager installation process, all Oracle Linux yum server configuration and ULN configuration is disabled. After the installation, Oracle Linux Manager handles this configuration.

    If you need to re-enable yum repository configuration after an installation, but before you have configured any repositories in Oracle Linux Manager, you can temporarily rename any affected yum repository configuration files to enable them again, for example:

    $ sudo mv /etc/yum.repos.d/oracle-linux-ol7.repo.rpmsave \
    /etc/yum.repos.d/oracle-linux-ol7.repo

    Remember to disable the yum repository configuration files again after you have configured repositories within Oracle Linux Manager.

  8. Configure Oracle Linux Manager to use the Oracle Database.

    $ sudo spacewalk-setup --external-oracle

    The command initiates an interactive session that prompts you for information about your current database.

    Global Database Name or SID

    Name of the database when it was set up. If necessary, inquire with your database administrator for the information.

    Database hostname [localhost]

    FQDN of the database system if that system is separate from Oracle Linux Manager server. Otherwise, this prompt is skipped.

    Username and Password

    Credentials of the database Oracle Linux Manager user.

    Caution

    The user name you specify must match the name you previously created when following the steps in Section 1.1.5.3, “Oracle Database Configuration”. For example, if the name has the c## prefix, that name must also be specified here.

    Admin Email Address

    Email address of the Oracle Linux Manager administrator.

    Organization

    Name of your Oracle Linux Manager organization.

    Organization Unit

    Oracle Linux Manager server's FQDN.

    Email address

    Email address of person managing the certificates, if different from the Admin Email Address.

    Location prompts

    Information identifying the location of Oracle Linux Manager server.

    The following is an example of the interactive session:

    $ sudo spacewalk-setup --external-oracle
    * Setting up SELinux..
    * Setting up Oracle environment.
    * Setting up database.
    ** Database: Setting up database connection for Oracle backend.
    Global Database Name or SID (requires tnsnames.ora)? company.mydom.com
    Database hostname [localhost]? olmmanager-db.mydom.com
    Username? olm_user
    Password? olm_passwd 
    ** Database: Testing database connection. 
    ** Database: Populating database. 
    *** Progress: ############################################################ 
    * Configuring tomcat.
    * Setting up users and groups.
    ** GPG: Initializing GPG and importing key.
    ** GPG: Creating /root/.gnupg directory
    You must enter an email address. 
    Admin Email Address? my.email@mydom.com
    * Performing initial configuration.
    ** Package installation: Locking required rpm versions. 
    * Configuring apache SSL virtual host. 
    Should setup configure apache's default ssl server for you
                                            (saves original ssl.conf) [Y]? y 
    ** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave 
    * Configuring jabberd.
    * Creating SSL certificates. 
    CA certificate password? cert_passwd
    Re-enter CA certificate password? cert_passwd
    Cname alias of the machine (comma separated)?
    Organization? Company Demo 
    Organization Unit [olmsvr.mydom.com]? olmsvr.mydom.com
    Email Address [your.email@domain.com]? my.email@mydom.com 
    City? Redwood Shores
    State? CA
    Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? US
    ** SSL: Generating CA certificate. 
    ** SSL: Deploying CA certificate. 
    ** SSL: Generating server certificate. 
    ** SSL: Storing SSL certificates. 
    * Deploying configuration files. 
    * Update configuration in database. 
    * Setting up Cobbler..
    Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality.
    Enable these services [Y]? y
    * Restarting services. 
    Installation complete. 
    Visit https://olmsvr.mydom.com to create the Oracle Linux Manager administrator account.
  9. Verify that Oracle Linux Manager services are running, as shown in the following sample output.

    $ sudo /usr/sbin/spacewalk-service status
    ● tomcat.service - Apache Tomcat Web Application Container
       Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2020-01-16 22:37:14 UTC; 18h ago
     Main PID: 29861 (java)
       CGroup: /system.slice/tomcat.service
               └─29861 /usr/lib/jvm/jre/bin/java -ea -Xms256m -Xmx256m -Djava.awt.headless=true 
    -Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser -
    ...
    
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2020-01-16 22:37:28 UTC; 18h ago
         Docs: man:httpd(8)
               man:apachectl(8)
     Main PID: 30034 (httpd)
       Status: "Total requests: 2504; Current requests/sec: 0; Current traffic:   0 B/sec"
       CGroup: /system.slice/httpd.service
               ├─30034 /usr/sbin/httpd -DFOREGROUND
               ├─30036 /usr/sbin/httpd -DFOREGROUND
               ...
    
    ● rhn-search.service - Oracle Linux Manager search engine
       Loaded: loaded (/usr/lib/systemd/system/rhn-search.service; enabled; vendor preset: disabled)
       Active: inactive (dead) since Thu 2020-01-16 22:37:32 UTC; 18h ago
      Process: 30181 ExecStop=/usr/sbin/rhn-search stop (code=exited, status=0/SUCCESS)
      Process: 30040 ExecStart=/usr/sbin/rhn-search start (code=exited, status=0/SUCCESS)
     Main PID: 30073 (code=exited, status=0/SUCCESS)
    
    ● cobblerd.service - Cobbler daemon
       Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2020-01-16 22:37:28 UTC; 18h ago
     Main PID: 30038 (cobblerd)
       CGroup: /system.slice/cobblerd.service
               └─30038 /usr/bin/python2 -s /usr/bin/cobblerd --no-daemonize
    ...
  10. At the completion of the installation, ensure that only the following repositories are enabled on the system:

    • UEKR5 or UEKR6

    • ol7_latest

    • ol7_optional_latest

    • ol7_oraclelinuxmanager210_client

    • ol7_oraclelinuxmanager210_server

    You can verify enabled repositories by running the following command:

    $ sudo yum repolist

1.3 Configuring a Newly Installed Oracle Linux Manager Server

Of the configuration tasks described in this section, configuring the initial organization and the Oracle Linux Manager administrator is mandatory. The other tasks are optional but recommended.

1.3.1 Creating the Initial Organization and Oracle Linux Manager Administrator Account

After completing the installation, you must create an initial organization and the main Oracle Linux Manager administrator account.

For more information about the concept of organization, see Oracle® Linux Manager: Concepts Guide.

  1. Open a browser and access Oracle Linux Manager server's URL, which is the server's FQDN, such as https://olmsvr.mydom.com.

  2. If prompted, select to trust the SSL certificate.

    The Create Organization page opens automatically.

  3. Enter the required values in the appropriate fields to create the organization and its administrator.

  4. Click Create Organization.

    The administrator you created is automatically logged in and the Overview page is displayed.

    Use the web interface to perform additional configuration tasks. For example, see Section 3.4, “Setting Up Primary-Worker Configurations With Oracle Linux Manager Web Interface” as well as Oracle® Linux Manager: Client Life Cycle Management Guide.

1.3.2 Replacing a Self-Signed SSL Certificate

You can use certificates for individual Oracle Linux Manager servers or proxies. Alternatively, you can also use wildcard certificates for all Oracle Linux Manager servers or proxies in the domains that the wildcard certificates cover.

The following procedure describes how to replace self-signed certificates or expired CA-signed certificates with certificates that have been signed by a Certificate Authority (CA).

  1. Create a backup of the system's existing SSL configuration.

    $ sudo tar -cvf SSLconfig.tar \
    /etc/httpd/conf/ssl.* \
    /etc/pki/spacewalk/jabberd/server.pem \
    /root/ssl-build \
    /var/www/html/pub
  2. Obtain a server certificate by using one of the following methods:

    • Obtain a server certificate from a CA and install this certificate in the SSL build hierarchy on the system:

      1. Send the Certificate Signing Request (CSR) file /root/ssl-build/olmsvr/server.csr to the CA, where olmsvr is the simple name, not the FQDN, of Oracle Linux Manager server or the proxy.

        After validating your request, the CA returns a signed server certificate file.

      2. Create a backup of the signed server certificate file.

      3. If necessary, convert the certificate to a Privacy Enhanced Mail (PEM) format.

        • If your certificate is DER-formatted, convert it to PEM format.

          $ sudo openssl x509 -inform der -text -in certificate_file
          Readable content
          $ sudo openssl x509 -inform der -in server.cer -out server.pem
        • If a PEM-formatted certificate is not generated from a Linux or UNIX based system, remove ^M characters that might exist in that certificate.

          $ sudo sed -i -e 's/\r//' server.pem

          As an alternative, you can also run the following command, provided you installed the dos2unix package:

          $ sudo dos2unix server.pem
      4. Copy the PEM-formatted server certificate file to /root/ssl-build/olmsvr/server.crt.

        $ sudo cp server.pem /root/ssl-build/olmsvr/server.crt

        This command overwrites the original file in that destination directory.

    • Obtain a server certificate using an external tool:

      1. Obtain both the private key and the signed certificate from the external tool in PEM format, then copy both to /root/ssl-build/olmsvr.

      2. If the private key has an existing password, replace that key as follows:

        $ sudo openssl rsa -in keyfilewithpasswd.key -out /root/ssl-build/olmsvr/server.key

        This step ensures that Oracle Linux Manager services can start unattended.

  3. Add the CA public certificate to the /root/ssl-build directory as the RHN-ORG-TRUSTED-SSL-CERT file by using one of the following methods:

    • If available, obtain the CA chain certificate from the CA that issued the server certificate. Copy this certificate file to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT:

      $ sudo cp ca_chain.pem /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    • If the CA chain certificate is not available from the issuing CA, create the CA chain certificate as follows:

      1. Obtain the root CA public certificate and the intermediate CA public certificates from the issuing CA.

      2. Concatenate the two certificates you just downloaded to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT.

        Use the following command exactly as shown:

        $ cat intermediate_ca.pem root_ca.pem | sudo tee /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT > /dev/null
        • intermediate_ca.pem: intermediate public certificate file of the CA that issued your server certificate

        • root_ca.pem: public certificate file of the root CA

        In the chain certificate, the intermediate certificate must precede the certificate of the root CA. The CA chain certificate does not work if its component certificates are not in the correct order.

        Note

        In the rare case where a root CA signed the server certificate directly, then only the root_ca.pem would be contained in the chain certificate:

        $ sudo cp root_ca.pem /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
  4. Validate the server certificate against the CA public certificate.

    $ sudo openssl verify -CAfile /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT \
    /root/ssl-build/olmsvr/server.crt
    /root/ssl-build/olmsvr/server.crt: OK

    If the command returns an error, verify that you correctly created RHN-ORG-TRUSTED-SSL-CERT and also verify that the date and time on the server are configured correctly.

  5. Store the CA public certificate in the Oracle Linux Manager database so that it is available for provisioning client systems.

    $ sudo rhn-ssl-dbstore -v --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    Public CA SSL certificate:  /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT

    If the command returns an error, run the command again, specifying a higher level of debugging, such as -vvv, to gather more information about the problem.

  6. Prepare the web server SSL package for installation:

    1. Generate the web server SSL package.

      $ sudo rhn-ssl-tool --gen-server --rpm-only --dir /root/ssl-build
      
      ...working...
      
      Generating web server's SSL key pair/set RPM:
          /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.src.rpm
          /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm
      
      The most current Oracle Linux Manager Proxy Server installation process against RHN hosted
      requires the upload of an SSL tar archive that contains the CA SSL public
      certificate and the web server's key set.
      
      Generating the web server's SSL key set and CA SSL public certificate archive:
          /root/ssl-build/olmsvr/rhn-org-httpd-ssl-archive-olmsvr-1.0-rev.tar
      
      Deploy the server's SSL key pair/set RPM:
          (NOTE: the Red Hat Satellite or Proxy installers may do this step for you.)
          The "noarch" RPM needs to be deployed to the machine working as a
          web server, or Red Hat Satellite, or Oracle Linux Manager Proxy.
          Presumably 'olmsvr.mydom.com'.
    2. (Optional) List the files that the packages install.

      $ sudo rpm -qlp /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.src.rpm
      rhn-org-httpd-ssl-key-pair-olmsvr-1.0.tar.gz
      rhn-org-httpd-ssl-key-pair-olmsvr.spec
      $ sudo rpm -qlp /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm
      /etc/httpd/conf/ssl.crt/server.crt
      /etc/httpd/conf/ssl.csr/server.csr
      /etc/httpd/conf/ssl.key/server.key
      /etc/pki/spacewalk/jabberd/server.pem
    3. Install the web server SSL noarch package.

      $ sudo yum install /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm
  7. Generate the public CA certificate package and make both the package and the CA public certificate file available to clients.

    1. Generate the public CA certificate package.

      $ sudo rhn-ssl-tool --gen-ca --dir=/root/ssl-build --rpm-only
      
      ...working...
      Generating CA public certificate RPM:
          /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.src.rpm
          /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
      
      Make the public CA certificate publicly available:
          (NOTE: the Red Hat Satellite or Proxy installers may do this step for you.)
          The "noarch" RPM and raw CA certificate can be made publicly accessible
          by copying it to the /var/www/html/pub directory of your Red Hat Satellite or
          Proxy server.
    2. (Optional) List the files that the packages install.

      $ sudo rpm -qlp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.src.rpm
      rhn-org-trusted-ssl-cert-1.0.tar.gz
      rhn-org-trusted-ssl-cert.spec
      $ sudo rpm -qlp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm 
      /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    3. If an Oracle Linux Manager server or proxy is also configured as a client, install the public CA certificate noarch package on this system.

      $ sudo yum install /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm

      The public CA certificate is installed as /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.

    4. Copy the rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm package and CA public certificate file to /var/www/html/pub for access by clients.

      $ sudo cp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm /var/www/html/pub
      $ sudo cp /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub
    5. Verify that the installed copies of RHN-ORG-TRUSTED-SSL-CERT are identical by comparing their digest values as follows:

      $ sudo sha1sum /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT \
      /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
      /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
      74380a372bfa55d8ab7579bf01502c874b8aae84  /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
      74380a372bfa55d8ab7579bf01502c874b8aae84  /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
      74380a372bfa55d8ab7579bf01502c874b8aae84  /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  8. On an Oracle Linux Manager server, stop Oracle Linux Manager services, clear the jabberd database, then restart the services.

    $ sudo /usr/sbin/spacewalk-service stop
    $ sudo rm -Rf /var/lib/jabberd/db/*
    $ sudo /usr/sbin/spacewalk-service start
  9. On Oracle Linux Manager proxies, restart the proxy services.

    $ sudo /usr/sbin/rhn-proxy restart
  10. On the remaining Oracle Linux Manager clients, download and install the public CA certificate package.

    $ sudo wget https://olmsvr.mydom.com/pub/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
    --2015-06-05 15:15:44--  https://olmsvr.mydom.com/pub/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
    Resolving olmsvr.mydom.com... 192.168.1.3
    Connecting to olmsvr.mydom.com|192.168.1.3|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 4840 (4.7K) [application/x-rpm]
    Saving to: “rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm”
    
    100%[======================================>] 4,840       --.-K/s   in 0s      
    
    2015-06-05 15:15:44 (57.5 MB/s) - “rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm” saved [4840/4840]
    
    $ sudo yum install /root/ssl-build/pub/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
    Note

    If you subsequently replace the server certificate because it is revoked or expired, you do not need to update the public CA certificate on the clients unless you change the CA that signs the server certificate.

1.3.3 Configuring a Web Proxy for an Oracle Linux Manager Server

If needed, configure the web proxy by using one of the following methods after you have installed Oracle Linux Manager:

  • Edit the /etc/rhn/rhn.conf file and configure the web proxy parameters as shown:

    server.satellite.http_proxy = webproxy.mydom.com:80
    server.satellite.http_proxy_username = proxy-username
    server.satellite.http_proxy_password = proxy-password
  • In the Oracle Linux Manager web interface, select the Admin tab, then Oracle Linux Manager Configuration, and enter the appropriate values in the HTTP proxy fields.

1.4 Upgrading to Oracle Linux Manager Server

This section provides information for upgrading a Spacewalk 2.7 server to Oracle Linux Manager 2.10.

Warning

If you are currently running earlier Spacewalk versions, such as Spacewalk 2.4 or Spacewalk 2.6, you must first upgrade to Spacewalk 2.7 before proceeding with the steps in this section. For instructions, see Upgrading a Spacewalk Server in Spacewalk for Oracle® Linux: Installation Guide for Release 2.7.

1.4.1 Preparing to Upgrade

You must use Oracle databases that are supported in Oracle Linux Manager. For a list of supported databases in Oracle Linux Manager 2.10, see Oracle Database Support in Oracle® Linux Manager: Release Notes.

Before you upgrade, check the following elements in their respective XML files:

  • <driver> in the /etc/jabberd/sm.xml file

  • <module> in the /etc/jabberd/c2s.xml file

If both elements in the two files specify sqlite, you can proceed to Section 1.4.2, “Performing the Upgrade”. If not, then complete the following steps:

  1. Stop the osa-dispatcher and jabberd services.

    $ sudo systemctl stop osa-dispatcher
    $ sudo systemctl stop jabberd
  2. Specify sqlite for the <driver> and <module> elements in the files as shown:

    • /etc/jabberd/sm.xml: <driver>sqlite</driver>.

    • /etc/jabberd/c2s.xml: <module>sqlite</module>.

  3. Create the SQLite database.

    $ sudo sqlite3 /var/lib/jabberd/db/sqlite.db < /usr/share/jabberd/db-setup.sqlite
    $ sudo chown jabber:jabber /var/lib/jabberd/db/sqlite.db
  4. Start the jabberd and osa-dispatcher services.

    $ sudo systemctl start jabberd
    $ sudo systemctl start osa-dispatcher
  5. Check /var/log/messages to ensure that SQLite is being used.

    $ sudo cat /var/log/messages | grep sqlite
       Feb 24 12:46:18 sw24 jabberd/sm[15196]: loading 'sqlite' storage module
       Feb 24 12:46:18 sw24 jabberd/sm[15196]: initialised storage driver 'sqlite'
       Feb 24 12:46:18 sw24 c2s: Fri Feb 24 12:46:18 2017 [info] loading 'sqlite' authreg module
       Feb 24 12:46:18 sw24 c2s: Fri Feb 24 12:46:18 2017 [notice] initialized auth module 'sqlite'
       Feb 24 12:46:18 sw24 jabberd/c2s[15199]: [sirius.lot209.com] configured; realm=, authreg=sqlite,
       registration enabled, using PEM:/etc/pki/spacewalk/jabberd/server.pem
  6. On client servers, make the osad service re-authenticate to jabberd.

    If you previously registered client servers on which you then installed the osad service, remove the osad-auth.conf file before restarting the service, as follows:

    $ sudo systemctl stop osad
    $ sudo rm -f /etc/sysconfig/rhn/osad-auth.conf
    $ sudo systemctl start osad
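
The check at the start of this section (whether <driver> in sm.xml and <module> in c2s.xml both specify sqlite) can be done with an XML parser instead of by eye. The following Python 3 script is an added example, not part of Oracle's documentation or tooling; the function names and the two sample fragments are constructed for illustration, and it assumes that every occurrence of the element in a file must read sqlite.

```python
import sys
import xml.etree.ElementTree as ET

def backend_values(xml_data, tag):
    """Text of every <tag> element. The parser drops XML comments, so a
    commented-out <driver>sqlite</driver> is not counted (a plain grep would match it)."""
    root = ET.fromstring(xml_data)
    return [(el.text or "").strip() for el in root.iter(tag)]

def uses_sqlite(xml_data, tag):
    """True only if the element is present and every occurrence is 'sqlite'."""
    values = backend_values(xml_data, tag)
    return bool(values) and all(v == "sqlite" for v in values)

def ready_for_upgrade(sm_xml, c2s_xml):
    """Per-file result; go straight to Section 1.4.2 only when both are True."""
    return {"sm.xml": uses_sqlite(sm_xml, "driver"),
            "c2s.xml": uses_sqlite(c2s_xml, "module")}

# Constructed minimal fragments, not the full jabberd configuration files.
SM_SAMPLE = """<sm><storage>
  <!-- <driver>sqlite</driver> -->
  <driver>db</driver>
</storage></sm>"""
C2S_SAMPLE = "<c2s><authreg><module>sqlite</module></authreg></c2s>"

if __name__ == "__main__":
    # Usage: script.py /etc/jabberd/sm.xml /etc/jabberd/c2s.xml
    # Without arguments the constructed samples are checked instead.
    if len(sys.argv) == 3:
        docs = [open(path, "rb").read() for path in sys.argv[1:3]]
    else:
        docs = [SM_SAMPLE, C2S_SAMPLE]
    result = ready_for_upgrade(*docs)
    print(result)
    sys.exit(0 if all(result.values()) else 1)
```

A non-zero exit status means at least one file still needs the steps above.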

1.4.2 Performing the Upgrade

Note

If your system is already running Spacewalk 2.10, see Section 1.4.3, “Switching From Spacewalk 2.10 to Oracle Linux Manager 2.10” for information to convert it to Oracle Linux Manager.

Upgrade to Oracle Linux Manager 2.10 as follows:

  1. Back up all current configurations.

    • Back up all of the Spacewalk 2.7 configuration files in the following directories:

      • /etc/jabberd

      • /etc/rhn

      • /etc/sysconfig/rhn

      • /root/ssl-build

      $ sudo tar -cvf preSWupgrade.tar /etc/jabberd /etc/rhn /etc/sysconfig/rhn /root/ssl-build
    • Back up the Spacewalk 2.7 database.

      This step is recommended as a precaution in case the upgrade does not complete successfully.

      To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.

  2. Change the way the server that is currently running Spacewalk 2.7 Server obtains packages depending on the server's current configuration.

    • If the Spacewalk 2.7 server is registered as a client of itself:

      1. Create an Oracle Linux Manager server channel as a child of the Oracle Linux 7 base channel.

        For more information about configuring channels, see Creating Software Channels and Repositories in Oracle® Linux Manager: Client Life Cycle Management Guide.

      2. Create an Oracle Linux Manager server repository that accesses the corresponding server channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64/), by using the same GPG settings as for Oracle Linux 7.

      3. Associate the Oracle Linux Manager server repository with its corresponding server channel and synchronize the repository's packages from the Oracle Linux yum server.

      4. Change the channel subscription from the Spacewalk server to Oracle Linux Manager server.

      5. Configure and synchronize the following additional channels:

        • Oracle Linux 7 Server Latest

        • Oracle Linux 7 Server Optional Latest

        • Oracle Instant Client for Oracle Linux 7

        • Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7

        • Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7

    • If the Spacewalk 2.7 server obtains packages from the Oracle Linux yum server:

      1. Disable the Spacewalk server repository for the Spacewalk 2.7 release in the Oracle Linux yum server repository configuration file.

        Edit the configuration file and set enabled=0. Or, run the following command:

        $ sudo yum-config-manager --disable repository
      2. Required: Install the latest oracle-release-el7 package.

        Important

        You must run the following command even if you have recently updated the system, in order to successfully run the yum swap command later in this procedure.

        $ sudo yum install oracle-release-el7

        If your system is running an Oracle Linux release that is earlier than Oracle Linux 7 Update 7, run the following additional command to make the system use the modular yum repository configuration:

        $ sudo /usr/bin/ol_yum_configure.sh
      3. Install the oracle-linux-manager-server-release-el7 package.

        $ sudo yum install oracle-linux-manager-server-release-el7
        Note

        The command creates the file /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo if that file does not exist.

        However, if the file already exists, then the command leaves that file unmodified and instead creates a new file /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo.rpmnew that contains new repository entries for Oracle Linux Manager Server. Use the .rpmnew file to guide you to make the necessary modifications to the existing .repo file.

  3. Verify that the correct Oracle Linux Manager repositories are enabled, and earlier Spacewalk versions are disabled.

    The /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo file should resemble the following example:

    [ol7_oraclelinuxmanager210_server]
    name=Oracle Linux Manager Server (formerly Spacewalk) 2.10 for Oracle Linux 7 ($basearch)
    baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
    gpgcheck=1
    enabled=1
    
    [ol7_spacewalk27_server]
    name=Spacewalk Server 2.7 for Oracle Linux 7 ($basearch)
    baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/server/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
    gpgcheck=1
    enabled=0
    
    [ol7_spacewalk26_server]
    name=Spacewalk Server 2.6 for Oracle Linux 7 ($basearch)
    baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk26/server/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
    gpgcheck=1
    enabled=0
    
    [ol7_oraclelinuxmanager210_client]
    name=Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7 ($basearch)
    baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
    gpgcheck=1
    enabled=1
    
    [ol7_spacewalk27_client]
    name=Spacewalk Client 2.7 for Oracle Linux 7 ($basearch)
    baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/client/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
    gpgcheck=1
    enabled=0
    
    [ol7_spacewalk26_client]
    name=Spacewalk Client 2.6 for Oracle Linux 7 ($basearch)
    baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk26/client/$basearch/
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
    gpgcheck=1
    enabled=0
    
  4. Check for any version-locked packages and delete them, for example:

    $ sudo yum versionlock list
    $ sudo yum versionlock delete cglib c3p0
  5. Upgrade the Instant Clients.

    $ sudo yum swap -- remove oracle-instantclient11.2-basic oracle-instantclient11.2-sqlplus freemarker \
    velocity-tools -- upgrade oracle-instantclient18.5-basic oracle-instantclient18.5-sqlplus spacewalk-oracle
    Note

    The command might generate a No match for argument message with references to freemarker and velocity-tools. These packages might remain on the system from an earlier Spacewalk 2.6 installation, but they are no longer required by Oracle Linux Manager 2.10. In this case, you can ignore the message.

  6. Add the library path to ldconfig.

    $ echo "/usr/lib/oracle/18.5/client64/lib" | sudo tee /etc/ld.so.conf.d/oracle-instantclient18.5.conf 
    $ sudo ldconfig
  7. Upgrade all the packages.

    $ sudo yum upgrade
  8. Stop Oracle Linux Manager services.

    $ sudo /sbin/spacewalk-service stop
    Shutting down oracle linux manager services...
    Done.
    

    You can safely ignore any SELinux restorecon messages that are displayed when the packages are installed.

  9. Upgrade Oracle Linux Manager's database schema.

    $ sudo /usr/bin/spacewalk-schema-upgrade
    Please make sure all Oracle Linux Manager services apart from database are stopped.
    ... 
    Schema upgrade: [spacewalk-schema-2.7.28-1.0.2.el7] -> [spacewalk-schema-2.9.11-1.el7]
    Searching for upgrade path: [spacewalk-schema-2.7.28-1.0.2] -> [spacewalk-schema-2.9.11-1]
    Searching for upgrade path: [spacewalk-schema-2.7.28] -> [spacewalk-schema-2.9.11]
    Searching for upgrade path: [spacewalk-schema-2.7] -> [spacewalk-schema-2.9]
    The path: [spacewalk-schema-2.7] -> [spacewalk-schema-2.8] -> [spacewalk-schema-2.9]
    Planning to run spacewalk-sql with [/var/log/spacewalk/schema-upgrade/20200123-165929-script.sql]
    
    Please make sure you have a valid backup of your database before continuing.
    
    Hit Enter to continue or Ctrl+C to interrupt: 
    Executing spacewalk-sql, the log is in 
       [/var/log/spacewalk/schema-upgrade/20200406-174429-to-spacewalk-schema-2.10.log].
    The database schema was upgraded to version [spacewalk-schema-2.10.11-1.el7].

    In the event of a failure, do the following:

    • Check the log files in the /var/log/spacewalk/schema-upgrade directory to determine the cause.

    • Restore the database from backup.

    • Fix the cause of the problem, for example, by extending the tablespaces if there is insufficient space.

    • Upgrade the database schema.

  10. Upgrade Oracle Linux Manager's configuration for the Oracle Database.

    $ sudo spacewalk-setup --external-oracle --upgrade

    The command initiates an interactive session that prompts you for information about your current database.

  11. Restart Oracle Linux Manager services.

    $ sudo /sbin/spacewalk-service start
  12. Perform any necessary postinstallation tasks.

    Review the information in Section 1.3, “Configuring a Newly Installed Oracle Linux Manager Server”.

  13. If necessary, upgrade your Oracle database.

    1. Back up the Oracle Linux Manager database again.

      This step is recommended as a precaution in case the following step to upgrade the database does not complete successfully.

      To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.

    2. Upgrade the Oracle database.

      As indicated in the Oracle® Linux Manager: Release Notes, Oracle Linux Manager 2.10 supports only Oracle Database 12c and Oracle Database 19c. Oracle strongly recommends that you use Oracle Database 19c.

      Important

      If you are upgrading your Oracle database, do not use the RPM version of the 19c release. Upgrading an OUI-installed Oracle database with the RPM version is not supported.

      For this step, consult your database administrator and follow the instructions in your database documentation.
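
Step 3 of this procedure (verifying which repositories are enabled) can be checked mechanically. The following Python 3 script is an added example, not part of Oracle's documentation or tooling: it parses the contents of the .repo file and reports any Oracle Linux Manager 2.10 repository that is disabled, any earlier Spacewalk repository that is still enabled, and any repository that skips signature checking or does not use HTTPS. The function names and the sample file contents are constructed for illustration.

```python
import configparser
import sys

ON = {"1", "yes", "true"}  # yum boolean spellings for "on"

def expected_enabled(repo_id):
    """Expected state per step 3: 2.10 repositories on, earlier Spacewalk ones off."""
    if "oraclelinuxmanager210" in repo_id:
        return True
    if "spacewalk" in repo_id:
        return False
    return None  # repository not covered by this procedure

def audit_repo_file(text):
    """Return a list of (repo_id, problem) tuples for the contents of a yum .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch, $ociregion literal
    cp.read_string(text)
    findings = []
    for repo_id in cp.sections():
        repo = cp[repo_id]
        enabled = repo.get("enabled", "1").strip().lower() in ON  # missing key means enabled
        want = expected_enabled(repo_id)
        if want is not None and enabled != want:
            findings.append((repo_id, "should be enabled" if want else "should be disabled"))
        if repo.get("gpgcheck", "").strip().lower() not in ON:
            findings.append((repo_id, "gpgcheck is not enabled"))
        if not repo.get("baseurl", "").strip().startswith("https://"):
            findings.append((repo_id, "baseurl is not https"))
    return findings

# Constructed sample: the 2.7 server repository was left enabled and signature
# checking was switched off for the 2.10 client repository.
SAMPLE = """\
[ol7_oraclelinuxmanager210_server]
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[ol7_spacewalk27_server]
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[ol7_oraclelinuxmanager210_client]
baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=0
enabled=1
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = audit_repo_file(text)
    for repo_id, problem in problems:
        print("%s: %s" % (repo_id, problem))
    sys.exit(1 if problems else 0)
```

Pass /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo as the first argument to audit the real file; with no argument the constructed sample is used.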

1.4.3 Switching From Spacewalk 2.10 to Oracle Linux Manager 2.10

If you are already using Spacewalk 2.10, you should convert to Oracle Linux Manager 2.10 as the Spacewalk 2.10 repositories are scheduled to be retired. For details, see Oracle® Linux Manager: Release Notes.

To switch a Spacewalk 2.10 server to Oracle Linux Manager:

  1. Back up all current configurations.

    • Back up all of the Spacewalk 2.10 configuration files in the following directories:

      • /etc/jabberd

      • /etc/rhn

      • /etc/sysconfig/rhn

      • /root/ssl-build

      $ sudo tar -cvf preSWupgrade.tar /etc/jabberd /etc/rhn /etc/sysconfig/rhn /root/ssl-build
    • Back up the Spacewalk 2.10 database.

      This step is recommended as a precaution in case the switch does not complete successfully.

      To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.

  2. Change the way the server that is currently running Spacewalk 2.10 Server obtains packages depending on the server's current configuration.

    • If the Spacewalk 2.10 server obtains packages from the Oracle Linux yum server, install the oracle-linux-manager-server-release-el7 package.

      $ sudo yum install oracle-linux-manager-server-release-el7
    • If the Spacewalk 2.10 server is registered as a client of itself, update the existing Spacewalk server and client repository URLs to Oracle Linux Manager as follows:

      Oracle Linux Manager Server

      • Server Repository Label: ol7_oraclelinuxmanager210_server

      • Server Repository Name: Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7

      • Yum URL: https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64

      Oracle Linux Manager Client (Oracle Linux 7)

      • Client Repository Label: ol7_oraclelinuxmanager210_client

      • Client Repository Name: Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7

      • Yum URL: https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/x86_64

      Oracle Linux Manager Client (Oracle Linux 8)

      • Client Repository Label: ol8_oraclelinuxmanager210_client

      • Client Repository Name: Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 8

      • Yum URL: https://yum.oracle.com/repo/OracleLinux/OL8/oraclelinuxmanager210/client/x86_64

      For more information about configuring channels and repositories, see Creating Software Channels and Repositories in Oracle® Linux Manager: Client Life Cycle Management Guide.

  3. Upgrade all the packages.

    $ sudo yum upgrade