How to register with RHN

Jephe Wu - http://linuxtechres.blogspot.com

Objective: summarize a few ways to register a RHEL5 system with RHN
Environment: RHEL5, Squid proxy, RHN


Steps:
1.  Configure /etc/sysconfig/rhn/up2date first

Make sure the following lines are there:
serverURL=https://xmlrpc.rhn.redhat.com/XMLRPC
sslCACert=/usr/share/rhn/RHNS-CA-CERT


# ls -l /usr/share/rhn/RHNS-CA-CERT  [file should be present]

If you are using a Squid http proxy, configure this:
enableProxy=1
httpProxy=ip/name:port
proxyUser=
proxyPassword=


2. How to identify whether it is Oracle Linux or RHEL

a. cat /usr/share/rhn/RHNS-CA-CERT to see whether it is Oracle or Red Hat
b. more /etc/issue.net or more /etc/issue
c. rpm -qi kernel to check the Vendor and Build Host fields

3. registration
3.1 - interactive way - rhn_register (if you are using a proxy, configure it in step 1 before use, or run rhn_register --help to see how to specify proxy settings)

If you have already registered before and /etc/sysconfig/rhn/systemid exists on the system, rhn_register first asks whether you are sure that you would like to register in this way.
 

3.2 - non-interactive way - rhnreg_ks (kickstart style)

activationkey method (https://access.redhat.com/kb/docs/DOC-2395, needs a management entitlement)
e.g. rhnreg_ks --profilename=jephe --activationkey=1-2b48feedf5b5a0e0609ae028d9275c93

username/password method (for security reasons, you need to clear the command from the shell history afterwards; use the history -d or history -c and clear commands)
e.g. rhnreg_ks --profilename "jephe" --username "username" --password "password" [--force]

4. references
a. RHN FAQ - https://access.redhat.com/kb/docs/DOC-16303
b. How to register with RHN - https://access.redhat.com/kb/docs/DOC-11217
c. rhnreg_ks command: - https://access.redhat.com/kb/docs/DOC-2395
d. using rhn_register, up2date or yum to access RHN, RHN Satellite or RHN proxy via an HTTP proxy - https://access.redhat.com/kb/docs/DOC-9826
e. activationkey (https://access.redhat.com/kb/docs/DOC-2395, need management entitlement)
f. difference between all kinds of entitlements: https://access.redhat.com/kb/docs/DOC-11277

GPG Concept and Usages

Jephe Wu - http://linuxtechres.blogspot.com

Objective: understand how gpg works and how to use its commands
Environment: RHEL or CentOS, GnuPG


Concepts:
1. keypair generation
When you generate a pair of gpg keys with the command 'gpg --gen-key', you actually generate two pairs of keys: one is used for DSA signatures, the other for encryption/decryption (Elgamal). The private key contains the private parts of both the DSA and Elgamal keys; the public key contains the public parts of both.

You sign a file with your private key and encrypt it with the peer's public key, then send it to the peer. Or you can encrypt and sign at the same time.

When to use sign only?
If you need to publish software to the public, the software itself is not confidential, so you don't have to encrypt it. You can sign the software itself, in which case you attach your signature at the end of the software. Or just put the software on the website, then upload your signed result (.sig for a binary file and .asc for an ascii file) to the website so users can verify the signature of your software. Of course, the user needs to get your master signing key (a part of the public key) first. To let users make sure that the public key/signing key belongs to you, you can put it on your website for users to download. Or, for personal email communication, just email the public key to the peer.

If you need to exchange secret messages with your friends, such as passwords or bank statements, you might need to use both the encrypt and sign functions.

2. When you receive a public key, what should you do?
First, import it into your public key ring, then make sure it is from the real person you'd like to communicate with. If you received it through email or downloaded it from that person's website, you will be pretty sure it's from that person; if not, you can check the fingerprint of that public key, then call the person to confirm:

gpg --import jephe.gpg

gpg --fingerprint # get the fingerprint of the master public sign key
gpg --sign-key "emailaddress or name"

or run the commands below to sign the key to validate it.
gpg --edit-key "emailaddress or name"
fpr
sign

3. How gpg signs files (what 'good signature' means after decrypting an encrypted/signed file)
The following paragraph is from http://www.glump.net/howto/gpg_intro.
When GPG creates a digital signature, it doesn't encrypt the entire file with the signer's private key. Instead, it computes a hash value, encrypts that, and appends it to the original data as the signature. This makes it possible to create signed files that are readable without any encryption software, and aren't significantly larger; GPG is needed only to verify the authenticity of the file.

To verify a signature, GPG reads the data that was signed and computes its hash value. Then it decrypts the signature, using the signer's public key, to obtain the true hash value. If the two hash values match, the signature is valid and the data you have is exactly the data the signer had when he created the signature.

3.1 How to sign a file?
a. gpg -s # sign a file and append the signature information to the file, whether the file is ascii or binary

b. For ascii files, you can also use the --clearsign feature, for example:
# gpg -u jephe@domain.com --clearsign hosts  # in this case, the original text and signature are in the same file.
# cat hosts.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1        localhost.localdomain localhost
10.0.0.1        jephe.domain.com    jephe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFNeH45bkqqCc9zAksRAtwvAKCzxPtS8VajyPVL69+5L1KhOcHsPACgoAUf
bD+LeQhMSMkLqt41+mwHTOM0
=Wnmj
-----END PGP SIGNATURE-----

You can verify the signature by using 'gpg --verify hosts.asc'.

c. sign a binary file with a detached signature (appending a signature to doc and zip files is not allowed)
gpg -u jephe@domain.com -o file.zip.sig --detach-sign file.zip

Note: use only .sig or .asc as the detached signature file name. When you use gpg --verify to verify the signature, the original file and the signature file must be in the same current directory; otherwise gpg will report 'bad signature', because gpg needs the original data file to calculate the hash value. Please refer to point 3.
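
Added example (not part of the original post, and not GnuPG code): a Python parser for the signature block of the hosts.asc listing above. It shows that the signature packet holds only the signature type, timestamp, signer key ID, algorithms and the two DSA values, never the data or its full hash, which is why gpg --verify must have the original file to re-hash. The layout assumed is the version 3 signature packet of RFC 4880; the function and variable names are illustrative.

```python
import base64
import struct

# Signature armor copied from the hosts.asc listing above, CRC line left out.
PAGE_SIG_B64 = (
    "iD8DBQFNeH45bkqqCc9zAksRAtwvAKCzxPtS8VajyPVL69+5L1KhOcHsPACgoAUf"
    "bD+LeQhMSMkLqt41+mwHTOM0"
)
# Algorithm and type IDs from RFC 4880 (subset).
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 10: "SHA512"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def parse_v3_signature(raw: bytes) -> dict:
    """Parse one old-format, version 3 OpenPGP signature packet."""
    if len(raw) < 2 or (raw[0] & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet")
    if ((raw[0] >> 2) & 0x0F) != 2 or (raw[0] & 0x03) != 0:
        raise ValueError("not a signature packet with a one-octet length")
    body = raw[2:2 + raw[1]]
    if len(body) != raw[1] or len(body) < 19:
        raise ValueError("truncated packet")
    version, hashed_len, sig_type, created = struct.unpack(">BBBI", body[:7])
    if version != 3 or hashed_len != 5:
        raise ValueError("not a version 3 signature")
    # body[17:19] holds only the first 16 bits of the digest as a quick check;
    # the digest itself is not stored, so a verifier must re-hash the data.
    pos, mpi_bits = 19, []
    while pos + 2 <= len(body):
        (bits,) = struct.unpack(">H", body[pos:pos + 2])
        mpi_bits.append(bits)
        pos += 2 + (bits + 7) // 8
    if pos != len(body):
        raise ValueError("malformed signature MPIs")
    return {
        "version": version,
        "sig_type": SIG_TYPES.get(sig_type, hex(sig_type)),
        "created": created,  # seconds since the Unix epoch
        "key_id": body[7:15].hex().upper(),
        "pubkey_algo": PUBKEY_ALGOS.get(body[15], str(body[15])),
        "hash_algo": HASH_ALGOS.get(body[16], str(body[16])),
        "mpi_bits": mpi_bits,  # bit lengths of the DSA signature values r and s
    }


def page_signature_info() -> dict:
    """Decode and parse the signature shown on this page."""
    return parse_v3_signature(base64.b64decode(PAGE_SIG_B64))
```

The parsed hash algorithm matches the "Hash: SHA1" header of the clearsigned message, and the DSA algorithm ID matches the signing key type described in the keypair generation section.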

4. other usages

a. use symmetric key to encrypt/decrypt file
gpg -c files

b. decrypting files automatically
echo PASSPHRASE| gpg --passphrase-fd 0 OPTIONS COMMAND
or
cat filecontainspassphrase | gpg --passphrase-fd 0 OPTIONS COMMAND

c. Encrypting for Multiple Recipients
You can specify more than one person who needs to decrypt your file; gpg will use the public keys of all these people to encrypt the file in such a way that any one of their private keys can decrypt it.
gpg -e -r user1 -r user2

Use RIP CD to fix the grub issue after RHEL 5 hard power shutdown

Jephe Wu -  http://linuxtechres.blogspot.com

Scenario: an HP Proliant DL360G5 server running RHEL 5 and a 32bit Oracle 11g database (11.1). After a yum update and some Oracle impdp/expdp operations, the server hung and we had to press the power button to shut it down. After powering it on again, GRUB stopped at 'loading grub stage 2'.

Steps:

1. use RIP (Rescue Is Possible - http://www.tux.org/pub/people/kent-robotti/looplinux/rip/) to reboot server.
2. re-generate grub
# vgdisplay -v
# lvdisplay -v (find out the root LVM partition name)
# vgchange -a y
# mount /dev/VolGroup00/LogVol00 /mnt/hd
# cd /mnt/hd; chroot .
# mount /dev/cciss/c0d0p0 boot
# cd /dev
# MAKEDEV cciss
# grub-install hd0


3. finishing job
# cd /mnt/hd
# umount boot
# exit
# umount /mnt/hd
# reboot