Administering orcharhino Guide

Accessing orcharhino

After orcharhino has been installed and configured, use the web user interface to log in to orcharhino for further configuration.

Installing the Katello Root CA Certificate

The first time you log on to orcharhino, you might see a warning informing you that you are using the default self-signed certificate and you might not be able to connect this browser to orcharhino until the root CA certificate is installed in the browser. Use the following procedure to locate the root CA certificate on orcharhino and to install it in your browser.

Prerequisites

Your orcharhino is installed and configured.

Procedure
  1. Identify the fully qualified domain name of your orcharhino server:

    # hostname -f
  2. Access the pub directory on your orcharhino server using a web browser pointed to the fully qualified domain name:

    https://orcharhino.example.com/pub
  3. When you access orcharhino for the first time, an untrusted connection warning displays in your web browser. Accept the self-signed certificate and add the orcharhino URL as a security exception to override the settings. This procedure might differ depending on the browser being used. Ensure that the orcharhino URL is valid before you accept the security exception.

  4. Select katello-server-ca.crt.

  5. Import the certificate into your browser as a certificate authority and trust it to identify websites.

Importing the Katello Root CA Certificate Manually

If you cannot add a security exception in your browser, import the Katello root CA certificate manually.

  1. From the orcharhino CLI, copy the katello-server-ca.crt file to the machine you use to access the web UI:

    # scp /var/www/html/pub/katello-server-ca.crt \
    username@hostname:remotefile
  2. In the browser, import the katello-server-ca.crt certificate as a certificate authority and trust it to identify websites.

Logging on to orcharhino

Use the web user interface to log on to orcharhino for further configuration.

Prerequisites

Ensure that the Katello root CA certificate is installed in your browser. For more information, see Installing the Katello Root CA Certificate.

Procedure
  1. Access orcharhino server using a web browser pointed to the fully qualified domain name:

    https://orcharhino.example.com/
  2. Enter the user name and password created during the configuration process. If a user was not created during the configuration process, the default user name is admin. If you have problems logging on, you can reset the password. For more information, see Resetting the Administrative User Password.

Navigation Tabs in the orcharhino Web UI

Use the navigation tabs to browse the orcharhino web UI.

Table 1. Navigation Tabs
Navigation Tabs Description

Any Context

Clicking this tab changes the organization and location. If no organization or location is selected, the default organization is Any Organization and the default location is Any Location. Use this tab to change to different values.

Monitor

Provides summary dashboards and reports.

Content

Provides content management tools. This includes Content Views, Activation Keys, and Life Cycle Environments.

Hosts

Provides host inventory and provisioning configuration tools.

Configure

Provides general configuration tools and data including Host Groups and Puppet data.

Infrastructure

Provides tools on configuring how orcharhino interacts with the environment.

Insights

Provides Red Hat Insights management tools.

User Name

Provides user administration where users can edit their personal information.

administering orcharhino guide icon notifications

Provides event notifications to keep administrators informed of important environment changes.

Administer

Provides advanced configuration for settings such as Users and RBAC, as well as general settings.

Changing the Password

These steps show how to change your password.

To Change your orcharhino Password:
  1. Click your user name at the top right corner.

  2. Select My Account from the menu.

  3. In the Current Password field, enter the current password.

  4. In the Password field, enter a new password.

  5. In the Verify field, enter the new password again.

  6. Click the Submit button to save your new password.

Resetting the Administrative User Password

Use the following procedures to reset the administrative password to randomly generated characters or to set a new administrative password.

To Reset the Administrative User Password:

To reset the password to randomly generated characters, complete the following procedure:

  1. Log on to the base operating system where orcharhino server is installed.

  2. Enter the following command to reset the password:

    # foreman-rake permissions:reset
    Reset to user: admin, password: qwJxBptxb7Gfcjj5
  3. Use this password to reset the password in the orcharhino web UI.

  4. Edit the ~/.hammer/cli.modules.d/foreman.yml file on orcharhino server to add the new password:

    #  vi ~/.hammer/cli.modules.d/foreman.yml

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

To Set a New Administrative User Password:

To change the administrative user password to a new password, complete the following steps:

  1. Log on to the base operating system where orcharhino server is installed.

  2. To set the password, enter the following command:

    # foreman-rake permissions:reset password=new_password
  3. Edit the ~/.hammer/cli.modules.d/foreman.yml file on orcharhino server to add the new password:

    #  vi ~/.hammer/cli.modules.d/foreman.yml

Unless you update the ~/.hammer/cli.modules.d/foreman.yml file, you cannot use the new password with Hammer CLI.

Setting a Custom Message on the Login Page

To Set a Custom Message on the Login Page:
  1. Navigate to Administer > Settings, and click the General tab.

  2. Click the edit button next to Login page footer text, and enter the desired text to be displayed on the login page. For example, this text may be a warning message required by your company.

  3. Click Save.

  4. Log out of the orcharhino’s web UI and verify that the custom text is now displayed on the login page below the orcharhino version number.

Starting and Stopping orcharhino

orcharhino provides the foreman-maintain service command to manage orcharhino services from the command line. This is useful when creating a backup of orcharhino. For more information on creating backups, see Backing Up orcharhino server and orcharhino Proxy.

After installing orcharhino with the foreman-installer command, all orcharhino services are started and enabled automatically. View the list of these services by executing:

# foreman-maintain service list

To see the status of running services, execute:

# foreman-maintain service status

To stop the foreman-maintain services, execute:

# foreman-maintain service stop

To start the foreman-maintain services, execute:

# foreman-maintain service start

To restart the foreman-maintain services, execute:

# foreman-maintain service restart

Migrating from Internal orcharhino Databases to External Databases

When you install orcharhino, the foreman-installer command installs PostgreSQL databases on the same server as orcharhino. If you are using the default internal databases but want to start using external databases to help with the server load, you can migrate your internal databases to external databases.

To confirm whether your orcharhino server has internal or external databases, you can query the status of your databases:

For PostgreSQL, enter the following command:

# foreman-maintain service status --only postgresql

To migrate from the default internal databases to external databases, you must complete the following procedures:

  1. Preparing a Host for External Databases. Prepare a Red Hat Enterprise Linux 7 server to host the external databases.

  2. Installing PostgreSQL. Prepare PostgreSQL with databases for orcharhino, Pulp and Candlepin with dedicated users owning them.

  3. Migrating to External Databases. Edit the parameters of foreman-installer to point to the new databases, and run foreman-installer.

PostgreSQL as an External Database Considerations

Foreman, Katello, and Candlepin use the PostgreSQL database. If you want to use PostgreSQL as an external database, the following information can help you decide if this option is right for your orcharhino configuration. orcharhino supports PostgreSQL version 12.1.

Advantages of External PostgreSQL:
  • Increase in free memory and free CPU on orcharhino

  • Flexibility to set shared_buffers on the PostgreSQL database to a high number without the risk of interfering with other services on orcharhino

  • Flexibility to tune the PostgreSQL server’s system without adversely affecting orcharhino operations

Disadvantages of External PostgreSQL
  • Increase in deployment complexity that can make troubleshooting more difficult

  • The external PostgreSQL server is an additional system to patch and maintain

  • If either orcharhino or the PostgreSQL database server suffers a hardware or storage failure, orcharhino is not operational

  • If there is latency between the orcharhino server and database server, performance can suffer

Preparing a Host for External Databases

Install a freshly provisioned system with the latest Red Hat Enterprise Linux 7 server to host the external databases.

Subscriptions for Red Hat Software Collections and Red Hat Enterprise Linux do not provide the correct service level agreement for using orcharhino with external databases. You must also attach a orcharhino subscription to the base operating system that you want to use for the external databases.

Prerequisites
Procedure
  1. Use the instructions in Attaching the orcharhino Infrastructure Subscription to attach a orcharhino subscription to your server.

  2. Disable all repositories and enable only the following repositories:

    # subscription-manager repos --disable '*'
    # subscription-manager repos --enable=rhel-server-rhscl-7-rpms \
    --enable=rhel-7-server-rpms --enable=rhel-server-7-satellite-6-beta-rpms

Installing PostgreSQL

You can install only the same version of PostgreSQL that is installed with the foreman-installer tool during an internal database installation. You can install PostgreSQL using Red Hat Enterprise Linux Server 7 repositories or from an external source, as long as the version is supported. orcharhino supports PostgreSQL version 12.1.

Procedure
  1. To install PostgreSQL, enter the following command:

    # yum install rh-postgresql12-postgresql-server \
    rh-postgresql12-syspaths \
    rh-postgresql12-postgresql-evr
  2. To initialize PostgreSQL, enter the following command:

    # postgresql-setup initdb
  3. Edit the /var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf file:

    # vi /var/opt/rh/rh-postgresql12/lib/pgsql/data/postgresql.conf
  4. Remove the # and edit to listen to inbound connections:

    listen_addresses = '*'
  5. Edit the /var/opt/rh/rh-postgresql12/lib/pgsql/data/pg_hba.conf file:

    # vi /var/opt/rh/rh-postgresql12/lib/pgsql/data/pg_hba.conf
  6. Add the following line to the file:

      host  all   all   orcharhino_ip/24   md5
  7. To start, and enable PostgreSQL service, enter the following commands:

    # systemctl start postgresql
    # systemctl enable postgresql
  8. Open the postgresql port on the external PostgreSQL server:

    # firewall-cmd --add-service=postgresql
    # firewall-cmd --runtime-to-permanent
  9. Switch to the postgres user and start the PostgreSQL client:

    $ su - postgres -c psql
  10. Create two databases and dedicated roles, one for orcharhino and one for Candlepin:

    CREATE USER "foreman" WITH PASSWORD 'Foreman_Password';
    CREATE USER "candlepin" WITH PASSWORD 'Candlepin_Password';
    CREATE DATABASE foreman OWNER foreman;
    CREATE DATABASE candlepin OWNER candlepin;
  11. Exit the postgres user:

    # \q
  12. From orcharhino server, test that you can access the database. If the connection succeeds, the commands return 1.

    # PGPASSWORD='Foreman_Password' psql -h postgres.example.com  -p 5432 -U foreman -d foreman -c "SELECT 1 as ping"
    # PGPASSWORD='Candlepin_Password' psql -h postgres.example.com -p 5432 -U candlepin -d candlepin -c "SELECT 1 as ping"

Migrating to External Databases

Back up and transfer existing data, then use the foreman-installer command to configure orcharhino to connect to an external PostgreSQL database server.

Prerequisites
  • You have installed and configured a PostgreSQL server on a Red Hat Enterprise Linux server.

Procedure
  1. On orcharhino server, stop the foreman-maintain services:

    # foreman-maintain service stop
  2. Start the PostgreSQL services:

    # systemctl start postgresql
  3. Back up the internal databases:

    # foreman-maintain backup online --skip-pulp-content --preserve-directory -y /var/migration_backup
  4. Transfer the data to the new external databases:

    PGPASSWORD='Foreman_Password' pg_restore -h postgres.example.com -U foreman -d foreman < /var/migration_backup/foreman.dump
    PGPASSWORD='Candlepin_Password' pg_restore -h postgres.example.com -U candlepin -d candlepin < /var/migration_backup/candlepin.dump
    PGPASSWORD='Pulpcore_Password' pg_restore -h postgres.example.com -U pulpcore -d pulpcore < /var/migration_backup/pulpcore.dump
  5. Use the foreman-installer command to update orcharhino to point to the new databases:

    foreman-installer --scenario katello \
        --foreman-db-host postgres.example.com \
        --foreman-db-password Foreman_Password \
        --foreman-db-database foreman \
        --foreman-db-manage false \
        --katello-candlepin-db-host postgres.example.com \
        --katello-candlepin-db-name candlepin \
        --katello-candlepin-db-password Candlepin_Password \
        --katello-candlepin-manage-db false \
        --foreman-proxy-content-pulpcore-manage-postgresql false \
        --foreman-proxy-content-pulpcore-postgresql-host postgres.example.com \
        --foreman-proxy-content-pulpcore-postgresql-db-name pulpcore \
        --foreman-proxy-content-pulpcore-postgresql-password Pulpcore_Password

Managing orcharhino with Ansible Collections

orcharhino Ansible Collections is a set of Ansible modules that interact with the orcharhino API. You can use orcharhino Ansible Collections to manage and automate many aspects of orcharhino.

Installing the orcharhino Ansible Modules from RPM

Use this procedure to install the orcharhino Ansible modules.

Procedure
  • Install the RPM using the following command:

    # yum install ansible-collection-theforeman-foreman

Viewing the orcharhino Ansible Modules

You can view the installed orcharhino Ansible modules by listing the content of the following directory:

# ls /usr/share/ansible/collections/ansible_collections/theforeman/foreman/plugins/modules/

At the time of writing, the ansible-doc -l command does not list collections yet.

Managing Users and Roles

A User defines a set of details for individuals using the system. Users can be associated with organizations and environments, so that when they create new entities, the default settings are automatically used. Users can also have one or more roles attached, which grants them rights to view and manage organizations and environments. See User Management for more information on working with users.

You can manage permissions of several users at once by organizing them into user groups. User groups themselves can be further grouped to create a hierarchy of permissions. See Creating and Managing User Groups for more information on creating user groups.

Roles define a set of permissions and access levels. Each role contains one on more permission filters that specify the actions allowed for the role. Actions are grouped according to the Resource type. Once a role has been created, users and user groups can be associated with that role. This way, you can assign the same set of permissions to large groups of users. orcharhino provides a set of predefined roles and also enables creating custom roles and permission filters as described in Creating and Managing Roles.

User Management

As an administrator, you can create, modify and remove orcharhino users. You can also configure access permissions for a user or a group of users by assigning them different roles.

Creating a User

Use this procedure to create a user. To use the CLI instead of the web UI, see the CLI procedure.

Procedure

To create a user, complete the following steps:

  1. Navigate to Administer > Users.

  2. Click Create User.

  3. In the Login field, enter a username for the user.

  4. In the Firstname and Lastname fields, enter the real first name and last name of the user.

  5. In the Mail field, enter the user’s email address.

  6. In the Description field, add a description of the new user.

  7. Select a specific language for the user from the Language list.

  8. Select a timezone for the user from the Timezone list.

    By default, orcharhino server uses the language and timezone settings of the user’s browser.

  9. Set a password for the user:

    1. From the Authorized by list, select the source by which the user is authenticated.

    2. Enter an initial password for the user in the Password field and the Verify field.

  10. Click Submit to create the user.

CLI procedure
  • To create a user, enter the following command:

    # hammer user create \
    --login user_name \
    --password user_password \
    --mail user_mail \
    --auth-source-id 1 \
    --organization-ids org_ID1,org_ID2...

    The --auth-source-id 1 setting means that the user is authenticated internally, you can specify an external authentication source as an alternative. Add the --admin option to grant administrator privileges to the user. Specifying organization IDs is not required, you can modify the user details later using the update subcommand.

For more information about user related subcommands, enter hammer user --help.

Assigning Roles to a User

Use this procedure to assign roles to a user. To use the CLI instead of the web UI, see the CLI procedure.

Procedure
  1. Navigate to Administer > Users.

  2. Click the username of the user to be assigned one or more roles.

    If a user account is not listed, check that you are currently viewing the correct organization. To list all the users in orcharhino, click Default Organization and then Any Organization.

  3. Click the Locations tab, and select a location if none is assigned.

  4. Click the Organizations tab, and check that an organization is assigned.

  5. Click the Roles tab to display the list of available roles.

  6. Select the roles to assign from the Roles list.

    To grant all the available permissions, select the Admin check box.

  7. Click Submit.

To view the roles assigned to a user, click the Roles tab; the assigned roles are listed under Selected items. To remove an assigned role, click the role name in Selected items.

CLI procedure

To assign roles to a user, enter the following command:

# hammer user add-role --id user_id --role role_name

Impersonating a Different User Account

Administrators can impersonate other authenticated users for testing and troubleshooting purposes by temporarily logging on to the orcharhino web UI as a different user. When impersonating another user, the administrator has permissions to access exactly what the impersonated user can access in the system, including the same menus.

Audits are created to record the actions that the administrator performs while impersonating another user. However, all actions that an administrator performs while impersonating another user are recorded as having been performed by the impersonated user.

Prerequisites
  • Ensure that you are logged on to the orcharhino web UI as a user with administrator privileges for orcharhino.

Procedure

To impersonate a different user account, complete the following steps:

  1. In the orcharhino web UI, navigate to Administer > Users.

  2. To the right of the user that you want to impersonate, from the list in the Actions column, select Impersonate.

When you want to stop the impersonation session, in the upper right of the main menu, click the impersonation icon.

SSH Key Management

Adding SSH keys to a user allows deployment of SSH keys during provisioning.

For information on deploying SSH keys during provisioning, see Deploying SSH Keys during Provisioning in the Provisioning Guide.

Managing SSH Keys for a User

Use this procedure to add or remove SSH keys for a user. To use the CLI instead of the web UI, see the CLI procedure.

Prerequisites

Make sure that you are logged in to the web UI as an Admin user of orcharhino or a user with the create_ssh_key permission enabled for adding SSH key and destroy_ssh_key permission for removing a key.

Procedure
  1. Navigate to Administer > Users.

  2. From the Username column, click on the username of the required user.

  3. Click on the SSH Keys tab.

    • To Add SSH key

      1. Prepare the content of the public SSH key in a clipboard.

      2. Click Add SSH Key.

      3. In the Key field, paste the public SSH key content from the clipboard.

      4. In the Name field, enter a name for the SSH key.

      5. Click Submit.

    • To Remove SSH key

      1. Click Delete on the row of the SSH key to be deleted.

      2. Click OK in the confirmation prompt.

CLI procedure

To add an SSH key to a user, you must specify either the path to the public SSH key file, or the content of the public SSH key copied to the clipboard.

  • If you have the public SSH key file, enter the following command:

    # hammer user ssh-keys add \
    --user-id user_id \
    --name key_name \
    --key-file ~/.ssh/id_rsa.pub
  • If you have the content of the public SSH key, enter the following command:

    # hammer user ssh-keys add \
    --user-id user_id \
    --name key_name \
    --key ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNtYAAABBBHHS2KmNyIYa27Qaa7EHp+2l99ucGStx4P77e03ZvE3yVRJEFikpoP3MJtYYfIe8k 1/46MTIZo9CPTX4CYUHeN8= host@user

To delete an SSH key from a user, enter the following command:

# hammer user ssh-keys delete --id key_id --user-id user_id

To view an SSH key attached to a user, enter the following command:

# hammer user ssh-keys info --id key_id --user-id user_id

To list SSH keys attached to a user, enter the following command:

# hammer user ssh-keys list --user-id user_id

Creating and Managing User Groups

User Groups

With orcharhino, you can assign permissions to groups of users. You can also create user groups as collections of other user groups. If using an external authentication source, you can map orcharhino user groups to external user groups as described in Configuring External User Groups.

User groups are defined in an organizational context, meaning that you must select an organization before you can access user groups.

Creating a User Group

Use this procedure to create a user group.

Procedure
  1. Navigate to Administer > User Groups.

  2. Click Create User group.

  3. On the User Group tab, specify the name of the new user group and select group members:

    • Select the previously created user groups from the User Groups list.

    • Select users from the Users list.

  4. On the Roles tab, select the roles you want to assign to the user group. Alternatively, select the Admin check box to assign all available permissions.

  5. Click Submit.

CLI procedure
  • To create a user group, enter the following command:

    # hammer user-group create \
    --name usergroup_name \
    --user-ids user_ID1,user_ID2... \
    --role-ids role_ID1,role_ID2...

Removing a User Group

Use the orcharhino web UI to remove a user group.

Procedure
  1. Navigate to Administer > User Groups.

  2. Click Delete to the right of the user group you want to delete.

  3. In the alert box that appears, click OK to delete a user group.

Creating and Managing Roles

orcharhino provides a set of predefined roles with permissions sufficient for standard tasks, as listed in Predefined Roles Available in orcharhino. It is also possible to configure custom roles, and assign one or more permission filters to them. Permission filters define the actions allowed for a certain resource type. Certain orcharhino plug-ins create roles automatically.

Creating a Role

Use this procedure to create a role.

Procedure
  1. Navigate to Administer > Roles.

  2. Click Create Role.

  3. Provide a Name for the role.

  4. Click Submit to save your new role.

CLI procedure

To create a role, enter the following command:

# hammer role create --name role_name

To serve its purpose, a role must contain permissions. After creating a role, proceed to Adding Permissions to a Role.

Cloning a Role

Use the orcharhino web UI to clone a role.

Procedure
  1. Navigate to Administer > Roles and select Clone from the drop-down menu to the right of the required role.

  2. Provide a Name for the role.

  3. Click Submit to clone the role.

  4. Click the name of the cloned role and navigate to Filters.

  5. Edit the permissions as required.

  6. Click Submit to save your new role.

Adding Permissions to a Role

Use this procedure to add permissions to a role. To use the CLI instead of the web UI, see the CLI procedure.

Procedure
  1. Navigate to Administer > Roles.

  2. Select Add Filter from the drop-down list to the right of the required role.

  3. Select the Resource type from the drop-down list. The (Miscellaneous) group gathers permissions that are not associated with any resource group.

  4. Click the permissions you want to select from the Permission list.

  5. Depending on the Resource type selected, you can select or deselect the Unlimited and Override check box. The Unlimited check box is selected by default, which means that the permission is applied on all resources of the selected type. When you disable the Unlimited check box, the Search field activates. In this field you can specify further filtering with use of the orcharhino search syntax. See Granular Permission Filtering for details. When you enable the Override check box, you can add additional locations and organizations to allow the role to access the resource type in the additional locations and organizations; you can also remove an already associated location and organization from the resource type to restrict access.

  6. Click Next.

  7. Click Submit to save changes.

CLI procedure
  1. List all available permissions:

    # hammer filter available-permissions
  2. Add permissions to a role:

    # hammer filter create \
    --role role_name \
    --permission-ids perm_ID1,perm_ID2...

For more information about roles and permissions parameters, enter the hammer role --help and hammer filter --help commands.

Viewing Permissions of a Role

Use the orcharhino web UI to view the permissions of a role.

Procedure
  1. Navigate to Administer > Roles.

  2. Click Filters to the right of the required role to get to the Filters page.

The Filters page contains a table of permissions assigned to a role grouped by the resource type. It is also possible to generate a complete table of permissions and actions that you can use on your orcharhino system. See Creating a Complete Permission Table for instructions.

Creating a Complete Permission Table

Use the orcharhino CLI to create a permission table.

Procedure
  1. Ensure that the required packages are installed. Execute the following command on orcharhino server:

    # yum install tfm-rubygem-foreman*
  2. Start the orcharhino console with the following command:

    # foreman-rake console

    Insert the following code into the console:

    f = File.open('/tmp/table.html', 'w')
    
    result = Foreman::AccessControl.permissions {|a,b| a.security_block <=> b.security_block}.collect do |p|
          actions = p.actions.collect { |a| "<li>#{a}</li>" }
          "<tr><td>#{p.name}</td><td><ul>#{actions.join('')}</ul></td><td>#{p.resource_type}</td></tr>"
    end.join("\n")
    
    f.write(result)

    The above syntax creates a table of permissions and saves it to the /tmp/table.html file.

  3. Press Ctrl + D to exit the orcharhino console. Insert the following text at the first line of /tmp/table.html:

    <table border="1"><tr><td>Permission name</td><td>Actions</td><td>Resource type</td></tr>

    Append the following text at the end of /tmp/table.html:

    </table>
  4. Open /tmp/table.html in a web browser to view the table.

Removing a Role

Use the orcharhino web UI to remove a role.

Procedure
  1. Navigate to Administer > Roles.

  2. Select Delete from the drop-down list to the right of the role to be deleted.

  3. In an alert box that appears, click OK to delete the role.

Predefined Roles Available in orcharhino

Role Permissions Provided by Role [1]

Access Insights Admin

Add and edit Insights rules.

Access Insights Viewer

View Insight reports.

Ansible Roles Manager

Play roles on hosts and host groups. View, destroy, and import Ansible roles. View, edit, create, destroy, and import Ansible variables.

Ansible Tower Inventory Reader

View facts, hosts, and host groups.

Bookmarks manager

Create, edit, and delete bookmarks.

Boot disk access

Download the boot disk.

Compliance manager

View, create, edit, and destroy SCAP content files, compliance policies, and tailoring files. View compliance reports.

Compliance viewer

View compliance reports.

Create ARF report

Create compliance reports.

Default role

The set of permissions that every user is granted, irrespective of any other roles.

Discovery Manager

View, provision, edit, and destroy discovered hosts and manage discovery rules.

Discovery Reader

View hosts and discovery rules.

Edit hosts

View, create, edit, destroy, and build hosts.

Edit partition tables

View, create, edit and destroy partition tables.

Manager

A role similar to administrator, but does not have permissions to edit global settings. In the orcharhino web UI, global settings can be found under Administer > Settings.

Organization admin

An administrator role defined per organization. The role has no visibility into resources in other organizations.

Red Hat Access Logs

View the log viewer and the logs.

Remote Execution Manager

A role with full remote execution permissions, including modifying job templates.

Remote Execution User

Run remote execution jobs.

Site manager

A restrained version of the Manager role.

System admin

  • Edit global settings in Administer > Settings

  • View, create, edit and destroy users, user groups, and roles.

  • View, create, edit, destroy, and assign organizations and locations but not view resources within them.

Users with this role can create users and assign all roles to them. Therefore, ensure to give this role only to trusted users.

Tasks manager

View and edit orcharhino tasks.

Tasks reader

A role that can only view orcharhino tasks.

Viewer

A passive role that provides the ability to view the configuration of every element of the orcharhino structure, logs, reports, and statistics.

View hosts

A role that can only view hosts.

Virt-who Manager

A role with full virt-who permissions.

Virt-who Reporter

Upload reports generated by virt-who to orcharhino. It can be used if you configure virt-who manually and require a user role that has limited virt-who permissions.

Virt-who Viewer

View virt-who configurations. Users with this role can deploy virt-who instances using existing virt-who configurations.

Granular Permission Filtering

Granular Permission Filter

As mentioned in Adding Permissions to a Role, orcharhino provides the ability to limit the configured user permissions to selected instances of a resource type. These granular filters are queries to the orcharhino database and are supported by the majority of resource types.

Creating a Granular Permission Filter

Use this procedure to create a granular filter. To use the CLI instead of the web UI, see the CLI procedure.

orcharhino does not apply search conditions to create actions. For example, limiting the create_locations action with name = "Default Location" expression in the search field does not prevent the user from assigning a custom name to the newly created location.

Procedure

Specify a query in the Search field on the Edit Filter page. Deselect the Unlimited check box for the field to be active. Queries have the following form:

field_name operator value
  • field_name marks the field to be queried. The range of available field names depends on the resource type. For example, the Partition Table resource type offers family, layout, and name as query parameters.

  • operator specifies the type of comparison between field_name and value. See Supported Operators for Granular Search for an overview of applicable operators.

  • value is the value used for filtering. This can be for example a name of an organization. Two types of wildcard characters are supported: underscore (_) provides single character replacement, while percent sign (%) replaces zero or more characters.

For most resource types, the Search field provides a drop-down list suggesting the available parameters. This list appears after placing the cursor in the search field. For many resource types, you can combine queries using logical operators such as and, not and has operators.

CLI procedure
  • To create a granular filter, enter the hammer filter create command with the --search option to limit permission filters, for example:

    # hammer filter create \
    --permission-ids 91 \
    --search "name ~ ccv*" \
    --role qa-user

This command adds to the qa-user role a permission to view, create, edit, and destroy Content Views that only applies to Content Views with name starting with ccv.

Examples of Using Granular Permission Filters

As an administrator, you can allow selected users to make changes in a certain part of the environment path. The following filter allows you to work with content while it is in the development stage of the application life cycle, but the content becomes inaccessible once is pushed to production.

Applying Permissions for the Host Resource Type

The following query applies any permissions specified for the Host resource type only to hosts in the group named host-editors.

hostgroup = host-editors

The following query returns records where the name matches XXXX, Yyyy, or zzzz example strings:

name ^ (XXXX, Yyyy, zzzz)

You can also limit permissions to a selected environment. To do so, specify the environment name in the Search field, for example:

Dev

You can limit user permissions to a certain organization or location with the use of the granular permission filter in the Search field. However, some resource types provide a GUI alternative, an Override check box that provides the Locations and Organizations tabs. On these tabs, you can select from the list of available organizations and locations. See Creating an Organization Specific Manager Role.

Creating an Organization Specific Manager Role

Use the orcharhino UI to create an administrative role restricted to a single organization named org-1.

Procedure
  1. Navigate to Administer > Roles.

  2. Clone the existing Organization admin role. Select Clone from the drop-down list next to the Filters button. You are then prompted to insert a name for the cloned role, for example org-1 admin.

  3. Click the desired locations and organizations to associate them with the role.

  4. Click Submit to create the role.

  5. Click org-1 admin, and click Filters to view all associated filters. The default filters work for most use cases. However, you can optionally click Edit to change the properties for each filter. For some filters, you can enable the Override option if you want the role to be able to access resources in additional locations and organizations. For example, by selecting the Domain resource type, the Override option, and then additional locations and organizations using the Locations and Organizations tabs, you allow this role to access domains in the additional locations and organizations that is not associated with this role. You can also click New filter to associate new filters with this role.

Supported Operators for Granular Search

Table 2. Logical Operators

Operator

Description

and

Combines search criteria.

not

Negates an expression.

has

Object must have a specified property.

Table 3. Symbolic Operators

Operator

Description

=

Is equal to. An equality comparison that is case-sensitive for text fields.

!=

Is not equal to. An inversion of the = operator.

~

Like. A case-insensitive occurrence search for text fields.

!~

Not like. An inversion of the ~ operator.

^

In. An equality comparison that is case-sensitive search for text fields. This generates a different SQL query to the Is equal to comparison, and is more efficient for multiple value comparison.

!^

Not in. An inversion of the ^ operator.

>, >=

Greater than, greater than or equal to. Supported for numerical fields only.

<, ⇐

Less than, less than or equal to. Supported for numerical fields only.

Configuring Email Notifications

You can configure orcharhino to send email messages to individual users registered to orcharhino. orcharhino sends the email to the email address that has been added to the account, if present. Users can edit the email address by clicking on their name in the top-right of the orcharhino web UI and selecting My account.

Configure email notifications for a user from the orcharhino web UI.

Procedure
  1. Navigate to Administer > Users.

  2. Click the Username of the user you want to edit.

  3. On the User tab, verify the value of the Mail field. Email notifications will be sent to the address in this field.

  4. On the Email Preferences tab, select Mail Enabled.

  5. Select the notifications you want the user to receive using the drop-down menus next to the notification types.

    The Audit Summary notification can be filtered by entering the required query in the Mail Query text box.

  6. Click Submit.

    The user will start receiving the notification emails.

Testing Email Delivery

To verify the delivery of emails, send a test email to a user. If the email gets delivered, the settings are correct.

Procedure
  1. In the orcharhino web UI, navigate to Administer > Users.

  2. Click on the username.

  3. On the Email Preferences tab, click Test email.

    A test email message is sent immediately to the user’s email address.

If the email is delivered, the verification is complete. Otherwise, you must perform the following diagnostic steps:

  1. Verify the user’s email address.

  2. Verify orcharhino server’s email configuration.

  3. Examine firewall and mail server logs.

Testing Email Notifications

To verify that users are correctly subscribed to notifications, trigger the notifications manually.

Procedure
  • To trigger the notifications, execute the following command:

    # foreman-rake reports:<frequency>

    Replace frequency with one of the following:

  • daily

  • weekly

  • monthly

This triggers all notifications scheduled for the specified frequency for all the subscribed users. If every subscribed user receives the notifications, the verification succeeds.

Sending manually triggered notifications to individual users is currently not supported.

Notification Types

The following are the notifications created by orcharhino:

  • Audit summary: A summary of all activity audited by orcharhino server.

  • Host built: A notification sent when a host is built.

  • Host errata advisory: A summary of applicable and installable errata for hosts managed by the user.

  • OpenSCAP policy summary: A summary of OpenSCAP policy reports and their results.

  • Promote errata: A notification sent only after a Content View promotion. It contains a summary of errata applicable and installable to hosts registered to the promoted Content View. This allows a user to monitor what updates have been applied to which hosts.

  • Puppet error state: A notification sent after a host reports an error related to Puppet.

  • Puppet summary: A summary of Puppet reports.

  • Sync errata: A notification sent only after synchronizing a repository. It contains a summary of new errata introduced by the synchronization.

Changing email notification settings for a host

orcharhino can send event notifications for a host to the host’s registered owner.

You can configure orcharhino to send email notifications either to an individual user or a user group. When set to a user group, all group members who are subscribed to the email type receive a message.

To view the notification status for a host, navigate to Hosts > All Hosts and click the host you want to view. In the host details page, click the Additional Information tab, you can view the email notification status.

Receiving email notifications for a host can be useful, but also overwhelming if you are expecting to receive frequent errors, for example, because of a known issue or error you are working around.

To change the email notification settings for a host, complete the following steps.

Procedure
  1. In the orcharhino web UI, navigate to Hosts > All Hosts, and select the host with the notification setting you want to change.

  2. Select the host’s check box, and from the Select Action list, select Enable Notifications or Disable Notifications, depending on what you want.

Managing Security Compliance

Security compliance management is the ongoing process of defining security policies, auditing for compliance with those policies and resolving instances of non-compliance. Any non-compliance is managed according to the organization’s configuration management policies. Security policies range in scope from host-specific to industry-wide, therefore, flexibility in their definition is required.

Security Content Automation Protocol

orcharhino uses the Security Content Automation Protocol (SCAP) to define security configuration policies. For example, a security policy might specify that for hosts running Red Hat Enterprise Linux, login via SSH is not permitted for the root account. With orcharhino you can schedule compliance auditing and reporting on all hosts under management.

SCAP Content

SCAP content is a datastream format containing the configuration and security baseline against which hosts are checked. Checklists are described in the extensible checklist configuration description format (XCCDF) and vulnerabilities in the open vulnerability and assessment language (OVAL). Checklist items, also known as rules express the desired configuration of a system item. For example, you may specify that no one can log in to a host over SSH using the root user account. Rules can be grouped into one or more profiles, allowing multiple profiles to share a rule. SCAP content consists of both rules and profiles.

You can either create SCAP content or obtain it from a vendor. Supported profiles are provided for Red Hat Enterprise Linux in the scap-security-guide package.

The default SCAP content provided with the OpenSCAP components of orcharhino depends on the version of Red Hat Enterprise Linux. On Red Hat Enterprise Linux 7, content for both Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 is installed.

XCCDF Profile

An XCCDF profile is a checklist against which a host or host group is evaluated. Profiles are created to verify compliance with an industry standard or custom standard.

The profiles provided with orcharhino are obtained from the OpenSCAP project.

Listing Available XCCDF Profiles

In the orcharhino UI, list the available XCCD profiles.

Procedure
  • Navigate to Hosts > SCAP contents.

Configuring SCAP Content

Importing OpenSCAP Puppet Modules

If you do not use Puppet to configure OpenSCAP auditing on hosts, you can skip this procedure.

To audit hosts with OpenSCAP, you must first import a Puppet environment. The Puppet environment contains the Puppet classes you must assign to each host to deploy the OpenSCAP configuration.

You must associate each host that you want to audit with the Puppet environment in the orcharhino web UI.

Procedure
  1. In the orcharhino web UI, navigate to Configure > Environments.

  2. Click Import environments from orcharhino.example.com.

  3. Select the Puppet environment check box associated with the host you want to audit.

    If no Puppet environment exists, select the production environment check box. The Puppet classes that you require for OpenSCAP are in the production environment by default.

  4. Click Update.

Loading the Default OpenSCAP Content

In the CLI, load the default OpenScap content.

Procedure
  • Use the foreman-rake command:

    # foreman-rake foreman_openscap:bulk_upload:default

Extra SCAP Content

You can upload extra SCAP content into orcharhino server, either content created by yourself or obtained elsewhere. SCAP content must be imported into orcharhino server before being applied in a policy. For example, the scap-security-guide RPM package available in the Red Hat Enterprise Linux 7.2 repositories includes a profile for the Payment Card Industry Data Security Standard (PCI-DSS) version 3. You can upload this content into a orcharhino server even if it is not running Red Hat Enterprise Linux 7.2 as the content is not specific to an operating system version.

Uploading Extra SCAP Content

In the orcharhino web UI, upload the extra SCAP content.

Procedure
  1. Navigate to Hosts > SCAP contents and click New SCAP Content.

  2. Enter a title in the Title text box.

    Example: RHEL 7.2 SCAP Content.

  3. Click Choose file, navigate to the location containing the SCAP content file and select Open.

  4. Click Submit.

If the SCAP content file is loaded successfully, a message similar to Successfully created RHEL 7.2 SCAP Content is shown and the list of SCAP Contents includes the new title.

Managing Compliance Policies

Compliance Policy

A scheduled audit, also known as a compliance policy, is a scheduled task that checks the specified hosts for compliance against an XCCDF profile. The schedule for scans is specified by orcharhino server and the scans are performed on the host. When a scan completes, an Asset Reporting File (ARF) is generated in XML format and uploaded to orcharhino server. You can see the results of the scan in the compliance policy dashboard. No changes are made to the scanned host by the compliance policy. The SCAP content includes several profiles with associated rules but policies are not included by default.

Creating a Compliance Policy

With orcharhino, you can create a compliance policy to scan your content hosts to ensure that the hosts remain compliant to your security requirements.

You can use either Puppet or Ansible to deploy the compliance policy to your hosts. Note that Puppet runs by default every 30 minutes. If you assign a new policy, the next Puppet run synchronizes the policy to the host. However Ansible does not perform scheduled runs. To add a new policy, you must run Ansible role manually or using remote execution. For more information about remote execution, see Configuring and Setting up Remote Jobs in the Managing Hosts guide.

Prerequisites

Before you begin, you must decide whether you want to use a Puppet or Ansible deployment.

  • For Puppet deployment, ensure that each host that you want to audit is associated with a Puppet environment. For more information, see Importing OpenSCAP Puppet Modules.

  • For Ansible deployment, ensure that you import the theforeman.foreman_scap_client Ansible role. For more information about importing Ansible roles, see Getting Started with Ansible in orcharhino in Configuring orcharhino to use Ansible.

Procedure
  1. Navigate to Hosts > Policies, and select whether you want a manual, Ansible, or Puppet deployment.

  2. Enter a name for this policy, a description (optional), then click Next.

  3. Select the SCAP Content and XCCDF Profile to be applied, then click Next.

    Note that the openSCAP plugin does not detect if a SCAP content role has no content, which means that the Default XCCDF Profile might return an empty report.

  4. Specify the scheduled time when the policy is to be applied, then click Next.

    Select Weekly, Monthly, or Custom from the Period list.

    • If you select Weekly, also select the desired day of the week from the Weekday list.

    • If you select Monthly, also specify the desired day of the month in the Day of month field.

    • If you select Custom, enter a valid Cron expression in the Cron line field.

      The Custom option allows for greater flexibility in the policy’s schedule than either the Weekly or Monthly options.

  5. Select the locations to which the policy is to be applied, then click Next.

  6. Select the organizations to which the policy is to be applied, then click Next.

  7. Select the host groups to which the policy is to be applied, then click Submit.

When the Puppet agent runs on the hosts which belong to the selected host group, or hosts to which the policy has been applied, the OpenSCAP client will be installed and a Cron job added with the policy’s specified schedule. The SCAP Content tab provides the name of the SCAP content file which will be distributed to the directory /var/lib/openscap/content/ on all target hosts.

Viewing a Compliance Policy

You can preview the rules which will be applied by specific OpenSCAP content and profile combination. This is useful when planning policies.

In the orcharhino web UI, view the compliance policy.

Procedure
  1. Navigate to Hosts > Policies.

  2. Click Show Guide.

Editing a Compliance Policy

In the orcharhino web UI, edit the compliance policy.

Procedure
  1. Navigate to Hosts > Policies.

  2. From the drop-down list to the right of the policy’s name, select Edit.

  3. Edit the necessary attributes.

  4. Click Submit.

An edited policy is applied to the host when its Puppet agent next checks with orcharhino server for updates. By default this occurs every 30 minutes.

Deleting a Compliance Policy

In the orcharhino web UI, delete an existing policy.

  1. Navigate to Hosts > Policies.

  2. From the drop-down list to the right of the policy’s name, select Delete.

  3. Click OK in the confirmation message.

Tailoring Files

Tailoring Files allow existing OpenSCAP policies to be customized without forking or rewriting the policy. You can assign a Tailoring File to a policy when creating or updating a policy.

You can create a Tailoring File using the SCAP Workbench. For more information on using the SCAP Workbench tool, see Customizing SCAP Security Guide for your use-case.

Uploading a Tailoring File

In the orcharhino web UI, upload a Tailoring file.

Procedure
  1. Navigate to Hosts > Compliance - Tailoring Files and click New Tailoring File.

  2. Enter a name in the Name text box.

  3. Click Choose File, navigate to the location containing the SCAP DataStream Tailoring File and select Open.

  4. Click Submit to upload the chosen Tailoring File.

Assigning a Tailoring File to a Policy

In the orcharhino web UI, assign a Tailoring file to a policy.

Procedure
  1. Navigate to Hosts > Compliance - Policies.

  2. Click New Policy, or New Compliance Policy if there are existing Compliance Policies.

  3. Enter a name in the Name text box, and click Next.

  4. Select a Scap content from the dropdown menu.

  5. Select a XCCDF Profile from the dropdown menu.

  6. Select a Tailoring File from the dropdown menu.

  7. Select a XCCDF Profile in Tailoring File from the dropdown menu.

    It is important to select the XCCDF Profile because Tailoring Files are able to contain multiple XCCDF Profiles.

  8. Click Next.

  9. Select a Period from the dropdown menu.

  10. Select a Weekday from the dropdown menu, and click Next.

  11. Select a Location to move it to the Selected Items window, and click Next.

  12. Select an Organization to move it to the Selected Items window, and click Next.

  13. Select a Hostgroup to move it to the Selected Items window, and click Submit.

Configuring a host group for OpenSCAP

Use this procedure to configure all the OpenSCAP requirements for a host group.

OpenSCAP Setup Overview

You must complete the following tasks on orcharhino server to assign the necessary components for a host group:

  • Enable OpenSCAP on orcharhino Proxy. For more information, see Enabling OpenSCAP on External orcharhino Proxies in the Installing orcharhino Proxy guide.

  • Assign an OpenSCAP orcharhino Proxy.

  • Assign a Puppet environment that contains the Puppet classes to deploy the OpenSCAP policies.

  • Assign the foreman_scap_client and foreman_scap_client::params Puppet classes.

  • Assign any compliance policies that you want to add.

For information about creating and administering hosts, see the Managing Hosts guide.

Procedure
  1. In the orcharhino web UI, navigate to Configure > Host Groups, and either create a host group or click the host group that you want to configure for OpenSCAP reporting.

  2. From the Puppet Environment list, select the Puppet environment that contains the foreman_scap_client and foreman_scap_client::params Puppet classes.

  3. From the OpenSCAP orcharhino Proxy list, select the orcharhino Proxy with OpenSCAP enabled that you want to use.

  4. Click the Puppet Classes tab, and add the foreman_scap_client and foreman_scap_client::params Puppet classes.

  5. Click Submit to save your changes.

  6. Navigate to Hosts > Policies.

  7. Select the policy that you want to assign to the host group.

  8. Click the Host Groups tab.

  9. From the Host Groups list, select as many host groups as you want to assign to this policy.

  10. Click Submit to save your changes.

Configuring a host for OpenSCAP

Use this procedure to configure all the OpenSCAP requirements for a host.

OpenSCAP Setup Overview

You must complete the following tasks on orcharhino server to assign the necessary components for a host:

  • Enable OpenSCAP on orcharhino Proxy. For more information, see Enabling OpenSCAP on External orcharhino Proxies in the Installing orcharhino Proxy guide.

  • Assign an OpenSCAP orcharhino Proxy.

  • Assign a Puppet environment that contains the Puppet classes to deploy the OpenSCAP policies.

  • Assign the foreman_scap_client and foreman_scap_client::params Puppet classes.

  • Assign any compliance policies that you want to add.

For information about creating and administering hosts, see the Managing Hosts guide.

Procedure
  1. In the orcharhino web UI, navigate to Hosts > All Hosts, and select Edit on the host you want to configure for OpenSCAP reporting.

  2. From the Puppet Environment list, select the Puppet environment that contains the foreman_scap_client and foreman_scap_client::params Puppet classes.

  3. From the OpenSCAP orcharhino Proxy list, select the orcharhino Proxy with OpenSCAP enabled that you want to use.

  4. Click the Puppet Classes tab, and add the foreman_scap_client and foreman_scap_client::params Puppet classes.

  5. To add a compliance policy, navigate to one of the following locations:

  6. Navigate to Hosts > All Hosts.

  7. Select the host or hosts to which you want to add the policy.

  8. Click Select Action.

  9. Select Assign Compliance Policy from the list.

  10. In the Policy window, select the policy that you want from the list of available policies and click Submit.

Monitoring Compliance

orcharhino enables centralized compliance monitoring and management. A compliance dashboard provides an overview of compliance of hosts and the ability to view details for each host within the scope of that policy. Compliance reports provide a detailed analysis of compliance of each host with the applicable policy. With this information, you can evaluate the risks presented by each host and manage the resources required to bring hosts into compliance.

Common objectives when monitoring compliance using SCAP include the following:

  • Verifying policy compliance.

  • Detecting changes in compliance.

Compliance Policy Dashboard

The compliance policy dashboard provides a statistical summary of compliance of hosts and the ability to view details for each host within the scope of that policy. For all hosts which were evaluated as non-compliant, the Failed statistic provides a useful metric for prioritizing compliance effort. The hosts detected as Never audited should also be a priority, since their status is unknown.

Compliance Policy Dashboard

Viewing the Compliance Policy Dashboard

Use the orcharhino web UI to verify policy compliance with the compliance policy dashboard.

Procedure
  1. In the orcharhino web UI, navigate to Hosts > Policies.

  2. Click the required policy name. The dashboard provides the following information:

    • A ring chart illustrating a high-level view of compliance of hosts with the policy.

    • A statistical breakdown of compliance of hosts with the policy, in a tabular format.

    • Links to the latest policy report for each host.

Compliance Email Notifications

orcharhino server sends an OpenSCAP Summary email to all users who subscribe to the Openscap policy summary email notifications. For more information on subscribing to email notifications, see Configuring Email Notifications. Each time a policy is run, orcharhino checks the results against the previous run, noting any changes between them. The email is sent according to the frequency requested by each subscriber, providing a summary of each policy and its most recent result.

An OpenSCAP Summary email message contains the following information:

  • Details of the time period it covers.

  • Totals for all hosts by status: changed, compliant, and noncompliant.

  • A tabular breakdown of each host and the result of its latest policy, including totals of the rules that passed, failed, changed, or where results were unknown.

Compliance Report

A compliance report is the output of a policy run against a host. Each report includes the total number of rules passed or failed per policy. By default, reports are listed in descending date order.

In the orcharhino web UI, navigate to Hosts > Reports to list all compliance reports.

A compliance report consists of the following areas:

  • Introduction

  • Evaluation Characteristics

  • Compliance and Scoring

  • Rule Overview

Evaluation Characteristics

The Evaluation Characteristics area provides details about an evaluation against a specific profile, including the host that was evaluated, the profile used in the evaluation, and when the evaluation started and finished. For reference, the IPv4, IPv6, and MAC addresses of the host are also listed.

Name Description Example

Target machine

The fully-qualified domain name (FQDN) of the evaluated host.

test-system.example.com

Benchmark URL

The URL of the SCAP content against which the host was evaluated.

/var/lib/openscap/content/1fbdc87d24db51ca184419a2b6f

Benchmark ID

The identifier of the benchmark against which the host was evaluated. A benchmark is a set of profiles

xccdf_org.ssgproject.content_benchmark_RHEL_7

Profile ID

The identifier of the profile against which the host was evaluated.

xccdf_org.ssgproject_content_profile_rht-ccp

Started at

The date and time at which the evaluation started, in ISO 8601 format.

2015-09-12T14:40:02

Finished at

The date and time at which the evaluation finished, in ISO 8601 format.

2015-09-12T14:40:05

Performed by

The local account name under which the evaluation was performed on the host.

root

Compliance and Scoring

The Compliance and Scoring area provides an overview of whether or not the host is in compliance with the profile rules, a breakdown of compliance failures by severity, and an overall compliance score as a percentage. If compliance with a rule was not checked, this is categorized in the Rule results field as Other.

Rule Overview

The Rule Overview area provides details about every rule and the compliance result, with the rules presented in a hierarchical layout.

Select or clear the check boxes to narrow the list of rules included in the compliance report. For example, if the focus of your review is any non-compliance, clear the pass and informational check boxes.

To search all rules, enter a criterion in the Search field. The search is dynamically applied as you type. The Search field only accepts a single plain-text search term and it is applied as a case-insensitive search. When you perform a search, only those rules whose descriptions match the search criterion will be listed. To remove the search filter, delete the search criterion.

For an explanation of each result, hover the cursor over the status shown in the Result column.

Examining Compliance Failure of Hosts

Use the orcharhino web UI to determine why a host failed compliance on a rule.

Procedure
  1. In the orcharhino web UI, navigate to Hosts > Reports to list all compliance reports.

  2. Click View Report in the row of the specific host to view the details of an individual report.

  3. Click on the rule’s title to see further details:

    • A description of the rule with instructions for bringing the host into compliance if available.

    • The rationale for the rule.

    • In some cases, a remediation script.

Do not implement any of the recommended remedial actions or scripts without first testing them in a non-production environment.

Searching Compliance Reports

Use the Compliance Reports search field to filter the list of available reports on any given subset of hosts.

Procedure
  • To apply a filter, enter the search query in the Search field and click Search. The search query is case insensitive.

Search Use Cases
  • The following search query finds all compliance reports for which more than five rules failed:

    failed > 5
  • The following search query finds all compliance reports created after January 1, YYYY, for hosts with host names that contain the prod- group of characters:

    host ~ prod- AND date > "Jan 1, YYYY"
  • The following search query finds all reports generated by the rhel7_audit compliance policy from an hour ago:

    "1 hour ago" AND compliance_policy = date = "1 hour ago" AND compliance_policy = rhel7_audit
  • The following search query finds reports that pass an XCCDF rule:

    xccdf_rule_passed = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
  • The following search query finds reports that fail an XCCDF rule:

    xccdf_rule_failed = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
  • The following search query finds reports that have a result different than fail or pass for an XCCDF rule:

    xccdf_rule_othered = xccdf_org.ssgproject.content_rule_firefox_preferences-auto-download_actions
Additional Information
  • To see a list of available search parameters, click the empty Search field.

  • You can create complex queries with the following logical operators: and, not and has. For more information about logical operators, see Supported Operators for Granular Search.

  • You cannot use regular expressions in a search query. However, you can use multiple fields in a single search expression. For more information about all available search operators, see Supported Operators for Granular Search.

  • You can bookmark a search to reuse the same search query. For more information, see Creating Bookmarks.

Deleting a Compliance Report

To delete a compliance report, complete the following steps:

  1. In the orcharhino web UI, navigate to Hosts > Reports.

  2. In the Compliance Reports window, identify the policy that you want to delete and, on the right of the policy’s name, select Delete.

  3. Click OK.

Deleting Multiple Compliance Reports

You can delete multiple compliance policies simultaneously. However, in the orcharhino web UI, compliance policies are paginated, so you must delete one page of reports at a time.

  1. In the orcharhino web UI, navigate to Hosts > Reports.

  2. In the Compliance Reports window, select the compliance reports that you want to delete.

  3. In the upper right of the list, select Delete reports.

  4. Repeat these steps for as many pages as you want to delete.

Specifications Supported by OpenSCAP

The following specifications are supported by OpenSCAP:

Title Description Version

XCCDF

The Extensible Configuration Checklist Description Format

1.2

OVAL

Open Vulnerability and Assessment Language

5.11

-

Asset Identification

1.1

ARF

Asset Reporting Format

1.1

CCE

Common Configuration Enumeration

5.0

CPE

Common Platform Enumeration

2.3

CVE

Common Vulnerabilities and Exposures

-

CVSS

Common Vulnerability Scoring System

2.0

Disabling TLS 1.0 and TLS 1.1 Encryption

You might want to change the encryption settings for orcharhino depending on the security requirements of your infrastructure or to fix vulnerabilities quickly.

Apache and Qpid services in orcharhino have TLS 1.0 and 1.1 encryption enabled by default. Use this procedure on orcharhino and orcharhino Proxy to configure orcharhino and orcharhino Proxy to only allow TLS 1.2, as required, for example, by PCI-DSS regulations.

Procedure
  1. Open the /etc/foreman-installer/custom-hiera.yaml file for editing:

    # vi /etc/foreman-installer/custom-hiera.yaml
  2. Add the following entries:

    # Apache
    apache::mod::ssl::ssl_protocol: [ 'ALL' , '-SSLv3' , '-TLSv1' , '-TLSv1.1' , '+TLSv1.2' ]
    
    # QPID Dispatch
    foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
  3. Enter the foreman-installer command to apply the above configuration and configure Qpid to use TLS 1.2 only:

    # foreman-installer \
    --foreman-proxy-content-qpid-router-ssl-protocols=TLSv1.2

Backing Up orcharhino server and orcharhino Proxy

You can back up your orcharhino deployment to ensure the continuity of your orcharhino deployment and associated data in the event of a disaster. If your deployment uses custom configurations, you must consider how to handle these custom configurations when you plan your backup and disaster recovery policy.

To create a backup of your orcharhino server or orcharhino Proxy and all associated data, use the foreman-maintain backup command. Backing up to a separate storage device on a separate system is highly recommended.

orcharhino services are unavailable during the backup. Therefore, you must ensure that no other tasks are scheduled by other administrators. You can schedule a backup using cron. For more information, see the Example of a Weekly Full Backup Followed by Daily Incremental Backups.

During offline or snapshot backups, the services are inactive and orcharhino is in a maintenance mode. All the traffic from outside on port 443 is rejected by a firewall to ensure there are no modifications triggered.

A backup contains sensitive information from the /root/ssl-build directory. For example, it can contain hostnames, ssh keys, request files and SSL certificates. You must encrypt or move the backup to a secure location to minimize the risk of damage or unauthorized access to the hosts.

Conventional Backup Methods

You can also use conventional backup methods.

If you plan to use the foreman-maintain backup command to create a backup, do not stop the foreman-maintain services.
  • When creating a snapshot or conventional backup, you must stop all services as follows:

    # foreman-maintain service stop
  • Start the services after creating a snapshot or conventional backup:

    # foreman-maintain service start

Estimating the Size of a Backup

The full backup creates uncompressed archives of PostgreSQL and Pulp database files, and orcharhino configuration files. Compression occurs after the archives are created to decrease the time when orcharhino services are unavailable.

A full backup requires space to store the following data:

  • Uncompressed orcharhino database and configuration files

  • Compressed orcharhino database and configuration files

  • An extra 20% of the total estimated space to ensure a reliable backup

Procedure
  1. Enter the du command to estimate the size of uncompressed directories containing orcharhino database and configuration files:

    # du -sh /var/opt/rh/rh-postgresql12/lib/pgsql/data /var/lib/pulp
    100G  /var/opt/rh/rh-postgresql12/lib/pgsql/data
    100G	/var/lib/pulp
    # du -csh /var/lib/qpidd /var/lib/tftpboot /etc /root/ssl-build \
    /var/www/html/pub /opt/puppetlabs
    886M  /var/lib/qpidd
    16M   /var/lib/tftpboot
    37M   /etc
    900K	/root/ssl-build
    100K	/var/www/html/pub
    2M	  /opt/puppetlabs
    942M  total
  2. Calculate how much space is required to store the compressed data.

    The following table describes the compression ratio of all data items included in the backup:

    Table 4. Backup Data Compression Ratio
    Data type Directory Ratio Example results

    PostgreSQL database files

    /var/opt/rh/rh-postgresql12/lib/pgsql/data

    80 - 85%

    100 GB → 20 GB

    Pulp RPM files

    /var/lib/pulp

    (not compressed)

    100 GB

    Configuration files

    /var/lib/qpidd
    /var/lib/tftpboot
    /etc
    /root-ssl/build
    /var/www/html/pub
    /opt/puppetlabs

    85%

    942 MB → 141 MB

    In this example, the compressed backup data occupies 180 GB in total.

  3. To calculate the amount of available space you require to store a backup, calculate the sum of the estimated values of compressed and uncompressed backup data, and add an extra 20% to ensure a reliable backup.

    This example requires 681 GB plus 180 GB for the uncompressed and compressed backup data, 861 GB in total. With 172 GB of extra space, 1033 GB must be allocated for the backup location.

Performing a Full Backup of orcharhino server or orcharhino Proxy

orcharhino uses the foreman-maintain backup command to make backups.

There are three main methods of backing up orcharhino server:

  • Offline backup

  • Online backup

  • Snapshot backups

    For more information about each of these methods, you can view the usage statements for each backup method.

For offline backups:

# foreman-maintain backup offline --help

For online backups:

# foreman-maintain backup online --help

For snapshots backups:

# foreman-maintain backup snapshot --help
Directory creation

The foreman-maintain backup command creates a time-stamped subdirectory in the backup directory that you specify. The foreman-maintain backup command does not overwrite backups, therefore you must select the correct directory or subdirectory when restoring from a backup or an incremental backup. The foreman-maintain backup command stops and restarts services as required.

When you run the foreman-maintain backup offline command, the following default backup directories are created:

  • orcharhino-backup on orcharhino

  • foreman-proxy-backup on orcharhino Proxy

If you want to set a custom directory name, add the --preserve-directory option and add a directory name. The backup is then stored in the directory you provide in the command line. If you use the --preserve-directory option, no data is removed if the backup fails.

Note that if you use a local PgSQL database, the postgres user requires write access to the backup directory.

Remote databases

You can use the foreman-maintain backup command to back up remote databases.

You can use both online and offline methods to back up remote databases, but if you use offline methods, such as snapshot, the foreman-maintain backup command performs a database dump.

Prerequisites
Procedure

To perform a full offline backup of orcharhino server or orcharhino Proxy, complete one of the following steps:

Request other users of orcharhino server or orcharhino Proxy to save any changes and warn them that orcharhino services are unavailable for the duration of the backup. Ensure no other tasks are scheduled for the same time as the backup.

  • On orcharhino server, enter the following command:

    # foreman-maintain backup offline /var/orcharhino-backup
  • On orcharhino Proxy, enter the following command:

    # foreman-maintain backup offline /var/foreman-proxy-backup

Performing a Backup without Pulp Content

You can perform an offline backup that excludes the contents of the Pulp directory. The backup without Pulp content is useful for debugging purposes and is only intended to provide access to configuration files without backing up the Pulp database. You cannot restore from a directory that does not contain Pulp content.

Request other users of orcharhino server or orcharhino Proxy to save any changes and warn them that orcharhino services are unavailable for the duration of the backup. Ensure no other tasks are scheduled for the same time as the backup.

Prerequisites
Procedure
  • To perform an offline backup without Pulp content, enter the following command:

    # foreman-maintain backup offline --skip-pulp-content /var/backup_directory

Performing an Incremental Backup

Use this procedure to perform an offline backup of any changes since a previous backup.

To perform incremental backups, you must perform a full backup as a reference to create the first incremental backup of a sequence. Keep the most recent full backup and a complete sequence of incremental backups to restore from.

Request other users of orcharhino server or orcharhino Proxy to save any changes and warn them that orcharhino services are unavailable for the duration of the backup. Ensure no other tasks are scheduled for the same time as the backup.

Prerequisites
Procedure
  1. To perform a full offline backup, enter the following command:

    # foreman-maintain backup offline  /var/backup_directory
  2. To create a directory within your backup directory to store the first incremental back up, enter the foreman-maintain backup command with the --incremental option:

    # foreman-maintain backup offline --incremental /var/backup_directory/full_backup  /var/backup_directory
  3. To create the second incremental backup, enter the foreman-maintain backup command with the --incremental option and include the path to the first incremental backup to indicate the starting point for the next increment. This creates a directory for the second incremental backup in your backup directory:

    # foreman-maintain backup offline --incremental /var/backup_directory/first_incremental_backup  /var/backup_directory
  4. Optional: If you want to point to a different version of the backup, and make a series of increments with that version of the backup as the starting point, you can do this at any time. For example, if you want to make a new incremental backup from the full backup rather than the first or second incremental backup, point to the full backup directory:

    # foreman-maintain backup offline --incremental /var/backup_directory/full_backup  /var/backup_directory

Example of a Weekly Full Backup Followed by Daily Incremental Backups

The following script performs a full backup on a Sunday followed by incremental backups for each of the following days. A new subdirectory is created for each day that an incremental backup is performed. The script requires a daily cron job.

#!/bin/bash -e
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESTINATION=/var/backup_directory
if [[ $(date +%w) == 0 ]]; then
  foreman-maintain backup offline --assumeyes $DESTINATION
else
  LAST=$(ls -td -- $DESTINATION/*/ | head -n 1)
  foreman-maintain backup offline --assumeyes --incremental "$LAST" $DESTINATION
fi
exit 0

Note that the foreman-maintain backup command requires /sbin and /usr/sbin directories to be in PATH and the --assumeyes option is used to skip the confirmation prompt.

Performing an Online Backup

Perform an online backup only for debugging purposes.

Risks Associated with Online Backups

When performing an online backup, if there are procedures affecting the Pulp database, the Pulp part of the backup procedure repeats until it is no longer being altered. Because the backup of the Pulp database is the most time consuming part of backing up orcharhino, if you make a change that alters the Pulp database during this time, the backup procedure keeps restarting.

For production environments, use the snapshot method. For more information, see Performing a Snapshot Backup. If you want to use the online backup method in production, proceed with caution and ensure that no modifications occur during the backup.

Request other users of orcharhino server or orcharhino Proxy to save any changes and warn them that orcharhino services are unavailable for the duration of the backup. Ensure no other tasks are scheduled for the same time as the backup.

Prerequisites
Procedure
  • To perform an online backup, enter the following command:

    # foreman-maintain backup online /var/backup_directory

Performing a Snapshot Backup

You can perform a snapshot backup that uses Logical Volume Manager (LVM) snapshots of the Pulp, and PostgreSQL directories. Creating a backup from LVM snapshots mitigates the risk of an inconsistent backup.

The snapshot backup method is faster than a full offline backup and therefore reduces orcharhino downtime.

To view the usage statement, enter the following command:

foreman-maintain backup snapshot -h

Request other orcharhino server or orcharhino Proxy users to save any changes and warn them that orcharhino services are unavailable for the duration of the backup. Ensure no other tasks are scheduled for the same time as the backup.

Prerequisites

Before you perform the snapshot backup, ensure that the following conditions are met:

  • The system uses LVM for the directories that you snapshot: /var/lib/pulp/, and /var/opt/rh/rh-postgresql12/lib/pgsql.

  • The free disk space in the relevant volume group (VG) is three times the size of the snapshot. More precisely, the VG must have enough space unreserved by the member logical volumes (LVs) to accommodate new snapshots. In addition, one of the LVs must have enough free space for the backup directory.

  • The target backup directory is on a different LV than the directories that you snapshot.

Procedure
  • To perform a snapshot backup, enter the foreman-maintain backup snapshot command:

    # foreman-maintain backup snapshot /var/backup_directory

The foreman-maintain backup snapshot command creates snapshots when the services are active, and stops all services which can impact the backup. This makes the maintenance window shorter. After the successful snapshot, all services are restarted and LVM snapshots are removed.

White-listing and Skipping Steps When Performing Backups

A backup using the foreman-maintain backup command proceeds in a sequence of steps. To skip part of the backup add the --whitelist option to the command and add the step label that you want to omit.

  • To display a list of available step labels, enter the following command:

    # foreman-maintain advanced procedure run -h
  • To skip a step of the backup, enter the foreman-maintain backup command with the --whitelist option. For example:

    # foreman-maintain backup online --whitelist backup-metadata  -y /var/backup_directory

Restoring orcharhino server or orcharhino Proxy from a Backup

You can restore orcharhino Server or Red Hat orcharhino Proxy from the backup data that you create as part of Backing Up orcharhino server and orcharhino Proxy. This process outlines how to restore the backup on the same server that generated the backup, and all data covered by the backup is deleted on the target system. If the original system is unavailable, provision a system with the same configuration settings and host name.

Restoring from a Full Backup

Use this procedure to restore orcharhino or orcharhino Proxy from a full backup. When the restore process completes, all processes are online, and all databases and system configuration revert to the state at the time of the backup.

Prerequisites
  • Ensure that you are restoring to the correct instance. The orcharhino instance must have the same host name, configuration, and be the same minor version (X.Y) as the original system.

  • Ensure that you have an existing target directory. The target directory is read from the configuration files contained within the archive.

  • Ensure that you have enough space to store this data on the base system of orcharhino server or orcharhino Proxy as well as enough space after the restoration to contain all the data in the /etc/ and /var/ directories contained within the backup.

    To check the space used by a directory, enter the following command:

    # du -sh /var/backup_directory

    To check for free space, enter the following command:

    # df -h /var/backup_directory

    Add the --total option to get a total of the results from more than one directory.

  • Ensure that all SELinux contexts are correct. Enter the following command to restore the correct SELinux contexts:

    # restorecon -Rnv /
Procedure
  1. Choose the appropriate method to install orcharhino or orcharhino Proxy:

  2. Copy the backup data to orcharhino server’s local file system. Use /var/ or /var/tmp/.

  3. Run the restoration script.

    # foreman-maintain restore /var/backup_directory

    Where backup_directory is the time-stamped directory or subdirectory containing the backed-up data.

    The restore process can take a long time to complete, because of the amount of data to copy.

Additional Resources
  • For troubleshooting, you can check /var/log/foreman/production.log and /var/log/messages.

Restoring from Incremental Backups

Use this procedure to restore orcharhino or orcharhino Proxy from incremental backups. If you have multiple branches of incremental backups, select your full backup and each incremental backup for the “branch” you want to restore, in chronological order.

When the restore process completes, all processes are online, and all databases and system configuration revert to the state at the time of the backup.

Procedure
  1. Restore the last full backup using the instructions in Restoring from a Full Backup.

  2. Remove the full backup data from orcharhino server’s local file system, for example, /var/ or /var/tmp/.

  3. Copy the incremental backup data to orcharhino server’s local file system, for example, /var/ or /var/tmp/.

  4. Restore the incremental backups in the same sequence that they are made:

    # foreman-maintain restore -i /var/backup_directory/FIRST_INCREMENTAL
    # foreman-maintain restore -i /var/backup_directory/SECOND_INCREMENTAL

    If you created the backup using the foreman-maintain backup command, you do not need to use -i option in the command.

Additional Resources
  • For troubleshooting, you can check /var/log/foreman/production.log and /var/log/messages.

Backup and Restore orcharhino Proxy Using a Virtual Machine Snapshot

If your orcharhino Proxy is a virtual machine, you can restore it from a snapshot. Creating weekly snapshots to restore from is recommended. In the event of failure, you can install, or configure a new orcharhino Proxy, and then synchronize the database content from orcharhino server.

If required, deploy a new orcharhino Proxy, ensuring the host name is the same as before, and then install the orcharhino Proxy certificates. You may still have them on orcharhino server, the package name ends in -certs.tar, alternately create new ones. Follow the procedures in Installing orcharhino Proxy until you can confirm, in the web UI, that orcharhino Proxy is connected to orcharhino server. Then use the procedure Synchronizing an External orcharhino Proxy to synchronize from orcharhino.

Synchronizing an External orcharhino Proxy

Synchronize an external orcharhino Proxy with orcharhino.

Procedure
  1. To synchronize an external orcharhino Proxy, select the relevant organization and location in the web UI, or choose Any Organization and Any Location.

  2. Navigate to Infrastructure > orcharhino Proxies and click the name of the orcharhino Proxy to synchronize.

  3. On the Overview tab, select Synchronize.

Renaming orcharhino server or orcharhino Proxy

To rename orcharhino server or orcharhino Proxy, you must use the katello-change-hostname script.

If you rename orcharhino server, you must reregister all orcharhino clients and configure each orcharhino Proxy to point them to the new orcharhino host name. If you use custom SSL certificates, you must regenerate them with the new host name. If you use virt-who, you must update the virt-who configuration files with the new host name.

If you rename orcharhino Proxy, you must reregister all orcharhino Proxy clients and update the orcharhino Proxy host name in the orcharhino web UI. If you use custom SSL certificates, you must regenerate them with the new host name.

The renaming process shuts down all orcharhino server services on the host being renamed. When the renaming is complete, all services are restarted.

Renaming orcharhino server

The host name of orcharhino server is used by orcharhino server components, all orcharhino Proxys, and hosts registered to it for communication. This procedure ensures that you update all references to the new host name.

If you use external authentication, you must reconfigure orcharhino server for external authentication after you run the katello-change-hostname script. The katello-change-hostname script breaks external authentication for orcharhino server. For more information about configuring external authentication, see Configuring External Authentication.

If you use virt-who, you must update the virt-who configuration files with the new host name after you run the katello-change-hostname script.

Prerequisites
  • Both the hostname and hostname -f commands must return the FQDN of orcharhino server or the katello-change-hostname script will fail to complete. If the hostname command returns the shortname of orcharhino server instead of the FQDN, use hostnamectl set-hostname old_fqdn to set the old FQDN correctly before attempting to use the katello-change-hostname script.

  • Perform a backup of orcharhino server before changing a host name. If the renaming process is not successful, you must restore it from a backup. For more information, see Backing Up orcharhino server and orcharhino Proxy.

  • Optional: If orcharhino server has a custom SSL certificate installed, a new certificate must be obtained for the host’s new name. For more information, see Configuring orcharhino server with a Custom SSL Certificate in Installing orcharhino server from a Connected Network.

Procedure
  1. On orcharhino server, choose the appropriate method to run the katello-change-hostname script, providing the new host name and orcharhino credentials:

    • If your orcharhino server is installed with default self-signed SSL certificates, enter the following command:

      # katello-change-hostname new-orcharhino \
      --username admin \
      --password password
    • If your orcharhino server is installed with custom SSL certificates:

      # katello-change-hostname new-orcharhino \
      --username admin \
      --password password \
      --custom-cert "/root/ownca/test.com/test.com.crt" \
      --custom-key "/root/ownca/test.com/test.com.key"
  2. Optional: If you have created a custom SSL certificate for the new orcharhino server host name, run the orcharhino installation script to install the certificate. For more information about installing a custom SSL certificate, see Deploying a Custom SSL Certificate to orcharhino server in Installing orcharhino server from a Connected Network.

  3. On all orcharhino clients, enter the following commands to reinstall the bootstrap RPM, reregister clients, and refresh their subscriptions.

    You can use remote execution feature to perform this step. For more information, see Configuring and Setting up Remote Jobs in Managing Hosts.

    # yum remove -y katello-ca-consumer*
    
    # rpm -Uvh http://new-orcharhino.example.com/pub/katello-ca-consumer-latest.noarch.rpm
    
    # subscription-manager register \
    --org="Default_Organization" \
    --environment="Library" \
    --force
    
    # subscription-manager refresh
  4. On all orcharhino Proxys, run the orcharhino installation script to update references to the new host name:

    # foreman-installer \
    --foreman-proxy-content-parent-fqdn new-orcharhino.example.com \
    --foreman-proxy-foreman-base-url https://new-orcharhino.example.com \
    --foreman-proxy-trusted-hosts new-orcharhino.example.com
  5. On orcharhino server, list all orcharhino Proxys:

    # hammer proxy list
  6. On orcharhino server, synchronize content for each orcharhino Proxy:

    # hammer proxy_content synchronize \
    --id proxy_id_number

Renaming orcharhino Proxy

The host name of orcharhino Proxy is referenced by orcharhino server components, and all hosts registered to it. This procedure ensures that you update all references to the new host name.

  • Both the hostname and hostname -f commands must return the FQDN of orcharhino Proxy or the katello-change-hostname script will fail to complete.

  • If the hostname command returns the shortname of orcharhino Proxy instead of the FQDN, use hostnamectl set-hostname old_fqdn to set the old FQDN correctly before attempting to use the katello-change-hostname script.

Prerequisites
  • Backup orcharhino Proxy. The katello-change-hostname script makes irreversible changes to orcharhino Proxy. If the renaming process is not successful, you must restore it from a backup.

    Perform a backup before changing a host name. For more information, see Backing Up orcharhino server and orcharhino Proxy.

Until BZ#1829115 is resolved, you must edit the usr/share/katello/hostname-change.rb file on orcharhino Proxy and comment out the following lines before attempting to rename orcharhino Proxy:

STDOUT.puts "updating hostname in hammer configuration"
self.run_cmd("sed -i.bak -e 's/#{@old_hostname} \
/#{@new_hostname}/g' #{hammer_root_config_path}/*.yml")
self.run_cmd("sed -i.bak -e 's/#{@old_hostname} \
/#{@new_hostname>/g' #{hammer_config_path}/*.yml")
Procedure
  1. On orcharhino server, generate a new certificates archive file for orcharhino Proxy.

    • If you are using the default SSL certificate, enter the following command:

      # foreman-proxy-certs-generate \
      --foreman-proxy-fqdn new-orcharhino-proxy.example.com \
      --certs-tar /root/new-orcharhino-proxy.example.com-certs.tar

      Ensure that you enter the full path to the .tar file.

    • If you are using a custom SSL certificate, create a new SSL certificate for orcharhino Proxy. For more information, see Configuring orcharhino Proxy with a Custom SSL Certificate in Installing orcharhino Proxy.

  2. On orcharhino server, copy the certificates archive file to orcharhino Proxy, providing the root user’s password when prompted. In this example the archive file is copied to the root user’s home directory, but you may prefer to copy it elsewhere.

    # scp /root/new-orcharhino-proxy.example.com-certs.tar root@orcharhino-proxy.example.com:
  3. On orcharhino Proxy, run the katello-change-hostname script and provide the host’s new name, orcharhino credentials, and certificates archive filename.

    # katello-change-hostname new-orcharhino Proxy --username admin \
    --password password \
    --certs-tar /root/new-orcharhino-proxy.example.com-certs.tar

    Ensure that you enter the full path to the .tar file.

  4. Optional: If you have created a custom certificate for orcharhino Proxy, on orcharhino Proxy, to deploy the certificate, enter the foreman-installer command that the foreman-proxy-certs-generate command returns. For more information, see Deploying a Custom SSL Certificate to orcharhino Proxy in Installing orcharhino Proxy.

  5. On all orcharhino Proxy clients, enter the following commands to reinstall the bootstrap RPM, reregister clients, and refresh their subscriptions.

    You can use remote execution feature to perform this step. For more information, see Configuring and Setting up Remote Jobs in Managing Hosts.

    # yum remove -y katello-ca-consumer*
    
    # rpm -Uvh http://new-orcharhino-proxy.example.com/pub/katello-ca-consumer-latest.noarch.rpm
    
    # subscription-manager register --org="Default_Organization" \
    --environment="Library" \
    --force
    
    # subscription-manager refresh
  6. In the orcharhino web UI, navigate to Infrastructure > orcharhino Proxies.

  7. Locate orcharhino Proxy in the list, and click Edit to the right of it.

  8. Edit the Name and URL fields to match orcharhino Proxy’s new host name, then click Submit.

  9. On your DNS server, add a record for orcharhino Proxy’s new host name, and delete the record for the previous host name.

Maintaining orcharhino server

This chapter provides information on how to maintain a orcharhino Server, including information on how to work with audit records, how to clean unused tasks, and how to recover Pulp from a full disk.

Deleting Audit Records

Audit records are created automatically in orcharhino. You can use the foreman-rake audits:expire command to remove audits at any time. You can also use a cron job to schedule audit record deletions at the set interval that you want.

By default, using the foreman-rake audits:expire command removes audit records that are older than 90 days. You can specify the number of days to keep the audit records by adding the days option and add the number of days.

For example, if you want to delete audit records that are older than seven days, enter the following command:

# foreman-rake audits:expire days=7

Anonymizing Audit Records

You can use the foreman-rake audits:anonymize command to remove any user account or IP information while maintaining the audit records in the database. You can also use a cron job to schedule anonymizing the audit records at the set interval that you want.

By default, using the foreman-rake audits:anonymize command anonymizes audit records that are older than 90 days. You can specify the number of days to keep the audit records by adding the days option and add the number of days.

For example, if you want to anonymize audit records that are older than seven days, enter the following command:

# foreman-rake audits:anonymize days=7

Configuring the Cleaning Unused Tasks Feature

orcharhino performs regular cleaning to reduce disc space in the database and limit the rate of disk growth. As a result, orcharhino backup completes faster and overall performance is higher.

By default, orcharhino executes a cron job that cleans tasks every day at 19:45. orcharhino removes the following tasks during the cleaning:

  • Tasks that have run successfully and are older than thirty days

  • All tasks that are older than a year

For orcharhinos Upgraded from Previous Versions

If you upgrade orcharhino from previous versions, this functionality is disabled by default. To enable orcharhino to perform regular cleaning, enter the following command:

# foreman-installer --foreman-plugin-tasks-automatic-cleanup true

Optionally use this procedure to adjust the configuration to serve your needs.

Procedure
  1. Optional: To configure the time at which orcharhino runs the cron job, set the --foreman-plugin-tasks-cron-line parameter to the time you want in cron format. For example, to schedule the cron job to run every day at 15:00, enter the following command:

    # foreman-installer --foreman-plugin-tasks-cron-line "00 15 * * *"
  2. Optional: To configure the period after which orcharhino deletes the tasks, edit the :rules: section in the /etc/foreman/plugins/foreman-tasks.yaml file.

Recovering from a Full Disk

The following procedure describes how to resolve the situation when a logical volume (LV) with the Pulp database on it has no free space.

To recover from a full disk
  1. Let running Pulp tasks finish but do not trigger any new ones as they can fail due to the full disk.

  2. Ensure that the LV with the /var/lib/pulp directory on it has sufficient free space. Here are some ways to achieve that:

    1. Remove orphaned content:

      # foreman-rake katello:delete_orphaned_content RAILS_ENV=production

      This is run weekly so it will not free much space.

    2. Change the download policy from Immediate to On Demand for as many repositories as possible and remove already downloaded packages.

    3. Grow the file system on the LV with the /var/lib/pulp directory on it.

      If you use an untypical file system (other than for example ext3, ext4, or xfs), you might need to unmount the file system so that it is not in use. In that case, complete the following steps:

      1. Stop the foreman-maintain services:

        # foreman-maintain service stop
      2. Grow the file system on the LV.

      3. Start the foreman-maintain services:

        # foreman-maintain service start
  3. If some Pulp tasks failed due to the full disk, run them again.

Reclaiming PostgreSQL Space

The PostgreSQL database can use a large amount of disk space especially in heavily loaded deployments. Use this procedure to reclaim some of this disk space on orcharhino.

Procedure
  1. Stop all services, except for the postgresql service:

    # foreman-maintain service stop --exclude postgresql
  2. Switch to the postgres user and reclaim space on the database:

    # su - postgres -c 'vacuumdb --full --dbname=foreman'
  3. Start the other services when the vacuum completes:

    # foreman-maintain service start

Logging and Reporting Problems

This chapter provides information on how to log and report problems in orcharhino Server, including information on relevant log files, how to enable debug logging, how to open a support case and attach the relevant log tar files, and how to access support cases within the orcharhino web UI.

You can use the log files and other information described in this chapter to do your own troubleshooting, or you can capture these and many more files, as well as diagnostic and configuration information, to send to Red Hat Support if you need further assistance.

For more information about orcharhino logging settings, use foreman-installer with the --full-help option:

# foreman-installer --full-help | grep logging

Enabling Debug Logging

Debug logging provides the most detailed log information and can help with troubleshooting issues that can arise with orcharhino and its components.

In the orcharhino CLI, enable debug logging to log detailed debugging information for orcharhino.

Procedure

To enable debug logging, complete the following steps on your orcharhino server.

  1. To enable debug logging, enter the following command :

    # foreman-installer --foreman-logging-level debug
  2. After you complete debugging, reset the logging level to the default value:

    # foreman-installer --reset-foreman-logging-level

Enabling Individual Loggers

You can enable individual loggers for selective logging. orcharhino uses the following loggers:

app

Logs web requests and all general application messages. Default value: true.

audit

Logs additional fact statistics, numbers of added, updated, and removed facts. Default value: true.

ldap

Logs high level LDAP queries and LDAP operations. Default value: false.

permissions

Logs queries to user roles, filters, and permissions when loading pages. Default value: false.

sql

Logs SQL queries made through Rails ActiveRecord. Default value: false.

Procedure

To enable individual loggers, complete the following steps.

  1. Enable the individual loggers that you want. For example, to enable sql and ldap loggers, enter the following command:

    # foreman-installer --foreman-loggers sql:true --foreman-loggers ldap:true
  2. Optional: To reset loggers to their default values, enter the following command:

    # foreman-installer --reset-foreman-loggers

Configuring Logging to Journal

You can configure orcharhino to manage logging with Journal. Journal then forwards log messages to rsyslog and rsyslog writes the log messages to /var/log/messages. Note that after this change the log messages do not appear in /var/log/foreman/production.log or /var/log/foreman-proxy.log any more.

Procedure

To configure orcharhino server logging with Journal, complete the following steps:

  1. Enter the following foreman-installer command to configure logging to journald:

    # foreman-installer --foreman-logging-level info \
    --foreman-logging-type journald \
    --foreman-logging-layout pattern --foreman-proxy-log JOURNAL
  2. Restart the Apache daemon:

    # foreman-maintain service restart --only httpd

Log File Directories Provided by orcharhino

orcharhino provides system information in the form of notifications and log files.

Table 5. Log File Directories for Reporting and Troubleshooting
Log File Directories Description of Log File Content

/var/log/candlepin

Subscription management

/var/log/foreman

Foreman

/var/log/foreman-proxy

Foreman proxy

/var/log/httpd

Apache HTTP server

/var/log/foreman-installer

Installer

/var/log/puppet

Configuration management

/var/log/rhsm

Subscription management

/var/log/tomcat

Candlepin webservice logs

/var/log/messages

Various other log messages

You can also use the foreman-tail command to follow many of the log files related to orcharhino. You can run foreman-tail -l to list the processes and services that it follows.

Utilities for Collecting Log Information

There are two utilities available to collect information from log files.

Table 6. Log Collecting Utilities
Command Description

foreman-debug

The foreman-debug command collects configuration and log file data for orcharhino, its back-end services, and system information. This information is collected and written to a tar file. By default, the output tar file is located at /tmp/foreman-debug-xxx.tar.xz.

Additionally, the foreman-debug command exports tasks run during the last 60 days. By default, the output tar file is located at /tmp/task-export-xxx.tar.xz. If the file is missing, see the file /tmp/task-export.log to learn why task export was unsuccessful.

For more information, run foreman-debug --help.

There is no timeout when running this command.

sosreport

The sosreport command is a tool that collects configuration and diagnostic information from a Red Hat Enterprise Linux system, such as the running kernel version, loaded modules, and system and service configuration files. The command also runs external programs (for example: foreman-debug -g) to collect orcharhino-specific information, and stores this output in a tar file.

By default, the output tar file is located at /var/tmp/sosreport-XXX-20171002230919.tar.xz. For more information, run sosreport --help.

The sosreport command calls the foreman-debug -g and times out after 500 seconds. If your orcharhino server has large log files or many orcharhino tasks, support engineers may require the output of sosreport and foreman-debug when you open a support case.

Both foreman-debug and sosreport remove security information such as passwords, tokens, and keys while collecting information. However, the tar files can still contain sensitive information about the orcharhino Server. Red Hat recommends that you send this information directly to the intended recipient and not to a public target.

Configuring External Authentication

By using external authentication you can derive user and user group permissions from user group membership in an external identity provider. When you use external authentication, you do not have to create these users and maintain their group membership manually on orcharhino server.

Important User and Group Account Information

All user and group accounts must be local accounts. This is to ensure that there are no authentication conflicts between local accounts on your orcharhino server and accounts in your Active Directory domain.

Your system is not affected by this conflict if your user and group accounts exist in both /etc/passwd and /etc/group files. For example, to check if entries for puppet, apache, foreman and foreman-proxy groups exist in both /etc/passwd and /etc/group files, enter the following commands:

# cat /etc/passwd | grep 'puppet\|apache\|foreman\|foreman-proxy'
# cat /etc/group | grep 'puppet\|apache\|foreman\|foreman-proxy'
Scenarios for Configuring External Authentication

orcharhino supports the following general scenarios for configuring external authentication:

  • Using Lightweight Directory Access Protocol (LDAP) server as an external identity provider. LDAP is a set of open protocols used to access centrally stored information over a network. With orcharhino, you can manage LDAP entirely through the orcharhino web UI. For more information, see Using LDAP. Though you can use LDAP to connect to a FreeIPA or AD server, the setup does not support server discovery, cross-forest trusts, or single sign-on with Kerberos in orcharhino’s web UI.

  • Using a FreeIPA server as an external identity provider. FreeIPA deals with the management of individual identities, their credentials and privileges used in a networking environment. Configuration using FreeIPA cannot be completed using only the orcharhino web UI and requires some interaction with the CLI. For more information see Using FreeIPA.

  • Using Active Directory (AD) integrated with FreeIPA through cross-forest Kerberos trust as an external identity provider. For more information see Active Directory with Cross-Forest Trust.

  • Using Keycloak as an OpenID provider for external authentication to orcharhino. For more information, see Configuring orcharhino with Keycloak Authentication.

  • Using Keycloak as an OpenID provider for external authentication to orcharhino with TOTP. For more information, see Configuring Keycloak Authentication with TOTP.

As well as providing access to orcharhino server, hosts provisioned with orcharhino can also be integrated with FreeIPA realms. orcharhino has a realm feature that automatically manages the life cycle of any system registered to a realm or domain provider. For more information, see External Authentication for Provisioned Hosts.

Table 7. Authentication Overview
Type Authentication User Groups

FreeIPA

Kerberos or LDAP

Yes

Active Directory

Kerberos or LDAP

Yes

POSIX

LDAP

Yes

Using LDAP

orcharhino supports LDAP authentication using one or multiple LDAP directories.

If you require orcharhino to use TLS to establish a secure LDAP connection (LDAPS), first obtain certificates used by the LDAP server you are connecting to and mark them as trusted on the base operating system of your orcharhino server as described below. If your LDAP server uses a certificate chain with intermediate certificate authorities, all of the root and intermediate certificates in the chain must be trusted, so ensure all certificates are obtained. If you do not require secure LDAP at this time, proceed to Configuring orcharhino to use LDAP.

Using SSSD Configuration

Though direct LDAP integration is covered in this section, Red Hat recommends that you use SSSD and configure it against FreeIPA, AD, or an LDAP server. SSSD improves the consistency of the authentication process. For more information about the preferred configurations, see Using Active Directory. You can also cache the SSSD credentials and use them for LDAP authentication.

Configuring TLS for Secure LDAP

Use the orcharhino CLI to configure TLS for secure LDAP (LDAPS).

Procedure
  1. Obtain the Certificate from the LDAP Server.

    1. If you use Active Directory Certificate Services, export the Enterprise PKI CA Certificate using the Base-64 encoded X.509 format.

    2. Download the LDAP server certificate to a temporary location on the Red Hat Enterprise Linux system where orcharhino server is installed and remove it when finished.

      For example, /tmp/example.crt. The filename extensions .cer and .crt are only conventions and can refer to DER binary or PEM ASCII format certificates.

  2. Trust the Certificate from the LDAP Server.

    orcharhino Server requires the CA certificates for LDAP authentication to be individual files in /etc/pki/tls/certs/ directory.

    1. Use the install command to install the imported certificate into the /etc/pki/tls/certs/ directory with the correct permissions:

      # install /tmp/example.crt /etc/pki/tls/certs/
    2. Enter the following command as root to trust the example.crt certificate obtained from the LDAP server:

      # ln -s example.crt /etc/pki/tls/certs/$(openssl \
      x509 -noout -hash -in \
      /etc/pki/tls/certs/example.crt).0
    3. Restart the httpd service:

      # systemctl restart httpd

Configuring orcharhino to use LDAP

In the orcharhino web UI, configure orcharhino to use LDAP.

Note that if you need single sign-on functionality with Kerberos on orcharhino’s web UI, you should use FreeIPA and AD external authentication instead. See Using FreeIPA or Using Active Directory for more information on those options.

Procedure
  1. Set the Network Information System (NIS) service boolean to true to prevent SELinux from stopping outgoing LDAP connections:

    # setsebool -P nis_enabled on
  2. Navigate to Administer > LDAP Authentication.

  3. Click Create Authentication Source.

  4. On the LDAP server tab, enter the LDAP server’s name, host name, port, and server type. The default port is 389, the default server type is POSIX (alternatively you can select FreeIPA or Active Directory depending on the type of authentication server). For TLS encrypted connections, select the LDAPS check box to enable encryption. The port should change to 636, which is the default for LDAPS.

  5. On the Account tab, enter the account information and domain name details. See Description of LDAP Settings for descriptions and examples.

  6. On the Attribute mappings tab, map LDAP attributes to orcharhino attributes. You can map login name, first name, last name, email address, and photo attributes. See Example Settings for LDAP Connections for examples.

  7. On the Locations tab, select locations from the left table. Selected locations are assigned to users created from the LDAP authentication source, and available after their first login.

  8. On the Organizations tab, select organizations from the left table. Selected organizations are assigned to users created from the LDAP authentication source, and available after their first login.

  9. Click Submit.

  10. Configure new accounts for LDAP users:

    • If you did not select Automatically Create Accounts In orcharhino check box, see Creating a User to create user accounts manually.

    • If you selected the Automatically Create Accounts In orcharhino check box, LDAP users can now log in to orcharhino using their LDAP accounts and passwords. After they log in for the first time, the orcharhino administrator has to assign roles to them manually. See Assigning Roles to a User to assign user accounts appropriate roles in orcharhino.

Description of LDAP Settings

The following table provides a description for each setting in the Account tab.

Table 8. Account Tab Settings
Setting Description

Account

The user name of the LDAP account that has read access to the LDAP server. User name is not required if the server allows anonymous reading, otherwise use the full path to the user’s object. For example:

uid=$login,cn=users,cn=accounts,dc=example,dc=com

The $login variable stores the username entered on the login page as a literal string. The value is accessed when the variable is expanded.

The variable cannot be used with external user groups from an LDAP source because orcharhino needs to retrieve the group list without the user logging in. Use either an anonymous, or dedicated service user.

Account password

The LDAP password for the user defined in the Account username field. This field can remain blank if the Account username is using the $login variable.

Base DN

The top level domain name of the LDAP directory.

Groups base DN

The top level domain name of the LDAP directory tree that contains groups.

LDAP filter

A filter to restrict LDAP queries.

Automatically Create Accounts In orcharhino

If this check box is selected, orcharhino creates user accounts for LDAP users when they log in to orcharhino for the first time. After they log in for the first time, the orcharhino administrator has to assign roles to them manually. See Assigning Roles to a User to assign user accounts appropriate roles in orcharhino.

Usergroup Sync

If this option is selected, the user group membership of a user is automatically synchronized when the user logs in, which ensures the membership is always up to date. If this option is cleared, orcharhino relies on a cron job to regularly synchronize group membership (every 30 minutes by default). See To Configure an External User Group: for further context.

Example Settings for LDAP Connections

The following table shows example settings for different types of LDAP connections. The example below uses a dedicated service account called redhat that has bind, read, and search permissions on the user and group entries. Note that LDAP attribute names are case sensitive.

Table 9. Example Settings for Active Directory, Free IPA or Red Hat Identity Management and POSIX LDAP Connections
Setting Active Directory FreeIPA or Red Hat Identity Management POSIX (OpenLDAP)

Account

DOMAIN\redhat

uid=redhat,cn=users, cn=accounts,dc=example, dc=com

uid=redhat,ou=users, dc=example,dc=com

Account password

P@ssword

-

-

Base DN

DC=example,DC=COM

dc=example,dc=com

dc=example,dc=com

Groups Base DN

CN=Users,DC=example,DC=com

cn=groups,cn=accounts, dc=example,dc=com

cn=employee,ou=userclass, dc=example,dc=com

Login name attribute

userPrincipalName

uid

uid

First name attribute

givenName

givenName

givenName

Last name attribute

sn

sn

sn

Email address attribute

mail

mail

mail

userPrincipalName allows the use of whitespace in usernames. The login name attribute sAMAccountName (which is not listed in the table above) provides backwards compatibility with legacy Microsoft systems. sAMAccountName does not allow the use of whitespace in usernames.

Example LDAP Filters

As an administrator, you can create LDAP filters to restrict the access of specific users to orcharhino.

Table 10. Example filters for allowing specific users to login
User Filter

User1, User3

(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)

User2, User3

(memberOf=cn=Group2,cn=Users,dc=domain,dc=example)

User1, User2, User3

(|(memberOf=cn=Group1,cn=Users,dc=domain,dc=example)(memberOf=cn=Group2,cn=Users,dc=domain,dc=example))

LDAP directory structure

The LDAP directory structure that the filters in the example use:

DC=Domain,DC=Example
   |
   |----- CN=Users
         |
         |----- CN=Group1
         |----- CN=Group2
         |----- CN=User1
         |----- CN=User2
         |----- CN=User3
LDAP group membership

The group membership that the filters in the example use:

Group Members

Group1

User1, User3

Group2

User2, User3

Using FreeIPA

This section shows how to integrate orcharhino Server with a FreeIPA server and how to enable host-based access control.

You can attach FreeIPA as an external authentication source with no single sign-on support. For more information, see Using LDAP.
Prerequisites
  • orcharhino server has to run on Red Hat Enterprise Linux 7.1 or Red Hat Enterprise Linux 6.6 or later.

  • The base operating system of orcharhino server must be enrolled in the FreeIPA domain by the FreeIPA administrator of your organization.

The examples in this chapter assume separation between FreeIPA and orcharhino configuration.

Configuring FreeIPA Authentication on orcharhino server

In the orcharhino CLI, configure FreeIPA authentication by first creating a host entry on the FreeIPA server.

Procedure
  1. On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:

    # kinit admin
  2. To verify that you have authenticated, enter the following command:

    # klist
  3. On the FreeIPA server, create a host entry for orcharhino server and generate a one-time password, for example:

    # ipa host-add --random hostname

    The generated one-time password must be used on the client to complete FreeIPA-enrollment.

  4. Create an HTTP service for orcharhino server, for example:

    # ipa service-add servicename/hostname
  5. On orcharhino server, install the IPA client:

    # yum install ipa-client
  6. On orcharhino server, enter the following command as root to configure FreeIPA-enrollment:

    # ipa-client-install --password OTP

    Replace OTP with the one-time password provided by the FreeIPA administrator.

  7. If orcharhino server is running on Red Hat Enterprise Linux 7, execute the following command:

    # subscription-manager repos --enable rhel-7-server-optional-rpms

    The installer is dependent on packages which, on Red Hat Enterprise Linux 7, are in the optional repository rhel-7-server-optional-rpms. On Red Hat Enterprise Linux 6 all necessary packages are in the base repository.

  8. Set foreman-ipa-authentication to true, using the following command:

    # foreman-installer --foreman-ipa-authentication=true
  9. Restart the foreman-maintain services:

    # foreman-maintain service restart

External users can now log in to orcharhino using their FreeIPA credentials. They can now choose to either log in to orcharhino server directly using their username and password or take advantage of the configured Kerberos single sign-on and obtain a ticket on their client machine and be logged in automatically. The two-factor authentication with one-time password (2FA OTP) is also supported. If the user in FreeIPA is configured for 2FA, and orcharhino server is running on Red Hat Enterprise Linux 7, this user can also authenticate to orcharhino with an OTP.

Configuring Host-Based Authentication Control

HBAC rules define which machine within the domain a FreeIPA user is allowed to access. You can configure HBAC on the FreeIPA server to prevent selected users from accessing orcharhino server. With this approach, you can prevent orcharhino from creating database entries for users that are not allowed to log in.

On the FreeIPA server, configure Host-Based Authentication Control (HBAC).

Procedure
  1. On the FreeIPA server, to authenticate, enter the following command and enter your password when prompted:

    # kinit admin
  2. To verify that you have authenticated, enter the following command:

    # klist
  3. Create HBAC service and rule on the FreeIPA server and link them together. The following examples use the PAM service name orcharhino-prod. Execute the following commands on the FreeIPA server:

    # ipa hbacsvc-add orcharhino-prod
    # ipa hbacrule-add allow_orcharhino_prod
    # ipa hbacrule-add-service allow_orcharhino_prod --hbacsvcs=orcharhino-prod
  4. Add the user who is to have access to the service orcharhino-prod, and the hostname of orcharhino server:

    # ipa hbacrule-add-user allow_orcharhino_prod --user=username
    # ipa hbacrule-add-host allow_orcharhino_prod --hosts=orcharhino.example.com

    Alternatively, host groups and user groups can be added to the allow_orcharhino_prod rule.

  5. To check the status of the rule, execute:

    # ipa hbacrule-find orcharhino-prod
    # ipa hbactest --user=username --host=orcharhino.example.com --service=orcharhino-prod
  6. Ensure the allow_all rule is disabled on the FreeIPA server.

  7. Configure the FreeIPA integration with orcharhino server as described in Configuring FreeIPA Authentication on orcharhino server. On orcharhino server, define the PAM service as root:

    # foreman-installer --foreman-pam-service=orcharhino-prod

Using Active Directory

This section shows how to use direct Active Directory (AD) as an external authentication source for orcharhino server.

You can attach Active Directory as an external authentication source with no single sign-on support. For more information, see Using LDAP.

Direct AD integration means that orcharhino server is joined directly to the AD domain where the identity is stored. The recommended setup consists of two steps:

GSS-Proxy

The traditional process of Kerberos authentication in Apache requires the Apache process to have read access to the keytab file. GSS-Proxy allows you to implement stricter privilege separation for the Apache server by removing access to the keytab file while preserving Kerberos authentication functionality. When using AD as an external authentication source for orcharhino, it is recommended to implement GSS-proxy, because the keys in the keytab file are the same as the host keys.

Perform the following procedures on Red Hat Enterprise Linux that acts as a base operating system for your orcharhino server. For the examples in this section EXAMPLE.ORG is the Kerberos realm for the AD domain. By completing the procedures, users that belong to the EXAMPLE.ORG realm can log in to orcharhino server.

Enrolling orcharhino server with the AD Server

In the orcharhino CLI, enroll orcharhino server with the Active Directory server.

Prerequisites
  • GSS-proxy and nfs-utils are installed.

    Installing GSS-proxy and nfs-utils:

    # yum install gssproxy nfs-utils
Procedure
  1. Install the required packages:

    # yum install sssd adcli realmd ipa-python-compat krb5-workstation samba-common-tools
  2. Enroll orcharhino server with the AD server. You may need to have administrator permissions to perform the following command:

    # realm join -v EXAMPLE.ORG

Configuring Direct AD Integration with GSS-proxy

In the orcharhino CLI, configure the direct Active Directory integration with GSS-proxy.

Prerequisite
Procedure
  1. Create the /etc/ipa/ directory and the default.conf file:

    # mkdir /etc/ipa
    # touch /etc/ipa/default.conf
  2. To the default.conf file, add the following content:

    [global]
    server = unused
    realm = EXAMPLE.ORG
  3. Create the /etc/net-keytab.conf file with the following content:

    [global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    kerberos method = system keytab
    security = ads
  4. Determine the effective user ID of the Apache user:

    # id apache

    Apache user must not have access to the keytab file.

  5. Create the /etc/gssproxy/00-http.conf file with the following content:

    [service/HTTP]
    mechs = krb5
    cred_store = keytab:/etc/krb5.keytab
    cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
    euid = ID_of_Apache_User
  6. Create a keytab entry:

    # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
    # chown root.apache /etc/httpd/conf/http.keytab
    # chmod 640 /etc/httpd/conf/http.keytab
  7. Enable IPA authenication in orcharhino:

    # foreman-installer --foreman-ipa-authentication=true
  8. Start and enable the gssproxy service:

    # systemctl restart gssproxy.service
    # systemctl enable gssproxy.service
  9. Configure the Apache server to use the gssproxy service:

    1. Create the /etc/systemd/system/httpd.service file with the following content:

      .include /lib/systemd/system/httpd.service
      [Service]
      Environment=GSS_USE_PROXY=1
    2. Apply changes to the service:

      # systemctl daemon-reload
  10. Start and enable the httpd service:

    # systemctl restart httpd.service
  11. Verify that SSO is working as expected.

    With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.

    1. Retrieve the Kerberos ticket of the LDAP user, using the following command:

      # kinit ldapuser
    2. View the Kerberos ticket, using the following command:

      # klist
    3. View output from successful SSO-based authentication, using the following command:

      # curl -k -u : --negotiate https://orcharhino.example.com/users/extlogin

      This returns the following response:

      <html><body>You are being <a href="https://orcharhino.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>

Kerberos Configuration in Web Browsers

If you use the Internet Explorer browser, add orcharhino server to the list of Local Intranet or Trusted sites, and turn on the Enable Integrated Windows Authentication setting. See the Internet Explorer documentation for details.

With direct AD integration, HBAC through FreeIPA is not available. As an alternative, you can use Group Policy Objects (GPO) that enable administrators to centrally manage policies in AD environments. To ensure correct GPO to PAM service mapping, use the following sssd configuration:

access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_map_service = +foreman

Here, foreman is the PAM service name.

Active Directory with Cross-Forest Trust

Kerberos can create cross-forest trust that defines a relationship between two otherwise separate domain forests. A domain forest is a hierarchical structure of domains; both AD and FreeIPA constitute a forest. With a trust relationship enabled between AD and FreeIPA, users of AD can access Linux hosts and services using a single set of credentials.

From the orcharhino point of view, the configuration process is the same as integration with FreeIPA server without cross-forest trust configured. orcharhino server has to be enrolled in the IPM domain and integrated as described in Using FreeIPA.

Configuring the FreeIPA Server to Use Cross-Forest Trust

On the FreeIPA server, configure the server to use cross-forest trust.

Procedure
  1. Enable HBAC:

    1. Create an external group and add the AD group to it.

    2. Add the new external group to a POSIX group.

    3. Use the POSIX group in a HBAC rule.

  2. Configure sssd to transfer additional attributes of AD users.

    • Add the AD user attributes to the nss and domain sections in /etc/sssd/sssd.conf.

      For example:

      [nss]
      user_attributes=+mail, +sn, +givenname
      
      [domain/EXAMPLE]
      ldap_user_extra_attrs=mail, sn, givenname

Configuring External User Groups

orcharhino does not associate external users with their user group automatically. You must create a user group with the same name as in the external source on orcharhino. Members of the external user group then automatically become members of the orcharhino user group and receive the associated permissions.

The configuration of external user groups depends on the type of external authentication.

To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.

Prerequisites
  • If you use an LDAP server, configure orcharhino to use LDAP authentication. For more information see Using LDAP.

    When using external user groups from an LDAP source, you cannot use the $login variable as a substitute for the account user name. You must use either an anonymous or dedicated service user.

  • If you use a FreeIPA or AD server, configure orcharhino to use FreeIPA or AD authentication. For more information, see Configuring External Authentication.

  • Ensure that at least one external user authenticates for the first time.

  • Retain a copy of the external group names you want to use. To find the group membership of external users, enter the following command:

    # id username
To Configure an External User Group:
  1. In the orcharhino web UI, navigate to Administer > User Groups, and click Create User Group.

  2. Specify the name of the new user group. Do not select any users to avoid adding users automatically when you refresh the external user group.

  3. Click the Roles tab and select the roles you want to assign to the user group. Alternatively, select the Administrator check box to assign all available permissions.

  4. Click the External groups tab, then click Add external user group, and select an authentication source from the Auth source drop-down menu.

    Specify the exact name of the external group in the Name field.

  5. Click Submit.

Refreshing External User Groups for LDAP

To set the LDAP source to synchronize user group membership automatically on user login, in the Auth Source page, select the Usergroup Sync option. If this option is not selected, LDAP user groups are refreshed automatically through a scheduled cron job synchronizing the LDAP Authentication source every 30 minutes by default.

If the user groups in the LDAP Authentication source change in the lapse of time between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs.

Use this procedure to refresh the LDAP source manually.

Procedure
  1. Navigate to Administer > Usergroups and select a user group.

  2. Navigate to the External Groups tab and click Refresh to the right of the required user group.

CLI procedure
  • Enter the following command:

    # foreman-rake ldap:refresh_usergroups

Refreshing External User Groups for FreeIPA or AD

External user groups based on FreeIPA or AD are refreshed only when a group member logs in to orcharhino. It is not possible to alter user membership of external user groups in the orcharhino web UI, such changes are overwritten on the next group refresh.

External Authentication for Provisioned Hosts

Use this section to configure orcharhino server or orcharhino Proxy for FreeIPA realm support, then add hosts to the FreeIPA realm group.

Prerequisites

You require the following setup to configure external authentication for provisioned hosts:

  • orcharhino server that is registered to the Content Delivery Network or an external orcharhino Proxy that is registered to orcharhino server.

  • A deployed realm or domain provider such as FreeIPA.

To install and configure FreeIPA packages on orcharhino Server or orcharhino orcharhino Proxy:

To use FreeIPA for provisioned hosts, complete the following steps to install and configure FreeIPA packages on orcharhino Server or orcharhino orcharhino Proxy:

  1. Install the ipa-client package on orcharhino server or orcharhino Proxy:

    # yum install ipa-client
  2. Configure the server as a FreeIPA client:

    # ipa-client-install
  3. Create a realm proxy user, realm-orcharhino Proxy, and the relevant roles in FreeIPA:

    # foreman-prepare-realm admin realm-orcharhino Proxy

    Note the principal name that returns and your FreeIPA server configuration details because you require them for the following procedure.

To configure orcharhino server or orcharhino Proxy for FreeIPA Realm Support:

Complete the following procedure on orcharhino and every orcharhino Proxy that you want to use:

  1. Copy the /root/freeipa.keytab file to any orcharhino Proxy that you want to include in the same principal and realm:

    # scp /root/freeipa.keytab root@orcharhino-proxy.example.com:/etc/foreman-proxy/freeipa.keytab
  2. Move the /root/freeipa.keytab file to the /etc/foreman-proxy directory and set the ownership settings to the foreman-proxy user:

    # mv /root/freeipa.keytab /etc/foreman-proxy
    # chown foreman-proxy:foreman-proxy /etc/foreman-proxy/freeipa.keytab
  3. Enter the following command on all orcharhino Proxies that you want to include in the realm. If you use the integrated orcharhino Proxy on orcharhino, enter this command on orcharhino server:

    # foreman-installer --foreman-proxy-realm true \
    --foreman-proxy-realm-keytab /etc/foreman-proxy/freeipa.keytab \
    --foreman-proxy-realm-principal realm-orcharhino Proxy@EXAMPLE.COM \
    --foreman-proxy-realm-provider freeipa

    You can also use these options when you first configure the orcharhino Server.

  4. Ensure that the most updated versions of the ca-certificates package is installed and trust the FreeIPA Certificate Authority:

    # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/ipa.crt
    # update-ca-trust enable
    # update-ca-trust
  5. Optional: If you configure FreeIPA on an existing orcharhino server or orcharhino Proxy, complete the following steps to ensure that the configuration changes take effect:

    1. Restart the foreman-proxy service:

      # systemctl restart foreman-proxy
    2. In the orcharhino web UI, navigate to Infrastructure > orcharhino Proxies.

    3. Locate the orcharhino Proxy you have configured for FreeIPA and from the list in the Actions column, select Refresh.

To create a realm for the FreeIPA-enabled orcharhino Proxy

After you configure your integrated or external orcharhino Proxy with FreeIPA, you must create a realm and add the FreeIPA-configured orcharhino Proxy to the realm.

To create a realm, complete the following steps:

  1. In the orcharhino web UI, navigate to Infrastructure > Realms and click Create Realm.

  2. In the Name field, enter a name for the realm.

  3. From the Realm Type list, select the type of realm.

  4. From the Realm orcharhino Proxy list, select orcharhino Proxy where you have configured FreeIPA.

  5. Click the Locations tab and from the Locations list, select the location where you want to add the new realm.

  6. Click the Organizations tab and from the Organizations list, select the organization where you want to add the new realm.

  7. Click Submit.

Updating Host Groups with Realm Information

You must update any host groups that you want to use with the new realm information.

  1. Navigate to Configure > Host Groups, select the host group that you want to update, and click the Network tab.

  2. From the Realm list, select the realm you create as part of this procedure, and then click Submit.

Adding Hosts to a FreeIPA Host Group

FreeIPA supports the ability to set up automatic membership rules based on a system’s attributes. orcharhino’s realm feature provides administrators with the ability to map the orcharhino host groups to the FreeIPA parameter userclass which allow administrators to configure automembership.

When nested host groups are used, they are sent to the FreeIPA server as they are displayed in the orcharhino User Interface. For example, "Parent/Child/Child".

orcharhino server or orcharhino Proxy sends updates to the FreeIPA server, however automembership rules are only applied at initial registration.

To Add Hosts to a FreeIPA Host Group:
  1. On the FreeIPA server, create a host group:

    # ipa hostgroup-add hostgroup_name --desc=hostgroup_description
  2. Create an automembership rule:

    # ipa automember-add --type=hostgroup hostgroup_name automember_rule

    Where you can use the following options:

    • automember-add flags the group as an automember group.

    • --type=hostgroup identifies that the target group is a host group, not a user group.

    • automember_rule adds the name you want to identify the automember rule by.

  3. Define an automembership condition based on the userclass attribute:

    # ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
    ----------------------------------
    Added condition(s) to "hostgroup_name"
    ----------------------------------
    Automember Rule: automember_rule
    Inclusive Regex: userclass=^webserver
    ----------------------------
    Number of conditions added 1
    ----------------------------

    Where you can use the following options:

    • automember-add-condition adds regular expression conditions to identify group members.

    • --key=userclass specifies the key attribute as userclass.

    • --type=hostgroup identifies that the target group is a host group, not a user group.

    • --inclusive-regex= ^webserver identifies matching values with a regular expression pattern.

    • hostgroup_name - identifies the target host group’s name.

When a system is added to orcharhino server’s hostgroup_name host group, it is added automatically to the FreeIPA server’s "hostgroup_name" host group. FreeIPA host groups allow for Host-Based Access Controls (HBAC), sudo policies and other FreeIPA functions.

Configuring orcharhino with Keycloak Authentication

Use this section to configure orcharhino to use Keycloak as an OpenID provider for external authentication.

Prerequisites for Configuring orcharhino with Keycloak Authentication

Before configuring orcharhino with Keycloak external authentication, ensure that you meet the following requirements:

  • A working installation of Keycloak server that uses HTTPS instead of HTTP.

  • A Keycloak account with admin privileges.

  • A realm for orcharhino user accounts created in Keycloak.

  • If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.

  • Users imported or added to Keycloak.

    If you have an existing user database configured such as LDAP or Kerberos, you can import users from it by configuring user federation.

    If you do not have an existing user database configured, you can manually create users in Keycloak.

Registering orcharhino as a Keycloak Client

Use this procedure to register orcharhino to Keycloak as a client and configure orcharhino to use Keycloak as an authentication source.

You can configure orcharhino and Keycloak with two different authentication methods:

  1. Users authenticate to orcharhino using the orcharhino web UI.

  2. Users authenticate to orcharhino using the orcharhino CLI.

You must decide on how you want your users to authenticate in advance because both methods require different orcharhino clients to be registered to Keycloak and configured. The steps to register and configure orcharhino client in Keycloak are distinguished within the procedure.

You can also register two different orcharhino clients to Keycloak if you want to use both authentication methods and configure both clients accordingly.

Procedure
  1. On the orcharhino server, install the following packages:

    # yum install mod_auth_openidc keycloak-httpd-client-install
  2. Register orcharhino to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients orcharhino clients to Keycloak to be able to log in to orcharhino from the web UI and the CLI.

    • If you want you users to authenticate to orcharhino using the web UI, create a client as follows:

      # keycloak-httpd-client-install --app-name foreman-openidc \
      --keycloak-server-url "https://Keycloak.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "orcharhino_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administer account when prompted. This command creates a client for orcharhino in Keycloak.

      Then, configure orcharhino to use Keycloak as an authentication source:

      # foreman-installer --foreman-keycloak true \
      --foreman-keycloak-app-name "foreman-openidc" \
      --foreman-keycloak-realm "orcharhino_Realm"
    • If you want your users to authenticate to orcharhino using the CLI, create a client as follows:

      # keycloak-httpd-client-install --app-name hammer-openidc \
      --keycloak-server-url "https://Keycloak.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "orcharhino_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administer account when prompted. This command creates a client for orcharhino in Keycloak.

  3. Restart the httpd service:

    # systemctl restart httpd

Configuring the orcharhino Client in Keycloak

Use this procedure to configure the orcharhino client in the Keycloak web UI and create group and audience mappers for the orcharhino client.

Procedure
  1. In the Keycloak web UI, navigate to Clients and click the orcharhino client.

  2. Configure access type:

    • If you want your users to authenticate to orcharhino using the web UI, from the Access Type list, select confidential.

    • If you want your users to authenticate to orcharhino using the CLI, from the Access Type list, select public.

  3. In the Valid redirect URI fields, add a valid redirect URI.

    • If you want your users to authenticate to orcharhino using the web UI, in the blank field below the existing URI, enter a URI in the form https://orcharhino.example.com/users/extlogin. Note that you must add the string /users/extlogin after the orcharhino FQDN.

      After completing this step, the orcharhino client for logging in using the web UI must have the following Valid Redirect URIs:

      https://orcharhino.example.com/users/extlogin/redirect_uri
      https://orcharhino.example.com/users/extlogin
    • If you want your users to authenticate to orcharhino using the CLI, in the blank field below the existing URI, enter urn:ietf:wg:oauth:2.0:oob.

      After completing this step, the orcharhino client for logging in using the CLI must have the following Valid Redirect URIs:

      https://orcharhino.example.com/users/extlogin/redirect_uri
      urn:ietf:wg:oauth:2.0:oob
  4. Click Save.

  5. Click the Mappers tab and click Create to add an audience mapper.

  6. In the Name field, enter a name for the audience mapper.

  7. From the Mapper Type list, select Audience.

  8. From the Included Client Audience list, select the orcharhino client.

  9. Click Save.

  10. Click Create to add a group mapper so that you can specify authorization in orcharhino based on group membership.

  11. In the Name field, enter a name for the group mapper.

  12. From the Mapper Type list, select Group Membership.

  13. In the Token Claim Name field, enter groups.

  14. Set the Full group path setting to OFF.

  15. Click Save.

Configuring orcharhino Settings for Keycloak Authentication

Use this section to configure orcharhino for Keycloak authentication using the orcharhino web UI or the CLI.

Configuring orcharhino Settings for Keycloak Authentication Using the Web UI

Use this procedure to configure orcharhino settings for Keycloak authentication using the orcharhino web UI.

Note that you can navigate to the following URL within your realm to obtain values to configure orcharhino settings: https://Keycloak.example.com/auth/realms/orcharhino_Realm/.well-known/openid-configuration

Prerequisite
  • Ensure that the Access Type setting in the orcharhino client in the Keycloak web UI is set to confidential

Procedure
  1. In the orcharhino web UI, navigate to Administer > Settings, and click the Authentication tab.

  2. Locate the Authorize login delegation row, and in the Value column, set the value to Yes.

  3. Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.

  4. Locate the Login delegation logout URL row, and in the Value column, set the value to https://orcharhino.example.com/users/extlogout.

  5. Locate the OIDC Algorithm row, and in the Value column, set the algorithm for encoding on Keycloak to RS256.

  6. Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Keycloak.

  7. Locate the OIDC Issuer row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/orcharhino_Realm.

  8. Locate the OIDC JWKs URL row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/orcharhino_Realm/protocol/openid-connect/certs.

  9. Navigate to Administer > Authentication Sources and click External.

  10. Click Create LDAP Authentication Source and select the Keycloak server.

  11. Click the Locations tab and add locations that can use the Keycloak authentication source.

  12. Click the Organizations tab and add organizations that can use the Keycloak authentication source.

  13. Click Submit.

Configuring orcharhino Settings for Keycloak Authentication Using the CLI

Use this procedure to configure orcharhino settings for Keycloak authentication using the orcharhino CLI.

Note that you can navigate to the following URL within your realm to obtain values to configure orcharhino settings: https://Keycloak.example.com/auth/realms/orcharhino_Realm/.well-known/openid-configuration

Prerequisite
  • Ensure that the Access Type setting in the orcharhino client in the Keycloak web UI is set to public

Procedure
  1. On orcharhino, set the login delegation to true so that users can authenticate using the Open IDC protocol:

    # hammer settings set --name authorize_login_delegation --value true
  2. Set the login delegation logout URL:

    # hammer settings set --name login_delegation_logout_url \
    --value https://orcharhino.example.com/users/extlogout
  3. Set the algorithm for encoding on Keycloak, for example, RS256:

    # hammer settings set --name oidc_algorithm --value 'RS256'
  4. Open the Keycloak.example.com/auth/realms/Keycloak_REALM/.well-known/openid-configuration URL and note the values to populate the options in the following steps.

  5. Add the value for the Hammer client in the Open IDC audience:

    # hammer settings set --name oidc_audience \
    --value "['orcharhino.example.com-hammer-openidc']"

    If you register several Keycloak clients to orcharhino, ensure that you append all audiences in the array. For example:

    # hammer settings set --name oidc_audience \
    --value "['orcharhino.example.com-foreman-openidc', 'orcharhino.example.com-hammer-openidc']"
  6. Set the value for the Open IDC issuer:

    # hammer settings set --name oidc_issuer \
    --value "Keycloak.example.com/auth/realms/Keycloak_Realm"
  7. Set the value for Open IDC Java Web Token (JWT):

    # hammer settings set --name oidc_jwks_url \
    --value "Keycloak.example.com/auth/realms/Keycloak_Realm/protocol/openid-connect/certs"
  8. Retrieve the ID of the Keycloak authentication source:

    # hammer auth-source external list
  9. Set the location and organization:

    # hammer auth-source external update --id Authentication Source ID \
    --location-ids Location ID --organization-ids Organization ID

Logging in to the orcharhino Web UI Using Keycloak

Use this procedure to log in to the orcharhino web UI using Keycloak.

Procedure
  • In your browser, log in to orcharhino and enter your credentials.

Logging in to the orcharhino CLI Using Keycloak

Use this procedure to authenticate to the orcharhino CLI using the code grant type.

Procedure
  1. To authenticate to the orcharhino CLI using the code grant type, enter the following command:

    # hammer auth login oauth \
    --two-factor \
    --oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
    --oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
    --oidc-client-id 'orcharhino.example.com-foreman-openidc' \
    --oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

    The command prompts you to enter a success code.

  2. To retrieve the success code, navigate to the URL that the command returns and provide the required information.

  3. Copy the success code that the web UI returns.

  4. In the command prompt of hammer auth login oauth, enter the success code to authenticate to the orcharhino CLI.

Configuring Group Mapping for Keycloak Authentication

Optionally, to implement the Role Based Access Control (RBAC), create a group in orcharhino, assign a role to this group, and then map an Active Directory group to the orcharhino group. As a result, anyone in the given group in Keycloak are logged in under the corresponding orcharhino group. This example configures users of the orcharhino-admin user group in the Active Directory to authenticate as users with administrator privileges on orcharhino.

Procedure
  1. In the orcharhino web UI, navigate to Administer > User Groups, and click the Create User Group button.

  2. In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.

  3. Do not add users and user groups to the right-hand columns. Click the Roles tab.

  4. Select the Administer check box.

  5. Click the External Groups tab.

  6. Click Add external user group.

  7. In the Name field, enter the name of the Active Directory group.

  8. From the list, select EXTERNAL.

Configuring Keycloak Authentication with TOTP

Use this section to configure orcharhino to use Keycloak as an OpenID provider for external authentication with TOTP cards.

Prerequisites for Configuring orcharhino with Keycloak Authentication

Before configuring orcharhino with Keycloak external authentication, ensure that you meet the following requirements:

  • A working installation of Keycloak server that uses HTTPS instead of HTTP.

  • A Keycloak account with admin privileges.

  • A realm for orcharhino user accounts created in Keycloak.

  • If the certificates or the CA are self-signed, ensure that they are added to the end-user certificate trust store.

  • Users imported or added to Keycloak.

    If you have an existing user database configured such as LDAP or Kerberos, you can import users from it by configuring user federation.

    If you do not have an existing user database configured, you can manually create users in Keycloak.

Registering orcharhino as a Keycloak Client

Use this procedure to register orcharhino to Keycloak as a client and configure orcharhino to use Keycloak as an authentication source.

You can configure orcharhino and Keycloak with two different authentication methods:

  1. Users authenticate to orcharhino using the orcharhino web UI.

  2. Users authenticate to orcharhino using the orcharhino CLI.

You must decide on how you want your users to authenticate in advance because both methods require different orcharhino clients to be registered to Keycloak and configured. The steps to register and configure orcharhino client in Keycloak are distinguished within the procedure.

You can also register two different orcharhino clients to Keycloak if you want to use both authentication methods and configure both clients accordingly.

Procedure
  1. On the orcharhino server, install the following packages:

    # yum install mod_auth_openidc keycloak-httpd-client-install
  2. Register orcharhino to Keycloak as a client. Note that you the registration process for logging in using the web UI and the CLI are different. You can register two clients orcharhino clients to Keycloak to be able to log in to orcharhino from the web UI and the CLI.

    • If you want you users to authenticate to orcharhino using the web UI, create a client as follows:

      # keycloak-httpd-client-install --app-name foreman-openidc \
      --keycloak-server-url "https://Keycloak.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "orcharhino_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administer account when prompted. This command creates a client for orcharhino in Keycloak.

      Then, configure orcharhino to use Keycloak as an authentication source:

      # foreman-installer --foreman-keycloak true \
      --foreman-keycloak-app-name "foreman-openidc" \
      --foreman-keycloak-realm "orcharhino_Realm"
    • If you want your users to authenticate to orcharhino using the CLI, create a client as follows:

      # keycloak-httpd-client-install --app-name hammer-openidc \
      --keycloak-server-url "https://Keycloak.example.com" \
      --keycloak-admin-username "admin" \
      --keycloak-realm "orcharhino_Realm" \
      --keycloak-admin-realm master \
      --keycloak-auth-role root-admin \
      -t openidc -l /users/extlogin --force

      Enter the password for the administer account when prompted. This command creates a client for orcharhino in Keycloak.

  3. Restart the httpd service:

    # systemctl restart httpd

Configuring the orcharhino Client in Keycloak

Use this procedure to configure the orcharhino client in the Keycloak web UI and create group and audience mappers for the orcharhino client.

Procedure
  1. In the Keycloak web UI, navigate to Clients and click the orcharhino client.

  2. Configure access type:

    • If you want your users to authenticate to orcharhino using the web UI, from the Access Type list, select confidential.

    • If you want your users to authenticate to orcharhino using the CLI, from the Access Type list, select public.

  3. In the Valid redirect URI fields, add a valid redirect URI.

    • If you want your users to authenticate to orcharhino using the web UI, in the blank field below the existing URI, enter a URI in the form https://orcharhino.example.com/users/extlogin. Note that you must add the string /users/extlogin after the orcharhino FQDN.

      After completing this step, the orcharhino client for logging in using the web UI must have the following Valid Redirect URIs:

      https://orcharhino.example.com/users/extlogin/redirect_uri
      https://orcharhino.example.com/users/extlogin
    • If you want your users to authenticate to orcharhino using the CLI, in the blank field below the existing URI, enter urn:ietf:wg:oauth:2.0:oob.

      After completing this step, the orcharhino client for logging in using the CLI must have the following Valid Redirect URIs:

      https://orcharhino.example.com/users/extlogin/redirect_uri
      urn:ietf:wg:oauth:2.0:oob
  4. Click Save.

  5. Click the Mappers tab and click Create to add an audience mapper.

  6. In the Name field, enter a name for the audience mapper.

  7. From the Mapper Type list, select Audience.

  8. From the Included Client Audience list, select the orcharhino client.

  9. Click Save.

  10. Click Create to add a group mapper so that you can specify authorization in orcharhino based on group membership.

  11. In the Name field, enter a name for the group mapper.

  12. From the Mapper Type list, select Group Membership.

  13. In the Token Claim Name field, enter groups.

  14. Set the Full group path setting to OFF.

  15. Click Save.

Configuring orcharhino Settings for Keycloak Authentication

Use this section to configure orcharhino for Keycloak authentication using the orcharhino web UI or the CLI.

Configuring orcharhino Settings for Keycloak Authentication Using the Web UI

Use this procedure to configure orcharhino settings for Keycloak authentication using the orcharhino web UI.

Note that you can navigate to the following URL within your realm to obtain values to configure orcharhino settings: https://Keycloak.example.com/auth/realms/orcharhino_Realm/.well-known/openid-configuration

Prerequisite
  • Ensure that the Access Type setting in the orcharhino client in the Keycloak web UI is set to confidential

Procedure
  1. In the orcharhino web UI, navigate to Administer > Settings, and click the Authentication tab.

  2. Locate the Authorize login delegation row, and in the Value column, set the value to Yes.

  3. Locate the Authorize login delegation auth source user autocreate row, and in the Value column, set the value to External.

  4. Locate the Login delegation logout URL row, and in the Value column, set the value to https://orcharhino.example.com/users/extlogout.

  5. Locate the OIDC Algorithm row, and in the Value column, set the algorithm for encoding on Keycloak to RS256.

  6. Locate the OIDC Audience row, and in the Value column, set the value to the client ID for Keycloak.

  7. Locate the OIDC Issuer row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/orcharhino_Realm.

  8. Locate the OIDC JWKs URL row, and in the Value column, set the value to https://Keycloak.example.com/auth/realms/orcharhino_Realm/protocol/openid-connect/certs.

  9. Navigate to Administer > Authentication Sources and click External.

  10. Click Create LDAP Authentication Source and select the Keycloak server.

  11. Click the Locations tab and add locations that can use the Keycloak authentication source.

  12. Click the Organizations tab and add organizations that can use the Keycloak authentication source.

  13. Click Submit.

Configuring orcharhino Settings for Keycloak Authentication Using the CLI

Use this procedure to configure orcharhino settings for Keycloak authentication using the orcharhino CLI.

Note that you can navigate to the following URL within your realm to obtain values to configure orcharhino settings: https://Keycloak.example.com/auth/realms/orcharhino_Realm/.well-known/openid-configuration

Prerequisite
  • Ensure that the Access Type setting in the orcharhino client in the Keycloak web UI is set to public

Procedure
  1. On orcharhino, set the login delegation to true so that users can authenticate using the Open IDC protocol:

    # hammer settings set --name authorize_login_delegation --value true
  2. Set the login delegation logout URL:

    # hammer settings set --name login_delegation_logout_url \
    --value https://orcharhino.example.com/users/extlogout
  3. Set the algorithm for encoding on Keycloak, for example, RS256:

    # hammer settings set --name oidc_algorithm --value 'RS256'
  4. Open the Keycloak.example.com/auth/realms/Keycloak_REALM/.well-known/openid-configuration URL and note the values to populate the options in the following steps.

  5. Add the value for the Hammer client in the Open IDC audience:

    # hammer settings set --name oidc_audience \
    --value "['orcharhino.example.com-hammer-openidc']"

    If you register several Keycloak clients to orcharhino, ensure that you append all audiences in the array. For example:

    # hammer settings set --name oidc_audience \
    --value "['orcharhino.example.com-foreman-openidc', 'orcharhino.example.com-hammer-openidc']"
  6. Set the value for the Open IDC issuer:

    # hammer settings set --name oidc_issuer \
    --value "Keycloak.example.com/auth/realms/Keycloak_Realm"
  7. Set the value for Open IDC Java Web Token (JWT):

    # hammer settings set --name oidc_jwks_url \
    --value "Keycloak.example.com/auth/realms/Keycloak_Realm/protocol/openid-connect/certs"
  8. Retrieve the ID of the Keycloak authentication source:

    # hammer auth-source external list
  9. Set the location and organization:

    # hammer auth-source external update --id Authentication Source ID \
    --location-ids Location ID --organization-ids Organization ID

Configuring orcharhino with Keycloak for TOTP Authentication

Use this procedure to configure orcharhino to use Keycloak as an OpenID provider for external authentication with Time-based One-time Password (TOTP).

Procedure
  1. In the Keycloak web UI, navigate to the orcharhino realm.

  2. Navigate to Authentication, and click the OTP Policy tab.

  3. Ensure that the Supported Applications field includes FreeOTP or Google Authenticator.

  4. Configure the OTP settings to suit your requirements.

  5. Optional: If you want to use TOTP authentication as a default authentication method for all users, click the Flows tab, and to the right of the OTP Form setting, select REQUIRED.

  6. Click the Required Actions tab.

  7. To the right of the Configure OTP row, select the Default Action check box.

Logging in to the orcharhino Web UI Using Keycloak TOTP Authentication

Use this procedure to log in to the orcharhino web UI using Keycloak TOTP authentication.

Procedure
  1. Log in to orcharhino, orcharhino redirects you to the Keycloak login screen.

  2. Enter your username and password, and click Log In.

  3. The first attempt to log in, Keycloak requests you to configure your client by scanning the barcode and entering the pin displayed.

  4. After you configure your client and enter a valid PIN, Keycloak redirects you to orcharhino and logs you in.

Logging in to the orcharhino CLI Using Keycloak

Use this procedure to authenticate to the orcharhino CLI using the code grant type.

Procedure
  1. To authenticate to the orcharhino CLI using the code grant type, enter the following command:

    # hammer auth login oauth \
    --two-factor \
    --oidc-token-endpoint 'https://Keycloak.example.com/auth/realms/ssl-realm/protocol/openid-connect/token' \
    --oidc-authorization-endpoint 'https://Keycloak.example.com/auth' \
    --oidc-client-id 'orcharhino.example.com-foreman-openidc' \
    --oidc-redirect-uri urn:ietf:wg:oauth:2.0:oob

    The command prompts you to enter a success code.

  2. To retrieve the success code, navigate to the URL that the command returns and provide the required information.

  3. Copy the success code that the web UI returns.

  4. In the command prompt of hammer auth login oauth, enter the success code to authenticate to the orcharhino CLI.

Configuring Group Mapping for Keycloak Authentication

Optionally, to implement the Role Based Access Control (RBAC), create a group in orcharhino, assign a role to this group, and then map an Active Directory group to the orcharhino group. As a result, anyone in the given group in Keycloak are logged in under the corresponding orcharhino group. This example configures users of the orcharhino-admin user group in the Active Directory to authenticate as users with administrator privileges on orcharhino.

Procedure
  1. In the orcharhino web UI, navigate to Administer > User Groups, and click the Create User Group button.

  2. In the Name field, enter a name for the user group. The name should not be the same as in the Active Directory.

  3. Do not add users and user groups to the right-hand columns. Click the Roles tab.

  4. Select the Administer check box.

  5. Click the External Groups tab.

  6. Click Add external user group.

  7. In the Name field, enter the name of the Active Directory group.

  8. From the list, select EXTERNAL.

Disabling Keycloak Authentication

If you want to disable Keycloak authentication in orcharhino, complete this procedure.

Procedure
  • Enter the following command to disable Keycloak Authentication:

    # foreman-installer --reset-foreman-keycloak

Monitoring Resources

The following chapter details how to configure monitoring and reporting for managed systems. This includes host configuration, content views, compliance, subscriptions, registered hosts, promotions and synchronization.

Using the orcharhino Content Dashboard

The orcharhino content dashboard contains various widgets which provide an overview of the host configuration, Content Views, compliance reports, subscriptions and hosts currently registered, promotions and synchronization, and a list of the latest notifications.

Navigate to Monitor > Dashboard to access the content dashboard. The dashboard can be rearranged by clicking on a widget and dragging it to a different position. The following widgets are available:

Host Configuration Status

An overview of the configuration states and the number of hosts associated with it during the last reporting interval. The following table shows the descriptions of the possible configuration states.

Table 11. Host Configuration States
Icon State Description

administering orcharhino guide icon 1

Hosts that had performed modifications without error

Host that successfully performed modifications during the last reporting interval.

administering orcharhino guide icon 2

Hosts in error state

Hosts on which an error was detected during the last reporting interval.

administering orcharhino guide icon 3

Good host reports in the last 35 minutes

Hosts without error that did not perform any modifications in the last 35 minutes.

administering orcharhino guide icon 4

Hosts that had pending changes

Hosts on which some resources would be applied but Puppet was configured to run in the noop mode.

administering orcharhino guide icon 5

Out of sync hosts

Hosts that were not synchronized and the report was not received during the last reporting interval.

administering orcharhino guide icon 6

Hosts with no reports

Hosts for which no reports were collected during the last reporting interval.

administering orcharhino guide icon 7

Hosts with alerts disabled

Hosts which are not being monitored.

Click the particular configuration status to view hosts associated with it.

Host Configuration Chart

A pie chart shows the proportion of the configuration status and the percentage of all hosts associated with it.

Latest Events

A list of messages produced by hosts including administration information, product and subscription changes, and any errors.

Monitor this section for global notifications sent to all users and to detect any unusual activity or errors.

Run Distribution (last 30 minutes)

A graph shows the distribution of the running Puppet agents during the last puppet interval which is 30 minutes by default. In this case, each column represents a number of reports received from clients during 3 minutes.

New Hosts

A list of the recently created hosts. Click the host for more details.

Task Status

A summary of all current tasks, grouped by their state and result. Click the number to see the list of corresponding tasks.

Latest Warning/Error Tasks

A list of the latest tasks that have been stopped due to a warning or error. Click a task to see more details.

Discovered Hosts

A list of all bare-metal hosts detected on the provisioning network by the Discovery plug-in.

Latest Errata

A list of all errata available for hosts registered to orcharhino.

Content Views

A list of all Content Views in orcharhino and their publish status.

Sync Overview

An overview of all products or repositories enabled in orcharhino and their synchronization status. All products that are in the queue for synchronization, are unsynchronized or have been previously synchronized are listed in this section.

Host Subscription Status

An overview of the subscriptions currently consumed by the hosts registered to orcharhino. A subscription is a purchased certificate that unlocks access to software, upgrades, and security fixes for hosts. The following table shows the possible states of subscriptions.

Table 12. Host Subscription States
Icon State Description

administering orcharhino guide icon 1229

Invalid

Hosts that have products installed, but are not correctly subscribed. These hosts need attention immediately.

administering orcharhino guide icon 1230

Partial

Hosts that have a subscription and a valid entitlement, but are not using their full entitlements. These hosts should be monitored to ensure they are configured as expected.

administering orcharhino guide icon 1228

Valid

Hosts that have a valid entitlement and are using their full entitlements.

Click the subscription type to view hosts associated with subscriptions of the selected type.

Subscription Status

An overview of the current subscription totals that shows the number of active subscriptions, the number of subscriptions that expire in the next 120 days, and the number of subscriptions that have recently expired.

Host Collections

A list of all host collections in orcharhino and their status, including the number of content hosts in each host collection.

Virt-who Configuration Status

An overview of the status of reports received from the virt-who daemon running on hosts in the environment. The following table shows the possible states.

Table 13. Virt-who Configuration States
State Description

No Reports

No report has been received because either an error occurred during the virt-who configuration deployment, or the configuration has not been deployed yet, or virt-who cannot connect to orcharhino during the scheduled interval.

No Change

No report has been received because hypervisor did not detect any changes on the virtual machines, or virt-who failed to upload the reports during the scheduled interval. If you added a virtual machine but the configuration is in the No Change state, check that virt-who is running.

OK

The report has been received without any errors during the scheduled interval.

Total Configurations

A total number of virt-who configurations.

Click the configuration status to see all configurations in this state.

The widget also lists the three latest configurations in the No Change state under Latest Configurations Without Change.

Latest Compliance Reports

A list of the latest compliance reports. Each compliance report shows a number of rules passed (P), failed (F), or othered (O). Click the host for the detailed compliance report. Click the policy for more details on that policy.

Compliance Reports Breakdown

A pie chart shows the distribution of compliance reports according to their status.

Red Hat Insights Actions

Red Hat Insights is a tool embedded in orcharhino that checks the environment and suggests actions you can take. The actions are divided into 4 categories: Availability, Stability, Performance, and Security.

Red Hat Insights Risk Summary

A table shows the distribution of the actions according to the risk levels. Risk level represents how critical the action is and how likely it is to cause an actual issue. The possible risk levels are: Low, Medium, High, and Critical.

It is not possible to change the date format displayed in the orcharhino web UI.

Managing Tasks

orcharhino keeps a complete log of all planned or performed tasks, such as repositories synchronised, errata applied, and Content Views published. To review the log, navigate to Monitor > Tasks.

In the Task window, you can search for specific tasks, view their status, details, and elapsed time since they started. You can also cancel and resume one or more tasks.

The tasks are managed using the Dynflow engine. Remote tasks have a timeout which can be adjusted as needed.

To Adjust Timeout Settings:
  1. Navigate to Administer > Settings.

  2. Enter %_timeout in the search box and click Search. The search should return four settings, including a description.

  3. In the Value column, click the icon next to a number to edit it.

  4. Enter the desired value in seconds, and click Save.

Adjusting the %_finish_timeout values might help in case of low bandwidth. Adjusting the %_accept_timeout values might help in case of high latency.

When a task is initialized, any back-end service that will be used in the task, such as Candlepin or Pulp, will be checked for correct functioning. If the check fails, you will receive an error similar to the following one:

There was an issue with the backend service candlepin: Connection refused – connect(2).

If the back-end service checking feature turns out to be causing any trouble, it can be disabled as follows.

To Disable Checking for Services:
  1. Navigate to Administer > Settings.

  2. Enter check_services_before_actions in the search box and click Search.

  3. In the Value column, click the icon to edit the value.

  4. From the drop-down menu, select false.

  5. Click Save.

Configuring RSS Notifications

To view orcharhino event notification alerts, click the Notifications icon in the upper right of the screen.

By default, the Notifications area displays RSS feed events published in the orcharhino news.

The feed is refreshed every 12 hours and the Notifications area is updated whenever new events become available.

You can configure the RSS feed notifications by changing the URL feed. The supported feed format is RSS 2.0 and Atom.

To Configure RSS Feed Notifications:
  1. Navigate to Administer > Settings and select the Notifications tab.

  2. In the RSS URL row, click the edit icon in the Value column and type the required URL.

  3. In the RSS enable row, click the edit icon in the Value column to enable or disable this feature.

Monitoring orcharhino server

From the About page in orcharhino server web UI, you can find an overview of the following:

  • System Status, including orcharhino Proxies, Available Providers, Compute Resources, and Plug-ins

  • Support information

  • System Information

  • Backend System Status

  • Installed packages

To navigate to the About page:

  • In the upper right corner of orcharhino server web UI, click Administer > About.

After Pulp failure, the status of Pulp might show OK instead of Error for up to 10 minutes due to synchronization delay.

Monitoring orcharhino Proxy

The following section shows how to use the orcharhino web UI to find orcharhino Proxy information valuable for maintenance and troubleshooting.

Viewing General orcharhino Proxy Information

Navigate to Infrastructure > orcharhino Proxies to view a table of orcharhino Proxys registered to orcharhino server. The information contained in the table answers the following questions:

Is orcharhino Proxy running?

This is indicated by a green icon in the Status column. A red icon indicates an inactive orcharhino Proxy, use the service foreman-proxy restart command on orcharhino Proxy to activate it.

What services are enabled on orcharhino Proxy?

In the Features column you can verify if orcharhino Proxy for example provides a DHCP service or acts as a Pulp mirror. orcharhino Proxy features can be enabled during installation or configured in addition. For more information, see Installing orcharhino Proxy.

What organizations and locations is orcharhino Proxy assigned to?

A orcharhino Proxy can be assigned to multiple organizations and locations, but only orcharhino Proxies belonging to the currently selected organization are displayed. To list all orcharhino Proxies, select Any Organization from the context menu in the top left corner.

After changing the orcharhino Proxy configuration, select Refresh from the drop-down menu in the Actions column to make sure the orcharhino Proxy table is up to date.

Click the orcharhino Proxy name to view further details. At the Overview tab, you can find the same information as in the orcharhino Proxy table. In addition, you can answer to the following questions:

Which hosts are managed by orcharhino Proxy?

The number of associated hosts is displayed next to the Hosts managed label. Click the number to view the details of associated hosts.

How much storage space is available on orcharhino Proxy?

The amount of storage space occupied by the Pulp content in /var/lib/pulp is displayed. Also the remaining storage space available on the orcharhino Proxy can be ascertained.

Monitoring Services

Navigate to Infrastructure > orcharhino Proxies and click the name of the selected orcharhino Proxy. At the Services tab, you can find basic information on orcharhino Proxy services, such as the list of DNS domains, or the number of Pulp workers. The appearance of the page depends on what services are enabled on orcharhino Proxy. Services providing more detailed status information can have dedicated tabs at the orcharhino Proxy page (see Monitoring Puppet).

Monitoring Puppet

Navigate to Infrastructure > orcharhino Proxies and click the name of the selected orcharhino Proxy. At the Puppet tab you can find the following:

  • A summary of Puppet events, an overview of latest Puppet runs, and the synchronization status of associated hosts at the General sub-tab.

  • A list of Puppet environments at the Environments sub-tab.

At the Puppet CA tab you can find the following:

  • A certificate status overview and the number of autosign entries at the General sub-tab.

  • A table of CA certificates associated with the orcharhino Proxy at the Certificates sub-tab. Here you can inspect the certificate expiry data, or cancel the certificate by clicking Revoke.

  • A list of autosign entries at the Autosign entries sub-tab. Here you can create an entry by clicking New or delete one by clicking Delete.

Searching and Bookmarking

The orcharhino web UI features powerful search functionality which is available on most pages of the web UI. It enables you to search all kinds of resources that orcharhino server manages. Searches accept both free text and syntax-based queries, which can be built using extensive input prediction. Search queries can be saved as bookmarks for future reuse.

Building Search Queries

As you start typing a search query, a list of valid options to complete the current part of the query appears. You can either select an option from the list and keep building the query using the prediction, or continue typing. To learn how free text is interpreted by the search engine, see Using Free Text Search.

Query Syntax

parameter operator value

Available fields, resources to search, and the way the query is interpreted all depend on context, that is, the page where you perform the search. For example, the field "hostgroup" on the Hosts page is equivalent to the field "name" on the Host Groups page. The field type also determines available operators and accepted values. For a list of all operators, see Operators. For descriptions of value formats, see Values.

Operators

All operators that can be used between parameter and value are listed in the following table. Other symbols and special characters that might appear in a prediction-built query, such as colons, do not have special meaning and are treated as free text.

Table 14. Comparison Operators Accepted by Search
Operator Short Name Description Example

=

EQUALS

Accepts numerical, temporal, or text values. For text, exact case sensitive matches are returned.

hostgroup = RHEL7

!=

NOT EQUALS

~

LIKE

Accepts text or temporal values. Returns case insensitive matches. Accepts the following wildcards: _ for a single character, % or * for any number of characters including zero. If no wildcard is specified, the string is treated as if surrounded by wildcards: %rhel7%

hostgroup ~ rhel%

!~

NOT LIKE

>

GREATER THAN

Accepts numerical or temporal values. For temporal values, the operator > is interpreted as "later than", and < as "earlier than". Both operators can be combined with EQUALS: >= <=

registered_at > 10-January-2017
The search will return hosts that have been registered after the given date, that is, between 10th January 2017 and now.

registered_at <= Yesterday
The search will return hosts that have been registered yesterday or earlier.

<

LESS THAN

^

IN

Compares an expression against a list of values, as in SQL. Returns matches that contain or not contain the values, respectively.

release_version !^ 7

!^

NOT IN

HAS or set?

 

Returns values that are present or not present, respectively.

has hostgroup or set? hostgroup
On the Puppet Classes page, the search will return classes that are assigned to at least one host group.

not has hostgroup or null? hostgroup
On the Dashboard with an overview of hosts, the search will return all hosts that have no assigned host group.

NOT HAS or null?

 

Simple queries that follow the described syntax can be combined into more complex ones using logical operators AND, OR, and NOT. Alternative notations of the operators are also accepted:

Table 15. Logical Operators Accepted by Search
Operator Alternative Notations Example

and

&

&&

<whitespace>

class = motd AND environment ~ production

or

|

||

 

errata_status = errata_needed || errata_status = security_needed

not

!

 

hostgroup ~ rhel7 not status.failed

Values

Text Values

Text containing whitespaces must be enclosed in quotes. A whitespace is otherwise interpreted as the AND operator.

Examples:

hostgroup = "Web servers"

The search will return hosts with assigned host group named "Web servers".

hostgroup = Web servers

The search will return hosts in the host group Web with any field matching %servers%.

Temporal Values

Many date and time formats are accepted, including the following:

  • "10 January 2017"

  • "10 Jan 2017"

  • 10-January-2017

  • 10/January/2017

  • "January 10, 2017"

  • Today, Yesterday, and the like.

Avoid ambiguous date formats, such as 02/10/2017 or 10-02-2017.

When you enter free text, it will be searched for across multiple fields. For example, if you type "64", the search will return all hosts that have that number in their name, IP address, MAC address, and architecture.

Multi-word queries must be enclosed in quotes, otherwise the whitespace is interpreted as the AND operator.

Because of searching across all fields, free text search results are not very accurate and searching can be slow, especially on a large number of hosts. For this reason, we recommend that you avoid free text and use more specific, syntax-based queries whenever possible.

Managing Bookmarks

You can save search queries as bookmarks for reuse. You can also delete or modify a bookmark.

Bookmarks appear only on the page on which they were created. On some pages, there are default bookmarks available for the common searches, for example, all active or disabled hosts.

Creating Bookmarks

This section details how to save a search query as a bookmark. You must save the search query on the relevant page to create a bookmark for that page, for example, saving a host related search query on the Hosts page.

To Create a Bookmark:
  1. Navigate to the page where you want to create a bookmark.

  2. In the Search field, enter the search query you want to save.

  3. Select the arrow to the right of the Search button and then select Bookmark this search.

  4. In the Name field, enter a name for the new bookmark.

  5. In the Search query field, ensure your search query is correct.

  6. Ensure the Public check box is set correctly:

    • Select the Public check box to set the bookmark as public and visible to all users.

    • Clear the Public check box to set the bookmark as private and only visible to the user who created it.

  7. Click Submit.

To confirm the creation, either select the arrow to the right of the Search button to display the list of bookmarks, or navigate to Administer > Bookmarks and then check the Bookmarks list for the name of the bookmark.

Deleting Bookmarks

You can delete bookmarks on the Bookmarks page.

To Delete a Bookmark:
  1. Navigate to Administer > Bookmarks.

  2. On the Bookmarks page, click Delete for the Bookmark you want to delete.

  3. When the confirmation window opens, click OK to confirm the deletion.

To confirm the deletion, check the Bookmarks list for the name of the bookmark.

Appendix A: orcharhino Settings

This section contains noteworthy information or known issues about settings that you can edit in the orcharhino web UI by navigating to Administer > Settings.

Table 16. General Settings Information
Setting Description

Fix DB cache

orcharhino maintains a cache of permissions and roles. When set to Yes, orcharhino recreates this cache on the next restart.

Table 17. Provisioning Settings Information
Setting Description

Type of name generator

Specifies the method used to generate a host name when creating a new host.

The default Random-based option generates a unique random host name which you can but do not have to use. This is useful for users who create many hosts and do not know how to name them.

The MAC-based option is for bare-metal hosts only. If you delete a host and create it later on, it receives the same host name based on the MAC address. This can be useful for users who recycle servers and want them to always get the same host name.

The Off option disables the name generator function and leaves the host name field blank.

Safemode rendering

Enables safe mode rendering of provisioning templates. The default and recommended option Yes denies the access to variables and any object that is not whitelisted within orcharhino.

When set to No, any object may be accessed by a user with permission to use templating features, either via editing of templates, parameters or smart variables. This permits users full remote code execution on orcharhino server, effectively disabling all authorization. This is not a safe option, especially in bigger companies.

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution–Share Alike 3.0 Unported ("CC-BY-SA") license. This page also contains text from the official Foreman documentation which uses the same license ("CC-BY-SA").


1. The exact set of allowed actions associated with predefined roles can be viewed by the privileged user as described in Viewing Permissions of a Role