Introduction to Red Hat Subscription Management Workflows
to better understand and manage subscriptions for an IT infrastructure
Abstract
1. Introduction to Subscription Management
1.1. The Goals of Subscription Management
- Maintain regulatory compliance by tracking software attached subscriptions and expiration periods.
- Simplify IT audits.
- Be more effective at assigning subscriptions by clarifying the relationships between subscriptions and systems.
- Lower costs and streamline procurement. While under-subscribing systems can run afoul of regulations, over-subscribing systems can cause a significant impact on IT budgets.
- Access to support services
- Content delivery and hosted repositories
- Access to knowledgebases, forums, videos, and other resources
1.2. Subscriptions: The Relationship Between Systems, Software, and Support
- A company (account) buys a subscription to a product. The subscription defines a number of times it can be used (the quantity), the support level, the content repositories, and the period that it is good for.
- A system is added, or registered, to the inventory for the subscription service. This means that the subscription service can manage the server and attach subscriptions to it.The subscription service collects certain facts about the system, including its hardware and installed products, which it uses to help determine what subscriptions the system requires.
- A subscription is assigned or attached to a system.
- The system downloads software packages and updates from the content delivery network for as long as the subscription is active.

Figure 1. The Structure of the Subscription Service
- An identity certificate for the system; this is used by the system to authenticate to the subscription service periodically to check for updates.This is created when the system is registered.
- A product certificate for each product installed on the system. Each product in Red Hat has an identifying certificate (but this is not unique to the system).This is installed on the system as part of installing the product.
- A subscription certificate for each subscription attached to the system. This includes information about the subscription from the inventory.This is installed on the system when a subscription is attached to the system.
Note
yum. Conversely, having a product installed does not mean that the appropriate subscriptions have been attached to the system. A system does not require a valid certificate to install a product.
- For regulatory compliance and IT audits, Red Hat offers two account-wide views into systems and subscription associations: the utilization views in the Customer Portal and the reporting and dashboards in subscription management applications such as Subscription Asset Manager
- For better effectiveness at assigning subscriptions, system tools allow systems to have all relevant, compatible subscriptions automatically assigned (attached) to the system based on what products are installed — or for administrators to select and manually attach subscriptions (Viewing Reports and Notifications). Tools list both available subscriptions and the quantities still available for those subscriptions, so that the right subscription can be attached and the right number of subscriptions are used.
- For better purchasing strategies, subscription management tools help simultaneously track oversubscribing (using the same subscription on too many systems), undersubscribing (not having enough subscriptions for the installed products on a system), and subscription expirations.For details, see Viewing Reports and Notifications.Having a time-based picture on subscriptions — not only what is covered but how long it is covered — helps administrators control identify when to purchase new subscriptions, so subscriptions are not purchased too early or too late.
1.3. About Relationships Between Subscriptions and Systems
1.3.1. Interactions with Subscriptions, Products, and Systems
- Associate a single quantity of a product with a single system (which is the most common relationship).
- Restrict one product so that it cannot be installed on the same system as a specific, different product.
- Keep a system on a consistent service level. Each subscription includes a definition for what service level (e.g., standard or premium) the product has. Subscription clients first try to assign subscriptions of the same service level (and this can be enforced) so that the system has consistent support levels.
- Allow virtual guests to inherit some subscriptions from their host.
- Allow some hosts to have unlimited guests for a data center deployment.
- Allow a single “subscription” to be broken across multiple systems. This works in something like Red Hat Cloud Infrastructure, where a single purchase actually covers four products — Red Hat Enterprise Linux, Red Hat OpenStack, Red Hat Virtualization, and Satellite 6 Management Engine — and those products each have their own subscription which can be used on different systems to create the stack.
- Stack or combine subscriptions of the same type to cover a system.
1.3.2. Counting Subscriptions
- Multiple products with a single subscription (Red Hat Cloud Infrastructure)
- Inheritable subscriptions
- Data center subscriptions, which allow unlimited virtual guests (and only the host requires a specific subscription)
1.4. Subscription Terms
- account
- The primary, top-level account for a company. This is the entity that is used within the Customer Portal to define the company and it is where all user and subscription information originates.
- attach
- Assigning a subscription to a system.
- autoattach
- A setting on the local system (or an option with the Subscription Manager tools) that perodically checks for new subscriptions, changing subscription statuses for products, and then automatically assigns new subscriptions to cover the changes. The subscriptions are selected based on the best fit for the system architecture and hardware, installed product, and defined preferences.
- certificate
- A specific file based on the X.509 certificate standard that is used for SSL communication and within a public key infrastructure. This is used to identify elements within Red Hat Subscription Management including identities (systems), installed products, and consumed subscriptions.
- identity
- An entity registered with a subscription management application. An identity usually correlates to a system, but it can also be a hypervisor, domain, an organization within a management application, or other servers such as RHUI and Satellite.
- instance
- An element within a system that is covered by a subscription. For physical systems, an instance is most commonly a socket pair. For virtual environments, an instance is a single virtual guest.
- inventory
- The list of systems, hypervisors, applications, and other entities registered with a subscription application. The inventory also contains a list of available and used subscriptions for the organization.
- organization
- A subdivision in an on-premise application such as Subscription Asset Manager. An organization has its own system inventory and a subset of subscriptions (defined in a manifest). This is a way to define a subscription structure that reflects the IT environment. An organization can be aligned with a physical location or an organizational division in a company.
- pools
- The complete set of subscriptions and quantities allocated to an organization or account.
- preference
- A defined criterion used by autoattach operations to select subscriptions. Preferences are set on the local system, but they actually define attributes within the potential subscriptions that should be evaluated for autoattach. There are two preferences: the service level for the subscription and the operating system minor release (the X.Y version, such as 5.10 or 6.5).
- quantity
- The number of subscriptions used to cover a product or system. A subscription covers a set amount of attributes, such as the number of sockets on a physical system. Multiple subscriptions may be required to cover a given system, based on its hardware and configuration.
- register
- To add a system or other entity (such as an organization or hypervisor) to the subscription management inventory.
- stacking
- Combining multiple subscriptions to cover a product or system. There are rules applied to what subscriptions can be stacked. For example, only subscriptions of the same service level can be stacked. Also, some subscriptions may restrict what products can be installed with it, so some subscriptions may not be available to some systems.
- status
- The cumulative state for a system of all of the installed products and associated valid subscriptions. If all installed products have active subscriptions, the status is valid (green). If some products lack subscriptions or do not have enough quantities of subscriptions to cover its configuration, the status is insufficient (yellow). If a product or system has no subscriptions, the status is invalid (red).
- subscription
- A definition of the products that are available, the support levels, the quantities (or number) of servers that the product can be installed on, architectures that the product is available for, content repositories which supply the product, and other information related to the products.
- subscription management application
- The backend server which interacts with the individual systems by creating an inventory of systems. It also keeps the inventory of subscriptions, including contracts, quantities, and expiration dates. When a new system is registered, when subscriptions are attached, or when products are installed, the subscription management service manages the changes and issues a corresponding certificate to the system to mark the change. The subscription management service also defines rules for products, such as hardware/architecture restrictions, to help with attaching subscriptions.
- system
- Any entity — a physical or virtual machine — which is in the subscription service inventory and which can have subscriptions attached to it.
- utilization
- A summary of the total number of subscriptions available to an organization, and the total number of subscriptions that are attached to Customer Portal Subscription Management, RHN Classic, and different subscription management applications.
1.5. RHN Classic, Satellite, and Channel Entitlements
- Use Satellite 5.6 and Subscription Asset Manager 1.3 for enhanced reporting.
- Migrate Red Hat Enterprise Linux 5 and 6 systems from the old subscription service to a new subscription service (Subscription Asset Manager or Customer Portal Subscription Management); this moves their registration, updates their attached subscriptions, and changes what client tools are used to manage the system from
rhn_registertosubscription-manager.
- Consolidate channel entitlements and system entitlements into a single entitlement pool, which is more structurally similar to the new subscription model.
- Map channel entitlements to new product subscriptions.
- Correlate installed products on managed systems with corresponding subscriptions, based on their channel subscriptions.
- Display legacy systems and entitlements in the same style as modern subscription management, to make it easier to create cohesive audit reports.
- Provide unified views of subscriptions and products for legacy systems and systems registered with Red Hat Subscription Management.
2. Tools and Applications for Subscription Management
- Red Hat Subscription Manager client tools to manage local systems
- Customer Portal Subscription Management to manage systems and subscription application organizations for a single account globally through the Customer Portal
- Subscription Asset Manager to install an on-premise subscription service
2.1. Local System Tools (Red Hat Subscription Manager)
Note
root because of the nature of the changes to the system. However, Red Hat Subscription Manager connects to the subscription service as a user account for the subscription service.
firstboot process for configuring content and updates, but the system can be registered at any time through the Red Hat Subscription Manager UI or CLI. New subscriptions, new products, and updates can be viewed and applied to a system through the Red Hat Subscription Manager tools.
2.1.1. Launching the Red Hat Subscription Manager UI
[root@server1 ~]# subscription-manager-gui
- The My Subscriptions tab shows all of the current subscriptions that the system is subscribed to.
- The All Available Subscriptions tab shows all of the subscriptions that are available to the system. The default displays only subscriptions that are compatible with the hardware, but these can be filtered to show any subscriptions which match the hardware, any subscriptions which match installed products, only subscriptions which do not overlap with a currently-attached subscription, or any subscription which matches a given string.
- The My Installed Products tab shows the currently installed products on the system, along with their subscription status. This does not allow administrators to install software, only to view installed software.

Figure 3. Red Hat Subscription Manager Main Screen
2.1.2. Running the subscription-manager Command-Line Tool
subscription-manager tool. This tool has the following format:
[root@server1 ~]# subscription-manager command [options]
subscription-manager help and manpage have more information.
Table 1. Frequently-Used subscription-manager Commands
| Command | Description |
|---|---|
| Operational Commands | |
| register | Registers or identifies a new system to the subscription service. |
| unregister | Unregisters a machine, which strips its subscriptions and removes the machine from the subscription service. |
| attach | Assigns a specific subscription to the machine. |
| remove | Removes a specific subscription or all subscriptions from the machine. |
| redeem | Autosubscribes a machine to a pre-specified subscription that was purchased from a vendor, based on its hardware and BIOS information. |
| import | Manually installs a subscription certificate, rather than contacting the subscription service with a request and then receiving the certificate. |
| list | Lists all of the subscriptions that are compatible with a machine, either subscriptions that are actually consumed by the machine or unused subscriptions that are available to the machine. |
| Configuration Commands | |
| config | Modifies a specified configuration parameter in the Red Hat Subscription Manager configuration file, /etc/rhsm/rhsm.conf. The parameters are passed in the form configuration_area.parameter="value". |
| service-level | Sets the service-level preference for the system to use when selecting subscriptions in autoattach operations. |
| release | Sets the operating system release version preference for the system to use when selecting subscriptions in autoattach operations. |
| refresh | Pulls the latest subscription data from the server. Normally, the system polls the subscription server at a set interval (4 hours by default) to check for any changes in the available subscriptions. The refresh command checks with the subscription server immediately, outside the normal interval. |
| clean | Removes all of the subscription and identity data from the local system, without affecting the consumer information in the subscription service. Any of the subscriptions consumed by the system are still consumed and are not available for other systems to use. The clean command is useful in cases where the local subscription information is corrupted or lost somehow, and the system will be reregistered using the register --consumerid=EXISTING_ID command. |
| Informative Commands | |
| version | Returns the version of the local Red Hat Subscription Manager client, the name of the subscription service the system is registered with, and the version of the subscription service. |
| identity | Handles the identity certificate and registration ID for a system. This command can be used to return the current UUID or generate a new identity certificate. |
| facts | Lists the system information, like the release version, number of CPUs, and other architecture information. |
| orgs, repos, environments | Lists all of the configured organizations, environments, and content repositories that are available to the given user account or system. These commands are used to view information in a multi-org infrastructure. They are not used to configure the local machine or multi-org infrastructure. |
2.2. Customer Portal Subscription Management

Figure 4. RHN Subscription Management in the Customer Portal
Note
2.3. Subscription Asset Manager
- Subscription Asset Manager, which provides on-premise subscription services and proxies requests for Customer Portal Subscription Management content delivery
- Satellite 6, which provides both subscription services and content delivery on-premise
2.4. Hypervisor Processes
virt-who.
virt-who packages are not installed by default, but are available to Red Hat Enterprise Linux systems as part of their subscription.
3. Subscription Workflows
3.1. Planning the Workflow to Use
Table 2. Subscription and Content Services, by Source
| Server Type | Supports Subscription Services | Supports Content Delivery Services | Recommended Environment Types |
|---|---|---|---|
| Customer Portal Subscription Management |
|
|
|
| Subscription Asset Manager |
|
|
|
| Satellite 6 |
|
|
|
3.2. A Note on User Accounts
When a subscription is initially purchased, it must be configured in Subscription Asset Manager. The user accounts used to connect to the Customer Portal cannot be used to manage those systems. The lo is created in Customer Portal Subscription Management. That administrator can create other user accounts, associated with the overall company account, which (with the proper permissions) can also manage systems and subscriptions. Creating and managing Customer Portal accounts is described in Managing User Access to the Red Hat Customer Portal and the RHN Application.
Subscription Asset Manager is an on-premise application. When an IT administrator is initially accessing subscription manifests and managing subscriptions across the Red Hat account, those actions are performed through the Customer Portal, so a Customer Portal user account is used to set up and manage the Subscription Asset Manager application itself.
A user account is associated with an activation key and is used to redeem the activation key — but which user account to use depends on who issued the key. If a key was created by a vendor, then they will also define a user account to use with the key, as will Red Hat if the key were issued by Red Hat. For activation keys created by local IT departments using Subscription Asset Manager, then the associated Subscription Asset Manager user account is to be used.
3.3. Customer Portal: Autoattaching Systems
3.3.1. The Environment: Small Businesses
- Fewer than 20 Linux servers
- Limited IT resources for system maintenance
- No business need to create custom subscription or content utilities
- Infrastructures already using RHN Classic hosted services for existing Linux systems
- Simple to implement, since it uses the default system configuration
- No additional software or hardware overhead
- Possible to migrate to on-premise subscription/content services based on organization configuration later
- The same subscription services for all systems, even if the systems are in different data centers or geographic locations
Note
3.3.2. Workflow

Figure 5. Autoattach Process
--auto-attach with the subscription-manager command), there is only a single step to the registration process.
3.3.3. Options and Details
- Attaching additional subscriptions, which is especially useful if the system is autoattached during firstboot, when subscriptions are only attached for the operating system.
- Overriding system facts, which is used by the autoattach and healing processes to determine what the system architecture and hardware is for finding compatible subscriptions.
- Setting a service level preference (this can also be done during registration, so it is used as one of the priorities when selecting subscriptions).
- Setting a release preference, so that the system only updates for software targeted to that release version and ignores any upgrades to a later operating system version.
- Enabling or disabling associated
yumrepos.
3.4. Customer Portal: Registration and Manual Subscription
3.4.1. The Environment: Small Businesses
3.4.2. Workflow

Figure 6. Manual Subscription Process
- Register the system.Using the
subscription-managerCLI command, all this requires is sending the username and password for the Customer Portal Subscription Management account holder.For the Red Hat Subscription Manager UI (both run on the system and in firstboot), an autoattach operation is run by default. To undo this, check the option to skip autoattaching subscriptions. Alternatively, some subscriptions could be autoattached for the operating system, and then additional subscriptions can be attached or other subscriptions removed later. - Select and attach the subscriptions, using the Red Hat Subscription Manager tools.When the system is registered, the subscription service sends over a list of all subscriptions that are available to the account. Any of the available subscriptions can be attached to the system.Using the Red Hat Subscription Manager UI, the available subscriptions are listed in the Available Subscriptions tab; they can be selected and attached by clicking a button.In the CLI, subscriptions are listed first using the
listsubcommand and then attached by their pool ID, using theattachsubcommand.
3.4.3. Options and Details
- Setting a service level preference (this can also be done during registration, so it is used as one of the priorities when selecting subscriptions).
- Setting a release preference, so that the system only updates for software targeted to that release version and ignores any upgrades to a later operating system version.
- Enabling or disabling associated
yumrepos.
3.5. Subscription Asset Manager: Direct Subscription Assignments
3.5.1. The Environment: Small Businesses to Large Enterprises for Locally-Defined Structure
- Enact security rules that require on-premise services rather than hosted services.
- Better manage virtual environments, particularly in private clouds or data centers, which require systems to be created and removed on the fly.
- Define different content repositories for different types of systems, such as different sources for development and production systems.
3.5.2. Workflow

Figure 7. Subscription Asset Manager Setup
- If necessary, create an entry in the Red Hat inventory for the organization. Every organization in Subscription Asset Manager must have a corresponding subscription service entry in the Red Hat inventory.
- Assign a bloc of subscriptions to the organization. This bloc of subscriptions is the manifest of subscriptions for that Subscription Asset Manager organization.
- Export the manifest.
- Import the manifest into Subscription Asset Manager.
- Configure the Red Hat Subscription Manager client on the local system to use the Subscription Asset Manager subscription service and, optionally, the Subscription Asset Manager content proxy.

Figure 8. Registering with Subscription Asset Manager
- Register the system.Using the
subscription-managerCLI command, use theregistercommand with the username and password for the Customer Portal Subscription Management account holder and the hostname of the Subscription Asset Manager server.For the Red Hat Subscription Manager UI, autoattaching subscriptions is performed by default. Check the option to attach subscriptions later. - Select and attach the subscriptions, using the Subscription Asset Manager UI.
3.5.3. Details and Options
- Enable autoattaching for the system and, optionally, set a service level preference.
3.6. Subscription Asset Manager: Activation Keys
3.6.1. The Environment: Preconfigured Systems
- Administrators have control over which subscriptions are installed to a system without having to create and configure every system first.
- Because activation keys are created within Subscription Asset Manager and do not rely on system settings or architecture, the target system does not have to exist yet.
- Users can register their system in a single step and automatically have all the proper subscriptions attached, without having to select and attach subscriptions manually and potentially miss a subscription.
3.6.2. Workflow

Figure 9. Subscription Asset Manager Setup
- If necessary, create an entry in the Red Hat inventory for the organization. Every organization in Subscription Asset Manager must have a corresponding subscription service entry in the Red Hat inventory.
- Assign a bloc of subscriptions to the organization. This bloc of subscriptions is the manifest of subscriptions for that Subscription Asset Manager organization.
- Export the manifest.
- Import the manifest into Subscription Asset Manager.
- Configure the Red Hat Subscription Manager client on the local system to use the Subscription Asset Manager subscription service and, optionally, the Subscription Asset Manager content proxy.This can be done at any point before the system is registered, so it can even be performed after the activation key is created.

Figure 10. Registering with Activation Keys
- Create the activation key. This is a container entry that subscriptions can be attached to.
- Attach subscriptions to the key.
- Register the local system using the activation key.This is basically an autoattach operation, only instead of using the Red Hat Subscription Manager evaluation to select best-matched subscriptions, it attaches the pre-configured subscriptions associated with the key.
3.6.3. Details and Options
- Enable autoattaching for the system and, optionally, set a service level preference.
3.7. General Management: Firstboot
- Red Hat Subscription Management, which covers product-driven subscription services in Customer Portal Subscription Management, Subscription Asset Manager, and Satellite 6
- RHN Classic, which uses channel-driven access to content
- Satellite or Proxy content delivery, which uses a channel-based system similar to RHN Classic
- Register later

Figure 11. Firstboot
3.8. General Management: Kickstart
subscription-manager command to run through each of the required steps.
3.8.1. The Environment: Scripted Environments
3.8.2. Workflow
subscription-manager command as a post-install script.
%post --log=/root/ks-post.log /usr/sbin/subscription-manager register --username rhn_username --password rhn_password --auto-attach
--auto-attach option to attach the best-matched subscriptions.
3.8.3. Options and Details
- Set a service level preference using the
--serviceleveloption. - To attach subscriptions manually, leave off the
--auto-attachoption and run a second script with theattachcommand or add the subscriptions later. - By default, Red Hat Subscription Manager uses the Customer Portal hosted subscription and content services. To use an on-premise service like Subscription Asset Manager, first run the
subscription-manager configcommand and reset the Red Hat Subscription Manager configuration, and then register the system using the new configuration. - To register a system and attach subscriptions using an activation key, first configure Red Hat Subscription Manager to use the appropriate subscription service and then register with the activation key.
3.9. General Management: Hypervisors and Guests
virt-who process can detect and associate guests on several different types of hypervisors:
- Red Hat Enterprise Virtualization Manager (KVM)
- Xen
- HyperV
- VMware ESX
3.9.1. The Environment: Data Centers, Cloud Environments, Any Environment Using Virtual Machines
Note
virt-who process on the hypervisor.
3.9.2. Workflow
- If registering with a Subscription Asset Manager instance, install the Subscription Asset Manager RPM to configure Red Hat Subscription Manager.
- Register the system as hypervisor, using the
--type=hypervisoroption with thesubscription-managercommand. - Install
virt-whoon a Red Hat Enterprise Linux system within the infrastructure. This Red Hat Enterprise Linux system manages the mapping and communicates with Red Hat Enterprise Linux guests, the hypervisor, and the backend subscription service, even if the hypervisor itself is not a Red Hat Enterprise Linux system.If the Red Hat Enterprise Linux system is ever unavailable, the host/guest mapping is not available, and virtual systems are treated as physical systems. - For VMware or for environments using Subscription Asset Manager. Edit the
virt-whoconfiguration file (/etc/sysconfig/virt-who) to recognize the appropriate virtualization and subscription services. - Start the
virt-whoprocess to create the host-guest mapping.
3.10. General Management: Disconnected Systems
3.10.1. The Environment: Security Environments and Backup Systems
rhsmcertd process checks for updated subscription information every four hours by connecting to the given subscription service. If a system cannot connect to the Internet, than almost all of those management tasks cannot be performed.
3.10.2. Workflow

Figure 12. Registering Disconnected Systems
- Create the system's entry.The simplest thing is to create this entry in the Customer Portal, which is a global view of all systems in the company. If a subscription service like Subscription Asset Manager is used, then the disconnected system can be associated with a local organization and system group, which could be useful if the system will be brought online later.
- Attach subscriptions to the system. If the system were online, the Red Hat Subscription Manager would pull in a list of available subscriptions and then communicate that back to the subscription service (much like a waiter taking an order in a restaurant). In that way, both the local system and the subscription service are aware of what is attached to the system.With a disconnected system, the appropriate subscriptions need to be set aside and attached to the system first so that the subscription service is aware of the assignments.
- Download all of the certificates for the system, both the identity (registration) certificate and all of the associated attached subscription certificates.
- Copy the identity certificate into the appropriate location. This tells the system what its registration information is.
- Copy the subscription certificates into the appropriate location.This tells the system what subscriptions it has attached to it, without having to query the subscription service for available subscriptions.
3.10.3. Options and Details
3.11. Legacy: Migration from RHN Classic
Important
3.11.1. The Environment: Small Businesses with Older Red Hat Enterprise Linux Systems
3.11.2. Workflow

Figure 13. Migration Process
- Red Hat Enterprise Linux 5 and 6. Migrating a system's registration and subscriptions from RHN Classic to Customer Portal Subscription Management (both hosted services).This uses the
rhn-migrate-classic-to-rhsmmigration script. - Red Hat Enterprise Linux 5 only. Migrating the local system configuration using RHN Classic-style channels to using Customer Portal Subscription Management certificates for installed products. This migration is based on the installation number for the system. Using the installation number as the basis for migrating information is particularly useful for a disconnected (offline) system, which has no way to connect to RHN Classic.This uses the
install-num-migrate-to-rhsmmigration script.
3.11.3. Options and Details
4. Revision History
| Revision History | |||
|---|---|---|---|
| Revision 1.3-6 | April 13, 2014 | ||
| |||
| Revision 1.3-4 | September 18, 2013 | ||
| |||



