The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
The following procedure assumes that you are installing and configuring a Spacewalk proxy on an Oracle Linux 7 Update 1 or later system or an Oracle Linux 6 Update 7 or later system. You do not need to install the Spacewalk client software before registering a Spacewalk proxy system with the Spacewalk server.
Install the Spacewalk Proxy software as follows:
Ensure that the jta package is not installed and prevent it from being installed when you install Spacewalk.

Check whether the jta package is installed:

    # yum list installed | grep jta

Remove the jta package:

    # yum remove jta

To prevent the jta package from being installed, either disable the Oracle Linux 6 or Oracle Linux 7 Add-ons channel ([ol6_addons] or [ol7_addons]), or add the jta package to the exclude directive in the yum configuration file /etc/yum.conf, for example:

    exclude=jta*

Configure the system firewall.
The following example shows how you might configure the system firewall for Oracle Linux 6:
    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
    # iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    # iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 4545 -j ACCEPT
    # service iptables save

For Oracle Linux 7, you would configure the system firewall as follows:

    # firewall-cmd --permanent --add-port=80/tcp
    # firewall-cmd --permanent --add-port=443/tcp
    # firewall-cmd --permanent --add-port=5222/tcp
    # firewall-cmd --permanent --add-port=5269/tcp
    # systemctl reload firewalld

Register the system as a client of the Spacewalk server for which it will act as a Spacewalk proxy:
Note: Before you can register a server, you must have already created a client activation key. If enabled, a universal default key can be used. However, using a specific activation key is better.
The following steps use SSL to encrypt all communication between the client and the Spacewalk server (the recommended configuration).
Download the CA certificate file RHN-ORG-TRUSTED-SSL-CERT to the server.

In a browser tab, navigate to http://swksvr_FQDN/pub, where swksvr_FQDN is the fully qualified domain name of the Spacewalk server, and download the CA certificate file RHN-ORG-TRUSTED-SSL-CERT to /usr/share/rhn.

Alternatively, you can use wget from the command line, for example:

    # wget -q -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
      http://swksvr_FQDN/pub/RHN-ORG-TRUSTED-SSL-CERT

Register the system with Spacewalk by using the rhnreg_ks command, specifying the --sslCACert option to specify the path of the CA certificate.

    # rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
      --serverUrl=https://swksvr_FQDN/XMLRPC --activationkey=activation_key

Specify the Spacewalk server or proxy by its fully qualified domain name.
Verify that the settings in the /etc/sysconfig/rhn/up2date file that are used to access the Spacewalk server are correct:

Verify that serverURL is set to the Spacewalk server's URL, for example https://swksvr.mydom.com/XMLRPC:

    # grep ^serverURL= /etc/sysconfig/rhn/up2date
    serverURL=https://swksvr.mydom.com/XMLRPC

Verify that sslCACert is set to the correct CA certificate file, for example /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT:

    # grep ^sslCACert= /etc/sysconfig/rhn/up2date
    sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

Note: If the settings are not correct, you probably made a mistake when you used rhnreg_ks to register the system. Run the rhnreg_ks command again, checking that you correctly specify the path of the CA certificate and the Spacewalk server's URL, and specifying the --force option to override the previous settings.
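The two grep checks above can be scripted together with an integrity check on the CA file, which the procedure downloads over plain HTTP. This is an added example, not part of the Oracle documentation; the function names and the optional expected-digest argument are assumptions, with the digest taken by running sha256sum on the Spacewalk server's own copy of RHN-ORG-TRUSTED-SSL-CERT.

```shell
#!/bin/bash
# Added example, not part of the Oracle documentation.
# Usage: check_up2date CONF [EXPECTED_SHA256]

# Print the value of the last "KEY=" line; "KEY[comment]=" lines do not match.
get_setting() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

check_up2date() {
    conf=$1
    expected=${2:-}   # assumption: digest computed on the Spacewalk server
    rc=0
    url=$(get_setting serverURL "$conf")
    ca=$(get_setting sslCACert "$conf")

    # serverURL must use https and the /XMLRPC path given to rhnreg_ks.
    case $url in
        https://?*/XMLRPC) ;;
        *) echo "FAIL serverURL='$url' (want https://FQDN/XMLRPC)"; rc=1 ;;
    esac

    # sslCACert must name a readable file that holds a PEM certificate.
    if [ ! -r "$ca" ]; then
        echo "FAIL sslCACert='$ca' is not a readable file"; rc=1
    elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "FAIL $ca does not contain a PEM certificate"; rc=1
    elif [ -n "$expected" ]; then
        # The file came over plain HTTP, so compare its digest with the one
        # computed from the server's own copy.
        actual=$(sha256sum "$ca" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $ca digest is $actual, expected $expected"; rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then echo "OK $conf"; fi
    return "$rc"
}

# Run against the file named on the command line, if any.
if [ "$#" -gt 0 ]; then check_up2date "$@"; fi
```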
If not already present on the Spacewalk server, create software channels for Spacewalk 2.4 Client and Spacewalk Server 2.4, subscribe the Spacewalk proxy system to these channels and enable Provisioning entitlements for the Spacewalk proxy:
Create a Spacewalk Client 2.4 channel as a child of either the Oracle Linux 6 or Oracle Linux 7 base channel as appropriate to the installed version of Oracle Linux.
Create a Spacewalk Client 2.4 repository that accesses the appropriate Spacewalk Client 2.4 channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk24/client/x86_64/ or https://yum.oracle.com/repo/OracleLinux/OL7/spacewalk24/client/x86_64/) by using the same GPG settings as for Oracle Linux 6 or Oracle Linux 7.
Associate the Spacewalk Client 2.4 repository with the Spacewalk Client 2.4 channel and synchronize the repository's packages from the Oracle Linux yum server.
Create a Spacewalk Server 2.4 channel as a child of either the Oracle Linux 6 or Oracle Linux 7 base channel as appropriate to the installed version of Oracle Linux.
Create a Spacewalk Server 2.4 repository that accesses the appropriate Spacewalk Server 2.4 channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk24/server/x86_64/ or https://yum.oracle.com/repo/OracleLinux/OL7/spacewalk24/server/x86_64/) by using the same GPG settings as for Oracle Linux 6 or Oracle Linux 7.
Associate the Spacewalk Server 2.4 repository with the Spacewalk Server 2.4 channel and synchronize the repository's packages from the Oracle Linux yum server.
Change the channel subscription of the Spacewalk server in Spacewalk from the Spacewalk Server 2.0 or 2.2 channel to the Spacewalk Server 2.4 channel.
Subscribe the Spacewalk proxy to the Spacewalk Client 2.4 and Spacewalk Server 2.4 channels.
Enable Provisioning entitlements for the Spacewalk proxy.
Install the Spacewalk Client software and openssh-clients packages:

    # yum install rhn-client-tools rhn-check rhn-setup rhnsd \
      m2crypto yum-rhn-plugin openssh-clients

Install the Spacewalk Proxy installer package.

    # yum -y install spacewalk-proxy-installer

Create the /root/ssl-build directory.

    # mkdir /root/ssl-build

Copy the Spacewalk server's CA key and public certificate files to /root/ssl-build. For example:

    # scp 'root@spacewalk_server:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' /root/ssl-build
    RHN-ORG-PRIVATE-SSL-KEY 100% 1751 1.7KB/s 00:00
    RHN-ORG-TRUSTED-SSL-CERT 100% 5316 5.2KB/s 00:00
    rhn-ca-openssl.cnf 100% 2186 2.1KB/s 00:00

Configure the Spacewalk proxy by running the /usr/sbin/configure-proxy.sh script.
The following example shows an interactive configuration:

    # /usr/sbin/configure-proxy.sh
    Using RHN parent (from /etc/sysconfig/rhn/up2date): swksvr.mydom.com
    Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    HTTP Proxy []: [Enter]
    Proxy version to activate [2.4]: [Enter]
    Traceback email []: my.email@mydom.com
    Use SSL [Y/n]: Y
    Regardless of whether you enabled SSL for the connection to the Spacewalk Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this Spacewalk Proxy
    securely. Refer to the Spacewalk Proxy Installation Guide for more information.
    Organization []: Oracle Demo
    Organization Unit [swkproxy.us.mydom.com]: [Enter]
    Common Name [swkproxy.us.mydom.com]: [Enter]
    City []: Redwood Shores
    State []: CA
    Country code []: US
    Email [my.email@mydom.com]: [Enter]
    Cname aliases (separated by space) []: [Enter]
    Spacewalk Proxy successfully activated.
    Loaded plugins: rhnplugin
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package spacewalk-proxy-management.noarch... will be installed
    ...
    Transaction Summary
    ================================================================================
    Install 42 Package(s)
    Total download size: 13 M
    Installed size: 32 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/42): apr... | 122 kB 00:00
    ...
    Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY.
    Generating distributable RPM for CA public certificate:
    Copying CA public certificate to /var/www/html/pub for distribution to clients:
    Generating SSL key and public certificate:
    CA password: cert_passwd
    Installing SSL certificate for Apache and Jabberd:
    Preparing packages for installation...
    rhn-org-httpd-ssl-key-pair-swkproxy-1.0-1
    Create and populate configuration channel rhn_proxy_config_1000010000? [Y/n]: Y
    Spacewalk username: []: swadmin
    Password: swadmin_passwd
    Using server name swksvr.mydom.com
    Creating config channel rhn_proxy_config_1000010000
    Config channel rhn_proxy_config_1000010000 created
    Using server name swksvr.mydom.com
    Pushing to channel rhn_proxy_config_1000010000:
    Local file /etc/httpd/conf.d/ssl.conf -> remote file /etc/httpd/conf.d/ssl.conf
    Local file /etc/rhn/rhn.conf -> remote file /etc/rhn/rhn.conf
    Local file /etc/squid/squid.conf -> remote file /etc/squid/squid.conf
    Local file /etc/httpd/conf.d/cobbler-proxy.conf -> remote file /etc/httpd/conf.d/cobbler-proxy.conf
    Local file /etc/httpd/conf/httpd.conf -> remote file /etc/httpd/conf/httpd.conf
    Local file /etc/jabberd/c2s.xml -> remote file /etc/jabberd/c2s.xml
    Local file /etc/jabberd/sm.xml -> remote file /etc/jabberd/sm.xml
    Enabling Spacewalk Proxy.
    Shutting down rhn-proxy...
    Terminating jabberd processes ...
    Stopping s2s: [FAILED]
    Stopping c2s: [FAILED]
    Stopping sm: [FAILED]
    Stopping router: [FAILED]
    Stopping httpd: [FAILED]
    Stopping squid: [FAILED]
    Done.
    Starting rhn-proxy...
    init_cache_dir /var/spool/squid... Starting squid: . [ OK ]
    Starting httpd: [ OK ]
    Initializing jabberd processes ...
    Starting router: [ OK ]
    Starting sm: [ OK ]
    Starting c2s: [ OK ]
    Starting s2s: [ OK ]
    Done.
    There were some answers you had to enter manually.
    Would you like to have written those into file
    formatted as answers file? [Y/n]: Y
    Writing proxy-answers.txt.NtM1Y

The Spacewalk user name and password (swadmin and swadmin_passwd) are the Spacewalk server administrator's user name and password.

Note: The information that you provide is optionally recorded in a file named proxy-answers.txt.UID, where UID is a unique identifier. You can use this file to automate the configuration of a Spacewalk proxy, as shown in the following example:

    # configure-proxy.sh --non-interactive --answer-file=proxy-answers.txt.NtM1Y

If you want to use a third-party CA-signed SSL certificate instead of the self-signed SSL certificate, follow the procedure described in Chapter 3, Replacing SSL Certificates on Spacewalk Servers or Spacewalk Proxies.
Note: Oracle recommends that you replace the self-signed SSL certificate before registering any clients. Otherwise, you must log on separately to each existing client and configure it to use the new SSL certificate. You cannot do this from the Spacewalk server.
To check that the Spacewalk proxy is running correctly, specify the URL of the proxy when registering a Spacewalk client, as shown in the following example:

    # rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
      --serverUrl=https://swkproxy_FQDN/XMLRPC --activationkey=activation_key

After registering the client, subscribe it to software channels on the server and verify that you can update packages from the client.

