Applies to Subscription Management Tool 11.3

8 Configuring Clients to Use SMT

Any machine running SUSE Linux Enterprise 10 SP4 or 11 SP1 (or later) can be configured to register against SMT and download software updates from there, instead of communicating directly with the Customer Center and the NU servers.

If your network includes an SMT server to provide a local update source, you need to equip the client with the server's URL. As client and server communicate via the HTTPS protocol during registration, you also need to make sure the client trusts the server's certificate. If you set up your SMT server to use the default server certificate, the CA certificate is available on the SMT server at http://FQDN/smt.crt. In this case you do not have to set the certificate manually: the registration process automatically downloads the CA certificate from there, unless configured otherwise. If the certificate was issued by an external certificate authority, you must enter a path to the server's CA certificate.

Note: Registering Against *.novell.com Subdomain

If you try to register against any *.novell.com subdomain, the certificate will not be downloaded during registration for security reasons, and certificate handling will not be done. In such a case, use a different domain name or a plain IP address.

There are several ways to provide the registration information and to configure the client machine to use SMT:

  1. Provide the needed information via kernel parameters at boot time (Section 8.1, “Using Kernel Parameters to Access an SMT Server”).

  2. Configure the clients using an AutoYaST profile (Section 8.2, “Configuring Clients with AutoYaST Profile”).

  3. Use the clientSetup4SMT.sh script (Section 8.3, “Configuring Clients with the clientSetup4SMT.sh Script in SLE 11”). This script can be run on a client to make it register against a specified SMT server.

  4. In SUSE Linux Enterprise 11 you can now set the SMT server URL with the YaST registration module during installation (Section 8.4, “Configuring Clients with YaST”).

These methods are described in the following sections.

8.1 Using Kernel Parameters to Access an SMT Server

Any client can be configured to use SMT by providing the following kernel parameters during machine boot: regurl and regcert. The first parameter is mandatory, the latter is optional.

Warning: Beware of Typing Errors

Make sure the values you enter are correct. If regurl has not been specified correctly, the registration of the update source will fail.

If an invalid value for regcert has been entered, you will be prompted for a local path to the certificate. In case regcert is not specified at all, it will default to http://FQDN/smt.crt with FQDN being the name of the SMT server.

regurl

URL of the SMT server.

The URL needs to be in the following format: https://FQDN/center/regsvc/ with FQDN being the fully qualified hostname of the SMT server. It must be identical to the FQDN of the server certificate used on the SMT server. Example:

regurl=https://smt.example.com/center/regsvc/

regcert

Location of the SMT server's CA certificate. Specify one of the following locations:

URL

Remote location (http, https or ftp) from which the certificate can be downloaded. Example:

regcert=http://smt.example.com/smt.crt

Floppy

Specifies a location on a floppy. The floppy has to be inserted at boot time—you will not be prompted to insert it if it is missing. The value has to start with the string floppy, followed by the path to the certificate. Example:

regcert=floppy/smt/smt-ca.crt

Local Path

Absolute path to the certificate on the local machine. Example:

regcert=/data/inst/smt/smt-ca.cert

Interactive

Use ask to open a pop-up menu during installation where you can specify the path to the certificate. Do not use this option with AutoYaST. Example:

regcert=ask

Deactivate Certificate Installation

Use done if either the certificate will be installed by an add-on product, or if you are using a certificate issued by an official certificate authority. Example:

regcert=done

Warning: Change of SMT Server Certificate

If the SMT server gets a new certificate from a new and untrusted CA, the clients need to retrieve the new CA certificate file. This is done automatically with the registration process but only if a URL was used at installation time to retrieve the certificate, or if the regcert parameter was omitted and thus, the default URL is used. If the certificate was loaded using any other method, such as floppy or local path, the CA certificate will not be updated.
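The accepted forms of regurl and regcert described in this section can be checked before a boot entry is rolled out to many machines. The following shell function is an added example, not part of the SMT documentation; the name check_smt_cmdline, its output wording, and the reading of the floppy form as floppy/ followed by a path are assumptions.

```sh
#!/bin/sh
# Added example, not part of SMT: lint the regurl/regcert values found on a
# kernel command line. Prints one finding per line; exit status 0 = usable.
# check_smt_cmdline is a hypothetical name.
check_smt_cmdline() (
    set -f                      # no globbing while splitting the command line
    regurl='' regcert='' have_cert=no
    for word in $1; do
        case $word in
            regurl=*)  regurl=${word#regurl=} ;;
            regcert=*) regcert=${word#regcert=}; have_cert=yes ;;
        esac
    done

    # regurl is mandatory and must be exactly https://FQDN/center/regsvc/
    host=${regurl#https://}
    host=${host%%/*}
    if [ -z "$regurl" ]; then
        echo "ERROR regurl is missing"; exit 1
    elif [ -z "$host" ] || [ "$regurl" != "https://$host/center/regsvc/" ]; then
        echo "ERROR regurl is not https://FQDN/center/regsvc/: $regurl"; exit 1
    fi
    echo "OK regurl host=$host (must equal the FQDN in the server certificate)"

    # An omitted regcert falls back to the default URL on the SMT server.
    [ "$have_cert" = yes ] || regcert="http://$host/smt.crt"
    case $regcert in
        https://?*)
            echo "OK regcert url=$regcert" ;;
        http://?*|ftp://?*)
            echo "WARN regcert is fetched over an unauthenticated transport: $regcert" ;;
        floppy/?*)
            echo "OK regcert floppy path=${regcert#floppy}" ;;
        /?*)
            echo "OK regcert local path=$regcert" ;;
        ask)
            echo "WARN regcert=ask is interactive, do not use it with AutoYaST" ;;
        'done')
            echo "OK regcert=done, no certificate is installed" ;;
        *)
            echo "ERROR regcert value not recognised: $regcert"; exit 1 ;;
    esac
)

# Constructed sample: the example values used in this section.
check_smt_cmdline "quiet regurl=https://smt.example.com/center/regsvc/ regcert=floppy/smt/smt-ca.crt"
```

A WARN line for the default http:// location means the CA certificate should be compared against a fingerprint obtained from the SMT server by other means before it is relied on.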

8.2 Configuring Clients with AutoYaST Profile

Clients can be configured to register with an SMT server via an AutoYaST profile. For general information about creating AutoYaST profiles and preparing automatic installation, refer to the AutoYaST Guide. This section describes only the SMT-specific configuration.

To configure SMT specific data using AutoYaST, follow these steps:

  1. As root, start YaST and select Miscellaneous › Autoinstallation to start the graphical AutoYaST front-end.

    From a command line, you can start the graphical AutoYaST front-end with the yast2 autoyast command.

  2. Open an existing profile using File › Open, create a profile based on the current system's configuration using Tools › Create Reference Profile, or just work with an empty profile.

  3. In SLE 11, select Software › Novell Customer Center Configuration. An overview of the current configuration is shown.

  4. Click Configure.

  5. Set the URL of the SMT Server and, optionally, the location of the SMT Certificate. The possible values are the same as for the kernel parameters regurl and regcert (see Section 8.1, “Using Kernel Parameters to Access an SMT Server”). The only exception is that the ask value for regcert does not work in AutoYaST, because it requires user interaction. If you use it, the registration process will be skipped.

  6. Perform all other configuration needed for the systems to be deployed.

  7. Select File › Save As and enter a filename for the profile, such as autoinst.xml.

8.3 Configuring Clients with the clientSetup4SMT.sh Script in SLE 11

In SLE 11, the /usr/share/doc/packages/smt/clientSetup4SMT.sh script is provided with SMT. This script allows you to configure a client machine to use an SMT server. It can also be used to reconfigure an existing client to use a different SMT server.

Note: Installation of wget

The script clientSetup4SMT.sh itself uses wget, so wget must be installed on the client.

To configure a client machine to use SMT with the clientSetup4SMT.sh script, follow these steps:

  1. Copy the clientSetup4SMT.sh script from your SMT server to the client machine. The script is available at <SMT_HOSTNAME>/repo/tools/clientSetup4SMT.sh and /srv/www/htdocs/repo/tools/clientSetup4SMT.sh. You can download it with a browser, using wget, or by another means, such as with scp.

  2. As root, execute the script on the client machine. The script can be executed in two ways. In the first case, the script name is followed by the registration URL; for example:

    ./clientSetup4SMT.sh https://smt.example.com/center/regsvc/

    In the second case, the script uses the --host option followed by the hostname of the SMT server, and --regcert followed by the URL of the SSL certificate; for example:

    ./clientSetup4SMT.sh --host smt.example.com \
      --regcert http://smt.example.com/smt.crt

    In this case, without any namespace specified, the client will be configured to use the default production repositories. If --namespace groupname is specified, the client will use that staging group.

  3. The script downloads the server's CA certificate. Accept it by pressing y.

  4. The script performs all necessary modifications on the client. However, the registration itself is not performed by the script.

  5. The script downloads the additional GPG keys used to sign the repositories and asks you to accept them.

  6. Perform a registration by executing suse_register or by running the yast2 inst_suse_register module on the client.

The clientSetup4SMT.sh script works with SUSE Linux Enterprise 10 SP2 and later SPs, and SLE 11 systems.

This script is also provided for download. You can get it by calling:

wget http://smt.example.com/repo/tools/clientSetup4SMT.sh

8.3.1 Problems Downloading GPG Keys from the Server

The apache2-example-pages package includes a robots.txt file. The file is installed into the Apache2 document root directory, and controls how clients can access files from the web server. If this package is installed on the server, clientSetup4SMT.sh fails to download the keys stored under /repo/keys.

You can solve this problem by either editing robots.txt, or uninstalling the apache2-example-pages package.

If you choose to edit the robots.txt file, add the following line before the Disallow: / statement:

Allow: /repo/keys

8.4 Configuring Clients with YaST

8.4.1 Configuring Clients with YaST in SLE 11

To configure a client to perform the registration against an SMT server, use the YaST registration module (yast2 inst_suse_register).

Click Advanced › Local Registration Server and enter the name of the SMT server plus the path to the registration internals (/center/regsvc/), e.g.:

https://smt.example.com/center/regsvc/

After confirmation the certificate is loaded and the user is asked to accept it. Then continue.

Warning: Staging Groups Registration

If a staging group is used, make sure that the settings in /etc/suseRegister.conf are adjusted accordingly. If not already done, modify the register= parameter and append &namespace=namespace. For more information about staging groups, see Section 4.3, “Staging Repositories”.

Alternatively, use the clientSetup4SMT.sh script (see Section 8.3, “Configuring Clients with the clientSetup4SMT.sh Script in SLE 11”).

8.5 Registering SLE11 Clients Against SMT Test Environment

To configure a client to register against the test environment instead of the production environment, modify /etc/suseRegister.conf on the client machine by setting:

register = command=register&namespace=testing

For more information about using SMT with a test environment, see Section 3.4, “Using the Test Environment”.

8.6 Listing Accessible Repositories

To retrieve the accessible repositories for a client, download repo/repoindex.xml from the SMT server with the client's credentials. The credentials are stored in /etc/zypp/credentials.d/NCCCredentials on the client machine. Using wget, the command for testing could be as follows:

wget https://USER:PASS@smt.example.com/repo/repoindex.xml

repoindex.xml returns the complete list of repositories as they come from the vendor. If a repository is marked for staging, repoindex.xml lists the repository in the full namespace (repos/full/$RCE).

To get a list of all repositories available on the SMT server, use the credentials specified in the [LOCAL] section of /etc/smt.conf on the server as mirrorUser and mirrorPassword.

8.7 How to Update Red Hat Enterprise Linux with SMT 11

SMT 11 enables customers that possess the required entitlements to mirror updates for Red Hat Enterprise Linux (RHEL). Refer to http://www.suse.com/products/expandedsupport/ for details on SUSE Linux Enterprise Server Subscription with Expanded Support. This section discusses the actions required to configure the SMT server and clients (RHEL servers) for this solution.

Note: SUSE Linux Enterprise Server 10

Configuring a RHEL client with Subscription Management Tool for SUSE Linux Enterprise (SMT 1.0) running on SUSE Linux Enterprise Server 10 is slightly different. For more information, see How to update Red Hat Enterprise Linux with SMT.

8.7.1 How to Prepare SMT server for mirroring and publishing updates for RHEL

  1. Install SUSE Linux Enterprise Server (SLES) 11 with the SMT 11 add-on product as per the documentation on the respective products.

  2. During SMT setup, use organization credentials that have access to Novell-provided RHEL update catalogs.

  3. Verify that the organization credentials have access to download updates for the Red Hat products with

    smt-repos -m | grep RES

  4. Enable mirroring of the RHEL update catalog(s) for the desired architecture(s):

    smt-repos -e repo-name architecture

  5. Mirror the updates and log verbose output:

    smt-mirror -d -L /var/log/smt/smt-mirror.log

    The updates for RHEL will also be mirrored automatically as part of the default nightly SMT mirroring cron job. When the mirror process of the catalogs for your RHEL products has completed, the updates are available via

    http://smt-server.your-domain.top/repo/$RCE/catalog-name/architecture/

  6. To enable GPG checking of the repositories, the key used to sign the repositories needs to be made available to the RHEL clients. This key is now available in the res-signingkeys package, which is included in the SMT 11 installation source.

    • Install the res-signingkeys package with the command

      zypper in -y res-signingkeys

    • The installation of the package stores the key file as /srv/www/htdocs/repo/keys/res-signingkeys.key.

    • Now the key is available to the clients and can be imported into their RPM database as described later.

8.7.2 How to Configure the YUM client on RHEL 5.2 to receive updates from SMT

  1. Import the repository signing key downloaded above into the local RPM database with

    rpm --import http://smt-server.domain.top/repo/keys/res-signingkeys.key

  2. Create a file in /etc/yum.repos.d/ and name it RES5.repo.

  3. Edit the file and enter the repository data, and point to the catalog on the SMT server as follows:

    [smt]
    name=SMT repository
    baseurl=http://smt-server.domain.top/repo/$RCE/catalog-name/architecture/
    enabled=1
    gpgcheck=1

    Example of base URL:

    http://smt.mycompany.com/repo/$RCE/RES5/i386/

  4. Save the file.

  5. Disable standard Red Hat repositories by setting

    enabled=0

    in the repository entries in other files in /etc/yum.repos.d/ (if any are enabled).

    Both YUM and the update notification applet should work correctly now and notify of available updates when applicable. You may need to restart the applet.

8.7.3 How to Configure the UP2DATE client on RHEL 3.9 and 4.7 to receive updates from SMT

  1. Import the repository signing key downloaded above into the local RPM database with

    rpm --import http://smt-server.domain.top/repo/keys/res-signingkeys.key

  2. Edit the file /etc/sysconfig/rhn/sources and make the following changes:

  3. Comment out any lines starting with up2date.

    Normally, there will be a line that says "up2date default".

  4. Add an entry pointing to the SMT repository (all in one line):

    yum repo-name http://smt-server.domain.top/repo/$RCE/catalog-name/architecture/

    where repo-name should be set to RES3 for 3.9 and RES4 for 4.7.

  5. Save the file.

Both up2date and the update notification applet should work correctly now, pointing to the SMT repository and indicating updates when available. In case of trouble, try to restart the applet.

To ensure correct reporting of the Red Hat Enterprise systems in Novell Customer Center or SUSE Customer Center, they need to be registered against your SMT server. For this, a special suseRegisterRES package is provided through the RES* catalogs; it should be installed, configured and executed as described below.

8.7.4 How to Register RHEL 5.2 against SMT

  1. Install the suseRegisterRES package.

    yum install suseRegisterRES

    Note: Additional Packages

    You may need to install perl-Crypt-SSLeay and perl-XML-Parser packages from the original RHEL media.

  2. Copy the SMT certificate to the system:

    wget http://smt-server.domain.top/smt.crt
    cat smt.crt >> /etc/pki/tls/cert.pem

  3. Edit /etc/suseRegister.conf to point to SMT by changing the URL value to

    url = https://smt-server.domain.top/center/regsvc/

    or (for SUSE Customer Center)

    url = https://smt-server.domain.top/connect/

  4. Register the system:

    suse_register

8.7.5 How to Register RHEL 4.7 and RHEL 3.9 against SMT

  1. Install the suseRegisterRES package:

    up2date --get suseRegisterRES
    up2date --get perl-XML-Writer
    rpm -ivh /var/spool/up2date/suseRegisterRES*.rpm /var/spool/up2date/perl-XML-Writer-0*.rpm

    Note: Additional Packages

    You may need to install perl-Crypt-SSLeay and perl-XML-Parser packages from the original RHEL media.

  2. Copy the SMT certificate to the system:

    wget http://smt-server.domain.top/smt.crt
    cat smt.crt >> /usr/share/ssl/cert.pem

  3. Edit /etc/suseRegister.conf to point to SMT by changing the URL value to

    url = https://smt-server.domain.top/center/regsvc/

    or (for SUSE Customer Center)

    url = https://smt-server.domain.top/connect/

  4. Register the system:

    suse_register
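
Step 2 in Sections 8.7.4 and 8.7.5 fetches smt.crt over plain HTTP and appends it to the system trust bundle. The following added example, which is not part of the SMT documentation, appends the file only when its SHA-256 fingerprint equals a value obtained out of band; the function names, exit codes and the PIN argument are assumptions, and the digest is the one `openssl x509 -noout -fingerprint -sha256` reports for a single-certificate file.

```sh
#!/bin/sh
# Added example, not part of SMT: trust the downloaded CA certificate only if
# its SHA-256 fingerprint equals a value obtained out of band.
# pem_sha256 and trust_smt_ca are hypothetical names.

# Print the SHA-256 of the DER bytes of a PEM file holding exactly one
# certificate (lowercase hex, no colons). Fails on zero or several certificates.
pem_sha256() {
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" = 1 ] || return 1
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        grep -v -- '-----' | base64 -d | sha256sum | cut -d' ' -f1
}

# trust_smt_ca CERT PIN BUNDLE
# Exit status: 0 appended, 1 already in the bundle, 2 rejected.
trust_smt_ca() (
    cert=$1 bundle=$3
    # Accept the pin as "AB:CD:..." or as plain hex, in either case.
    pin=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(pem_sha256 "$cert") || { echo "not a single PEM certificate: $cert" >&2; exit 2; }
    if [ "$got" != "$pin" ]; then
        echo "fingerprint mismatch for $cert: got $got" >&2
        exit 2
    fi
    # Idempotent: skip the append when every line of CERT is already present.
    if [ -f "$bundle" ] && ! grep -vxFf "$bundle" "$cert" | grep -q .; then
        exit 1
    fi
    cat "$cert" >> "$bundle"
)

# Usage on RHEL 5.2, with PIN read from the SMT server over a trusted channel:
#   wget http://smt-server.domain.top/smt.crt
#   trust_smt_ca smt.crt "$PIN" /etc/pki/tls/cert.pem
```

On RHEL 4.7 and 3.9 the bundle argument is /usr/share/ssl/cert.pem, as in Section 8.7.5.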