Bug 1573349 - Incorrect instructions to lock down Satellite<->CDN on enterprise firewall, multiple disagreeing sources of truth.
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Docs Install Guide
Version: 6.3.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: Stephen Wadeley
QA Contact: Sergei Petrosian
Depends On:
Reported: 2018-05-01 00:37 UTC by Miki Shapiro
Modified: 2021-06-10 16:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-04 17:33:33 UTC
Target Upstream Version:


Description Miki Shapiro 2018-05-01 00:37:21 UTC
Description of problem:
Customer wanted to lock down access between Satellite and CDN (without using an HTTP proxy).

The following is the authoritative document that describes the required access, which got passed on to the infosec firewall team: 

(Section 2.5, Table 2.3). 
The section is definitely a documentation bug. 
It states what is needed is:
cdn.redhat.com 443 (HTTPS)
access.redhat.com 443 (HTTPS)

A second set of instructions can be found in the section detailing setting up access through an HTTP proxy - same document, section 3.4.2, item 3: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html-single/installation_guide/#configuring_satellite_http_proxy
subscription.rhsm.redhat.com 443 (HTTPS)
cdn.redhat.com 443 (HTTPS)
*.akamaiedge.net 443 (HTTPS)
cert-api.access.redhat.com (if using Red Hat Insights) 443 (HTTPS)
api.access.redhat.com (if using Red Hat Insights) 443 (HTTPS)

Note when making the same info available in section 2, the subnote about using Red Hat's CIDR IP addresses should also be carried across, as some customers will refuse to open blanket access to Akamai for sensible security reasons. 

A third set of (again, different) instructions can be found in the KB article describing this: 
The instructions here read that what needs to be opened is:
subscription.rhn.redhat.com:443 [https] (presumably no longer needed)
subscription.rhsm.redhat.com:443 [https] (This is the new default address in newer versions of RHEL 7)
cdn.redhat.com:443 [https]
*.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]

Version-Release number of selected component (if applicable):

How reproducible:
Doco Bug

Steps to Reproduce:

Actual results:
3 different and inconsistent sets of instructions

Expected results:
1. Consistent information. 
2. Fewer sources of truth. 

Additional info:
As above.

Document URL: 

Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

Additional information:

Comment 1 Stephen Wadeley 2018-05-02 07:32:21 UTC
Hello Miki

Thank you for raising this bug.

Re. Table 2.3, are you suggesting this change:


Re. the Knowledgebase *solution*. Note that DocsTeam does not maintain the KBase solutions; they are created by GSS but any one in Red Hat can fix them.

The part "subscription.rhn.redhat.com:443 [https] AND subscription.rhsm.redhat.com:443 [https] " was added by Craig Donnelly. I would not like to remove the AND without asking him why it needs to be there.

Thank you

Comment 2 Stephen Wadeley 2018-05-02 07:50:32 UTC
Hello Craig

In Kbase solution[1] you added " AND subscription.rhsm.redhat.com:443 [https]" after "subscription.rhn.redhat.com:443 [https]".

Is it now safe to remove that rhn URL and just have:

subscription.rhsm.redhat.com:443 [https]

or will older installs of RHEL 6 and 5 still try to use the rhn URL?

Thank you

[1] https://access.redhat.com/solutions/65300

Comment 3 Craig Donnelly 2018-05-03 04:01:31 UTC

This is fine.

The subscription.rhn url is what will be seen inside RHEL 5 + 6 by default in /etc/rhsm.conf.

In RHEL 7 after a certain point, subscription.rhsm became default.

Both links are currently usable, but subscription.rhsm should be recommended anywhere there is solid documentation around this, and it will work for all versions of RHEL that can use subscription-manager.
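
The three endpoint lists quoted in comment 0 and the rhsm.conf default discussed in comment 3 are the inputs a firewall team actually has to reconcile, so here is an added example (not Red Hat's or the Satellite project's code) that merges those hostnames into one list, flags the wildcard entries that cannot become layer-4 rules, and checks each resolvable hostname against a CIDR allow-list. The IP addresses and CIDRs below are constructed from RFC 5737 test ranges so the script runs offline; they are not Red Hat addresses. `system_resolver` is included for use on a real host, and `rhsm_server_hostname` reads the `[server] hostname` key of subscription-manager's `/etc/rhsm/rhsm.conf` (text passed in, so the example does not need the file).

```python
"""Consolidate Satellite -> CDN egress endpoints and check a CIDR allow-list.

Added example, not Red Hat code. Hostnames are the ones quoted in the bug;
all IP addresses and CIDRs below are constructed (RFC 5737 test ranges).
"""
import configparser
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Union of the three endpoint lists quoted in the bug description.
# Wildcard entries cannot be expressed as layer-4 firewall rules, which is why
# the published CIDR list matters to teams that refuse blanket Akamai access.
REQUIRED_ENDPOINTS: Dict[str, str] = {
    "subscription.rhsm.redhat.com": "subscription-manager (current default)",
    "subscription.rhn.redhat.com": "subscription-manager (RHEL 5/6 default)",
    "cdn.redhat.com": "content delivery",
    "access.redhat.com": "customer portal",
    "*.akamaiedge.net": "CDN edge (wildcard)",
    "*.akamaitechnologies.com": "CDN edge (wildcard, alternative)",
    "cert-api.access.redhat.com": "Red Hat Insights (optional)",
    "api.access.redhat.com": "Red Hat Insights (optional)",
}


def rhsm_server_hostname(config_text: str) -> Optional[str]:
    """Return the [server] hostname from rhsm.conf text (/etc/rhsm/rhsm.conf on a host)."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser.get("server", "hostname", fallback=None)


def is_legacy_rhsm_hostname(hostname: Optional[str]) -> bool:
    """True when the client still points at the RHEL 5/6 default discussed in comment 3."""
    return hostname == "subscription.rhn.redhat.com"


def system_resolver(host: str, port: int = 443) -> List[str]:
    """Resolve with the system resolver; use on a real host instead of the constructed map."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})


def check_allowlist(hosts, allowed_cidrs: List[str], resolve: Callable[[str], List[str]]) -> Dict[str, dict]:
    """Classify each hostname as allowed, blocked, wildcard or unresolved against the CIDRs."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    report: Dict[str, dict] = {}
    for host in hosts:
        if host.startswith("*."):
            report[host] = {"status": "wildcard", "addresses": [], "outside": []}
            continue
        try:
            addrs = resolve(host)
        except OSError:
            report[host] = {"status": "unresolved", "addresses": [], "outside": []}
            continue
        outside = [a for a in addrs if not any(ipaddress.ip_address(a) in n for n in networks)]
        report[host] = {
            "status": "blocked" if outside else "allowed",
            "addresses": addrs,
            "outside": outside,
        }
    return report


def summarize(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group hostnames by status so the gaps in a proposed rule set are obvious."""
    out: Dict[str, List[str]] = {}
    for host, entry in report.items():
        out.setdefault(entry["status"], []).append(host)
    return {status: sorted(hosts) for status, hosts in out.items()}


# Constructed DNS answers and allow-list (RFC 5737 ranges) so the example runs offline.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "subscription.rhsm.redhat.com": ["203.0.113.10"],
    "subscription.rhn.redhat.com": ["203.0.113.11"],
    "cdn.redhat.com": ["198.51.100.20", "198.51.100.21"],
    "access.redhat.com": ["203.0.113.30"],
    "cert-api.access.redhat.com": ["203.0.113.31"],
    "api.access.redhat.com": ["192.0.2.40"],  # deliberately outside the allow-list
}
CONSTRUCTED_ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/24"]


def constructed_resolver(host: str) -> List[str]:
    """Stand-in for system_resolver that answers from the constructed map."""
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"no constructed record for {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    result = check_allowlist(REQUIRED_ENDPOINTS, CONSTRUCTED_ALLOWLIST, constructed_resolver)
    for name, entry in sorted(result.items()):
        print(f"{entry['status']:10} {name:28} {' '.join(entry['addresses'])}")
    print(summarize(result))
```

On a real Satellite host, swap `constructed_resolver` for `system_resolver` and `CONSTRUCTED_ALLOWLIST` for the CIDRs the firewall team actually deployed; any hostname reported as `blocked` or `wildcard` is one the rule set does not cover as written.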

Comment 4 Stephen Wadeley 2018-05-03 10:06:39 UTC
Thank you Craig

Hello Miki

Seems for legacy reasons we cannot remove subscription.rhn.redhat.com from the KBase[1] you linked to in comment 0

I will copy the paragraph with the link to the list of IP addresses[2] from the "Configuring Satellite Server with HTTP Proxy" section to underneath Table 2.3

Thank you

[1] https://access.redhat.com/solutions/65300 (How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy)

[2] https://access.redhat.com/articles/1525183 (Public CIDR Lists for Red Hat)
