This repository has been archived by the owner on Oct 15, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
README
92 lines (72 loc) · 4.37 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
/@
\ \ ______ __ __ __
___> \ /_ __/ / / __ __ __ _ / / ___ / / __ __ ___ _
(__O) \ / / / _ \/ // / / ' \ / _ \ (_-< / / / // / / _ `/
(____@) \ /_/ /_//_/\_,_/ /_/_/_//_.__//___//_/ \_,_/ \_, /
(____@) \ /___/
(__o)_ \ A Red Hat Production
\ \
== What? ==
Thumbslug is a content/entitlement proxy. It lets your candlepin clients access
content from the upstream cdn using locally granted entitlement certificates.
== How? ==
To run from source, use the thumbslug.sh file.
If you've installed via the rpm, you can run it as a regular system service, using 'service' or 'chkconfig' or invoke /usr/bin/thumbslug directly.
== Initial Configuration ==
You'll need to do a bit of setup first, before thumbslug will work.
- Create a pkcs keystore containing a cert/private key for thumbslug to use
to talk to its clients, and sign it with a CA that your clients will know.
Place this keystore in /etc/thumbslug/server_keystore.p12
- Example: keytool -genkeypair -alias my_certificate -keystore /etc/thumbslug/server_keystore.p12 -storepass thumbslug -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
- set the value of ssl.keystore.password in /etc/thumbslug/thumbslug.conf to
match the password on the above keystore.
- Set up a shared secret betweeen candlepin and thumbslug.
In /etc/candlepin/candlepin.conf, set
candlepin.auth.oauth.consumer.thumbslug.secret = <SECRET>
In /etc/thumbslug/thumbslug.conf, set
candlepin.oauth.secret = <SECRET>
- copy your candlepin's CA cert (what your entitlement certs are signed with)
to /etc/thumbslug/client-ca.pem
That's it!
This assumes your candlepin is running on the same host as thumbslug. If that's
not the case, you'll need to set some more config values. Check the 'Config
Options' section below, and the contents of /etc/thumbslug/thumbslug.conf.
You'll also have to configure your clients to talk to thumbslug. set baseurl in
rhsm.conf to match your thumbslug host/port, and repo_ca_cert to match your
thumbslug's CA cert.
== Config Options ==
port = <integer> ................... :: the local address to listen for
requests on
daemonize = <true|false> ........... :: daemonize thumbslug or keep in the
foreground
ssl = <true|false> ................. :: use ssl for client to thumbslug
communication
ssl.keystore = <string> ............ :: pkcs12 keystore for client to thumbslug
ssl verification
ssl.keystore.password = <string> ... :: password for above
ssl.ca.keystore = <string> ......... :: pem formatted x509 certificate to use
to verify client entitlment
certificates
ssl.client.dynamicSsl = <true|false> :: grab entitlement certificates from
candlepin for thumbslug to cdn
communication, or use a static one.
ssl.client.keystore = <string> ..... :: pem formatted x509 certifcate to use
with dynamicSsl = false
cdn.port = <integer> ............... :: the remote cdn port to connect to
cdn.host = <string> ................ :: hostname of the cdn
cdn.ssl = <true|false> ............. :: use ssl for connecting to the cdn
cdn.ssl.ca.keystore = <string> ..... :: pem formatted x509 certificate to use
to verify the cdn's certificate
cdn.sendTSheader = <true|false> .... :: add thumbslug version to cdn request
log.access = <string> .............. :: client to thumbslug http access log
log.error = <string> ............... :: debug/error log
candlepin.host = <string> .......... :: candlepin host for dynamicSsl
candlepin.port = <integer> ......... :: candlepin port
candlepin.ssl = <true|false> ....... :: use ssl to talk to candlepin
candlepin.oauth.key = <string> ..... :: shared secret with candlepin
candlepin.oauth.secret = <string> .. :: shared secret password with candlepin
== logging properties ==
Logging levels and properties can be set at runtime in the thumbslug.conf.
For ex:
log4j.logger.org.candlepin.thumbslug=INFO
log4j.logger.org.candlepin.thumbslug.HttpRequestHandler=DEBUG