Proxy Servers & Failover to the Mothership

inode0 inode0 at gmail.com
Wed Apr 6 13:30:49 UTC 2005


After spending some time yesterday trying to configure server failover
so that if our local RHN proxy were unavailable our clients would fail
over to the central RHN servers for updates, I thought I would share
what I discovered.

Documentation for this new arrangement appears at

http://rhn.redhat.com/help/client-config/s1-latest-clients-configuring.html#S2-CLIENT-CONFIG-FAILOVER

and seems lacking in a couple of respects.

First, "add the fully qualified domain names (FQDN) for the Proxy or
Satellite immediately after the primary server, separated by a
semicolon (;)." It appears to me from experimentation that you need to
terminate each with a semicolon rather than just separate them by
semicolons. So the example given

serverURL=https://your_primary.your_domain.com/XMLRPC;https://your_secondary.your_domain.com/XMLRPC

actually should be

serverURL=https://your_primary.your_domain.com/XMLRPC;https://your_secondary.your_domain.com/XMLRPC;

Other obvious typos occur in the noSSLServer line in the example given here.

The more critical piece of information missing from these instructions
is that no mention is made of the sslCACert variable, which likely also
needs to be modified, since if you are a proxy user you probably have it
pointing to your proxy server's certificate. Something like

sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT;/usr/share/rhn/RHNS-CA-CERT;

seems to work for us.

Can anyone confirm any of this? I'm eager to roll this feature out to
our clients.

I'm also curious if anyone can confirm that with older up2date clients
these changes are harmless? Or is it really necessary to determine the
version of up2date before making these modifications to
/etc/sysconfig/rhn/up2date?

Thanks,
John
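
An added example, not part of the original post: a small Python lint for the failover settings in /etc/sysconfig/rhn/up2date, checking the two points raised above (the terminating semicolon on serverURL and a CA file for each signing CA in sslCACert). The function names, the sample configuration and the "fewer than two CA files" heuristic are assumptions made for illustration; `key[comment]=` lines are treated as descriptions and skipped.

```python
import os
import sys

# Constructed sample: two servers, unterminated list, only the proxy's CA file.
SAMPLE = """\
serverURL[comment]=Remote server URL
serverURL=https://your_primary.your_domain.com/XMLRPC;https://your_secondary.your_domain.com/XMLRPC
sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
"""

def parse_up2date(text):
    """Return {key: value} from key=value lines; skip comments and key[comment]= lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if "[" not in key:
            conf[key.strip()] = value.strip()
    return conf

def lint_failover(text, exists=os.path.isfile):
    """Return a list of findings for the serverURL / sslCACert failover settings."""
    conf = parse_up2date(text)
    raw_urls = conf.get("serverURL", "")
    urls = [u for u in raw_urls.split(";") if u]
    certs = [c for c in conf.get("sslCACert", "").split(";") if c]
    findings = []
    if len(urls) > 1 and not raw_urls.endswith(";"):
        findings.append("serverURL: server list is not terminated with ';'")
    if len(urls) > 1 and len(certs) < 2:
        # Heuristic (assumption): proxy and central servers use different CAs.
        findings.append("sslCACert: %d CA file(s) for %d servers" % (len(certs), len(urls)))
    for u in urls:
        if not u.startswith("https://"):
            findings.append("serverURL: %s does not use https" % u)
    for c in certs:
        if not exists(c):
            findings.append("sslCACert: %s not found" % c)
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint_failover(text):
        print(finding)
```

Run it with the path to a client's up2date file as the only argument; with no argument it lints the constructed sample.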



