Prereqs

"These are required for configuring communication between CDS instances and Red Hat Enterprise Linux clients."

I'd say "for configuring SSL and signing client entitlement certificates" instead.

-----

Prereqs

"Ensure you have an entitlement for every RHUA instance in the cloud. This grants access to:
* Red Hat Update Infrastructure (RHUA and associated technologies).
* 32-bit and 64-bit Red Hat Enterprise Linux images. This is required to perform instantiation."

... and...

"A certificate provided by Red Hat and used by RHUA to synchronize channel content from RHN."

... are the same thing. What happens is we give them a certificate that has a valid RHUI entitlement plus a RHEL Server entitlement for each RHUI Server (RHUA, CDS) that will be running.

I think we should try to merge them to one bullet point with sub-bullet points. Chances are, the cert they get from us will be right, so I don't want it to look like there are two different things they need by having them as two high level bullet points.

Ping me if that last paragraph doesn't make any sense.

-----

Technical Requirements

"Content Certificate Private Key. The unique key that enables syncing from Red Hat Network Satellite to your RHUA."

I'd change "Red Hat Network Satellite" to just "RHN" to be consistent with how it's referred to elsewhere.

-----

Firewall

= Additions =

Port: 5674
Protocol: QPID
Source: RHUA
Dest: CDS
Notes: Used for RHUA <-> CDS communication

Port: 5674
Protocol: QPID
Source: CDS
Dest: RHUA
Notes: Used for RHUA <-> CDS communication

(note the swapping of source and dest in the above two; they are in fact separate rules and not just a copy/paste thing)

= Removals =

The port 22 line, it's not required anymore.

-----

Firewall

"By default, these ports are opened by the firewall rules set during RHUA configuration."

Remove that, we don't dork with the firewall anymore.

-----

Configuring SSL Certificates

"This certificate and key enables you to create SSL keys and certificates for the CDS"

"RHUA and CDS"

FYI, that's not an error in the 1.2 docs. We didn't used to use HTTPS on the RHUA. Now we do. So keep that in the back of your head as you tweak the docs that chances are, in most places you talk about the need to configure the CDSes for HTTPS, you need to do it for the RHUA too.

-----

Configuring SSL Certificates

There's actually a step missing between 1 and 2. Step 1 is to get the CA certificate/private key. You need to generate the server's SSL key before generating the cert request in step 2. That's where "server.key" comes from in the example.

That can be done with the following:

openssl genrsa -out server.key 2048

-----

Configuring SSH Keys

Remove this whole section. SSH keys are not used/needed in 2.0.
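The ordering described under "Configuring SSL Certificates" above (CA first, then the server key, then the certificate request), as an added example that is not part of the original comment or of the RHUI documentation. The throwaway CA, every file name other than server.key, and the host name cds01.example.com are constructed for illustration; the final check confirms that the signed certificate chains to the CA and carries the public key of server.key.

```shell
#!/usr/bin/env bash
# Added example: generate the server key BEFORE the certificate request.
# ca.key, ca.crt, server.csr, server.crt and the subject names are constructed.
set -eu

# Build a throwaway CA, then key -> CSR -> signed certificate in dir $1 for host $2.
make_server_cert() {
    (
        cd "$1"
        umask 077   # private keys readable by the owner only

        # Step 1 stand-in: a real deployment already has its CA certificate and key.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -key ca.key -days 30 \
            -subj "/CN=Constructed Test CA" -out ca.crt

        # The missing step: without server.key the request below cannot be created.
        openssl genrsa -out server.key 2048 2>/dev/null

        # Step 2: certificate request for the RHUA or CDS host name.
        openssl req -new -key server.key -subj "/CN=$2" -out server.csr

        # The CA signs the request.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 30 -out server.crt 2>/dev/null
    )
}

# SHA-256 over the DER form of a PEM public key read on stdin.
pub_digest() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# Succeeds only if server.crt chains to ca.crt AND carries server.key's public key.
check_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey | pub_digest)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout | pub_digest)
    [ "$cert_pub" = "$key_pub" ]
}

demo_dir=$(mktemp -d)
make_server_cert "$demo_dir" cds01.example.com
check_server_cert "$demo_dir" && echo "server.crt matches server.key and chains to ca.crt"
rm -rf "$demo_dir"
```
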
Also, there's going to be an addition here of a script they run to generate an NSS database. We're providing the script. It's very close to done and I'll file a new BZ when it is. Just wanted to throw that out there as an FYI that this BZ represents a review of what's there, but also notes that it's not 100% complete yet.
*** Bug 705716 has been marked as a duplicate of this bug. ***
(In reply to comment #0)
> Prereqs
>
> "These are required for configuring communication between CDS instances and Red
> Hat Enterprise Linux clients."
>
> I'd say "for configuring SSL and signing client entitlement certificates"
> instead.

<para>
  The ability to generate or obtain CA and SSL certificates. These are required for configuring SSL and signing client entitlement certificates.
</para>

>
> -----
>
> Prereqs
>
> "Ensure you have an entitlement for every RHUA instance in the cloud. This
> grants access to:
> * Red Hat Update Infrastructure (RHUA and associated technologies).
> * 32-bit and 64-bit Red Hat Enterprise Linux images. This is required to
> perform instantiation."
>
> ... and...
>
> "A certificate provided by Red Hat and used by RHUA to synchronize channel
> content from RHN."
>
> ... are the same thing. What happens is we give them a certificate that has a
> valid RHUI entitlement plus a RHEL Server entitlement for each RHUI Server
> (RHUA, CDS) that will be running.
>
> I think we should try to merge them to one bullet point with sub-bullet points.
> Chances are, the cert they get from us will be right, so I don't want it to
> look like there are two different things they need by having them as two high
> level bullet points.
>
> Ping me if that last paragraph doesn't make any sense.

<listitem>
  <para>
    Ensure you have an entitlement for every RHUA instance in the cloud. This grants access to:
  </para>
  <itemizedlist>
    <listitem>
      <para>
        &RHUI; (RHUA and associated technologies).
      </para>
    </listitem>
    <listitem>
      <para>
        32-bit and 64-bit &RHEL; images. This is required to perform instantiation.
      </para>
    </listitem>
    <listitem>
      <para>
        Permission for the RHUA to synchronize channel content from RHN.
      </para>
    </listitem>
  </itemizedlist>
</listitem>

>
> -----
>
> Technical Requirements
>
> "Content Certificate Private Key. The unique key that enables syncing from Red
> Hat Network Satellite to your RHUA."
>
> I'd change "Red Hat Network Satellite" to just "RHN" to be consistent with how
> it's referred to elsewhere.

<listitem>
  <para>
    Content Certificate. An entitlement certificate provided by Red Hat that enables content download and syncing from RHN. When you are installing a content certificate for the first time, or if you need to upload a new certificate, you will require write access to <filename>/etc/pki/rhui</filename>. However, these permissions are not required during normal operation.
  </para>
</listitem>
<listitem>
  <para>
    Content Certificate Private Key. The unique key that enables syncing from RHN to your RHUA.
  </para>
</listitem>

>
> -----
>
> Firewall
>
> = Additions =
>
> Port: 5674
> Protocol: QPID
> Source: RHUA
> Dest: CDS
> Notes: Used for RHUA <-> CDS communication
>
> Port: 5674
> Protocol: QPID
> Source: CDS
> Dest: RHUA
> Notes: Used for RHUA <-> CDS communication

<row>
  <entry>5674</entry>
  <entry>QPID</entry>
  <entry>RHUA</entry>
  <entry>CDS</entry>
  <entry>Used for communication between the RHUA and the CDS</entry>
</row>
<row>
  <entry>5674</entry>
  <entry>QPID</entry>
  <entry>CDS</entry>
  <entry>RHUA</entry>
  <entry>Used for communication between the RHUA and the CDS</entry>
</row>

>
> (note the swapping of source and dest in the above two; they are in fact
> separate rules and not just a copy/paste thing)
>
> = Removals =
>
> The port 22 line, it's not required anymore.

It's gone.

>
> -----
>
> Firewall
>
> "By default, these ports are opened by the firewall rules set during RHUA
> configuration."
>
> Remove that, we don't dork with the firewall anymore.

Gone.

>
> -----
>
> Configuring SSL Certificates
>
> "This certificate and key enables you to create SSL keys and certificates for
> the CDS"
>
> "RHUA and CDS"
>
> FYI, that's not an error in the 1.2 docs. We didn't used to use HTTPS on the
> RHUA. Now we do. So keep that in the back of your head as you tweak the docs
> that chances are, in most places you talk about the need to configure the CDSes
> for HTTPS, you need to do it for the RHUA too.

<para>
  This certificate and key enables you to create SSL keys and certificates for the RHUA and the CDS, as well as sign the entitlement certificates for the clients to access the CDS instances.
</para>

>
> -----
>
> Configuring SSL Certificates
>
> There's actually a step missing between 1 and 2. Step 1 is to get the CA
> certificate/private key. You need to generate the server's SSL key before
> generating the cert request in step 2. That's where "server.key" comes from in
> the example.
>
> That can be done with the following:
>
> openssl genrsa -out server.key 2048

Added new step:

<step>
  <para>
    Generate the server SSL key, using the following command:
  </para>
<screen>
$ openssl genrsa -out server.key 2048
</screen>
</step>

>
> -----
>
> Configuring SSH Keys
>
> Remove this whole section. SSH keys are not used/needed in 2.0.

Commented out.

Revision 1-9.

LKB
All changes for Chapter 2 : Installation Requirements Done
This book is now available at http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/index.html Please raise a new bug for any further changes. LKB