Installing and Upgrading Oracle Linux Manager Servers

1 Installing and Upgrading Oracle Linux Manager Servers

This chapter describes how to install and upgrade Oracle Linux Manager servers.

For information about the types of support that Oracle provides for Oracle Linux Manager 2.10, refer to the About Oracle Linux Manager Server and Client Support section of the Oracle Linux Manager: Release Notes for Release 2.10 .

Oracle Linux Manager Server Requirements

As the primary component in the entire setup, Oracle Linux Manager sever has different sets of requirements to efficiently manage client systems that are registered to the server.

Oracle Linux Requirements

Complete the following requirements for the designated Oracle Linux Manager server:

Install Oracle Linux 7 by using either the Minimal or Basic Server profile.
Before installing Oracle Linux Manager, remove the jta package which prevents Oracle Linux Manager services from starting.
Use only those packages that are provided by Oracle from the Oracle Linux yum server at https://yum.oracle.com. No third-party package repositories are required.
Update your system with the latest packages from the Oracle Linux yum server.
Do not register an Oracle Linux Manager 2.10 server or client with ULN. Instead, register an Oracle Linux Manager 2.10 server as a client of itself to receive updates.

Memory Requirements

An Oracle Linux Manager server should have a minimum of 8 GB of memory. If the server also runs the database that stores the Oracle Linux Manager repository, this memory requirement is in addition to what is required to run the database.

In large deployments where Oracle Linux Manager server services and maintains a large number of clients, custom channels, and so on, consider installing 16 GB of RAM. Increasing RAM improves performance in operations such as building repositories, which requires sizeable amounts of memory. See Memory Considerations When Building Repositories in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10 .

Storage Requirements

To preserve errata mapping, by default, Oracle Linux Manager maintains all of the available versions of available packages in each software channel that you configure. As a result, the storage requirements for an Oracle Linux Manager server can be significant, depending on the number of major versions and architectures that you choose to support. Typically, the Oracle Linux binary repositories require approximately 60 GB for each combination of Oracle Linux release and architecture. An extra 40 GB is required for source packages and 80 GB is required for Ksplice updates for each combination of Oracle Linux release and architecture.

With Oracle Linux Manager 2.10, you can reduce the storage requirements considerably by using the following command when synchronizing packages:

sudo spacewalk-repo-sync --latest

The server then synchronizes only the latest packages that are available at the time of synchronization. It does not remove older packages from the channel.

Caution:

If the synchronization interval is large, you might miss a particular version of a package. Errata handling, which manages errata that are associated with specific package versions, would be affected. If errata consistency is important to you, Oracle recommends that you do not use the --latest option. However, using the option with a Ksplice channel is an exception because its packages are always cumulative.

Important:

DO NOT use the --latest option when synchronizing module-enabled channels such as ol8_AppStream. The mechanism that underlies this option is not module-aware and if used, will skip required packages.

An Oracle Linux Manager server stores the packages that it hosts under the /var/satellite/redhat directory hierarchy. You should plan how to best configure the /var file system before installing Oracle Linux Manager. For example, if you set up /var as an ext4 or XFS file system by using Logical Volume Manager (LVM), you can expand the storage when required.

Packages are never removed from Oracle Linux repositories. Thus, the space that is required for each repository always increases. You should actively monitor the available disk space on the server.

Networking Requirements

The following are network requirements to install an Oracle Linux Manager server:

Static IP address
Correctly configured forward and reverse DNS host name, with the following specifications:

Caution:

Noncompliance with these specifications for the server's host name can cause Oracle Linux Manager to fail in proxy communications, inter-server synchronization (ISS), certificate validation, and other areas of operation.
- The host name of the server must not contain uppercase letters.
- While the /etc/hostname file contains the short name of the host, the /etc/hosts file must specify the host's FQDN, as shown in bold in the following example:
```
cat /etc/hostname
```
```
olmsvr
```
```
cat /etc/hosts
```
```
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.3 olmsvr.mydom.com olmsvr
```
  Note that Oracle Linux Manager does not consider .local and .localdomain to be valid domain names.

Port numbers

The following table describes the network ports that an Oracle Linux Manager server uses, depending on its configuration.

Port/Protocol	Direction	Purpose
`69`/`udp`	Inbound	TFTP (if PXE provisioning support is required)
`80`/`tcp`	Inbound and outbound	HTTP access
`443`/`tcp`	Inbound and outbound	HTTPS access
`5222`/`tcp`	Inbound	Push support to Oracle Linux Manager clients (if required)
`5269`/`tcp`	Inbound	Push support to Oracle Linux Manager proxies (if required)

Configured network time synchronization

Configure Oracle Linux Manager server, proxies, and clients to use a network time synchronization mechanism such as the Network Time Protocol (NTP) or the Precision Time Protocol (PTP). To establish a Secure Socket Layer (SSL) based connection, Oracle Linux Manager requires that the system times on server and client systems be consistent to within 120 seconds.

For more information, see Configuring Network Time in Oracle Linux 7: Setting Up Networking.

Database Requirements and Configuration Instructions

Oracle supports only Oracle Database for use with Oracle Linux Manager. Thus, while you can use PostgreSQL with the software, this setup is not covered by Oracle support. Additionally, Oracle does not provide any tools for migrating from an unsupported database.

In general, you should use supported Oracle databases when using Oracle Linux Manager 2.10. For specific supported versions, see Oracle Database Support in Oracle Linux Manager: Release Notes for Release 2.10 . Oracle provides a restricted-use license for the use of Oracle Database Enterprise Edition with Oracle Linux Manager 2.10 for Oracle Linux support customers.

For more information about Oracle licenses, see Oracle Linux 7: Licensing Information User Manual.

Important:

Providing comprehensive information about operating supported databases is outside the scope of this documentation. For any database operation such as installation, configuration, upgrade, and other related tasks, consult your Oracle Database administrator and the Oracle Database documentation at https://docs.oracle.com/en/database/database.html.

Oracle Database Installation Requirements

Prior to installing Oracle Linux Manager server, you must install an Oracle Database server, make this server available, and ensure that it is operational.

You can download Oracle database software from Oracle at https://www.oracle.com/database/technologies/oracle-database-software-downloads.html.

The following database installation requirements apply to Oracle Linux Manager server installations:

For fresh installations of the server, use Oracle Database Enterprise edition 19c or Oracle Database Enterprise edition 12c.
For upgrades to the server, Oracle strongly suggests that you use Oracle Database Enterprise edition 19c.

Database Sizing Requirements

When determining the amount of space Oracle Linux Manager database requires, be sure to include sizing estimates in your overall calculation for the following:

Number of client systems that will be served by the server (typically, 250 KiB per client system).
Number of channels allocated to each client system (about 500 KiB per channel).
Number of packages that each channel will contain (approximately 230 KiB per package in the channel. A channel with 5000 packages would require 1.1 GiB).

For example, if you have a large Oracle Linux Manager server that is serving 10,000 systems, and each system has four channels containing 12,000 packages per-channel, then 2.5 GiB would be required for the clients, and 11 GiB would be required for the channels.

Oracle Database Configuration

The following are general guidelines for configuring Oracle Database. You can perform these steps during or after the database installation. Always consult with your Oracle database administrator for matters related to installing or configuring the database for your particular environment.

The database must use the AL32UTF8 character set that supports Unicode.
The database must have an Oracle Linux Manager user.

For every Oracle Linux Manager server that shares the same database server, you must create a separate Oracle Linux Manager user.
The Oracle Linux Manager user must be assigned the CONNECT and RESOURCE roles.
The Oracle Linux Manager user must have the following system privileges:
- ALTER SESSION
- CREATE SYNONYM
- CREATE TABLE
- CREATE TRIGGER
- CREATE VIEW
- UNLIMITED TABLESPACE
- SELECT ON V_$PARAMETER

Creating an Oracle Linux Manager User on an On-Premise Database

The steps to follow depend on whether you connect to the container database first or directly to the pluggable database.

For all cases, you must log in to your Oracle account first before performing these steps.

If you are connecting to the container database first, choose one of the following methods:
- Running the ALTER SESSION command before creating the user
  1. Log in to the container database as a database administrator (typically, SYS or SYSDBA).
```
cd $ORACLE_HOME/bin
sqlplus / as SYSDBA
```
  2. Type the following command:
```
SQL> ALTER SESSION SET CONTAINER = DEVPDB;
```
  3. For each Oracle Linux Manager user that you need to set up, run the following commands:
```
SQL> create user olm_user identified by olm_passwd;
SQL> grant connect,resource to olm_user;
SQL> grant alter session, create synonym, create table, create trigger, create view to olm_user;
SQL> grant select on v_$parameter to olm_user 
SQL> grant unlimited tablespace to olm_user; 
```
- Creating the user directly
  1. Log in to the container database as a database administrator (typically, SYS or SYSDBA).
```
cd $ORACLE_HOME/bin
sqlplus / as SYSDBA
```
  2. For each Oracle Linux Manager user that you need to set up, run the following commands:
    
    Important:
    
    Make sure to use the required c## prefix for the user name.
```
SQL> create user c##olm_user identified by olm_passwd;
SQL> grant connect,resource to c##olm_user;
SQL> grant alter session, create synonym, create table, create trigger, create view to olm_user;
SQL> grant select on v_$parameter to olm_user 
SQL> grant unlimited tablespace to c##olm_user; 
```

If you are connecting directly to the pluggable database:

Log in to the PDB as a database administrator (typically, SYS or SYSDBA).
```
cd $ORACLE_HOME/bin
sqlplus / as SYSDBA
```

For each Oracle Linux Manager user that you need to set up, run the following commands:

SQL> create user olm_user identified by olm_passwd;
SQL> grant connect,resource to olm_user;
SQL> grant alter session, create synonym, create table, create trigger, create view to olm_user;
SQL> grant select on v_$parameter to olm_user 
SQL> grant unlimited tablespace to olm_user;

Installing Oracle Linux Manager Server

Follow these steps to install Oracle Linux Manager server software:

Ensure that the Oracle Database is running.

See Oracle Database Installation Requirements.
Install Oracle Instant Client.
1. Download the latest 18.5 release of the following Instant Client RPM packages.
  - Instant Client Package (Basic)
  - Instant Client Package (SQL*Plus)
  The packages can be downloaded from https://www.oracle.com/database/technologies/instant-client.html.
2. Install the Instant Client packages.
```
sudo yum install oracle-instantclient18.5-basic-18.5.0.0.0-3.x86_64.rpm oracle-instantclient18.5-sqlplus-18.5.0.0.0-3.x86_64.rpm
```
3. Add the library path to ldconfig.
```
echo "/usr/lib/oracle/18.5/client64/lib" | sudo tee /etc/ld.so.conf.d/oracle-instantclient18.5.conf 
sudo ldconfig
```
Ensure that the jta package is not installed.
1. Remove the jta package if it is installed on the system.
```
sudo yum list installed | grep jta  
sudo yum remove jta
```
2. To prevent any future accidental installation of the package, do one of the following:
  - Add the jta package to the exclude directive in the /etc/yum.conf file as follows:
```
exclude=jta*
```
  - Disable the Oracle Linux 7 addons channel ([ol7_addons]).
```
sudo yum-config-manager --disable ol7_addons
```

Configure the system firewall.

sudo firewall-cmd --permanent --add-port=69/udp
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=5222/tcp
sudo firewall-cmd --permanent --add-port=5269/tcp
sudo systemctl reload firewalld

Install the latest oracle-release-el7 package.
```
sudo yum install oracle-release-el7
```
If your system is running an Oracle Linux release that is earlier than Oracle Linux 7 Update 7, run the following additional command to make the system use the modular yum repository configuration.
```
sudo /usr/bin/ol_yum_configure.sh
```

Install and enable the Oracle Linux Manager yum repository.

sudo yum install oracle-linux-manager-server-release-el7
sudo yum-config-manager --enable ol7_optional_latest

Install the following packages for enabling Oracle Linux Manager server to use Oracle Database.
```
sudo yum install spacewalk-oracle spacecmd spacewalk-utils
```
Note:

As part of Oracle Linux Manager installation process, all of the Oracle Linux yum server configuration, as well as ULN configuration, are disabled. After the installation, Oracle Linux Manager handles this configuration henceforth.

If you need to re-enable yum repository configuration after an installation, but before you have configured any repositories in Oracle Linux Manager, you can temporarily rename any affected yum repository configuration files to enable them again, for example:
```
sudo mv /etc/yum.repos.d/oracle-linux-ol7.repo.rpmsave /etc/yum.repos.d/oracle-linux-ol7.repo
```
Remember to disable the yum repository configuration files again after you have configured repositories within Oracle Linux Manager.

Configure Oracle Linux Manager to use the Oracle Database.

sudo spacewalk-setup --external-oracle

The command initiates an interactive session that prompts you for information about your current database.

Global Database Name or SID: Name of the database when it was set up. If necessary, inquire with your database administrator for the information.
Database hostname [localhost]: FQDN of the database system if that system is separate from Oracle Linux Manager server. Otherwise, this prompt is skipped.
Username and Password: Credentials of the database Oracle Linux Manager user.

Caution:

The user name you specify must match the name you previously created when following the steps in Oracle Database Configuration. For example, if the name has the c## prefix, that name must also be specified here.
Admin Email Address: Email address of the Oracle Linux Manager administrator.
Organization: Name of your Oracle Linux Manager organization.
Organization Unit: Oracle Linux Manager server's FQDN.
Email address: Email address of person managing the certificates, if different from the Admin Email Address.
Location prompts: Information identifying the location of Oracle Linux Manager server.

The following is an example of the interactive session:

sudo spacewalk-setup --external-oracle

* Setting up SELinux..
* Setting up Oracle environment.
* Setting up database.
** Database: Setting up database connection for Oracle backend.
Global Database Name or SID (requires tnsnames.ora)? company.mydom.com
Database hostname [localhost]? olmmanager-db.mydom.com
Username? olm_user
Password? olm_passwd
** Database: Testing database connection. 
** Database: Populating database. 
*** Progress: ############################################################ 
* Configuring tomcat.
* Setting up users and groups.
** GPG: Initializing GPG and importing key.
** GPG: Creating /root/.gnupg directory
You must enter an email address. 
Admin Email Address? my.email@mydom.com
* Performing initial configuration.
** Package installation: Locking required rpm versions. 
* Configuring apache SSL virtual host. 
Should setup configure apache's default ssl server for you
                                        (saves original ssl.conf) [Y]? y 
** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave 
* Configuring jabberd.
* Creating SSL certificates. 
CA certificate password? cert_passwd
Re-enter CA certificate password? cert_passwd
Cname alias of the machine (comma separated)?
Organization? Company Demo 
Organization Unit [olmsvr.mydom.com]? olmsvr.mydom.com
Email Address [your.email@domain.com]? my.email@mydom.com 
City? city
State? state
Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? country
** SSL: Generating CA certificate. 
** SSL: Deploying CA certificate. 
** SSL: Generating server certificate. 
** SSL: Storing SSL certificates. 
* Deploying configuration files. 
* Update configuration in database. 
* Setting up Cobbler..
Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality.
Enable these services [Y]? y
* Restarting services. 
Installation complete. 
Visit https://olmsvr.mydom.com to create the Oracle Linux Manager administrator account.

Verify that Oracle Linux Manager services are running.

In the following example, the status is displayed in bold.

sudo /usr/sbin/spacewalk-service status

● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-01-16 22:37:14 UTC; 18h ago
 Main PID: 29861 (java)
   CGroup: /system.slice/tomcat.service
           └─29861 /usr/lib/jvm/jre/bin/java -ea -Xms256m -Xmx256m -Djava.awt.headless=true 
-Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser -
...

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-01-16 22:37:28 UTC; 18h ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 30034 (httpd)
   Status: "Total requests: 2504; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─30034 /usr/sbin/httpd -DFOREGROUND
           ├─30036 /usr/sbin/httpd -DFOREGROUND
           ...

● rhn-search.service - Oracle Linux Manager search engine
   Loaded: loaded (/usr/lib/systemd/system/rhn-search.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Thu 2020-01-16 22:37:32 UTC; 18h ago
  Process: 30181 ExecStop=/usr/sbin/rhn-search stop (code=exited, status=0/SUCCESS)
  Process: 30040 ExecStart=/usr/sbin/rhn-search start (code=exited, status=0/SUCCESS)
 Main PID: 30073 (code=exited, status=0/SUCCESS)

● cobblerd.service - Cobbler daemon
   Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-01-16 22:37:28 UTC; 18h ago
 Main PID: 30038 (cobblerd)
   CGroup: /system.slice/cobblerd.service
           └─30038 /usr/bin/python2 -s /usr/bin/cobblerd --no-daemonize
...

At the completion of the installation, ensure that only the following repositories are enabled on the system:
- UEKR5 or UEKR6
- ol7_latest
- ol7_optional_latest
- ol7_oraclelinuxmanager210_client
- ol7_oraclelinuxmanager210_server
You can verify enabled repositories by running the following command:
```
sudo yum repolist
```

Configuring a Newly Installed Oracle Linux Manager Server

Of the configuration tasks described in this section, configuring the initial organization and the Oracle Linux Manager administrator is mandatory. The other tasks are optional but recommended.

Creating the Initial Organization and Oracle Linux Manager Administrator Account

After completing the installation, you must create an initial organization and the main Oracle Linux Manageradministrator account.

For more information about the concept of organization, see Oracle Linux Manager: Concepts Guide for Release 2.10 .

Open a browser and access Oracle Linux Manager server's URL, which is the server's FQDN, such as https://olmsvr.mydom.com.
If prompted, select to trust the SSL certificate.

The Create Organization page opens automatically.
Enter the required values in the appropriate fields to create the organization and its administrator.
Click Create Organization.

The administrator you created is automatically logged in and the Overview page is displayed.

Use the web interface to perform additional configuration tasks. For example, see Setting Up Primary-Worker Configurations With Oracle Linux Manager Web Interface as well as Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10 .

Replacing a Self-Signed SSL Certificate

You can use certificates for individual Oracle Linux Manager servers or proxies. Alternatively, you can also use wildcard certificates for all Oracle Linux Manager servers or proxies in the domains that the wildcard certificates cover.

The following procedure describes how to replace self-signed certificates or expired CA-signed certificates with certificates that have been signed by a Certificate Authority (CA).

Create a backup of the system's existing SSL configuration.

sudo tar -cvf SSLconfig.tar /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub

Obtain a server certificate by using one of the following methods:
- Obtain a server certificate from a CA and install this certificate in the SSL build hierarchy on the system:
  1. Send the Certificate Signing Request (CSR) file /root/ssl-build/olmsvr/server.csr to the CA, where olmsvr is the simple name, not the FQDN, of Oracle Linux Manager server or the proxy.
    
    After validating your request, the CA returns a signed server certificate file.
  2. Create a backup of the signed server certificate file.
  3. If necessary, convert the certificate to a Privacy Enhanced Mail (PEM) format.
    - If your certificate is DER-formatted, convert it to PEM format.
```
sudo openssl x509 -inform der -text -in certificate_file Readable content
sudo openssl x509 -inform der -in server.cer -out server.pem
```
    - If a PEM-formatted certificate is not generated from a Linux or UNIX based system, remove ^M characters that might exist in that certificate.
```
sudo sed -i -e 's/\r//' server.pem
```
      As an alternative, you can also run the following command, provided you installed the dos2unix package:
```
sudo dos2unix server.pem
```
  4. Copy the PEM-formatted server certificate file to /root/ssl-build/olmsvr/server.crt.
```
sudo cp server.pem /root/ssl-build/olmsvr/server.crt
```
    This command overwrites the original file in that destination directory.
- Obtain a server certificate using an external tool:
  1. Obtain both the private key and the signed certificate from the external tool in PEM format, then copy both to /root/ssl-build/olmsvr.
  2. If the private key has an existing password, replace that key as follows:
```
sudo openssl rsa -in keyfilewithpasswd.key -out /root/ssl-build/olmsvr/server.key
```
    This step ensures that Oracle Linux Manager services can start unattended.
Add the CA public certificate to the /root/ssl-build directory as the RHN-ORG-TRUSTED-SSL-CERT file by using one of the following methods:
- If available, obtain the CA chain certificate from the CA that issued the server certificate. Copy this certificate file to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT:
```
sudo cp ca_chain.pem /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
```
- If the CA chain certificate is not available from the issuing CA, create the CA chain certificate as follows:
  1. Obtain the root CA public certificate and the intermediate CA public certificates from the issuing CA.
  2. Concateneate the two certificates you just downloaded to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT.
    
    Use the followng command exactly as shown:
```
sudo cat intermediate_ca.pem root_ca.pem > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
```
    - intermediate_ca.pem: intermediate public certificate file of the CA that issued your server certificate
    - root_ca.pem: public certificate file of the root CA
    In the the chain certificate, the intermediate certificate must precede the certificate of the root CA. The CA chain certificate does not work if its component certificates are not in the correct order.
    Note:
    
    In the rare case where a root CA signed the server certificate directly, then only the root_ca.pem would be contained in the chain certificate:
```
sudo cp root_ca.pem /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
```
Validate the server certificate against the CA public certificate.
```
sudo openssl verify -CAfile /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/olmsvr/server.crt
```
If the command returns an error, verify that you correctly created RHN-ORG-TRUSTED-SSL-CERT and also verify that the date and time on the server are configured correctly.
Store the CA public certificate in the Oracle Linux Manager database so that it is available for provisioning client systems.
```
sudo rhn-ssl-dbstore -v --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
```
If the command returns an error, run the command again, specifying a higher level of debugging, such as -vvv, to gather more information about the problem.

Prepare the web server SSL package for installation:

Generate the web server SSL package., for example:

sudo rhn-ssl-tool --gen-server --rpm-only --dir /root/ssl-build

...working...

Generating web server's SSL key pair/set RPM:
    /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.src.rpm
    /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm

The most current Oracle Linux Manager Proxy Server installation process against RHN hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.

Generating the web server's SSL key set and CA SSL public certificate archive:
    /root/ssl-build/olmsvr/rhn-org-httpd-ssl-archive-olmsvr-1.0-rev.tar

Deploy the server's SSL key pair/set RPM:
    (NOTE: the Red Hat Satellite or Proxy installers may do this step for you.)
    The "noarch" RPM needs to be deployed to the machine working as a
    web server, or Red Hat Satellite, or Oracle Linux Manager Proxy.
    Presumably 'olmsvr.mydom.com'.

(Optional) List the files that the packages install.

See the following two examples:

sudo rpm -qlp /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.src.rpm

rhn-org-httpd-ssl-key-pair-olmsvr-1.0.tar.gz
rhn-org-httpd-ssl-key-pair-olmsvr.spec

sudo rpm -qlp /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm

/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.csr/server.csr
/etc/httpd/conf/ssl.key/server.key
/etc/pki/spacewalk/jabberd/server.pem

Install the web server SSL noarch package.

sudo yum install /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm

Generate the public CA certificate package and make both the package and the CA public certificate file available to clients.

Generate the public CA certificate package, for example:

sudo rhn-ssl-tool --gen-ca --dir=/root/ssl-build --rpm-only

...working...
Generating CA public certificate RPM:
    /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.src.rpm
    /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm

Make the public CA certificate publicly available:
    (NOTE: the Red Hat Satellite or Proxy installers may do this step for you.)
    The "noarch" RPM and raw CA certificate can be made publicly accessible
    by copying it to the /var/www/html/pub directory of your Red Hat Satellite or
    Proxy server.

(Optional) List the files that the packages install.

The following are two examples:

sudo rpm -qlp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.src.rpm

rhn-org-trusted-ssl-cert-1.0.tar.gz
rhn-org-trusted-ssl-cert.spec

sudo rpm -qlp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm

/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

If an Oracle Linux Manager server or proxy is also configured as a client, install the public CA certificate noarch package on this system.
```
sudo yum install /root/ssl-build/pub/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
```
The public CA certificate is installed as /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.

Copy the rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm package and CA public certificate file to /var/www/html/pub for access by clients.

sudo cp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm /var/www/html/pub
sudo cp /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub

Verify that the installed copies of RHN-ORG-TRUSTED-SSL-CERT digest in the different locations are identical. The locations are /root/ssl-build, /usr/share, and /var/www/html/pub, for example:

sudo sha1sum /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT

74380a372bfa55d8ab7579bf01502c874b8aae84
                      /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
74380a372bfa55d8ab7579bf01502c874b8aae84
                      /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
74380a372bfa55d8ab7579bf01502c874b8aae84
                      /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT

On an Oracle Linux Manager server, stop Oracle Linux Manager services, clear the jabberd database, then restart the services.
```
sudo /usr/sbin/spacewalk-service stop
sudo rm -Rf /var/lib/jabberd/db/*
sudo /usr/sbin/spacewalk-service start
```
On Oracle Linux Manager proxies, restart the proxy services.
```
sudo /usr/sbin/rhn-proxy restart
```
On the remaining Oracle Linux Manager clients, download and install the public CA certificate package.
```
sudo wget https://olmsvr/pub/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
```
Note:

If you subsequently replace the server certificate because it is revoked or expired, you do not need to update the public CA certificate on the clients unless you change the CA that signs the server certificate.

Configuring a Web Proxy for an Oracle Linux Manager Server

If needed, configure the web proxy by using one of the following methods after you have installed Oracle Linux Manager:

Edit the /etc/rhn/rhn.conf file and configure the specific web proxy parameters as shown by the settings in bold:

server.satellite.http_proxy = webproxy.mydom.com:80
server.satellite.http_proxy_username = proxy-username
server.satellite.http_proxy_password = proxy-password

In the Oracle Linux Manager web interface, select the Admin tab, then Oracle Linux Manager Configuration, and enter the appropriate values to the HTTP proxy fields.

Upgrading to Oracle Linux Manager Server

This section provides information for upgrading Spacewalk 2.7 server to Oracle Linux Manager 2.10.

Attention:

If you are currently running earlier Spacewalk versions, such as Spacewalk 2.4 or Spacewalk 2.6, you must first upgrade to Spacewalk 2.7 before proceeding with the steps in this section. For instructions, see Upgrading a Spacewalk Server in Spacewalk for Oracle^® Linux: Installation Guide for Release 2.7.

Preparing to Upgrade

You must use Oracle databases that are supported in Oracle Linux Manager. For a list of supported databases in Oracle Linux Manager 2.10, see Oracle Database Support in Oracle Linux Manager: Release Notes for Release 2.10 .

Before you upgrade, check the following elements in their respective XML files:

<driver> in the /etc/jabberd/sm.xml file
<module> in the /etc/jabberd/c2s.xml file

If both elements in the two files specify sqlite, you can proceed to Performing the Upgrade. If not, then complete the following steps:

Stop the osa-dispatcher and jabberd services.

sudo systemctl stop osa-dispatcher
sudo systemctl stop jabberd

Specify sqlite for the <driver> and <module> elements in the files as shown:
- /etc/jabberd/sm.xml: <driver>sqlite</driver>.
- /etc/jabberd/c2s.xml: <module>sqlite</module>.

Create the SQLite database.

sudo sqlite3 /var/lib/jabberd/db/sqlite.db < /usr/share/jabberd/db-setup.sqlite
sudo chown jabber:jabber /var/lib/jabberd/db/sqlite.db

Start the jabberd and osa-dispatcher services.

sudo systemctl start jabberd
sudo systemctl start osa-dispatcher

Check /var/log/messages to ensure that SQLite is being used.
```
sudo cat /var/log/messages | grep sqlite
```
On client servers, make the osad service re-authenticate to jabberd.

If you previously registered client servers on which you then installed the osad service, remove the osad-auth.conf file first before restarting the service, as follows:
```
sudo systemctl stop osad
sudo rm -f /etc/sysconfig/rhn/osad-auth.conf
sudo systemctl start osad
```

Performing the Upgrade

Note:

If your system is already running Spacewalk 2.10, see Switching From Spacewalk 2.10 to Oracle Linux Manager 2.10 for information to convert it to Oracle Linux Manager.

Upgrade to Oracle Linux Manager 2.10 as follows:

Backup all current configurations.
- Back up all of the Spacewalk 2.7 configuration files in the following directories:
  - /etc/jabberd
  - /etc/rhn
  - /etc/sysconfig/rhn
  - /root/ssl-build
```
sudo tar -cvf preSWupgrade.tar /etc/jabberd /etc/rhn /etc/sysconfig/rhn /root/ssl-build
```
- Back up the Spacewalk 2.7 database.
  
  This step is recommended as a precaution in case the upgrade does not complete successfully.
  
  To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
Change the way the server that is currently running Spacewalk 2.7 Server obtains packages depending on the server's current configuration.
- If the Spacewalk 2.7 server is registered as a client of itself:
  1. Create an Oracle Linux Manager server channel as a child of the Oracle Linux 7 base channel.
    
    For more information about configuring channels, see Creating Software Channels and Repositories in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10 .
  2. Create an Oracle Linux Manager server repository that accesses the corresponding server channel on the Oracle Linux yum server server (https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64/) , by using the same GPG settings as for Oracle Linux 7.
  3. Associate Oracle Linux Manager server repository with its corresponding server channel and synchronize the repository's packages from the Oracle Linux yum server.
  4. Change the channel subscription from the Spacewalk server to Oracle Linux Manager server.
  5. Configure and synchronize the following additional channels:
    - Oracle Linux 7 Server Latest
    - Oracle Linux 7 Server Optional Latest
    - Oracle Instant Client for Oracle Linux 7
    - Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7
    - Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7
- If the Spacewalk 2.7 server obtains packages from the Oracle Linux yum server:
  1. Disable the Spacewalk server repository for the Spacewalk 2.7 release in the Oracle Linux yum server repository configuration file.
    
    Edit the configuration file and set enabled=0. Or, run the following command:
```
sudo yum-config-manager --disable repository
```
  2. Required: Install the latest oracle-release-el7 package.
    
    Important:
    
    You must run the following command even if you have recently updated the system, in order to successfully run the yum swap command later in this procedure.
```
sudo yum install oracle-release-el7
```
    If your system is running an Oracle Linux release that is earlier than Oracle Linux 7 Update 7, run the following additional command to make the system use the modular yum repository configuration:
```
sudo /usr/bin/ol_yum_configure.sh
```
  3. Install the oracle-linux-manager-server-release-el7 package.
```
sudo yum install oracle-linux-manager-server-release-el7
```
    Note:
    
    The command creates the file /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo if that file does not exist.
    
    However, if the file already exists, then the command leaves that file unmodified and instead creates a new file /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo.rpmnew that contains new repository entries for Oracle Linux Manager Server. Use the .rpmnew file to guide you to make the necessary modifications to the existing .repo file.

Verify that the correct Oracle Linux Manager repositories are enabled, and earlier Spacewalk versions are disabled.

The /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo file should resemble the following example:

[ol7_oraclelinux-manager210_server]
name=Oracle Linux Manager Server 2.10 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[ol7_oracle-linux-manager210_client]
name=Oracle Linux Manager Client 2.10 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

The /etc/yum.repos.d/oracle-spacewalk-server-ol7.repo should resemble the following example:

[ol7_spacewalk27_server]
name=Spacewalk Server 2.7 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0

[ol7_spacewalk26_server]
name=Spacewalk Server 2.6 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk26/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0

[ol7_spacewalk27_client]
name=Spacewalk Client 2.7 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/client/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0

[ol7_spacewalk26_client]
name=Spacewalk Client 2.6 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk26/client/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0

Check for any version-locked packages and delete them, for example:
```
sudo yum versionlock list
sudo yum versionlock delete cglib c3p0
```
Upgrade the Instant Clients.
```
sudo yum swap -- remove oracle-instantclient11.2-basic oracle-instantclient11.2-sqlplus freemarker velocity-tools -- upgrade oracle-instantclient18.5-basic oracle-instantclient18.5-sqlplus spacewalk-oracle
```
Note:

The command might generate a No match for argument message with references to freemarker and veolcity-tools. These packages might have existed in the system from an earlier Spacewalk 2.6 installation, but which are no longer required by Oracle Linux Manager 2.10. Thus, in this case, you can ignore the message.

Add the library path to ldconfig.

echo "/usr/lib/oracle/18.5/client64/lib" | sudo tee /etc/ld.so.conf.d/oracle-instantclient18.5.conf 
sudo ldconfig

Upgrade all the packages.
```
sudo yum upgrade
```
Stop Oracle Linux Manager services.
```
sudo /sbin/spacewalk-service stop
```
You can safely ignore any SELinux restorecon messages that are displayed when the packages are installed.

Upgrade Oracle Linux Manager's database schema.

sudo /usr/bin/spacewalk-schema-upgrade

The process requires intervention at some point in order to continue, as shown in bold in the following example:

sudo /usr/bin/spacewalk-schema-upgrade

Please make sure all Oracle Linux Manager services apart from database are stopped.
... 
Schema upgrade: [spacewalk-schema-2.7.28-1.0.2.el7] -> [spacewalk-schema-2.9.11-1.el7]
Searching for upgrade path: [spacewalk-schema-2.7.28-1.0.2] -> [spacewalk-schema-2.9.11-1]
Searching for upgrade path: [spacewalk-schema-2.7.28] -> [spacewalk-schema-2.9.11]
Searching for upgrade path: [spacewalk-schema-2.7] -> [spacewalk-schema-2.9]
The path: [spacewalk-schema-2.7] -> [spacewalk-schema-2.8] -> [spacewalk-schema-2.9]
Planning to run spacewalk-sql with [/var/log/spacewalk/schema-upgrade/20200123-165929-script.sql]

Please make sure you have a valid backup of your database before continuing.

Hit Enter to continue or Ctrl+C to interrupt: 
Executing spacewalk-sql, the log is in 
   [/var/log/spacewalk/schema-upgrade/20200406-174429-to-spacewalk-schema-2.10.log].
The database schema was upgraded to version [spacewalk-schema-2.10.11-1.el7].

In the event of a failure, do the following:

Check the log files in the /var/log/spacewalk/schema-upgrade directory to determine the cause.
Restore the database from backup.
Fix the cause of the problem, for example, by extending the tablespaces if there is insufficient space.
Upgrade the database schema.

Upgrade Oracle Linux Manager's configuration for the Oracle Database.
```
sudo spacewalk-setup --external-oracle --upgrade
```
The command initiates an interactive session that prompts you for information about your current database.
Restart Oracle Linux Manager services.
```
sudo /sbin/spacewalk-service start
```
Perform any necessary postinstallation tasks.

Review the information in Configuring a Newly Installed Oracle Linux Manager Server.
If necessary, upgrade your Oracle database.
1. Back up the Oracle Linux Manager database again.
  
  This step is recommended as a precaution in case the following step to upgrade the database does not complete successfully.
  
  To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
2. Upgrade the Oracle database.
  
  As indicated in the Oracle Linux Manager: Release Notes for Release 2.10 , Oracle Linux Manager 2.10 supports only Oracle Database Enterprise edition 12c and Oracle Database Enterprise edition 19c. Oracle strongly recommends that you use Oracle Database Enterprise edition 19c.
  
  Important:
  
  If you are upgrading your Oracle database, do not use the RPM version of the Oracle Database Enterprise edition 19c release. Upgrading an OUI-installed Oracle database with the RPM version is not supported.
  
  For this step, consult your database administrator and follow the instructions in your database documentation.
Upgrade the Spacewalk Client to Oracle Linux Manager 2.10 Client.

For instructions, refer to the appropriate section in the chapter Registering Client Systems With Oracle Linux Manager in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10 .

Switching From Spacewalk 2.10 to Oracle Linux Manager 2.10

If you are already using Spacewalk 2.10, you should convert to Oracle Linux Manager 2.10 as the Spacewalk 2.10 repositories are scheduled to be retired. For details, see Oracle Linux Manager: Release Notes for Release 2.10 .

To switch a Spacewalk 2.10 server to Oracle Linux Manager:

Backup all current configurations.
- Back up all of the Spacewalk 2.10 configuration files in the following directories:
  - /etc/jabberd
  - /etc/rhn
  - /etc/sysconfig/rhn
  - /root/ssl-build
```
sudo tar -cvf preSWupgrade.tar /etc/jabberd /etc/rhn /etc/sysconfig/rhn /root/ssl-build
```
- Back up the Spacewalk 2.10 database.
  
  This step is recommended as a precaution in case the switch does not complete successfully.
  
  To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
Change the way the server that is currently running Spacewalk 2.10 Server obtains packages depending on the server's current configuration.
- If the Spacewalk 2.10 server obtains packages from the Oracle Linux yum server, install the oracle-linux-manager-server-release-el7 package.
```
sudo yum install oracle-linux-manager-server-release-el7
```
- If the Spacewalk 2.10 server is registered as a client of itself, update the existing Spacewalk server and client repository URLs to Oracle Linux Manager as follows:
  
  Oracle Linux Manager Server
  - Server Repository Label: ol7_oraclelinuxmanager210_server
  - Server Repository Name: Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7
  - Yum URL: https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64
  Oracle Linux Manager Client (Oracle Linux 7)
  - Client Repository Label: ol7_oraclelinuxmanager210_client
  - Client Repository Name: Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7
  - Yum URL: https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/x86_64
  Oracle Linux Manager Client (Oracle Linux 8)
  - Client Repository Label: ol8_oraclelinuxmanager210_client
  - Client Repository Name: Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 8
  - Yum URL: https://yum.oracle.com/repo/OracleLinux/OL8/oraclelinuxmanager210/client/x86_64
  For more information about configuring channels and repositories, see Creating Software Channels and Repositories in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10 .
Upgrade all the packages.
```
sudo yum upgrade
```