SUSE Manager Proxy Setup

Uyuni Proxy requires additional configuration in order to make it useful.

Proxy Chains

It is possible to arrange Salt proxies in a chain. In such a case, the upstream proxy is named “parent”.

Make sure the proxy’s TCP ports 4505 and 4506 are open and that the proxy can reach the Uyuni server (or another upstream proxy) on these ports.

Copy Server Certificate and Key

The proxy will share some SSL information with the Uyuni server. Copy the certificate and its key from the Uyuni 4 server or the upstream proxy.

As root, enter the following commands on the proxy, where PARENT is your Uyuni 4 server or chained proxy 4:

mkdir -m 700 /root/ssl-build
cd /root/ssl-build
scp root@PARENT:/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY .
scp root@PARENT:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT .
scp root@PARENT:/root/ssl-build/rhn-ca-openssl.cnf .

Known Limitation

The SUSE Manager Proxy functionality is only supported if the SSL certificate was signed by the same CA as the Uyuni Server certificate. Using certificates signed by different CAs for Proxies and Server is not supported.
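
The following is an added example, not part of the Uyuni documentation, that checks the copied files before the setup script is run. The directory mode and file names come from the commands above; the function names and the certificate path passed to signed_by_copied_ca are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks for the files copied into /root/ssl-build.
# File names and the 700 directory mode are taken from the copy steps;
# function names and the certificate argument are assumptions of this example.

SSL_FILES="RHN-ORG-PRIVATE-SSL-KEY RHN-ORG-TRUSTED-SSL-CERT rhn-ca-openssl.cnf"

# Succeeds only if DIR has mode 700, holds all three files (non-empty),
# and the CA private key grants no access to group or others.
check_ssl_build() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = "700" ] || { echo "$dir has mode $mode, expected 700" >&2; return 1; }
    for f in $SSL_FILES; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
    keymode=$(stat -c %a "$dir/RHN-ORG-PRIVATE-SSL-KEY")
    case $keymode in
        ?00|0) ;;
        *) echo "CA key has mode $keymode; remove group/other access" >&2
           return 1 ;;
    esac
}

# Known Limitation check: succeeds only if CERT verifies against the CA
# certificate copied into DIR, i.e. both were issued under the same CA.
# Matching on ": OK" avoids relying on the exit status of older openssl builds.
signed_by_copied_ca() {
    dir=$1 cert=$2
    openssl verify -CAfile "$dir/RHN-ORG-TRUSTED-SSL-CERT" "$cert" 2>/dev/null |
        grep -q ': OK$'
}

# When called with a directory argument, run the file check on it.
[ "$#" -eq 0 ] || check_ssl_build "$1"
```

Run it as root with /root/ssl-build as the argument after the scp commands have completed.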


The script will finalize the setup of your SUSE Manager Proxy.

Now execute the interactive script. Pressing Enter without further input will make the script use the default values provided between brackets []. Here is some information about the requested settings:

Uyuni Parent

A Uyuni parent can be either another proxy server or a Uyuni server.

HTTP Proxy

An HTTP proxy enables your Uyuni proxy to access the Web. This is needed if direct access to the Web is prohibited by a firewall.

Proxy Version to Activate

Normally, the correct value (3.0, 3.1, 3.2, or 4.0) should be offered as a default.

Traceback Email

An email address to which problems are reported.


For safety reasons, press Y.

Do You Want to Import Existing Certificates?

Answer N. This ensures that the new certificates copied previously from the Uyuni server are used.


The next questions are about the characteristics to use for the SSL certificate of the proxy. The organization might be the same organization that was used on the server, unless of course your proxy is not in the same organization as your main server.

Organization Unit

The default value here is the proxy’s hostname.


Further information attached to the proxy’s certificate. Note that the country code must consist of two uppercase letters. For further information on country codes, refer to the online list of alpha-2 codes.

Country Code

Enter the country code that was set during the SUSE Manager installation. For example, if your proxy is in US and your Uyuni in DE, you must enter DE for the proxy.

Cname Aliases (Separated by Space)

Use this if your proxy server can be accessed through various DNS CNAME aliases. Otherwise it can be left empty.

CA Password

Enter the password that was used for the certificate of your Uyuni server.

Do You Want to Use an Existing SSH Key for Proxying SSH-Push Salt Minion?

Use this option if you want to reuse an SSH key that was used for SSH-Push Salt clients on the server.

Create and Populate Configuration Channel rhn_proxy_config_1000010001?

Accept default Y.

SUSE Manager Username

Use the same user name and password as on the Uyuni server.

Activate advertising proxy via SLP?

SLP stands for Service Location Protocol.

If parts are missing, such as CA key and public certificate, the script prints commands that you must execute to integrate the needed files. When the mandatory files are copied, re-run Also restart the script if a HTTP error was met during script execution. activates services required by Uyuni Proxy, such as squid, apache2, salt-broker, and jabberd.

To check the status of the proxy system and its clients, click the proxy system’s details page on the Web UI (Main Menu > Systems > Proxy, then the system name). Connection and Proxy subtabs display the respective status information.

Enabling PXE Boot via SUSE Manager Proxy

Synchronizing Profiles and System Information

To enable PXE boot via a proxy server, additional software must be installed and configured on both the Uyuni server and the SUSE Manager Proxy server.

  1. On the Uyuni server install susemanager-tftpsync :

    zypper in susemanager-tftpsync

  2. On the SUSE Manager Proxy server install susemanager-tftpsync-recv :

    zypper in susemanager-tftpsync-recv

  3. Run the setup script and enter the requested information:

    It asks for hostname and IP address of the Uyuni server and of the proxy itself. Additionally, it asks for the tftpboot directory on the proxy.

  4. On the Uyuni server, run to configure the upload to the SUSE Manager Proxy server: FQDN_of_Proxy_Server
  5. To start an initial synchronization on the Uyuni Server run:

    cobbler sync

    This can also be done after each change within Cobbler that needs to be synchronized immediately. Otherwise, Cobbler synchronization will also run automatically when needed. For more information about Cobbler, see Cobbler.

Configuring DHCP for PXE via SUSE Manager Proxy

Uyuni uses Cobbler to provide provisioning. PXE (tftp) is installed and activated by default. To enable systems to find the PXE boot on the SUSE Manager Proxy server, add the following to the DHCP configuration for the zone containing the systems to be provisioned:

next-server: <IP_Address_of_SUSE_Manager_Proxy_Server>
filename: "pxelinux.0"

Replacing a SUSE Manager Proxy

A SUSE Manager Proxy is dumb in the sense that it does not contain any information about the clients that are connected to it. A SUSE Manager Proxy can therefore be replaced by a new one. Naturally, the replacement proxy must have the same name and IP address as its predecessor.

To replace a SUSE Manager Proxy and keep the clients registered to the proxy, leave the old proxy in Uyuni. Create a reactivation key for this system and then register the new proxy using the reactivation key. If you do not use the reactivation key, you will need to re-register all the clients against the new proxy.

Procedure: Replacing a SUSE Manager Proxy and Keeping the Clients Registered

  1. Before starting the actual migration procedure, save the data from the old proxy, if needed. Consider copying important data to a central place that can also be accessed by the new server:

    • Copy the scripts that are still needed.

    • Copy the activation keys from the previous server. Of course, it is always better to re-create the keys.

  2. Shut down the server.

  3. Install a new Uyuni 4 Proxy, see Proxy Installation.

  4. In the Uyuni Web UI select the newly installed SUSE Manager Proxy and delete it from the systems list.

  5. In the Web UI, create a reactivation key for the old proxy system: On the System Details tab of the old proxy click Reactivation. Then click Generate New Key, and remember it (write it on a piece of paper or copy it to the clipboard). For more information about reactivation keys, see Reactivation Keys.

  6. After the installation of the new proxy, perform the following actions (if needed):

    • Copy the centrally saved data to the new proxy system.

    • Install any other needed software.

    • If the proxy is also used for autoinstallation, do not forget to set up TFTP synchronization.

Proxy Installation and Client Connections

During the installation of the proxy, clients will not be able to reach the Uyuni server. After a SUSE Manager Proxy system has been deleted from the systems list, all clients connected to this proxy will be (incorrectly) listed as directly connected to the Uyuni server. After the first successful operation on a client, such as execution of a remote command or installation of a package or patch, this information will automatically be corrected. This may take a few hours.