Configuring orcharhino Proxies with a Load Balancer

Load Balancing Solution Architecture

You can configure orcharhino Server to use a load balancer to distribute client requests and network load across multiple orcharhino Proxies. This results in an overall performance improvement on orcharhino Proxies.

This guide outlines how to prepare orcharhino Server and orcharhino Proxy for load balancing, and provides guidelines on how to configure a load balancer and register clients in a load-balanced setup.

A load-balanced setup consists of the following components:

  • orcharhino Server

  • Two or more orcharhino Proxies

  • A load balancer

  • Multiple clients

Load Balancing Solution Architecture
Figure 1. orcharhino Load Balancing Solution Architecture

In a load-balanced setup, nearly all orcharhino Proxy functionality continues to work as expected when one orcharhino Proxy is down, for planned or unplanned maintenance. Load balancer works with the following services and features:

  • Registration using subscription-manager

  • Content Management with yum repositories

  • Optional: Puppet

In the load-balanced setup, a load balancer distributes load only for the services and features mentioned above. If other services, such as provisioning or virt-who, are running on the individual orcharhino Proxies, you must access them directly through orcharhino Proxies and not through the load balancer.
Managing Puppet Limitations

Puppet Certificate Authority (CA) management does not support certificate signing in a load-balanced setup. Puppet CA stores certificate information, such as the serial number counter and CRL, on the file system. Multiple writer processes that attempt to use the same data can corrupt it.

To manage this Puppet limitation, complete the following steps:

  1. Configure Puppet certificate signing on one orcharhino Proxy, typically the first system where you configure orcharhino Proxy for load balancing.

  2. Configure the clients to send CA requests to port 8141 on a load balancer.

  3. Configure a load balancer to redirect CA requests from port 8141 to port 8140 on the system where you configure orcharhino Proxy to sign Puppet certificates.

Load Balancing Considerations

Distributing load between several orcharhino Proxies prevents any one orcharhino Proxy from becoming a single point of failure. Configuring orcharhino Proxies to use a load balancer can provide resilience against planned and unplanned outages. This improves availability and responsiveness.

Consider the following guidelines when configuring load balancing:

  • If you use Puppet, Puppet certificate signing is assigned to the first orcharhino Proxy that you configure. If the first orcharhino Proxy is down, clients cannot obtain Puppet content.

  • This solution does not use Pacemaker or other similar HA tools to maintain one state across all orcharhino Proxies. To troubleshoot issues, reproduce the issue on each orcharhino Proxy, bypassing the load balancer.

Additional Maintenance Required for Load Balancing

Configuring orcharhino Proxies to use a load balancer results in a more complex environment and requires additional maintenance.

The following additional steps are required for load balancing:

  • You must ensure that all orcharhino Proxies have the same Content Views and synchronize all orcharhino Proxies to the same Content View versions

  • You must upgrade each orcharhino Proxy in sequence

  • You must backup each orcharhino Proxy that you configure regularly

Upgrading orcharhino Proxies in a Load Balancing Configuration

There are no additional steps required for orcharhino Proxies in a load balancing configuration.

Prerequisites for Configuring orcharhino Proxies for Load Balancing

You can find a list of requirements for orcharhino Proxy in Installing orcharhino Proxy.

Configuring orcharhino Proxies for Load Balancing

This chapter outlines how to configure orcharhino Proxies for load balancing. Proceed to one of the following sections depending on your orcharhino Server configuration:

Use different file names for the Katello certificates you create for each orcharhino Proxy. For example, name the certificate archive file with orcharhino Proxy FQDN.

Configuring orcharhino Proxy with Default SSL Certificates for Load Balancing without Puppet

The following section describes how to configure orcharhino Proxies that use default SSL certificates for load balancing without Puppet. Complete this procedure on each orcharhino Proxy that you want to configure for load balancing.

Procedure
  1. On orcharhino Server, generate Katello certificates for orcharhino Proxy:

    $ foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy.network2.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com

    Retain a copy of the example orcharhino-installer command that is output by the foreman-proxy-certs-generate command for installing orcharhino Proxy certificate.

  2. Copy the certificate archive file from orcharhino Server to orcharhino Proxy.

    $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:/root/orcharhino-proxy.network2.example.com-certs.tar
  3. Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:

    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script
  4. On orcharhino Proxy, enter the orcharhino-installer command:

    $ orcharhino-installer --no-enable-foreman \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com"

Configuring orcharhino Proxy with Default SSL Certificates for Load Balancing with Puppet

The following section describes how to configure orcharhino Proxies that use default SSL certificates for load balancing with Puppet.

If you use Puppet in your orcharhino configuration, you must complete the following procedures:

Configuring orcharhino Proxy with Default SSL Certificates to Generate and Sign Puppet Certificates

Complete this procedure only for the system where you want to configure orcharhino Proxy to generate and sign Puppet certificates for all other orcharhino Proxies that you configure for load balancing.

Procedure
  1. On orcharhino Server, generate Katello certificates for the system where you configure orcharhino Proxy to generate and sign Puppet certificates:

    $ foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy-ca.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy-ca.example.com

    Retain a copy of the example orcharhino-installer command that is output by the foreman-proxy-certs-generate command for installing orcharhino Proxy certificate.

  2. Copy the certificate archive file from orcharhino Server to orcharhino Proxy:

    $ scp /root/orcharhino-proxy-ca.example.com-certs.tar root@orcharhino-proxy-ca.example.com:orcharhino-proxy-ca.example.com-certs.tar
  3. Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:

    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "true" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "true"
  4. On orcharhino Proxy, enter the orcharhino-installer command:

    $ orcharhino-installer --no-enable-foreman \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy-ca.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --enable-puppet \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "true" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy-ca.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server true \
    --puppet-server-ca "true" \
    --puppet-server-foreman-url "https://orcharhino.example.com"
  5. On orcharhino Proxy, stop the Puppet server:

    $ puppet resource service puppetserver ensure=stopped
  6. Generate Puppet certificates for all other orcharhino Proxies that you configure for load balancing, except the first system where you configure Puppet certificates signing:

    $ puppetserver ca generate \
    --ca-client \
    --certname orcharhino-proxy.network2.example.com \
    --subject-alt-names loadbalancer.example.com

    This command creates the following files on the system where you configure orcharhino Proxy to sign Puppet certificates:

    • /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem

    • /etc/puppetlabs/puppet/ssl/certs/ca.pem

    • /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem

    • /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem

  7. Resume the Puppet server:

    $ puppet resource service puppetserver ensure=running

Configuring Remaining orcharhino Proxies with Default SSL Certificates for Load Balancing

Complete this procedure on each orcharhino Proxy excluding the system where you configure orcharhino Proxy to sign Puppet certificates.

Procedure
  1. On orcharhino Server, generate Katello certificates for orcharhino Proxy:

    $ foreman-proxy-certs-generate \
    --certs-tar "/root/orcharhino-proxy.network2.example.com-certs.tar" \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com

    Retain a copy of the example orcharhino-installer command that is output by the foreman-proxy-certs-generate command for installing orcharhino Proxy certificate.

  2. Copy the certificate archive file from orcharhino Server to orcharhino Proxy:

    $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:/root/orcharhino-proxy.network2.example.com-certs.tar
  3. On orcharhino Proxy, install the puppetserver package:

    $ dnf install puppetserver
  4. On orcharhino Proxy, create directories for puppet certificates:

    $ mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
  5. On orcharhino Proxy, copy the Puppet certificates for this orcharhino Proxy from the system where you configure orcharhino Proxy to sign Puppet certificates:

    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem
    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem
    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem
  6. On orcharhino Proxy, change the /etc/puppetlabs/puppet/ssl/ directory ownership to user puppet and group puppet:

    $ chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
  7. On orcharhino Proxy, set the SELinux context for the /etc/puppetlabs/puppet/ssl/ directory:

    $ restorecon -Rv /etc/puppetlabs/puppet/ssl/
  8. Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:

    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "false" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
  9. On orcharhino Proxy, enter the orcharhino-installer command:

    $ orcharhino-installer --no-enable-foreman \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "false" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false" \
    --puppet-server-foreman-url "https://orcharhino.example.com"

Configuring orcharhino Proxy with Custom SSL Certificates for Load Balancing without Puppet

The following section describes how to configure orcharhino Proxies that use custom SSL certificates for load balancing without Puppet.

Creating Custom SSL Certificates for orcharhino Proxy

This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and orcharhino Proxy as Subject Alternative Names (SAN). Complete this procedure on each orcharhino Proxy that you want to configure for load balancing.

Procedure
  1. On orcharhino Proxy, create a directory to contain all the source certificate files, accessible to only the root user:

    $ mkdir /root/orcharhino-proxy_cert
    $ cd /root/orcharhino-proxy_cert
  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this orcharhino Proxy, skip this step.

    $ openssl genrsa -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem 4096
  3. Create the certificate request configuration file with the following content:

    [ req ]
    default_bits       = 4096
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    prompt = no
    
    [ req_distinguished_name ]
    countryName=2 Letter Country Code
    stateOrProvinceName=State or Province Full Name
    localityName=Locality Name
    0.organizationName=Organization Name
    organizationalUnitName=orcharhino Proxy Organization Unit Name
    commonName=orcharhino-proxy.network2.example.com (1)
    emailAddress=Email Address
    
    [ req_ext ]
    #authorityKeyIdentifier=keyid,issuer
    #basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names] (2)
    DNS.1 = loadbalancer.example.com
    DNS.2 = orcharhino-proxy.network2.example.com
    1 The certificate’s common name must match the FQDN of orcharhino Proxy. Ensure to change this when running the command on each orcharhino Proxy that you configure for load balancing. You can also set a wildcard value *. If you set a wildcard value, you must add the -t foreman-proxy option when you use the katello-certs-check command.
    2 Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of orcharhino Proxy as DNS.2.
  4. Create a Certificate Signing Request (CSR) for the SAN certificate:

    $ openssl req -new \
    -key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (1)
    -config SAN_config.cfg \ (2)
    -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_csr.pem (3)
    1 orcharhino Proxy’s private key, used to sign the certificate
    2 The certificate request configuration file
    3 Certificate Signing Request file
  5. Send the certificate request to the Certificate Authority:

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

  6. Copy the Certificate Authority bundle and orcharhino Proxy certificate file that you receive from the Certificate Authority, and orcharhino Proxy private key to your orcharhino Server.

  7. On orcharhino Server, validate orcharhino Proxy certificate input files:

    $ katello-certs-check \
    -c /root/orcharhino-proxy_cert/orcharhino-proxy_cert.pem \ (1)
    -k /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (2)
    -b /root/orcharhino-proxy_cert/ca_cert_bundle.pem (3)
    1 orcharhino Proxy certificate file, provided by your Certificate Authority
    2 orcharhino Proxy’s private key that you used to sign the certificate
    3 Certificate Authority bundle, provided by your Certificate Authority

    If you set the commonName= to a wildcard value *, you must add the -t foreman-proxy option to the katello-certs-check command.

    Retain a copy of the example foreman-proxy-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this orcharhino Proxy.

Configuring orcharhino Proxy with Custom SSL Certificates for Load Balancing without Puppet

The following section describes how to configure orcharhino Proxies that use custom SSL certificates for load balancing without Puppet. Complete this procedure on each orcharhino Proxy that you want to configure for load balancing.

Procedure
  1. Append the following option to the foreman-proxy-certs-generate command that you obtain from the output of the katello-certs-check command:

    --foreman-proxy-cname loadbalancer.example.com
  2. On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:

    $ foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy_cert/orcharhino-proxy.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy.pem

    Retain a copy of the example orcharhino-installer command from the output for installing orcharhino Proxy certificates.

  3. Copy the certificate archive file from orcharhino Server to orcharhino Proxy:

    $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:orcharhino-proxy.network2.example.com-certs.tar
  4. Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:

    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script
  5. On orcharhino Proxy, enter the orcharhino-installer command:

    $ orcharhino-installer --no-enable-foreman \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com"

Configuring orcharhino Proxy with Custom SSL Certificates for Load Balancing with Puppet

If you use Puppet in your orcharhino configuration, then you must complete the following procedures:

Creating Custom SSL Certificates for orcharhino Proxy

This procedure outlines how to create a configuration file for the Certificate Signing Request and include the load balancer and orcharhino Proxy as Subject Alternative Names (SAN). Complete this procedure on each orcharhino Proxy that you want to configure for load balancing.

Procedure
  1. On orcharhino Proxy, create a directory to contain all the source certificate files, accessible to only the root user:

    $ mkdir /root/orcharhino-proxy_cert
    $ cd /root/orcharhino-proxy_cert
  2. Create a private key with which to sign the Certificate Signing Request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this orcharhino Proxy, skip this step.

    $ openssl genrsa -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem 4096
  3. Create the certificate request configuration file with the following content:

    [ req ]
    default_bits       = 4096
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    prompt = no
    
    [ req_distinguished_name ]
    countryName=2 Letter Country Code
    stateOrProvinceName=State or Province Full Name
    localityName=Locality Name
    0.organizationName=Organization Name
    organizationalUnitName=orcharhino Proxy Organization Unit Name
    commonName=orcharhino-proxy.network2.example.com (1)
    emailAddress=Email Address
    
    [ req_ext ]
    #authorityKeyIdentifier=keyid,issuer
    #basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names] (2)
    DNS.1 = loadbalancer.example.com
    DNS.2 = orcharhino-proxy.network2.example.com
    1 The certificate’s common name must match the FQDN of orcharhino Proxy. Ensure to change this when running the command on each orcharhino Proxy that you configure for load balancing. You can also set a wildcard value *. If you set a wildcard value, you must add the -t foreman-proxy option when you use the katello-certs-check command.
    2 Under [alt_names], include the FQDN of the load balancer as DNS.1 and the FQDN of orcharhino Proxy as DNS.2.
  4. Create a Certificate Signing Request (CSR) for the SAN certificate:

    $ openssl req -new \
    -key /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (1)
    -config SAN_config.cfg \ (2)
    -out /root/orcharhino-proxy_cert/orcharhino-proxy_cert_csr.pem (3)
    1 orcharhino Proxy’s private key, used to sign the certificate
    2 The certificate request configuration file
    3 Certificate Signing Request file
  5. Send the certificate request to the Certificate Authority:

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the Certificate Authority for the preferred method. In response to the request, you can expect to receive a Certificate Authority bundle and a signed certificate, in separate files.

  6. Copy the Certificate Authority bundle and orcharhino Proxy certificate file that you receive from the Certificate Authority, and orcharhino Proxy private key to your orcharhino Server.

  7. On orcharhino Server, validate orcharhino Proxy certificate input files:

    $ katello-certs-check \
    -c /root/orcharhino-proxy_cert/orcharhino-proxy_cert.pem \ (1)
    -k /root/orcharhino-proxy_cert/orcharhino-proxy_cert_key.pem \ (2)
    -b /root/orcharhino-proxy_cert/ca_cert_bundle.pem (3)
    1 orcharhino Proxy certificate file, provided by your Certificate Authority
    2 orcharhino Proxy’s private key that you used to sign the certificate
    3 Certificate Authority bundle, provided by your Certificate Authority

    If you set the commonName= to a wildcard value *, you must add the -t foreman-proxy option to the katello-certs-check command.

    Retain a copy of the example foreman-proxy-certs-generate command that is output by the katello-certs-check command for creating the Certificate Archive File for this orcharhino Proxy.

Configuring orcharhino Proxy with Custom SSL Certificates to Generate and Sign Puppet Certificates

Complete this procedure only for the system where you want to configure orcharhino Proxy to generate Puppet certificates for all other orcharhino Proxies that you configure for load balancing.

Procedure
  1. Append the following option to the foreman-proxy-certs-generate command that you obtain from the output of the katello-certs-check command:

    --foreman-proxy-cname loadbalancer.example.com
  2. On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:

    $ foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy_cert/orcharhino-proxy-ca.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy-ca.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy-ca.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy-ca.pem

    Retain a copy of the example orcharhino-installer command from the output for installing orcharhino Proxy certificates.

  3. Copy the certificate archive file from orcharhino Server to orcharhino Proxy.

  4. Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:

    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "true" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "true"
  5. On orcharhino Proxy, enter the orcharhino-installer command:

    $ orcharhino-installer --no-enable-foreman \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "certs.tgz" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --enable-puppet \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "true" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy-ca.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server true \
    --puppet-server-ca "true" \
    --puppet-server-foreman-url "https://orcharhino.example.com"
  6. On orcharhino Proxy, generate Puppet certificates for all other orcharhino Proxies that you configure for load balancing, except this first system where you configure Puppet certificates signing:

    $ puppet cert generate orcharhino-proxy.network2.example.com \
    --dns_alt_names=loadbalancer.example.com

    This command creates the following files on the Puppet certificate signing orcharhino Proxy instance:

    • /etc/puppetlabs/puppet/ssl/certs/ca.pem

    • /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem

    • /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem

    • /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem

Configuring Remaining orcharhino Proxies with Custom SSL Certificates for Load Balancing

Complete this procedure for each orcharhino Proxy excluding the system where you configure orcharhino Proxy to sign Puppet certificates.

Procedure
  1. Append the following option to the foreman-proxy-certs-generate command that you obtain from the output of the katello-certs-check command:

    --foreman-proxy-cname loadbalancer.example.com
  2. On orcharhino Server, enter the foreman-proxy-certs-generate command to generate orcharhino Proxy certificates:

    $ foreman-proxy-certs-generate \
    --certs-tar /root/orcharhino-proxy_cert/orcharhino-proxy.tar \
    --foreman-proxy-cname loadbalancer.example.com \
    --foreman-proxy-fqdn orcharhino-proxy.network2.example.com \
    --server-ca-cert /root/orcharhino-proxy_cert/ca_cert_bundle.pem \
    --server-cert /root/orcharhino-proxy_cert/orcharhino-proxy.pem \
    --server-key /root/orcharhino-proxy_cert/orcharhino-proxy.pem

    Retain a copy of the example orcharhino-installer command from the output for installing orcharhino Proxy certificates.

  3. Copy the certificate archive file from orcharhino Server to orcharhino Proxy.

    $ scp /root/orcharhino-proxy.network2.example.com-certs.tar root@orcharhino-proxy.network2.example.com:orcharhino-proxy.network2.example.com-certs.tar
  4. On orcharhino Proxy, install the puppetserver package:

    $ dnf install puppetserver
  5. On orcharhino Proxy, create directories for puppet certificates:

    $ mkdir -p /etc/puppetlabs/puppet/ssl/certs/ \
    /etc/puppetlabs/puppet/ssl/private_keys/ \
    /etc/puppetlabs/puppet/ssl/public_keys/
  6. On orcharhino Proxy, copy the Puppet certificates for this orcharhino Proxy from the system where you configure orcharhino Proxy to sign Puppet certificates:

    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/certs/orcharhino-proxy.network2.example.com.pem
    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/ca.pem
    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/private_keys/orcharhino-proxy.network2.example.com.pem
    $ scp root@orcharhino-proxy-ca.example.com:/etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem /etc/puppetlabs/puppet/ssl/public_keys/orcharhino-proxy.network2.example.com.pem
  7. On orcharhino Proxy, change the /etc/puppetlabs/puppet/ssl/ directory ownership to user puppet and group puppet:

    $ chown -R puppet:puppet /etc/puppetlabs/puppet/ssl/
  8. On orcharhino Proxy, set the SELinux context for the /etc/puppetlabs/puppet/ssl/ directory:

    $ restorecon -Rv /etc/puppetlabs/puppet/ssl/
  9. Append the following options to the orcharhino-installer command that you obtain from the output of the foreman-proxy-certs-generate command:

    --certs-cname "loadbalancer.example.com" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-puppetca "false" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false"
  10. On orcharhino Proxy, enter the orcharhino-installer command:

    $ orcharhino-installer --no-enable-foreman \
    --certs-cname "loadbalancer.example.com" \
    --certs-tar-file "orcharhino-proxy.network2.example.com-certs.tar" \
    --enable-foreman-proxy-plugin-remote-execution-script \
    --foreman-proxy-foreman-base-url "https://orcharhino.example.com" \
    --foreman-proxy-oauth-consumer-key "oauth key" \
    --foreman-proxy-oauth-consumer-secret "oauth secret" \
    --foreman-proxy-puppetca "false" \
    --foreman-proxy-register-in-foreman "true" \
    --foreman-proxy-trusted-hosts "orcharhino.example.com" \
    --foreman-proxy-trusted-hosts "orcharhino-proxy.network2.example.com" \
    --puppet-ca-server "orcharhino-proxy-ca.example.com" \
    --puppet-dns-alt-names "loadbalancer.example.com" \
    --puppet-server-ca "false" \
    --puppet-server-foreman-url "https://orcharhino.example.com"

Setting the Load Balancer for Host Registration

You can configure orcharhino to register clients through a load balancer when using the host registration feature.

You will be able to register hosts to the load balancer instead of orcharhino Proxy. The load balancer will decide through which orcharhino Proxy to register the host at the time of request. Upon registration, the subscription manager on the host will be configured to manage content through the load balancer.

Prerequisites
  • You configured SSL certificates on all orcharhino Proxies. For more information, see Configuring orcharhino Proxies for Load Balancing.

  • You enabled Registration and Templates plug-ins on all orcharhino Proxies:

    $ orcharhino-installer --no-enable-foreman \
    --foreman-proxy-registration true \
    --foreman-proxy-templates true
Procedure
  1. On all orcharhino Proxies, set the registration and template URLs using orcharhino-installer:

    $ orcharhino-installer --no-enable-foreman \
    --foreman-proxy-registration-url "https://loadbalancer.example.com:443" \
    --foreman-proxy-template-url "https://loadbalancer.example.com:8000"
  2. In the orcharhino management UI, navigate to Infrastructure > orcharhino Proxies.

  3. For each orcharhino Proxy, click the dropdown menu in the Actions column and select Refresh.

Installing the Load Balancer

The following example provides general guidance for configuring an HAProxy load balancer using Enterprise Linux 8 server. However, you can install any suitable load balancing software solution that supports TCP forwarding.

Procedure
  1. Install HAProxy:

    $ dnf install haproxy
  2. Install the following package that includes the semanage tool:

    $ dnf install policycoreutils-python-utils
  3. Configure SELinux to allow HAProxy to bind any port:

    $ semanage boolean --modify --on haproxy_connect_any
  4. Configure the load balancer to balance the network load for the ports as described in Ports Configuration for the Load Balancer. For example, to configure ports for HAProxy, edit the /etc/haproxy/haproxy.cfg file to correspond with the table.

    Table 1. Ports Configuration for the Load Balancer
    Service Port Mode Balance Mode Destination

    HTTP

    80

    TCP

    roundrobin

    port 80 on all orcharhino Proxies

    HTTPS and RHSM

    443

    TCP

    source

    port 443 on all orcharhino Proxies

    AMQP

    5647

    TCP

    roundrobin

    port 5647 on all orcharhino Proxies

    Puppet (Optional)

    8140

    TCP

    roundrobin

    port 8140 on all orcharhino Proxies

    PuppetCA (Optional)

    8141

    TCP

    roundrobin

    port 8140 only on the system where you configure orcharhino Proxy to sign Puppet certificates

    SmartProxy (Optional for OpenScap)

    9090

    TCP

    roundrobin

    port 9090 on all orcharhino Proxies

  5. Configure the load balancer to disable SSL offloading and allow client-side SSL certificates to pass through to back end servers. This is required because communication from clients to orcharhino Proxies depends on client-side SSL certificates.

  6. Start and enable the HAProxy service:

    $ systemctl enable --now haproxy

Promoting SCAP Content to Clients

The following section describes how to promote Security Content Automation Protocol (SCAP) content to clients registered to orcharhino Proxies that you configure for load balancing.

Prerequisite
  • Ensure that you configure the SCAP content. For more information, see Configuring SCAP Content in Administering orcharhino.

Procedure
  1. In the orcharhino management UI, navigate to Configure > Classes and click foreman_scap_client.

  2. Click the Smart Class Parameter tab.

  3. In the pane to the left of the Smart Class Parameter window, click port.

  4. In the Default Behavior area, select the Override checkbox.

  5. From the Key Type list, select integer.

  6. In the Default Value field, enter 443.

  7. In the pane to the left of the Smart Class Parameter window, click server.

  8. In the Default Behavior area, select the Override checkbox.

  9. From the Key Type list, select string.

  10. In the Default Value field, enter the FQDN of your load balancer. For example, loadbalancer.example.com.

  11. In the lower left of the Smart Class Parameter window, click Submit.

  12. Add the puppet module that contains the foreman_scap_client puppet class to a Content View. Publish and promote this Content View to your client’s environment.

  13. If you want to verify the configuration, run the Puppet agent on the client to promote the changes. Do not run the Puppet agent on every client manually because the Puppet agent runs on the clients every 30 minutes.

    $ puppet agent -t --noop
  14. On the client, verify that the /etc/foreman_scap_client/config.yaml file contains the following lines:

    $ Foreman proxy to which reports should be uploaded
    :server: 'loadbalancer.example.com'
    :port: 443
Additional Resources

Registering Clients to the Load Balancer

To balance the load of network traffic from clients, you must register the clients to the load balancer.

To register clients, proceed with one of the following procedures:

Registering Clients Using Host Registration

You can register hosts with orcharhino using the host registration feature, the orcharhino API, or Hammer CLI.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > Register Host.

  2. Click Generate to create the registration command.

  3. Click on the files icon to copy the command to your clipboard.

  4. Log in to the host you want register and run the previously generated command.

  5. Update subscription manager configuration for rhsm.baseurl and server.hostname:

    $ subscription-manager config \
    --rhsm.baseurl=https://loadbalancer.example.com/pulp/content \
    --server.hostname=loadbalancer.example.com
  6. Ensure that the appropriate repositories have been enabled:

    • On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

    • On Debian/Ubuntu: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.

CLI procedure
  1. Generate the host registration command using the Hammer CLI:

    $ hammer host-registration generate-command \
    --activation-keys "My_Activation_Key"

    If your hosts do not trust the SSL certificate of orcharhino Server, you can disable SSL validation by adding the --insecure flag to the registration command.

    $ hammer host-registration generate-command \
    --activation-keys "My_Activation_Key" \
    --insecure true
  2. Log in to the host you want register and run the previously generated command.

  3. Update subscription manager configuration for rhsm.baseurl and server.hostname:

    $ subscription-manager config \
    --rhsm.baseurl=https://loadbalancer.example.com/pulp/content \
    --server.hostname=loadbalancer.example.com
  4. Ensure that the appropriate repositories have been enabled:

    • On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

    • On Debian/Ubuntu: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.

API procedure
  1. Generate the host registration command using the orcharhino API:

    $ curl -X POST https://orcharhino.example.com/api/registration_commands \
    --user "My_User_Name" \
    -H 'Content-Type: application/json' \
    -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'

    If your hosts do not trust the SSL certificate of orcharhino Server, you can disable SSL validation by adding the --insecure flag to the registration command.

    $ curl -X POST https://orcharhino.example.com/api/registration_commands \
    --user "My_User_Name" \
    -H 'Content-Type: application/json' \
    -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'

    Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing Content.

    To enter a password as command line argument, use username:password syntax. Keep in mind this can save the password in the shell history.

    For more information about registration see Registering a Host to orcharhino in Managing Hosts.

  2. Log in to the host you want register and run the previously generated command.

  3. Update subscription manager configuration for rhsm.baseurl and server.hostname:

    $ subscription-manager config \
    --rhsm.baseurl=https://loadbalancer.example.com/pulp/content \
    --server.hostname=loadbalancer.example.com
  4. Ensure that the appropriate repositories have been enabled:

    • On Enterprise Linux: Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.

    • On Debian/Ubuntu: Check the /etc/apt/sources.list file and ensure that the appropriate repositories have been enabled.

(Deprecated) Registering Clients Using the Bootstrap Script

To register clients, enter the following command on the client. You must complete the registration procedure for each client.

Prerequisite
Procedure
  • On Enterprise Linux 8, enter the following command:

    $ /usr/libexec/platform-python bootstrap.py \
    --activationkey="My_Activation_Key" \
    --enablerepos=orcharhino Client \ (1)
    --force \ (2)
    --hostgroup="My_Hostgroup" \
    --location="My_Location" \
    --login=admin \
    --organization="My_Organization" \
    --puppet-ca-port 8141 \ (3)
    --server loadbalancer.example.com
    1 Replace <arch> with the client architecture, for example x86.
    2 Include the --force option to register the client that has been previously registered to a standalone orcharhino Proxy.
    3 Include the --puppet-ca-port 8141 option if you use Puppet.
  • On Enterprise Linux 7 or 6, enter the following command:

    $ python bootstrap.py --login=admin \
    --activationkey="My_Activation_Key" \
    --enablerepos=orcharhino Client \
    --force \ (1)
    --hostgroup="My_Hostgroup" \
    --location="My_Location" \
    --organization="My_Organization" \
    --puppet-ca-port 8141 \ (2)
    --server loadbalancer.example.com
    1 Include the --force option to register the client that has been previously registered to a standalone orcharhino Proxy.
    2 Include the --puppet-ca-port 8141 option if you use Puppet.

The script prompts for the password corresponding to the orcharhino user name you entered with the --login option.

(Deprecated) Registering Clients Manually Using katello-ca-consumer RPM

To register clients manually, complete the following procedure on each client that you want to register.

Procedure
  1. Remove the katello-ca-consumer package if it is installed:

    $ dnf remove 'katello-ca-consumer*'
  2. Install the katello-ca-consumer package from the load balancer:

    $ dnf install http://loadbalancer.example.com/pub/katello-ca-consumer-latest.noarch.rpm
  3. Register the client and include the --serverurl and --baseurl options:

    $ subscription-manager register \
    --activationkey="My_Activation_Key" \
    --baseurl=https://loadbalancer.example.com/pulp/content/ \
    --org="My_Organization" \
    --serverurl=https://loadbalancer.example.com/rhsm

Verifying the Load Balancing Configuration

Use this procedure to verify the load balancing configuration for each orcharhino Proxy.

Procedure
  1. Shut down the base operating system for your orcharhino Proxy.

  2. Verify that content or subscription management features are available on clients registered to this orcharhino Proxy. For example, enter the subscription-manager refresh command on a client.

  3. Restart the base operating system for your orcharhino Proxy.

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution–Share Alike 3.0 Unported ("CC-BY-SA") license. This page also contains text from the official Foreman documentation which uses the same license ("CC-BY-SA").