5. Managing Systems and Units

5.1. Registering a New System

Before a system can have any subscriptions attached to it, it has to be added into the inventory in the Customer Portal Subscription Management. This process is called registering. While registering is frequently a local operation as part of setting up or administering a machine, registering and unregistering through Customer Portal Subscription Management can be very useful when you are managing the entire infrastructure and need a more global perspective or when you need to manage systems that are not connected to an external network.
Some systems may not have internet connectivity, but administrators still want to attach and track the subscriptions for that system. This can be done by manually registering the system, rather than depending on Subscription Manager to perform the registration. This has two major steps, first to create an entry on the subscriptions service and then to configure the system.
  1. Open the Subscriptions tab in the Customer Portal, and select the Overview item under the Subscription Management menu area.
  2. In the Usage area on the right, click the Subscription Management link.
  3. In the Units area on the left, click the Register link.
  4. Fill in the information for the new system.
    A system requires information about the architecture and hardware in order to ascertain what subscriptions are available to that system.
    • The name for the entry, which is normally the hostname.
    • The system type, physical or virtual.
    • The architecture, which is used to determine compatible subscriptions.
    • The number of sockets, either the number of physical sockets or, for virtual machines, the number of CPUs. Some subscriptions cover to a certain number of sockets, and multiple subscriptions may be required to cover larger systems.
  5. Once the system is created, attach the appropriate subscriptions to that system.
    1. Open the Attached Subscriptions tab.
    2. Click the Attach a subscription link.
    3. Click the check boxes by all of the subscriptions to attach, and then click the Attach Selected button.
  6. Click the Download link to download the entitlement certificate for each subscription. Save the file to some kind of portable media, like a flash drive.
  7. Optionally, open the Identity Certificate tab and click the Download button. The identity certificate for the registered system could be used by the system to connect to the subscription management service. If the system will permanently be offline, then this is not necessary, but if the system could ever be brought onto the network, then this is useful.
  8. Copy the entitlement certificates from the media device over to the system.
  9. Import the entitlement certificates. This can be done by using the Import Certificates item in the System menu in the Subscription Manager UI or by using the import command. For example:
    # subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem
    Successfully imported certificate 596576341785244687.pem
    Successfully imported certificate 3195996649750311162.pem
  10. If you downloaded an identity certificate, copy the cert.pem file directly into the /etc/pki/consumer directory. For example:
    cp /tmp/downloads/cert.pem /etc/pki/consumer

5.2. The System List: Viewing the Inventory

Every system which is registered with Customer Portal Subscription Management is listed in the inventory. That system inventory for Customer Portal Subscription Management, which covers the entire account, can be viewed in Customer Portal Subscription Management. There are several ways to navigate to the system list. The simplest is by selecting the Consumers List item from the Subscriptions menu.
Main Menu Link

Figure 11. Main Menu Link

Alternatively, click the unit typein the Subscription Management page.
Subscription Management Page

Figure 12. Subscription Management Page

The system table shows the system name (usually the fully-qualified domain name or system name) and the type of system. By default, all systems and units are listed. Filters can be set to narrow the results by type or system name.
The System List

Figure 13. The System List

5.3. System Details: Viewing System Information

Clicking the system name in the Units > Type list opens the details page for that system. The details shows a list of subscriptions, system facts, and other subscription settings.
The System Details

Figure 14. The System Details

The System Facts tab shows system information that has been gathered about the system. This information can be about the hardware, the architecture, system settings, and operating system information. The type of information varies depending on the platform, whether it is a virtual or physical machine, operating system version, and system settings. The system facts are used to determine the compatible subscriptions which are available to the system, meaning subscriptions for that architecture, hardware, and operating system version.
The System Facts

Figure 15. The System Facts

Note

If a system is manually added to the inventory through the Customer Portal Subscription Management, then only a limited set of system facts are displayed, dependent on what was entered about the system when it was registered.
Systems which are registered using the local Red Hat Subscription Manager tools can have a great many system facts listed, dependent on the result of system scans performed by the on-premise Red Hat Subscription Manager system service.

5.4. Attaching Subscriptions to a System

Basically, a subscription grants access to software downloads and updates, along with defining support levels. For a system to be able to use software, it must have a subscription which grants it that access. The Attached Subscriptions tab controls what subscriptions are attached to a system.
The Attached Subscriptions tab shows what subscriptions are currently attached to a system. Clicking the Attach a subscription link shows all of the subscriptions that are available to the system, based on what subscriptions are compatible with the hardware.

Note

Available subscriptions can also be determined by subscriptions which are compatible with currently installed products. This view of subscriptions is only available in the Red Hat Subscription Manager local clients, since Customer Portal Subscription Management has no perspective into what products are currently installed on the system. It only knows what its subscriptions are based on the subscription service inventory.
The list of available subscriptions provides three important pieces of information for the product (aside from its name):
  • The service level for the subscription.
  • The contract number for the purchase of the subscription, which is important for record keeping and tracking.
  • The quantity still available for that subscription. Subscriptions are purchased in quantities; this number tells how many are still left of the total quantity purchased.
  • The start and end dates of the subscription. This keeps you from attaching a subscription that may only be valid a few days before it expires or which are not yet active.

Note

Using the Filter box can help narrow down the list of subscriptions, which is useful if the account has many subscriptions, which can require navigating through pages of results.
  1. Open the Attached Subscriptions tab.
  2. Click the Attach a subscription link.
  3. Click the checkboxes by all of the subscriptions to attach.
    Normally, subscriptions are listed only if they are compatible with the system, meaning they match the system's recognized hardware, architecture, and preferences (service level or release version). To list all subscriptions, even those that aren't compatible with the system's hardware or service level preference, then deselect the appropriate Only Show... checkbox.
  4. Click the Attach Selected button.

5.5. Checking Status

The portal provides a way to make sure that a system has all of its subscriptions up-to-date. The system's details page has a Certificate Status summary that shows whether all of the installed products on that system have the appropriate subscriptions attached.
Subscription Status

Figure 16. Subscription Status

The status shows how long the current subscriptions are valid and the last time that the subscription certificates were updated.
The status of the system subscriptions is color-coded:
  • Green means all products have a valid subscription.
  • Yellow means that some products may not have active subscriptions but updates are still in effect.
  • Red means that updates are disabled.
The system status is determined by the local system itself, based on its system facts, installed products, and local subscription certificates. This information is synced with the subscription service every 24 hours (by default). The Customer Portal does not store the information about installed products; it relies on the information from the system itself. If a system is offline and cannot send its information, then the Customer Portal reflects an unknown status.
Unknown Subscription Status

Figure 17. Unknown Subscription Status

5.6. Setting a Preferred Service Level

Part of a subscription is a defined service level for that product on a given system. Red Hat service levels are defined in the contract; a summary of production support levels is available at https://access.redhat.com/support/offerings/production/sla.html.
There are three basic support levels:
  • Premium
  • Standard
  • None (self-supported)
An account can have multiple levels of support available, even for the same product, and, obviously, not every system within an IT environment demands the same response times and support as other systems. For example, a production system usually has a premium support level since it is a business critical system, while a development system may have standard support or be self-supported.
When a system is configured, it can be assigned a preferred service level. When subscriptions are autoattached to the system and the preferred service level is available, then the subscription matching that preference is used. (Service-level preferences are not evaluated or enforced for manually selecting and attaching subscriptions.)

Note

Service-level preferences must first be set locally on the client when it is registered, by autoattaching, or when editing the configuration later. For example:
[root#server ~]# subscription-manager attach --auto --servicelevel Premium
After the service-level preference is set for the system, then that preference can be viewed and edited through the Portal.
The service-level preference is set in the system details page.
Service-Level Preference

Figure 18. Service-Level Preference

5.7. Viewing the Operating System Release Release Preference

Many IT environments have to be certified to meet a certain level of security or other criteria. In that case, major upgrades must be carefully planned and controlled — so administrators cannot simply run yum update and move from version to version.
Setting a release version preference limits the system access to content repositories associated with that operating system version instead of automatically using the newest or latest version repositories.
For example, if the preferred operating system version is 6.3, then 6.3 content repositories will be preferred for all installed products and attached subscriptions for the system, even as other repositories become available.
Only packages, updates, and errata for that specific version will be used for the system.
A release version preference can only be set using the local Red Hat Subscription Manager tools. However, if a release preference is set for the local system, that preference is viewable for that system in the portal.
Operating System Release Version Preference Setting

Figure 19. Operating System Release Version Preference Setting

5.8. Autoattaching Subscriptions

The subscription service can monitor the subscriptions that are attached to a system and track when they near their expiration dates. Within 24 hours of when the subscription expires, the Subscription Manager automatically re-attaches the system to a matching new subscription so that the subscription status remains green.
Autoattaching prevents a system from having uncovered products as long as any active, compatible subscription is available for it.
Autoattaching is enabled by default on systems to ensure that they maintain their subscription status. Autoattaching can be disabled and re-enabled by toggling the Disable/Enable buttons on the system's details page.
Toggling Autoattaching

Figure 20. Toggling Autoattaching

5.9. Viewing Subscriptions for a System

When a subscription is attached to a system, then it is listed on the Attached Subscriptions tab with its contract number and expiration date.
Subscription Details Link

Figure 21. Subscription Details Link

Clicking the View link for that subscription opens up much more detail about the subscription, including a list of products that the subscription provides, its order information, the quantity and type of subscriptions available in that one subscription, and its certificate (which can be regenerated on the system or downloaded for view).
Subscription Details

Figure 22. Subscription Details

5.10. Removing Subscriptions for a System

A subscription can be removed from a system to free up that quantity for another system. To remove a subscription from a system, click the Remove link by the subscription on the Attached Subscriptions tab.

5.11. Removing a System

A system can be removed or unregistered from the subscription management service through Customer Portal Subscription Management. This is equivalent to running the unregister command with Red Hat Subscription Manager.
For an offline system, it may not be possible to use the local tools to unregister the system. Removing the system manually though the Portal will remove the system and free any attached subscriptions.
  1. Open the Subscriptions tab in the Customer Portal, and select the Overview item under the Subscription Management area.
  2. In the Usage area on the right, click the Subscription Management link.
  3. Click the link for the system type in the Subscription Management page.
  4. Select the checkboxes by the systems to delete.

    Note

    You cannot delete more than five (5) systems at a time.

Note

You can also remove a single system by clicking the Delete this system button in its details page.

5.12. Viewing and Regenerating Identity Certificates for a System

Customer Portal Subscription Management is certificate based. Standard SSL certificates are used to authenticate systems and application organizations to the subscription management service. These are called identity certificates.
The identity certificate contains the UUID for the system or application organization in the inventory (in the CN of the certificate), a serial number for the certificate, and the creation and expiration dates for the identity certificate (with creation being the day the system was registered).
The identity certificate tab has all of the relevant information in the identity certificate (the serial number and creation/expiration dates). The UUID for the system or application organization is used to identify it in the certificate.
Identity Certificate Details

Figure 23. Identity Certificate Details

There can be times when the identity certificate for a system is lost, perhaps because it was deleted or corrupted or because the system was changed. The identity certificate can be downloaded directly through Customer Portal Subscription Management, in a base 64-encoded PEM file like the one that was initially generated on the system.
-----BEGIN CERTIFICATE-----
MIIDdzCCAuCgAwIBAgIIASDVoX2P1a8wDQYJKoZIhvcNAQEFBQAwSzEqMCgGA1UE
AxMhY2FuZGxlcGluMS5kZXZsYWIucGh4MS5yZWRoYXQuY29tMQswCQYDVQQGEwJV
UzEQMA4GA1UEBxMHUmFsZWlnaDAeFw0xMTAzMDkxNTAxMDVaFw0xMjAzMDkxNTAx
MDVaMC8xLTArBgNVBAMMJDdmY2Y2NjYwLTdkZDYtNDdjZi04ZjJjLTQ0NmJiMWE1
YWQyZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJA0wmfB9znYeZu2
lOCga8ERkKPHDZtBKJknT/L74U4+ZQb7wFfRhhqeAv38erEyH40o79iVZJAc0cnT
pBdUYVN9ronv8vOFgdkqBdrjy4t7qq8ofI6dpj0U8fTaisU82WXBq1t41dn7OrJT
vbRCa4ZCt3FMzTkthd1ZKniLgfvokeGr6gVnh4jEgoFuMPHxigXKPDBvn7R5mf0w
vNM1m2/1OKMPI4u5ZLsN/XTyd4t3MSX25SFqobtkVABW7jVlRvyWuR7V6PxpzmTZ
7CjodUY+CVZrFIiL8s2pMkX38KCEXlUuH8DXymDxj4IAMSYC2SW7F7z2YQNTbAvK
kcklWHECAwEAAaOB+zCB+DARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgSw
MHsGA1UdIwR0MHKAFGiY1N2UtulxcMFy0j6gQGLTyo6CoU+kTTBLMSowKAYDVQQD
EyFjYW5kbGVwaW4xLmRldmxhYi5waHgxLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVT
MRAwDgYDVQQHEwdSYWxlaWdoggkA1s54sVacN0EwHQYDVR0OBBYEFOP0p6JiVnQ2
SBmscyhvB1It2bjmMBMGA1UdJQQMMAoGCCsGAQUFBwMCMCUGA1UdEQQeMBykGjAY
MRYwFAYDVQQDDA10ZXN0LXN5c3RlbS0xMA0GCSqGSIb3DQEBBQUAA4GBADOoBuca
Jg244L6LLMw8ov32VK/kRCk9z8qcMA6y8+jL1yrfW//9Ig1BJiWKnrqln3eSNvf+
zouqNgaS4kvQeQf51lPVws++q3J9/q1i4WvJ4kDRN7HOtasf6KmSBpVM6dSDLrX3
nEZbvD0hT+2YVj/DJ7IXvQ9F3KXDkcwb4Lrh
-----END CERTIFICATE-----
Alternatively, the original identity certificate can be revoked and a new identity certificate generated in its place; this is called regenerating the certificate. The regenerated identity certificate will have the same UUID as the original (so its place in the inventory and all its subscriptions are preserved) but with a different serial number and new creation/expiration dates.