I'm pretty sure this would best fit in the Installation Requirements section below "Procedure 2.1. Configuring SSL Certificates" In Procedure 2.1, they generate SSL certificates for the web server (in other words, repo accesses by yum clients). Internally, RHUI also uses a QPID message broker to communicate between its pieces. This communication is also secured through SSL, however the process for generating those certificates is different. To facilitate the creation, we provide a script called "nss-db-gen". That script is as automated as possible, but there are some points where it will ask for a password for some of the newly created items (more on that later). That generates a directory of files that need to be specified in the answers.conf file. If you accept the default directory in the nss-db-gen command (it's the first thing the user is prompted for) then the defaults in answers.sample will point to the correct locations. If you're stubborn/compulsive and insist on your own temporary directory, here are the relevant entries in answers.conf they need to fill out: ----- # Full path to the CA certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_ca: /tmp/rhua/qpid/ca.crt # Full path to the client certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_client: /tmp/rhua/qpid/client.crt # Full path to the NSS database used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. Note: This must be # a directory containing a number of files, including the NSS database and password file. qpid_nss_db: /tmp/rhua/qpid/nss ----- So the idea is that they run this script when they create their HTTP SSL certificates so that they have all of the pieces they need to pass into the rhui-installer script.
Sample output from running the script: Working in: /tmp/tmp24055 Please specify a directory into which the created NSS database and associated certificates will be installed. Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid Enter NSS database password: Password file created. Database created. Creating CA certificate: Generating key. This may take a few moments... CA created Creating BROKER certificate: Generating key. This may take a few moments... Broker certificate created. Creating CLIENT certificate: Generating key. This may take a few moments... Client certificate created. Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL Enter Import Password: MAC verified OK Client key & certficate exported Artifacts copied to: /tmp/rhua/qpid.
Same sample output as above, but with commentary before each place they have to input a password. It's your call how much of this you want to document, I just figured Working in: /tmp/tmp24055 Please specify a directory into which the created NSS database and associated certificates will be installed. Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid ---- Note: Password used by QPID to access the NSS database itself. Enter NSS database password: Password file created. Database created. Creating CA certificate: Generating key. This may take a few moments... CA created Creating BROKER certificate: Generating key. This may take a few moments... Broker certificate created. Creating CLIENT certificate: Generating key. This may take a few moments... Client certificate created. ----- Note: Same password as above, specified again here because we're attempting to access the DB we just created in the previous step. Enter Password or Pin for "NSS Certificate DB": ----- Note: Password for the pkcs12 files used to get the private key out of the NSS DB. Enter password for PKCS12 file: ----- Note: Just a confirmation of the above password. Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL ----- Note: Same password as the previous two; now we're accessing the certificate we just created/secured in the previous step so we can get the client certificate and private key from it. Enter Import Password: MAC verified OK Client key & certficate exported Artifacts copied to: /tmp/rhua/qpid.
added to rhui-20 tracker
<procedure id="proc-Installation_Guide-Installation_Requirements-Generating_a_Qpid_SSL_Certificate"> <title>Generating a Qpid SSL Certificate</title> <indexterm> <primary>installation</primary> <secondary>qpid SSL</secondary> </indexterm> <para> &RHUI; uses a qpid message broker for internal comunications. These communication processes are secured by SSL, which is set up using a script called <filename>nss-db-gen</filename>. When the script is run, it will prompt you for some information. </para> <step> <para> Run the <filename>nss-db-gen</filename> script by switching to the root user and issuing the command: </para> <screen> # /usr/bin/nss-db-gen Working in: /tmp/tmp24055 </screen> </step> <step> <para> Specify a directory for the new database and certificates to be stored, or press enter to accept the default value of <filename>/tmp/rhua/qpid</filename>: </para> <screen> Please specify a directory into which the created NSS database and associated certificates will be installed. Enter a directory [/tmp/rhua/qpid]: /tmp/rhua/qpid </screen> </step> <step> <para> Enter a password to be used by qpid to secure the database: </para> <screen> Enter NSS database password: Password file created. </screen> </step> <step> <para> The script will create the database and generate the necessary keys and certificates: </para> <screen> Database created. Creating CA certificate: Generating key. This may take a few moments... CA created Creating BROKER certificate: Generating key. This may take a few moments... Broker certificate created. Creating CLIENT certificate: Generating key. This may take a few moments... Client certificate created. </screen> </step> <step> <para> Enter the NSS database password again. This is so that the database created in the last step can be accessed: </para> <screen> Enter Password or Pin for "NSS Certificate DB": </screen> </step> <step> <para> Enter a password to be used for the pkcs12 file, and re-enter it to confirm: </para> <screen> Enter password for PKCS12 file: Re-enter password: pk12util: PKCS12 EXPORT SUCCESSFUL </screen> </step> <step> <para> Enter the pkcs12 password again. This is so that the certificate created in the last step can be accessed. The script will export the key and certificate, and finish: </para> <screen> Enter Import Password: MAC verified OK Client key & certficate exported Artifacts copied to: /tmp/rhua/qpid. </screen> </step> </procedure> Revision 1-13 LKB
Hi Lana, The latest revision of following stage documentation is 1-12. Could you point me the updated doc with Revision 1-13 to verify this defect. Thanks. HTML: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/index.html PDF: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/pdf/Installation_Guide/Red_Hat_Update_Infrastructure-2.0-Installation_Guide-en-US.pdf
Need to add this section in the "3.1 Example Answer file" under General section. This includes the qpid/ssl configuration options. Chapter 3 RHUI Installer ==>Page 16 ==> Example 3.1 Example Answer file ----- # Full path to the CA certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_ca: /tmp/rhua/qpid/ca.crt # Full path to the client certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_client: /tmp/rhua/qpid/client.crt # Full path to the NSS database used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. Note: This must be # a directory containing a number of files, including the NSS database and password file. qpid_nss_db: /tmp/rhua/qpid/nss ----- I'll add another comment with new updated answer file. Just replace the Example 3.1 with following example.
Simply replace this with existing sample file in installation guide. ------------------------------------------------------------------------------- # # RHUI Installer Sample Answers File # # This sample answers file can be found at /etc/rhui/answers.sample. # # This file is meant to be used as a template for creating an answers file for use with # the RHUI Installer. Once the appropriate values have been entered, the RHUI Installer # will generate RPMs based on these values through the following call: # # $ rhui-installer --answers <path to populated answers file> # # The results of running the above call will be found in the directory specified in the # dest_dir attribute under the [general] section. # == General =========================================================================== # The [general] section contains configuration options that apply to the RHUI installation # as a whole. [general] # This will be used as the version for all RPMs that are created by this answers file. # Individual components may override this value with the "rpm_version" attribute. version: 2.0 # Local directory into which RHUI tools will place any temporary files as well as the # built RPMs. If this directory exists prior to running RHUI tools, the user executing # it must have write permissions. dest_dir: /tmp/rhui # Full path to the CA certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_ca: /tmp/rhua/qpid/ca.crt # Full path to the client certificate used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. qpid_client: /tmp/rhua/qpid/client.crt # Full path to the NSS database used to secure QPID communications. This is generated # using the nss-db-gen script included with the RHUI Installer. Note: This must be # a directory containing a number of files, including the NSS database and password file. qpid_nss_db: /tmp/rhua/qpid/nss # == RHUA =========================================================================== # The [rhua] section contains attributes describing a particular RHUA instance. [rhua] # Name of the RHUA configuration RPM created by RHUI tools. rpm_name: rh-rhua-config # Fully qualified hostname of the RHUA instance. hostname: rhua.example.com # SSL certificate and private key to be installed on the RHUA. The CN of this certificate # must match the hostname listed above. ssl_cert: ssl_key: # CA certificate used to sign the RHUA's SSL certificate. This is needed by the CDS # instances when connecting back to the RHUA to synchronize content to verify the # RHUA certificate during the handshake. ca_cert: # If a proxy server is needed for the RHUA to connect to the internet, this is the hostname # of that server. If this is not specified, no proxy server will be used. # proxy_server_host: proxy.example.com # Port to access on the proxy server. This value has no effect if proxy_server_host is # not specified. # proxy_server_port: 443 # Proxy server username. Omit if the proxy server does not require authentication. # proxy_server_username: admin # Proxy server password. # proxy_server_password: password # == CDS Instances =========================================================================== # There should be one [cds-*] section for each CDS to be used in the RHUI infrastructure. # The name between the [ ] must begin with "cds", however the remainder is arbitrary and must # only be unique with respect to other cds sections. There will be one CDS configuration RPM # generated for each section found. [cds-1] # Name of the RPM that will be created for this CDS configuration. rpm_name: rh-cds1-config # Fully qualified name of this CDS instance. hostname: cds1.example.com # SSL certificate and private key to be used by this CDS instance. The CN of this # certificate must match the hostname listed above. ssl_cert: ssl_key: # [cds-2] # rpm_name: rh-cds2-config # hostname: cds2.example.com # ssl_cert: # ssl_key: ----------------------------------------------------------------------------
Done in revision 1-15. LKB
Verified the updated example answer file as per comment 7 here at: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/chap-Installation_Guide-RHUI_Installer.html Updated Under Chapter 3 ==> RHUI Installer ==> Example 3.1 Example answer file
This book is now available at http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/index.html Please raise a new bug for any further changes. LKB