2 Installing and Upgrading Oracle Linux Manager Proxies

This chapter describes how to install or upgrade an Oracle Linux Manager proxy.

An Oracle Linux Manager proxy acts as an intermediary between Oracle Linux Manager clients and an Oracle Linux Manager server. The main purposes of an Oracle Linux Manager proxy are to mitigate the load on Oracle Linux Manager server and reduce the download times for Oracle Linux Manager clients.

Oracle Linux Manager Proxy Requirements

Oracle supports Oracle Linux Manager proxies that are running on Oracle Linux 7 on the x86_64 platform. Note the following requirements to install an Oracle Linux Manager proxy.

Oracle Linux Requirements

The following are additional requirements:

  • Install Oracle Linux 7 by using either the Minimal or Basic Server profile.

  • Before installing Oracle Linux Manager, remove the jta package, which prevents Oracle Linux Manager services from starting.

  • Use only those packages that are provided by Oracle from the Oracle Linux yum server at https://yum.oracle.com. No third-party package repositories are required.

  • Update your system with the latest packages from the Oracle Linux yum server.

  • Do not register an Oracle Linux Manager server or client with ULN. Instead, register an Oracle Linux Manager server as a client of itself to receive updates.

Storage Requirements

The following are the storage requirements for an Oracle Linux Manager proxy:

  • An Oracle Linux Manager proxy should have a minimum of 4 GB of memory.

  • Typically, the proxy cache requires 10 GB of storage for each combination of Oracle Linux release and architecture.

  • By default, an Oracle Linux Manager proxy caches packages under the /var/spool/squid directory hierarchy and is limited to using up to 60% of the free space in the file system that contains this directory hierarchy.

Networking Requirements

The following are the networking requirements for an Oracle Linux Manager proxy:

  • Static IP address for the proxy

  • Correctly configured forward and reverse DNS host name, with the following specifications:

    Caution:

    Noncompliance with these specifications for the server's host name can cause Oracle Linux Manager to fail in its proxy communications, inter-server synchronization (ISS), certificate validation, and other areas of operation.

    • The host name of the server must not contain uppercase letters.

    • While the /etc/hostname file contains the short name of the host, the /etc/hosts file must specify the host's FQDN, as shown in bold in the following example:

      cat /etc/hostname
      olmproxy
      cat /etc/hosts
      127.0.0.1      localhost localhost.localdomain localhost4 localhost4.localdomain4
      ::1            localhost localhost.localdomain localhost6 localhost6.localdomain6
      10.0.0.24      olmproxy.us.mydom.com swkproxy

      Note that Oracle Linux Manager does not consider .local and .localdomain to be valid domain names.

  • Port numbers

    The following table describes the network ports that an Oracle Linux Manager proxy uses, depending on its configuration.

    Port/Protocol   Direction              Purpose
    80/tcp          Inbound and outbound   HTTP access
    443/tcp         Inbound and outbound   HTTPS access
    5222/tcp        Inbound                Push support to Oracle Linux Manager clients (if required)
    5269/tcp        Inbound                Push support to Oracle Linux Manager proxies (if required)

  • Configured network time synchronization

    Configure Oracle Linux Manager server, proxies, and clients to use NTP or PTP. To establish a Secure Sockets Layer (SSL) based connection, Oracle Linux Manager requires that the system times on server and client systems be consistent to within 120 seconds.

If required for Oracle Linux Manager proxy, you can configure a web proxy during installation. See Configuring a Web Proxy for an Oracle Linux Manager Server.
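The host name rules in the networking requirements can be checked before installation. The following script is an added example, not part of Oracle's documentation; `check_proxy_hostname` and `is_lower` are hypothetical helper names, the hosts data is a constructed sample, and requiring the FQDN on a non-loopback line is an assumption taken from the listing above.

```bash
#!/usr/bin/env bash
# Added example: checks the host name rules from the networking requirements.
# check_proxy_hostname and is_lower are hypothetical helper names.

is_lower() { [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]; }

# check_proxy_hostname SHORT_NAME HOSTS_FILE
# Prints the FQDN on success; prints the violated rule and returns 1 otherwise.
check_proxy_hostname() {
    local short="$1" hosts="$2" fqdn
    is_lower "$short" || { echo "host name contains uppercase letters: $short"; return 1; }
    case $short in
        *.*) echo "/etc/hostname must hold the short name only: $short"; return 1 ;;
    esac
    # Look for "<short>.<domain>" on a non-comment, non-loopback hosts line
    # (assumption: the FQDN belongs on the static address line, as in the listing).
    fqdn=$(awk -v h="$short" '
        /^[ \t]*#/ || $1 ~ /^127\./ || $1 == "::1" { next }
        { for (i = 2; i <= NF; i++)
              if (index(tolower($i), h ".") == 1) { print $i; exit } }' "$hosts")
    [ -n "$fqdn" ] || { echo "no FQDN for $short on a non-loopback line of $hosts"; return 1; }
    is_lower "$fqdn" || { echo "FQDN contains uppercase letters: $fqdn"; return 1; }
    case $fqdn in
        *.local|*.localdomain) echo "domain is not accepted: $fqdn"; return 1 ;;
    esac
    echo "$fqdn"
}

# Constructed sample mirroring the /etc/hosts listing in the text.
sample_hosts=$(mktemp)
cat > "$sample_hosts" <<'EOF'
127.0.0.1      localhost localhost.localdomain localhost4 localhost4.localdomain4
::1            localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.24      olmproxy.us.mydom.com swkproxy
EOF
check_proxy_hostname olmproxy "$sample_hosts" || true

# On a real system:
#   check_proxy_hostname "$(cat /etc/hostname)" /etc/hosts
```
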

Installing an Oracle Linux Manager Proxy

An Oracle Linux Manager proxy should be configured with the full Oracle Linux Manager client and be registered with Oracle Linux Manager server.

  1. Ensure that the jta package is not installed.

    1. Remove the jta package if it is installed on the system.

      sudo yum list installed | grep jta  
      sudo yum remove jta
    2. To prevent any future accidental installation of the package, do one of the following:

      • Add the jta package to the exclude directive in the /etc/yum.conf file as follows:

        exclude=jta*
      • Disable the Oracle Linux 7 addons channel ([ol7_addons]).

        sudo yum-config-manager --disable ol7_addons
  2. Configure the system firewall.

    sudo firewall-cmd --permanent --add-port=80/tcp
    sudo firewall-cmd --permanent --add-port=443/tcp
    sudo firewall-cmd --permanent --add-port=5222/tcp
    sudo firewall-cmd --permanent --add-port=5269/tcp
    sudo systemctl reload firewalld
  3. Ensure that the correct channels are configured on the system.

    1. If not already present, create these required software channels for both Oracle Linux Manager and Oracle Linux 7:
      • Oracle Linux 7 Latest (https://yum.oracle.com/repo/OracleLinux/OL7/latest/)

      • Oracle Linux 7 Optional Latest (https://yum.oracle.com/repo/OracleLinux/OL7/optional/latest/)

      • Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7 repository (https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64/)

      • Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7 repository (https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/x86_64/)

    2. Ensure that all the packages in these channels are properly synchronized with the Oracle Linux yum server.

    3. Change the system's channel subscription from the Spacewalk 2.7 server channel to Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7 channel.

    4. Subscribe the proxy to Oracle Linux Manager client and server channels.

  4. Install Oracle Linux Manager client software and the openssh-clients packages.

    sudo yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin openssh-clients
  5. Register the system as a client of Oracle Linux Manager server for which it functions as a proxy.

    Note:

    Before you can register a server, you must have already created a client activation key. If enabled, a universal default key can be used. However, using a specific activation key is better.

    1. Download the CA certificate file RHN-ORG-TRUSTED-SSL-CERT to the server.

      In a browser tab, navigate to http://olmsvr_FQDN/pub, where olmsvr_FQDN is the fully qualified domain name of Oracle Linux Manager server, and download the CA certificate file RHN-ORG-TRUSTED-SSL-CERT to /usr/share/rhn.

      Alternatively, you can use wget from the command line, for example:

      sudo wget -q -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT http://olmsvr_FQDN/pub/RHN-ORG-TRUSTED-SSL-CERT
    2. Register the system with Oracle Linux Manager by using the rhnreg_ks command, with the --sslCACert option to specify the path of the CA certificate.

      sudo rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --serverUrl=https://olmsvr_FQDN/XMLRPC --activationkey=activation_key
    3. Verify that the settings in the /etc/sysconfig/rhn/up2date file that are used to access Oracle Linux Manager server are correct.

      1. Verify that serverURL is set to Oracle Linux Manager server's URL, for example https://olmsvr.mydom.com/XMLRPC:

        sudo grep ^serverURL= /etc/sysconfig/rhn/up2date 
      2. Verify that sslCACert is set to the correct CA certificate file, for example /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT:

        sudo grep ^sslCACert= /etc/sysconfig/rhn/up2date 

      Note:

      If the settings are not correct, most likely a mistake was made when registering the system with the rhnreg_ks command. Run the rhnreg_ks command again to check that you correctly specified the path of the CA certificate and Oracle Linux Manager server's URL. Also, make sure to specify the --force option to override the previous settings.

  6. Install Oracle Linux Manager proxy installer package.

    sudo yum -y install spacewalk-proxy-installer
  7. Create the /root/ssl-build directory.

    sudo mkdir /root/ssl-build
  8. Copy Oracle Linux Manager server's CA key and public certificate files to the proxy server's /root/ssl-build. The files to be copied are the following:

    • RHN-ORG-PRIVATE-SSL-KEY

    • RHN-ORG-TRUSTED-SSL-CERT

    • rhn-ca-openssl.cnf

    See the following example:

    sudo scp 'root@olm_server:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' /root/ssl-build
    RHN-ORG-PRIVATE-SSL-KEY                       100% 1751 1.7KB/s   00:00
    RHN-ORG-TRUSTED-SSL-CERT                      100% 5316 5.2KB/s   00:00
    rhn-ca-openssl.cnf                            100% 2186 2.1KB/s   00:00
  9. Configure Oracle Linux Manager proxy by running the /usr/sbin/configure-proxy.sh script.

    The script initiates an interactive configuration, as the following example shows. User input is displayed in bold.

    sudo /usr/sbin/configure-proxy.sh
    Using RHN parent (from /etc/sysconfig/rhn/up2date): olmsvr.mydom.com
    Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    HTTP Proxy []: [Enter]
    Proxy version to activate [2.7]: [Enter]
    Traceback email []: my.email@mydom.com
    Use SSL [Y/n]: Y
    Regardless of whether you enabled SSL for the connection to the Oracle Linux Manager Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this Oracle Linux Manager Proxy
    securely. Refer to the Oracle Linux Manager Proxy Installation Guide for more information.
    Organization []: Company Demo
    Organization Unit [olmproxy.us.mydom.com]: [Enter]
    Common Name [olmproxy.us.mydom.com]: [Enter]
    City []: Redwood Shores
    State []: CA
    Country code []: US
    Email [my.email@mydom.com]: [Enter]
    Cname aliases (separated by space) []: [Enter]
    Oracle Linux Manager Proxy successfully activated.
    Loaded plugins: rhnplugin
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package spacewalk-proxy-management.noarch... will be installed
    ...
    Transaction Summary
    ================================================================================
    Install      42 Package(s)
    
    Total download size: 13 M
    Installed size: 32 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/42): apr...                     | 122 kB     00:00
    ...
    Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY.
    Generating distributable RPM for CA public certificate:
    Copying CA public certificate to /var/www/html/pub for distribution to clients:
    Generating SSL key and public certificate:
    CA password: cert_passwd
    Installing SSL certificate for Apache and Jabberd:
    Preparing packages for installation...
    rhn-org-httpd-ssl-key-pair-olmproxy-1.0-1
    Create and populate configuration channel rhn_proxy_config_1000010000? [Y/n]: Y
    Oracle Linux Manager username: []: olm_user
    Password: olm_passwd
    Using server name olmsvr.mydom.com
    Creating config channel rhn_proxy_config_1000010000
    Config channel rhn_proxy_config_1000010000 created
    Using server name olmsvr.mydom.com
    Pushing to channel rhn_proxy_config_1000010000:
    Local file /etc/httpd/conf.d/ssl.conf -> remote file /etc/httpd/conf.d/ssl.conf
    Local file /etc/rhn/rhn.conf -> remote file /etc/rhn/rhn.conf
    Local file /etc/squid/squid.conf -> remote file /etc/squid/squid.conf
    Local file /etc/httpd/conf.d/cobbler-proxy.conf -> remote file /etc/httpd/conf.d/cobbler-proxy.conf
    Local file /etc/httpd/conf/httpd.conf -> remote file /etc/httpd/conf/httpd.conf
    Local file /etc/jabberd/c2s.xml -> remote file /etc/jabberd/c2s.xml
    Local file /etc/jabberd/sm.xml -> remote file /etc/jabberd/sm.xml
    Enabling Oracle Linux Manager Proxy.
    Shutting down rhn-proxy...
    Terminating jabberd processes ...
    Stopping s2s:                                              [FAILED]
    Stopping c2s:                                              [FAILED]
    Stopping sm:                                               [FAILED]
    Stopping router:                                           [FAILED]
    Stopping httpd:                                            [FAILED]
    Stopping squid:                                            [FAILED]
    Done.
    Starting rhn-proxy...
    init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]
    Starting httpd:                                            [  OK  ]
    Initializing jabberd processes ...
    Starting router:                                           [  OK  ]
    Starting sm:                                               [  OK  ]
    Starting c2s:                                              [  OK  ]
    Starting s2s:                                              [  OK  ]
    Done.
    There were some answers you had to enter manually.
    Would you like to have written those into file
    formatted as answers file? [Y/n]: y
    Writing proxy-answers.txt.NtM1Y

    Note:

    The information that you provide is recorded in a file named proxy-answers.txt.UID, such as proxy-answers.txt.NtM1Y in the previous output. You can use this file to automate the configuration of an Oracle Linux Manager proxy, as shown in the following example:

    configure-proxy.sh --non-interactive --answer-file=proxy-answers.txt.NtM1Y
  10. If you want to use a third-party CA-signed SSL certificate instead of the self-signed SSL certificate, follow the procedure described in Replacing a Self-Signed SSL Certificate.

    Note:

    Oracle recommends that you replace the self-signed SSL certificate before registering any clients. Otherwise, you must log on separately to each existing client and configure it to use the new SSL certificate. You cannot perform this step from Oracle Linux Manager server.

  11. To check that Oracle Linux Manager proxy is running correctly, specify the URL of the proxy when registering an Oracle Linux Manager client, as shown in the following example:

    sudo rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --serverUrl=https://olmproxy_FQDN/XMLRPC --activationkey=activation_key

    After registering the client, subscribe it to software channels on the server and verify that you can update packages from the client.
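Step 5 fetches the CA certificate over plain HTTP, so nothing authenticates the file before it becomes the trust anchor for registration. The following script is an added example, not part of Oracle's documentation: it extends the two grep checks in step 5 by also comparing the certificate's SHA-256 digest with one computed on the server itself; `verify_up2date` is a hypothetical helper name and the demo files are constructed stand-ins.

```bash
#!/usr/bin/env bash
# Added example: audits the registration settings written in step 5.
# verify_up2date and its arguments are hypothetical names.

# verify_up2date CONF EXPECTED_HOST EXPECTED_CA_SHA256
# EXPECTED_CA_SHA256 is the digest of RHN-ORG-TRUSTED-SSL-CERT computed on the
# server itself (for example over SSH), not on the copy fetched over HTTP.
verify_up2date() {
    local conf="$1" host="$2" want="$3" url ca got
    url=$(sed -n 's/^serverURL=//p' "$conf" | head -n 1)
    ca=$(sed -n 's/^sslCACert=//p' "$conf" | head -n 1)
    case $url in
        "https://$host/XMLRPC") ;;
        http://*) echo "serverURL is not HTTPS: $url"; return 1 ;;
        *) echo "serverURL does not point at $host: $url"; return 1 ;;
    esac
    [ -r "$ca" ] || { echo "sslCACert is not readable: $ca"; return 1; }
    got=$(sha256sum "$ca" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "CA certificate digest mismatch: $got"; return 1; }
    echo "ok"
}

# Constructed demo: a stand-in CA file and an up2date file in a temp directory.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for the CA certificate\n' > "$demo_dir/RHN-ORG-TRUSTED-SSL-CERT"
cat > "$demo_dir/up2date" <<EOF
serverURL[comment]=Remote server URL
serverURL=https://olmsvr.mydom.com/XMLRPC
sslCACert=$demo_dir/RHN-ORG-TRUSTED-SSL-CERT
EOF
demo_sha=$(sha256sum "$demo_dir/RHN-ORG-TRUSTED-SSL-CERT" | cut -d' ' -f1)
verify_up2date "$demo_dir/up2date" olmsvr.mydom.com "$demo_sha" || true

# On a real system, with the digest obtained on the server:
#   verify_up2date /etc/sysconfig/rhn/up2date olmsvr.mydom.com "$server_side_sha256"
```
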

Upgrading a Spacewalk 2.7 Proxy Server

Upgrade a Spacewalk proxy system as follows:

  1. If not already present on the Spacewalk 2.7 server, create software channels for both Oracle Linux Manager client and server, then subscribe the proxy system to these channels.

    1. Create an Oracle Linux Manager client channel as a child of the Oracle Linux 7 base channel.

    2. Create an Oracle Linux Manager client repository that accesses the corresponding client channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/x86_64/), using the same GPG settings as the Oracle Linux release.

    3. Associate Oracle Linux Manager client repository with the corresponding client channel and synchronize the repository's packages from the Oracle Linux yum server.

    4. Create an Oracle Linux Manager server channel as a child of the Oracle Linux 7 base channel.

    5. Create an Oracle Linux Manager server repository that accesses the corresponding server channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64/), using the same GPG settings as the Oracle Linux release.

    6. Associate Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7 repository with the corresponding server channel and synchronize the repository's packages from the Oracle Linux yum server.

    7. Change the system's channel subscription from the Spacewalk 2.7 server channel to Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7 channel.

    8. Subscribe the upgraded proxy system to Oracle Linux Manager client and server channels instead of the Spacewalk server and client channels for Release 2.7.

  2. Back up the CA key, SSL certificate, and the OpenSSL configuration file in /root/ssl-build.

    For example, you could use the tar command as follows to create a backup:

    # -C makes tar itself change to /root/ssl-build, which only root can enter
    sudo tar -C /root/ssl-build -cvf /tmp/sslcerts.tar RHN-ORG-PRIVATE-SSL-KEY RHN-ORG-TRUSTED-SSL-CERT rhn-ca-openssl.cnf
  3. Run the yum update command to update all of the packages on the system.

    sudo yum update
  4. If necessary, extract the CA key, SSL certificate, and OpenSSL configuration file from your backup file to /root/ssl-build:

    # -C makes tar extract into /root/ssl-build
    sudo tar -C /root/ssl-build -xvf /tmp/sslcerts.tar
  5. Configure Oracle Linux Manager proxy by running the configure-proxy.sh script.

    The following example uses the proxy-answers.txt.UID file that was saved from a previous installation to perform the configuration:

    sudo configure-proxy.sh --non-interactive --answer-file=proxy-answers.txt.NtM1Y

    You can also run this command interactively by omitting any command-line options.
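The archive created in step 2 contains the CA private key, and a file that root creates with the default umask is readable by every local user. The following script is an added example, not part of Oracle's documentation, showing the backup and restore from steps 2 and 4 with owner-only permissions; `backup_ca`, `restore_ca` and the demo paths are hypothetical, and the demo files are constructed stand-ins.

```bash
#!/usr/bin/env bash
# Added example: backup and restore of the CA material from steps 2 and 4
# with owner-only permissions. Function names and arguments are hypothetical.

CA_FILES="RHN-ORG-PRIVATE-SSL-KEY RHN-ORG-TRUSTED-SSL-CERT rhn-ca-openssl.cnf"

# backup_ca SRC_DIR ARCHIVE: archive the three files, readable by the owner only.
backup_ca() {
    local src="$1" archive="$2" f
    for f in $CA_FILES; do
        [ -f "$src/$f" ] || { echo "missing $src/$f"; return 1; }
    done
    # umask runs in a subshell so the caller's umask is untouched.
    ( umask 077 && tar -C "$src" -cf "$archive" $CA_FILES ) || return 1
    # umask does not change the mode of an archive that already existed.
    chmod 600 "$archive" || return 1
    # Confirm that the archive lists every file before relying on it.
    for f in $CA_FILES; do
        tar -tf "$archive" | grep -qx "$f" || { echo "$f not in archive"; return 1; }
    done
}

# restore_ca ARCHIVE DEST_DIR: extract and keep the private key owner-only.
restore_ca() {
    local archive="$1" dest="$2"
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    tar -C "$dest" -xf "$archive" $CA_FILES || return 1
    chmod 600 "$dest/RHN-ORG-PRIVATE-SSL-KEY"
}

# Constructed demo with stand-in files in a temporary directory.
demo=$(mktemp -d) && mkdir "$demo/ssl-build"
for f in $CA_FILES; do printf 'stand-in for %s\n' "$f" > "$demo/ssl-build/$f"; done
backup_ca "$demo/ssl-build" "$demo/sslcerts.tar" &&
    restore_ca "$demo/sslcerts.tar" "$demo/restored" &&
    ls -l "$demo/sslcerts.tar" "$demo/restored"

# On the proxy, as root:
#   backup_ca /root/ssl-build /root/sslcerts.tar
```
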