SUSE Manager Proxy Setup
SUSE Manager Proxy requires additional configuration.
It is possible to arrange Salt proxies in a chain.
In such a case, the upstream proxy is named
Make sure the TCP ports
4506 are open on the proxy.
The proxy must be able to reach the SUSE Manager Server or a parent proxy on these ports.
The proxy will share some SSL information with the SUSE Manager Server. Copy the certificate and its key from the SUSE Manager 4 Server or the parent proxy.
As root, enter the following commands on the proxy using your SUSE Manager 4 Server or parent Proxy 4 (named
mkdir -m 700 /root/ssl-build cd /root/ssl-build scp root@PARENT:/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY . scp root@PARENT:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT . scp root@PARENT:/root/ssl-build/rhn-ca-openssl.cnf .
To keep the security chain intact, the SUSE Manager Proxy functionality requires the SSL certificate to be signed by the same CA as the SUSE Manager Server certificate. Using certificates signed by different CAs for proxies and server is not supported.
configure-proxy.sh script will finalize the setup of your SUSE Manager Proxy.
Now execute the interactive
Pressing Enter without further input will make the script use the default values provided between brackets
Here is some information about the requested settings:
- SUSE Manager Parent
A SUSE Manager parent can be either another proxy or a SUSE Manager Server.
- HTTP Proxy
A HTTP proxy enables your SUSE Manager proxy to access the Web. This is needed if direct access to the Web is prohibited by a firewall.
- Proxy Version to Activate
Normally, the correct value (3.0, 3.1, 3.2, or 4.0) should be offered as a default.
- Traceback Email
An email address where to report problems.
- Use SSL
For safety reasons, press
- Do You Want to Import Existing Certificates?
N. This ensures using the new certificates that were copied previously from the SUSE Manager server.
The next questions are about the characteristics to use for the SSL certificate of the proxy. The organization might be the same organization that was used on the server, unless of course your proxy is not in the same organization as your main server.
- Organization Unit
The default value here is the proxy’s hostname.
Further information attached to the proxy’s certificate.
Further information attached to the proxy’s certificate.
- Country Code
country codefield, enter the country code set during the SUSE Manager installation. For example, if your proxy is in the US and your SUSE Manager is in DE, enter
DEfor the proxy.
The country code must be two upper case letters. For a complete list of country codes, see https://www.iso.org/obp/ui/#search.
- Cname Aliases (Separated by Space)
Use this if your proxy can be accessed through various DNS CNAME aliases. Otherwise it can be left empty.
- CA Password
Enter the password that was used for the certificate of your SUSE Manager Server.
- Do You Want to Use an Existing SSH Key for Proxying SSH-Push Salt Minion?
Use this option if you want to reuse a SSH key that was used for SSH-Push Salt clients on the server.
- Create and Populate Configuration Channel rhn_proxy_config_1000010001?
- SUSE Manager Username
Use same user name and password as on the SUSE Manager server.
If parts are missing, such as CA key and public certificate, the script prints commands that you must execute to integrate the needed files.
When the mandatory files are copied, run
If you receive an HTTP error during script execution, run the script again.
configure-proxy.sh activates services required by SUSE Manager Proxy, such as
To check the status of the proxy system and its clients, click the proxy system’s details page on the Web UI (
Proxy subtabs display various status information.
To enable PXE boot through a proxy, additional software must be installed and configured on both the SUSE Manager Proxy and the SUSE Manager Server.
On the SUSE Manager Proxy install susemanager-tftpsync-recv:
zypper in susemanager-tftpsync-recv
On the SUSE Manager Proxy, run the
configure-tftpsync.shsetup script and enter the requested information:
It asks for hostname and IP address of the SUSE Manager Server and of the proxy itself. Additionally, it asks for the tftpboot directory on the proxy.
On the SUSE Manager Server, install
zypper in susemanager-tftpsync
On the SUSE Manager Server, run
configure-tftpsync.shto configure the upload to the SUSE Manager Proxy:
To start an initial synchronization on the SUSE Manager Server run:
It can also be done after a change within Cobbler that needs to be synchronized immediately. Otherwise Cobbler synchronization will run automatically when needed. For more information about Cobbler, see Cobbler.
SUSE Manager is using Cobbler to provide provisioning. PXE (tftp) is installed and activated by default. To enable systems to find the PXE boot on the SUSE Manager Proxy add the following to the DHCP configuration for the zone containing the systems to be provisioned:
next-server: <IP_Address_of_SUSE_Manager_Proxy> filename: "pxelinux.0"
A SUSE Manager Proxy is dumb in that it does not contain any information about the clients that are connected to it. A SUSE Manager Proxy can therefore be replaced by a new one. Naturally, the replacement proxy must have the same name and IP address as its predecessor.
In order to replace a SUSE Manager Proxy and keeping the clients registered to the proxy leave the old proxy in SUSE Manager. Create a reactivation key for this system and then register the new proxy using the reactivation key. If you do not use the reactivation key, you will need to re-register all the clients against the new proxy.
Before starting the actual migration procedure, save the data from the old proxy, if needed. Consider copying important data to a central place that can also be accessed by the new proxy.
Shut down the proxy.
Install a new SUSE Manager Proxy 4.0, following Proxy Installation.
In the SUSE Manager Web UI select the newly installed SUSE Manager Proxy and delete it from the systems list.
In the Web UI, create a reactivation key for the old proxy system: On the System Details tab of the old proxy click
Reactivation. Then click
Generate New Key, and remember it (write it on a piece of paper or copy it to the clipboard). For more information about reactivation keys, see Reactivation Keys.
Re-run the configure-proxy.sh.
After the installation of the new proxy, perform the following actions (if needed):
Copy the centrally saved data to the new proxy system.
Install any other needed software.
If the proxy is also used for autoinstallation, do not forget to setup TFTP synchronization.
Proxy Installation and Client Connections
During the installation of the proxy, clients will not be able to reach the SUSE Manager Server.
After a SUSE Manager Proxy system has been deleted from the systems list, all clients connected to this proxy will be (incorrectly) listed as