Red Hat Certified Cloud and Service Provider Certification for Red Hat Enterprise Linux for SAP Images Policy Guide
For Red Hat Enterprise Linux for SAP with HA and Update Services Cloud Images
Chapter 1. Introduction
This document describes the technical and operational certification requirements for CCSP Partners who want to offer Red Hat Enterprise Linux (RHEL) for SAP with High Availability and Update Services in Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or a managed service offerings.
1.2. Creating value for our joint customers
As a Certified Cloud and Service Provider (CCSP), you are required to certify images that you publish in a catalog. The RHEL for SAP with High Availability and Update Services image certification process includes a series of tests that provide your Red Hat customers an assurance that they will have a consistent experience across cloud providers.
Partners are expected to have entered into certifications in good faith and for the interest of our joint customers. Customers will also have the confidence that their deployments are jointly supported by Red Hat and your organization ensuring the customer’s experience comes with the highest level of support and good security practices.
Chapter 2. Red Hat Certification test suite life cycle and policy update
Partners must install and utilize the latest version of the Red Hat Certification (
rhcert) tooling and use the latest workflow for the certification process. Red Hat supports previous versions of
rhcert for a maximum period of 90 days from the release date of the current version.
At the end of the 90 days period, test logs and results generated using the previous version(s) are automatically rejected and partners are expected to regenerate the test logs/results using the latest tooling and workflow.
The latest version of the certification tooling is available in the Red Hat Software & Download Center and on the command line via Red Hat Subscription Management. See, CCSP Workflow Guide for installing and using the certification tool.
Chapter 3. Red Hat Certification Self Check (rhcert/selfcheck)
The Red Hat Certification self check test also known as
rhcert/selfcheck confirms that all the software packages required in the certification process are installed and that they have not been altered. This ensures that the test environment is ready for the certification process and that all the certification software packages are supportable.
- The test environment includes the required certification packages process and their dependencies.
- The required certification packages have not been modified.
Chapter 4. Red Hat Certification tests overview
The cloud certification test suite
redhat-certification-cloud-sap includes four image tests:
- configuration, and
Each image tests consists of a series of subtests and checks. For more information on running the tests, see CCSP Certification Workflow Guide.
Logs from a singular run with all four of the image tests and the
rhcert/selfcheck must be submitted to Red Hat for credit in all new certifications as well as recertifications.
A certification may exit with one of the following statuses:
- Pass: All the subtests have passed and no further action is required.
- Fail: A critical subtest or check has not succeeded and requires a change before a certification can be achieved.
- Review: Additional detailed review is required by Red Hat to determine the status.
- Warn: One or more subtests did not follow best practices and require further action. However, the certification will succeed.
Partners are recommended to review the output of all tests, perform appropriate actions, and re-run the test as appropriate.
4.1. System report (sosreport)
The sosreport test, also known as
cloud-sap/sosreport, captures the basic sosreport.
Red Hat provides and utilizes an essential tool called
sos to collect the configuration and diagnostic information from a RHEL environmen to assist customers. SOS is pivotal in troubleshooting and verifying recommended practices. The system report subtest ensures that the sos tool functions as expected and necessary on the image. During this test a basic sosreport is created and captured. For more information about sosreports, see the article What is an sosreport and how to create one in Red Hat Enterprise Linux?
A basic sosreport can be captured on the image.
This SOSReport archives can also assist with debugging issues during the certification process.
4.2. Supportability tests
The Supportability tests, also known as
cloud-sap/supportable, ensure that the image is supportable by Red Hat. The test confirms that the image consists of Red Hat kernel and user space software, is run in a Red Hat supportable environment, and includes access to Red Hat updates and fixes.
cloud-sap/supportable tests include the following subtests:
4.2.1. Log versions
The Log versions subtest verifies the version of Red Hat Enterprise Linux (RHEL) installed on the image.
The Kernel subtest confirms the running kernel is from Red Hat and its version is either the original General Availability (GA) version or any subsequent kernel errata released for the RHEL major + minor release. For more information on Red Hat Enterprise Linux Life Cycle and Kernel Versions, see Red Hat Enterprise Linux Life Cycle and Red Hat Enterprise Linux Release Dates.
The kernel subtest also ensures that the kernel is not tainted when running in the environment. For more information about kernel tainting, see Why is the kernel "tainted" and how are the taint values deciphered?.
- The running kernel is a Red Hat kernel.
- The running kernel is released by Red Hat for use with the RHEL version.
- The running kernel is not tainted.
4.2.3. Kernel Modules
The Kernel Modules subtest confirms the loaded kernel modules are from Red Hat, and is either from the running kernel’s package or a Red Hat Driver Update (see Where can I download Driver Update Program (DUP) disks?). The kernel module subtest also ensures the kernel modules do not identify as Technology Preview when running in the environment (see What does a "Technology Preview" feature mean?).
The kernel modules are from Red Hat and supported.
4.2.4. Hardware Health
The Hardware Health subtest checks the system’s health by testing if the hardware is supported, meets the requirements, and has any known hardware vulnerabilities. The subtest does the following:
Checks that the Red Hat Enterprise Linux (RHEL) kernel does not identify hardware as unsupported. When the kernel identifies unsupported hardware, it will display an unsupported hardware message in the system logs and/or trigger an unsupported kernel taint. This subtest prevents customers from possible production risks which may arise from running Red Hat products on unsupported configurations and environments.
In hypervisor, partitioning, cloud instances, and other virtual machine situations, the kernel may trigger an unsupported hardware message or taint based on the hardware data presented to RHEL by the virtual machine (VM).
Checks that the system under test (SUT) meets the minimum hardware requirements as follows:
- Checks if the kernel has reported any known hardware vulnerabilities, if those vulnerabilities have mitigations and if those mitigations have resolved the vulnerability. Many mitigations are automatic to ensure that customers do not need to take active steps to resolve vulnerabilities. In some cases this is not possible; where most of these remaining cases require changes to the configuration of the system BIOS/firmware which may not be modifiable by customers in all situations.
- Confirms the system does not have any offline CPUs.
- Confirms if Simultaneous Multithreading (SMT) is available, enabled, and active in the system.
Failing any of these tests will result in a WARN from the test suite and should be verified by the partner to have correct and intended behavior.
- The kernel does not have the UNSUPPORTEDHARDWARE taint bit set.
- The kernel does not report an unsupported hardware system message.
- The kernel does not report any vulnerabilities with mitigations as vulnerable.
- The kernel does not report the logic core to installed memory ratio as out of range.
- The kernel does not report CPUs in an offline state.
The Hypervisor/Partitioning subtest confirms that the host architecture and hardware partitioning in the RHEL image is supported by RHEL, the CCSP program, and the kernel. Currently, the CCSP image certification is supported for the following existing and upcoming RHEL versions and corresponding architectures:
For RHEL 7:
- Architecture is one of x86_64, ppc, ppc64, ppc64le, and s390x
- Partitioning is one of Baremetal, RHEL KVM, VMware, HyperV, and PowerVM
- Architecture is one of x86_64, ppc64le, and s390x
- Partitioning is one of Baremetal, RHEL KVM, VMware, HyperV, and PowerVM
4.2.6. Filesystem Layout
The Filesystem Layout confirms that the filesystem type and the minimum partition size of the image follow the guidelines for each RHEL release. This ensures that the image has a reasonable amount of space required to operate effectively, run applications, and install upgrades for customer use.
- For RHEL 7: The root file system is 10GB or greater and xfs or ext4 formatted.
- RHEL 8: The root file system is 10GB or greater, the boot file system is 1GB or greater and both are xfs formatted.
4.2.7. Installed RPMs
Confirms that RPM packages installed are from Red Hat and they are not modified, which ensures that customers avoid the significant risks arising from unexpected software/packages. The test confirms that customers are starting with a supportable environment.
Non-Red Hat packages may be installed if they are necessary and documented to enable the cloud environment, and if they DO NOT modify or conflict with Red Hat packages or software. This subtest will require detailed review at Red Hat to confirm success or failure when non-Red Hat packages are installed.
For more information on Red Hat support policies on third-party software, refer to https://access.redhat.com/support/offerings/production/soc.
- The installed Red Hat provided RPM packages are from Red Hat product(s) available in the offering.
- The installed Red Hat RPM packages are not modified.
- The installed Non-Red Hat RPM packages are necessary to enable the cloud environment and are documented.
- The installed Non Red Hat RPM packages do not conflict with Red Hat provided packages/software available in Red Hat products included in the offering.
4.2.8. Software Repositories
Confirms that relevant Red Hat repositories are configured and GPG keys are already imported to avoid potentially significant risks from unsupported content. Red Hat provides core software packages and content in Red Hat official software repositories (included with attached subscriptions) which are signed with GPG keys to ensure authenticity of the distributed files. Software provided as part of these repositories is fully supported and reliable for use in customer production environments. For more information, refer to Production Support Scope of Coverage.
Repositories published but not supported by Red Hat, such as EPEL or the RHEL Supplementary and Optional , and non-Red Hat repositories may be configured if they are necessary to enable the cloud environment and are properly documented and approved by Red Hat.
- Supported Red Hat repositories are configured.
- GPG keys for Red Hat repositories are imported in the image.
- The valid repositories are Red Hat Update Infrastructure and Red Hat Satellite.
RHEL 8 and AppStream repos must be enabled.
RHEL 7 Repos:
- rhel-sap-hana-for-rhel-7-server-eus-rpms (7.5 only has eus)
- rhel-sap-hana-for-rhel-7-server-e4s-rpms (7.4, 7.6, 7.7)
- rhel-sap-for-rhel-7-server-eus-rpms (7.5)
- rhel-sap-for-rhel-7-server-e4s-rpms (7.4, 7.6, 7.7)
RHEL 8 Repos (currently 8.0, 8.1 are both on e4s):
- Red Hat repositories configured on the image match the image content.
- Non-Red Hat repositories if required for proper operation of the cloud are configured and described.
4.2.9. Package Groups
The Package Groups test verifies that the base package groups of the RHEL cloud image are the provided by Red Hat and that the correct minimum package groups is configured properly.
All package groups are recognized as RHEL package groups
4.2.10. Software Containers
The Software Containers test verifies that containers on the RHEL cloud image are provided by Red Hat or Partners. It is expected from Partners to provide a reason if any non-RHT container exists.
- All the containers should be supplied by Red Hat.
For RHEL 8 the container tool
podmanis a required package.
Enable the required container registry
4.2.11. Software Modules
The RHEL 8 modularity feature is a collection of packages available on the system. The software modules test validates modules available on the RHEL 8 system.
- The test fails if there are non-Red Hat software modules.
4.3. Image Configuration Overview
The Image Configuration tests, also known as
cloud-sap/configuration, confirm that the image is configured in accordance with Red Hat standards so that customers have a uniform and consistent experience across multiple cloud providers and images in an integrated environment.
cloud-sap/configuration test includes the following subtests:
4.3.1. Default System Logging
Confirms the default system logging service (syslog) is configured to store the logs in the /var/log/ directory of the image to allow quick issue resolution when needed.
Basic system logging is stored in /var/log/ directory on the image.
4.3.2. Network Configuration
Network configuration confirms that the default firewall service (iptables) is running, port 22 is open with SSHD running, ports 80 and 443 are open or closed, and that all other ports are closed. This ensures that the image is protected from unauthorized access by default, with a known access configuration.
This also ensures that customers have SSH access to the image and are able to quickly deploy HTTP applications without additional configuration. The image may have other ports open if they are necessary for proper operation of the cloud infrastructure but such ports must be documented.
This test displays status (Pass) at runtime only if ports 22, 80 (optional), 443 (optional) are open on the image. If other ports are open, this test requests a description of the open ports for review at Red Hat to confirm success or failure.
As part of the certification process, the Red Hat Certification application by default runs on port 8009. The Red Hat Certification application may also run on another open port during certification testing but it is recommended to open this port only during the testing and not as default in the configuration of an image.
Ensure for the following RHEL versions subsequent services are enabled and running:
- For RHEL 7, iptables and firewalld respectively
- For RHEL 8, firewalld with nftables or iptables
- sshd is enabled and running on port 22 and is accessible
- Any other ports open are required for proper operation of the cloud infrastructure and are documented
- Red Hat Certification application is running on port 8009 (or another port as configured)
- All other ports are closed
The httpd service is allowed but not required to be running on port 80 and/or port 443.
4.3.3. Default OS Runlevel
Confirms that the current system runlevel is 3, 4, or 5. This subtest ensures that the image is operating in the desired mode/state with all the required system services (for example networking) running.
For more information about runlevels in RHEL 7, and 8 versions see:
The current runlevel is 3, 4, or 5.
4.3.4. System Services
The system services confirms the root user can start and stop services on the system. This ensures that your customers who have system administration privileges can access/work with applications and services on the system and perform all the tasks which require administrative access in a seamless manner. The system services also ensures that there is no gap between the configured and actual state of the installed system services.
For more information on gaining the required privileges, see:
- The root user can start and stop system services provided by the Red Hat product.
- The chronyd service is started and enabled and functional
- The uuidd service is started and enabled
- For all the installed system services, the service status should match to the configured status. For instance, if the service is enabled then it should be in running state.
4.3.5. Subscription Services
Confirms that the required Red Hat subscriptions are configured, available and working on the image and that the update mechanism is Red Hat Satellite or RHUI. This ensures that customers are able to obtain access to the packages and updates they need to support their applications through standard Red Hat package update or delivery mechanisms.
The image is configured and able to download, install, and upgrade a package from Red Hat Satellite or the RHUI subscription management services.
4.3.6. SAP RPM Dependencies
The following packages are installed
- setup-2.12.2-2.el8_0.1 (or later)
- setup-2.12.2-2.el8_1.1 (or later)
4.4. Security Practices Overview
The Security Practices tests also known as
cloud-sap/security confirm that the image follows a minimum set of standard security practices. They also confirm (but do not require at this time) that the latest Red Hat security updates are installed.
cloud-sap/security test includes the following subtests:
4.4.1. Password Configuration
This test checks the hashing algorithm that depends on certificates or SHA-512 algorithm for RHEL 7, and 8 versions. For RHEL 7 versions the profile uses
authconfig utility whereas for the RHEL 8 versions it uses
authselect utility. The test ensures that the image follows standard encryption/decryption mechanisms for optimal security.
- Successful user authentication support certificates or SHA-512 algorithm for RHEL 7, and 8 versions
- The test fails for RHEL 8 if either of the services NIS, SSSD, or winbind are not configured
4.4.2. RPM Freshness
Confirms that all important and critical security errata released against Red Hat packages that are included in the image are installed. Red Hat encourages partners to update and recertify their images whenever an errata is released. This test displays status (REVIEW) at runtime as it requires review at Red Hat to confirm success or failure. For more information on Red Hat security ratings, refer to https://access.redhat.com/security/updates/classification.
All important and critical security errata released for installed Red Hat packages are current.
Security-Enhanced Linux (SELinux) subtest confirms that SELinux is enabled and running in permissive or enforcing mode on the image.
SELinux adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Red Hat Enterprise Linux. SELinux policy is administratively-defined, enforced system-wide, and is not set at user discretion. It reduces vulnerability to privilege escalation attacks and limits the damage made during the configuration. If a process becomes compromised, the attacker only has access to the normal functions of that process, and to files the process has been configured to have access to.
For more information on SELinux in RHEL, see:
- SELinux is configured and running in permissive or enforcing mode on the image.
Chapter 5. References
For more information on Red Hat Certified Cloud and Service Provider Program or Red Hat Certified Cloud and Service Provider Certification, see the following documents/pages.