Migrating from RHN Classic
to migrate from older Red Hat Network Classic (hosted) to updated subscription management
- Systems can be upgraded from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7. Both Red Hat Enterprise Linux 6 and 7 systems use the same type of subscription management services, but the available content repositories and product subscriptions are different between the platforms. This means that subscriptions must be managed appropriately as part of upgrading the underlying system.
- Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 systems can migrate from channel-based subscription services to Red Hat Subscription Management. This is truly migrating subscriptions, since the subscriptions are moved from one type of service to another.
Since Red Hat Enterprise Linux 6 can use Red Hat Subscription Management and Red Hat Enterprise Linux 7 systems must use Red Hat Subscription Management, there is no need to migrate the subscription services: it is the same service. However, the system migration and installed product migrations may not happen at the same time, which means that the subscriptions required to cover the system at Red Hat Enterprise Linux 6 may be different than the ones required after it is upgraded. This requires administering the subscriptions for the system, by updating the registration, configuring repositories, and re-attaching the subscriptions.
Red Hat Subscription Management structure provides detailed, accurate, and clear representations of the relationships between subscriptions, systems, their parent organizations, and overall usage patterns. This is done by identifying the different elements involved in subscription management — the system, the installed products, and the assigned subscriptions — with unique certificates.
1. Managing Subscriptions When Upgrading to RHEL 7
redhat-upgrade-toolupgrades the underlying operating system, but any software or applications installed may not necessarily be upgraded by the script. Many products do not yet have Red Hat Enterprise Linux 7 content repositories available.
- Update the Red Hat Enterprise Linux 6 to install the required upgrade tools, and reboot the system.
- Run the preupgrade check.
- Unregister your system from the previous subscription service. This is done using the unregister command.
[root@server ~]# subscription-manager unregister
- Remove the Red Hat Enterprise Linux 6 product certificate to allow the system to be upgraded. If the product certificate is not removed, then later attempting to register the system creates a conflict, because it is incorrectly interpreted as a Red Hat Enterprise Linux 6 system.
[root@server ~]# rm -rf /etc/pki/product/69.pem
- Use the upgrade script to upgrade the system to Red Hat Enterprise Linux 7. In this example, the version is set to Red Hat Enterprise Linux 7.0 and the installation directory points to a public FTP repository.
[root@server ~]# redhat-upgrade-tool-cli --network 7.0 --instrepo ftp://ftp.redhat.com/pub/redhat/rhel/7.0/x86_64/os
NoteThis only upgrades the base operating system. Any additional products or applications need to be upgraded separately.
- Register your system again with the subscription service. This is done using the register command.
[root@server ~]# subscription-manager register --username email@example.com Password: The system has been registered with id: 7d133d55-876f-4f47-83eb-0ee931cb0a97
- Locate any available Red Hat Enterprise Linux 7 repositories for any required layered products, and configure
yumto use those repositories.
- Optional. Attach any required subscriptions. For example:
[root@server1 ~]# subscription-manager list --available +-------------------------------------------+ Available Subscriptions +-------------------------------------------+ ProductName: RHEL for Physical Servers ProductId: MKT-rhel-server PoolId: ff8080812bc382e3012bc3845ca000cb Quantity: 10 Expires: 2016-09-21 [root@server1 ~]# subscription-manager attach --pool=ff8080812bc382e3012bc3845ca000cb
2. Migrating Systems from RHN Classic
2.1. Differences Between Customer Portal Subscription Management and RHN Classic
2.1.1. Purpose of Migration
2.1.2. The Focus of Customer Portal Subscription Management
2.1.3. The Focus of RHN Classic
2.1.4. Differences in Functionality
Table 1. Comparison of Customer Portal Subscription Management and RHN Classic Functions
|Customer Portal Subscription Management||RHN Classic|
|Registering a system|
|Managing configuration files||Must be done locally.|
|Taking system snapshots||Must be done locally.|
|Kickstarting systems||Satellite 6 or other management tools.|
|Running scripts||Satellite 6 or other tools.|
2.1.5. Differences in Registration and Subscription Processes
2.1.7. Migration Paths
systemidvalue (Red Hat Enterprise Linux 5 or 6) or an installation number (Red Hat Enterprise Linux 5).
rhn-migrate-classic-to-rhsmperforms the migration based on the system ID, in the
2.2. Installing the Migration Tools
- The migration tools and data are usually in the main channels for Red Hat Enterprise Linux 5 or 6, but they may be located in optional or supplementary channels. Do a simple
yumsearch to make sure that the packages are available. For example:
[root@server ~]# yum search subscription-manager-migration -v Not loading "rhnplugin" plugin, as it is disabled Loading "product-id" plugin Loading "refresh-packagekit" plugin Loading "security" plugin Loading "subscription-manager" plugin Updating certificate-based repositories. ================= N/S Matched: subscription-manager-migration ================== subscription-manager-migration.x86_64 : Migration scripts for moving to : certificate based subscriptions Repo : rhel-6-server-rpms subscription-manager-migration-data.noarch : RHN Classic to RHSM migration data Repo : rhel-6-server-rpmsIf necessary, enable the supplementary repositories which contain the migration RPMs.
[root@server ~]# subscription-manager repos --enable rhel-6-server-optional-rpms
- Install the migration tool packages.
[root@server ~]# yum install subscription-manager-migration subscription-manager-migration-data
2.3. Migrating from RHN Classic to Customer Portal Subscription Management
rhn-migrate-classic-to-rhsmscript has this syntax:
[root@server ~]# subscription-manager facts --list | grep migr migration.classic_system_id: 09876 migration.migrated_from: rhn_hosted_classic migration.migration_date: 2012-09-14T14:55:29.280519
Please refer to the following table for comparisons between RHN Classic and Red Hat Customer Portal Subscription Management capabilities. Note, this table may contain statements regarding future services not yet approved for implementation and does not indicate a commitment for delivery.
Red Hat Portal (Red Hat Subscription Management)
Red Hat Product Support
Red Hat Enterprise Linux versions supported
All current products and versions in Red Hat Enterprise Linux 4 All current products and versions in Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 All current products and versions in Red Hat including Enterprise Linux 7 are supported via Red Hat Satellite 5.7 But not via RHN Classic Hosted or stand-alone Proxy)
Red Hat Enterprise Linux 5 (5.7 and newer) Red Hat Enterprise Linux 6 (6.1 and newer) Red Hat Enterprise Linux 7 Intended for future versions of Red Hat Enterprise Linux
Red Hat Enterprise Virtualization versions supported
All current products and versions including RHEV 2.1, 2.2, 3.0
RHEV 3.0 and newer
Red Hat Enterprise Linux Migration to RHSM support?
YES, for Red Hat Enterprise Linux 5 (5.8 and newer) - via migration tooling as described in Red Hat Subscription Management
YES, for Red Hat Enterprise Linux 6 (6.3 and newer) - via migration tooling as described in Red Hat Subscription Management and How to migrate a Red Hat Enterprise Linux System from RHN Classic to RHSM
Red Hat Satellite 5
YES, all versions of 5.x
PARTIAL, Satellite 5 certificates can be issued from Customer Portal. Satellite 5.6 or 5.7 can be integrated with SAM 1.3+ to provide subscription status reporting
Red Hat Satellite 6
Support for all product SKUs
YES, but future product products may not be enabled for RHN Classic
YES, with a small number of exceptions and Why aren’t my subscriptions available in Red Hat Subscription Management?
Subscription Management Support
Default Client for installation method
Red Hat Enterprise Linux 5 (5.7 and older) Red Hat Enterprise Linux 6 (6.1 and older) All Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 6 (6.3 and later) Red Hat Enterprise Linux 5 (5.9 and later) future versions of Red Hat Enterprise Linux
Content Basis for Client
Red Hat Subscription Manager
Command line utilities for Client
| || |
| || |
YES, with Smart Management subscriptions
List subscriptions available to apply to installed system on Client
Force list all subscriptions on Client
Smart autosubscribe a subscription
Graphical user interface utilities for Client
System → Administration → RHN Registration
System → Administration → Red Hat Subscription Manager
Package update utility
| || |
Yum plugin support
| || |
Web-based administration tool for customers
Support for updating content through Content Delivery Network
Email errata notifications
Satellite 6.1: Subscribing to Errata Notifications
Support for IP-Based Firewall Rules
Optional and Supplementary Channels available?
YES, but off by default Many devel packages are not available in Red Hat Enterprise Linux
Support for subscription status
PARTIAL, Red Hat Satellite 5.6 or 5.7 can be integrated with Red Hat SAM 1.3+ for subscription status
Support for subscription consumption reports
PARTIAL, Red Hat Satellite 5.6 or 5.7 can be integrated with Red Hat SAM 1.3 for subscription status
YES, via Red Hat Subscription Asset Manager FUTURE, via Red Hat Satellite 6
System Management Support
Support for Smart Management Red Hat Enterprise Linux Add-On
YES, with Red Hat Satellite 6
Support for machine provisioning and monitoring
YES, with Smart Management subscriptions
YES, via Red Hat Satellite 6 provisioning feature
Content Management Support
Content Download GUI
Support for remote updating
YES, with Smart Management subscriptions
Support for offline updating
YES, via Red Hat Satellite 5
FUTURE, via Red Hat Subscription Asset Manager YES, via Red Hat Satellite 6
Support for proxied updating
YES, via Red Hat Satellite Proxy 5
YES, via Red Hat Subscription Asset Manager (SAM) and Red Hat Satellite 6 Capsule Server
2.3.1. Basic RHN Classic to Customer Portal Subscription Management Migration
rhn-migrate-classic-to-rhsmtool migrates the system profile, registers the system with Customer Portal Subscription Management Subscription Management, and autoattaches the system to the best-matched subscriptions. Optionally, administrators can also set a service level preference for the system, which is used to help evaluate what subscriptions to select.
[root@server ~]# rhn-migrate-classic-to-rhsm --servicelevel=premium RHN Username: firstname.lastname@example.org Password:
Retrieving existing RHN classic subscription information ... +----------------------------------+ System is currently subscribed to: +----------------------------------+ rhel-i386-client-5
List of channels for which certs are being copied rhel-i386-client-5 Product Certificates copied successfully to /etc/pki/product !!
Preparing to unregister system from RHN classic ... System successfully unregistered from RHN Classic.
Attempting to register system to RHN ... The system has been registered with id: abcd1234 System server.example.com successfully registered to RHN.
Attempting to auto-subscribe to appropriate subscriptions ... Installed Product Current Status: ProductName: Red Hat Enterprise Linux Desktop Status: Subscribed Successfully subscribed.
2.3.2. Migrating to an On-Premise Service
rhn-migrate-classic-to-rhsmtool migrates the system to Customer Portal Subscription Management (hosted) services by default, using the default configuration for Subscription Manager. For infrastructures which have an on-premise subscription management service such as Subscription Asset Manager, this configuration can be changed so that the migration process registers the systems with the on-premise subscription services and attaches matching subscriptions.
--serverurloption, which specifies the URL of the on-premise service. In this case, the authorization credentials must also be given for the on-premise subscription management service account (which is independent of the RHN account).
[root@server ~]# rhn-migrate-classic-to-rhsm --serverurl=sam.example.com
2.3.3. Manually Selecting Subscriptions
rhn-migrate-classic-to-rhsmcan open the Subscription Manager UI to allow administrators to select the subscriptions manually.
--guioption tells the
rhn-migrate-classic-to-rhsmto register the system only and then to open the UI, rather than attaching subscriptions to the system.
[root@server ~]# rhn-migrate-classic-to-rhsm --gui RHN Username: email@example.com Password: Retrieving existing RHN classic subscription information ... ... 8< ... Launching the GUI tool to manually subscribe the system ...
Figure 1. Subscription Selection Tab
2.4. Looking at Channel and Certificate Mappings
/usr/share/rhsm/product/RHEL-5/channel-cert-mapping.txt) uses simple keys to map the values:
.pemand the product certificate is installed in the
/etc/pki/productdirectory. For the
rhel-i386-client-workstation-5, this migrates to the
71.pemproduct certificate (the last two digits of the mapping).
2.5. About Certificates Used for Products and Subscriptions
.pemformatted file. This file format stores both keys and certificates in a base-64 blob. For example:
-----BEGIN CERTIFICATE----- MIIDaTCCAtKgAwIBAgICBZYwDQYJKoZIhvcNAQEFBQAwSzEqMCgGA1UEAxMhY2Fu ZGxlcGluMS5kZXZsYWIucGh4MS5yZWRoYXQuY29tMQswCQYDVQQGEwJVUzEQMA4G A1UEBxMHUmFsZWlnaDAeFw0xMDEwMDYxNjMyMDVaFw0xMTEwMDYyMzU5NTlaMC8x LTArBgNVBAMMJDQ4ODFiZDJmLTg2OGItNDM4Yy1hZjk2LThiMWQyODNkYWZmYzCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNyLw6+IMtjY03F7Otxj2GL GTz5VKx1kfWY7q4OD4w+XlBHTkt+2tQV9S+4TFkUZ7XoI80LDL/BONpy/gq5c5cw yKvjv2gjSS/pihgYNXc5zUOIfSj1vb3fHGHOkzdCcZMyWq1z0N/zaLClp/zP/pcM og4NTAg2niNPjFYvkQ+oIl16WmQpefM0y0SY7N7oJd2T8dZjOiuLV2cVZLfwjrwG 9UpkT2J03g+n1ZA9q95ibLD5NVOdTy9+2lfRhdDViZaVoFiQXvg86qBHQ0ieENuF a6bCvGgpTxcBuVXmsnl2+9dnMiwoDqPZp1HB6G2uNmyNe/IvkTOPFJ/ZVbtBTYUC AwEAAaOB8zCB8DARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgSwMHsGA1Ud IwR0MHKAFGiY1N2UtulxcMFy0j6gQGLTyo6CoU+kTTBLMSowKAYDVQQDEyFjYW5k bGVwaW4xLmRldmxhYi5waHgxLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYD VQQHEwdSYWxlaWdoggkA1s54sVacN0EwHQYDVR0OBBYEFGbB5fqOzh32g4Wqrwhc /96IupIgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdEQQWMBSkEjAQMQ4wDAYD VQQDDAV4ZW9wczANBgkqhkiG9w0BAQUFAAOBgQANxHRsev4fYfnHO9kYcHo4UeK7 owN+fq92gl76iRHRnhzkPlhWL+uV2tyqGG9zJASOX+qEDOqN5sVAB4iNQTDGiUbK z757igD2hsQ4ewv9Vq3QtnajWnfdaUZH919GgWs09Etg6ucsKwgfx1fqjSRLBbOo lZuvBTYROOX6W2vKXw== -----END CERTIFICATE-----
rcttool with Subscription Manager can be used to extract and view information from these certificates, in a pretty-print format. (So can general PKI management tools like
2.5.1. Summary of Certificates Used by Subscription Services
Table 2. Types of Certificates Used for Content and Subscriptions
|Certificate Type||Description||Default Location|
|Identity Certificate||Used to identify the system to the subscription service. This contains a unique ID which is assigned to the system when it is registered to the system. The identity certificate itself is generated by the subscription service when the system is registered and then sent to the system.||/etc/pki/consumer|
|Subscription Certificate||Contains a list of products that are available to a system to install, based on the subscriptions that have been attached to the system. The subscription certificate defines the software products, the content delivery location, and validity dates. The presence of a subscription certificate means that the system has used one of the quantities from the subscription.||/etc/pki/entitlement|
|Product Certificate||Contains the information about a product after it has been installed.||/etc/pki/product/product_serial#.pem|
|CA Certificate||A certificate for the certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSL to connect to the subscription service.||/etc/rhsm/ca/candlepin-ca.pem|
|Satellite Certificate||An XML-formatted certificate which contains a product list. This is used by on-premise Satellite 5.x systems, not the newer subscription service.|
2.5.2. The Structure of Identity Certificates
- The system UUID, in the subject CN of the certificate
- The subscription service which the system is registered to, in the issuer field of the certificate
- The user account which registered the system, as the DirName value in the Subject Alt Name
Example 1. Identity Certificate
Certificate: Data: Version: 3 (0x2) Serial Number: 1430 (0x596) Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=subscription.server.example.com, C=US, L=RaleighValidity Not Before: Oct 6 16:32:05 2010 GMT Not After : Oct 6 23:59:59 2011 GMT
Subject: CN=4881bd2f-868b-438c-af96-8b1d283daffcSubject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a3:72:2f:0e:be:20:cb:63:63:4d:c5:ec:eb:71: 8f:61:8b:19:3c:f9:54:ac:75:91:f5:98:ee:ae:0e: 0f:8c:3e:5e:50:47:4e:4b:7e:da:d4:15:f5:2f:b8: 4c:59:14:67:b5:e8:23:cd:0b:0c:bf:c1:38:da:72: fe:0a:b9:73:97:30:c8:ab:e3:bf:68:23:49:2f:e9: 8a:18:18:35:77:39:cd:43:88:7d:28:f5:bd:bd:df: 1c:61:ce:93:37:42:71:93:32:5a:ad:73:d0:df:f3: 68:b0:a5:a7:fc:cf:fe:97:0c:a2:0e:0d:4c:08:36: 9e:23:4f:8c:56:2f:91:0f:a8:22:5d:7a:5a:64:29: 79:f3:34:cb:44:98:ec:de:e8:25:dd:93:f1:d6:63: 3a:2b:8b:57:67:15:64:b7:f0:8e:bc:06:f5:4a:64: 4f:62:74:de:0f:a7:d5:90:3d:ab:de:62:6c:b0:f9: 35:53:9d:4f:2f:7e:da:57:d1:85:d0:d5:89:96:95: a0:58:90:5e:f8:3c:ea:a0:47:43:48:9e:10:db:85: 6b:a6:c2:bc:68:29:4f:17:01:b9:55:e6:b2:79:76: fb:d7:67:32:2c:28:0e:a3:d9:a7:51:c1:e8:6d:ae: 36:6c:8d:7b:f2:2f:91:33:8f:14:9f:d9:55:bb:41: 4d:85 Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment X509v3 Authority Key Identifier: keyid:68:98:D4:DD:94:B6:E9:71:70:C1:72:D2:3E:A0:40:62:D3:CA:8E:82 DirName:/CN=subscription.server.example.com/C=US/L=Raleigh serial:D6:CE:78:B1:56:9C:37:41 X509v3 Subject Key Identifier: 66:C1:E5:FA:8E:CE:1D:F6:83:85:AA:AF:08:5C:FF:DE:88:BA:92:20 X509v3 Extended Key Usage: TLS Web Client Authentication
X509v3 Subject Alternative Name:
DirName:/CN=admin-exampleSignature Algorithm: sha1WithRSAEncryption 0d:c4:74:6c:7a:fe:1f:61:f9:c7:3b:d9:18:70:7a:38:51:e2: bb:a3:03:7e:7e:af:76:82:5e:fa:89:11:d1:9e:1c:e4:3e:58: 56:2f:eb:95:da:dc:aa:18:6f:73:24:04:8e:5f:ea:84:0c:ea: 8d:e6:c5:40:07:88:8d:41:30:c6:89:46:ca:cf:be:7b:8a:00: f6:86:c4:38:7b:0b:fd:56:ad:d0:b6:76:a3:5a:77:dd:69:46: 47:f7:5f:46:81:6b:34:f4:4b:60:ea:e7:2c:2b:08:1f:c7:57: ea:8d:24:4b:05:b3:a8:95:9b:af:05:36:11:38:e5:fa:5b:6b: ca:5f
2.5.3. The Structure of Subscription Certificates
*.pemfile stored in the subscription certificates directory,
/etc/pki/entitlement. The name of the
*.pemfile is a numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
Certificate: Data: Version: 3 (0x2) Serial Number: 3c:da:6c:06:90:7f:ff Signature Algorithm: sha1WithRSAEncryption Issuer: CN=candlepin.example.com, C=US, L=City Validity Not Before: Oct 8 17:55:28 2010 GMT Not After : Oct 2 23:59:59 2011 GMT Subject: CN=8a878c912b875189012b8cfbc3f2264a ... [snip] ...
2indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.
184.108.40.206.4.1.2312.9. The subsequent numbers identify different subscription areas:
.2.is the product-specific information
.1.is the subscription information
.4.contains the contract information, like its ID number and start and end dates
.5.contains the system information, like the system ID which installed a product
Example 2. Annotated Red Hat Enterprise Linux High Availability Product Extensions in a Subscription Certificate
content repository type 220.127.116.11.4.1.2318.104.22.168393.1: ..yum product 22.214.171.124.4.1.23126.96.36.199393.1.1: .HRed Hat Enterprise Linux High Availability (for RHEL Subscription) (RPMs) channel name 188.8.131.52.4.1.23184.108.40.206393.1.2: .Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms vendor 220.127.116.11.4.1.2318.104.22.168393.1.5: ..Red Hat download URL 22.214.171.124.4.1.23126.96.36.199393.1.6: .Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os key download URL 188.8.131.52.4.1.23184.108.40.206393.1.7: .2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release flex quantity 220.127.116.11.4.1.2318.104.22.168393.1.4: ..0 quantity 22.214.171.124.4.1.23126.96.36.199393.1.3: ..25 repo enabled setting 188.8.131.52.4.1.23184.108.40.206393.1.8: ..1
2.5.4. The Structure of Product Certificates
*.pemfile stored in the subscription certificates directory,
/etc/pki/product/product_serial#.pem. The name of the
*.pemfile is a numeric identifier that is generated by the subscription service. As with subscription tracking, the generated ID is an inventory number, used to track installed products and associate them with systems within the subscription service.
2.5.5. Viewing Certificate Information with the rct Tool
rcttool performs two tasks:
- It displays the size and statistics of the certificate information (
- It displays information (headers) contained within the certificate, such as product or content set information (
220.127.116.11. Viewing Certificate Sizes and Statistics
stat-certcommand and specifying the PEM file of the certificate to check.
# rct stat-cert /path/to/PEM_FILE
Table 3. Information Returned by stat-cert
|Parameter||Description||Possible Values||Certificate Types It Applies To|
|Type||Identifies the type of certificate being checked.|| || |
|Version||The version of the certificate formatting which indicates the type of DER encoding used.|| || |
|DER size||The size of the certificate contents (not the size of the certificate file itself).||Size in bytes|| |
|Subject Key ID size||The size of the hashed public key for the key associated with the certificate (not the size of the key file itself).||Size in bytes|| |
|Content sets||The total number of all available content sets for the system, for all supported versions for products for the system.||Number|| |
[root@server ~]# rct stat-cert /etc/pki/entitlement/2027912482659389239.pem Type: Entitlement Certificate Version: 1.0 DER size: 47555b Subject Key ID size: 553b Content sets: 100
stat-certcommand can still be used to view the size and statistics of the certificates.
[root@server ~]# rct stat-cert /etc/pki/product/69.pem Type: Product Certificate Version: 1.0 DER size: 1558b
[root@server ~]# rct stat-cert /etc/pki/consumer/cert.pem Type: Identity Certificate Version: 1.0 DER size: 1488b Subject Key ID size: 20b
18.104.22.168. Viewing Certificate Information
# rct cat-cert /path/to/PEM_FILE [--no-product] [--no-content]
--no-contentoptions can be used to cut out the long lists of products and repositories and only return certificate and order information.
Certificatesection. The subject DN of the certificate is in the
[root@server ~]# rct cat-cert /etc/pki/consumer/cert.pem +-------------------------------------------+ Identity Certificate +-------------------------------------------+ Certificate: Path: /etc/pki/consumer/cert.pem Version: 1.0 Serial: 824613308750035399 Start Date: 2012-11-09 16:20:22+00:00 End Date: 2013-11-09 16:20:22+00:00 Alt Name: DirName:/CN=server.example.com Subject: CN: e94bc90e-44a1-4f8c-b6fc-0a3e9d6fac2b
Productsection, which defines the information for the specific installed product, such as its name, product version, and any yum tags used for that product. For example:
[root@server ~]# rct cat-cert /etc/pki/product/69.pem +-------------------------------------------+ Product Certificate +-------------------------------------------+ Certificate: Path: /etc/pki/product/69.pem Version: 1.0 Serial: 12750047592154746449 Start Date: 2012-10-04 18:45:02+00:00 End Date: 2032-09-29 18:45:02+00:00 Subject: CN: Red Hat Product ID [b4f7ac9e-b7ed-45fa-9dcc-323beb20e916] Product: ID: 69 Name: Red Hat Enterprise Linux Server Version: 6.4 Arch: x86_64 Tags: rhel-6,rhel-6-server
Subjectsections, it also has a
Productsection that defines the product group that is covered by the subscription.
Ordersection that details everything related to the purchase of the subscription (such as the contract number, service level, total quantity, quantities assigned to the system, and other details on the subscription).
Contentsection that contains the repository name, associated tags, its URL, and a notice on whether the yum repository is enabled by default.
[root@server ~]# rct cat-cert /etc/pki/entitlement/2027912482659389239.pem +-------------------------------------------+ Entitlement Certificate +-------------------------------------------+ Certificate: Path: /etc/pki/entitlement/2027912482659389239.pem Version: 1.0 Serial: 2027912482659389239 Start Date: 2011-12-31 05:00:00+00:00 End Date: 2012-12-31 04:59:59+00:00 Subject: CN: 8a99f9843adc8b8f013ae5f9de022b73 Product: ID: 69 Name: Red Hat Enterprise Linux Server Version: Arch: x86_64,ia64,x86 Tags: Order: Name: Red Hat Enterprise Linux Server, Premium (8 sockets) (Up to 4 guests) Number: 2673502 SKU: RH0103708 Contract: 10011052 Account: 5206751 Service Level: Premium Service Type: L1-L3 Quantity: 100 Quantity Used: 1 Socket Limit: 8 Virt Limit: Virt Only: False Subscription: Stacking ID: Warning Period: 0 Provides Management: 0 Content: Type: yum Name: Red Hat Enterprise Linux 6 Server (RPMs) Label: rhel-6-server-rpms Vendor: Red Hat URL: /content/dist/rhel/server/6/$releasever/$basearch/os GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Enabled: True Expires: 86400 Required Tags: rhel-6-server
cat-certcommand results can be truncated by using the
--no-contentoptions to remove the
2.5.6. The Structure of Satellite Certificates (Classic Style of Certificates)
- System subscriptions are subscriptions for services that can be performed, such as monitoring, provisioning, and virtualization.
- Channel subscriptions, or content subscriptions, provide access to the different software product download channels on Red Hat Network. These include Red Hat Enterprise Linux add-ons like Supplementary and FastTrack and layered products like Red Hat Directory Server.
nameargument identifies what entity is being configured. This can be the organization which ordered the subscription (
name="owner"), the start and end dates for the subscription (
name="expires"), or the subscription itself. A system subscription uses the
nameargument to set the service being covered; every content subscription is set as a
name="channel-family"type, with the specific product identified in an additional
nameargument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
<rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field> <rhn-cert-field name="owner">Example Corp</rhn-cert-field> <rhn-cert-field name="issued">2009-04-07 10:18:33</rhn-cert-field> <rhn-cert-field name="expires">2009-11-25 00:00:00</rhn-cert-field> ... [snip] ... <rhn-cert-field name="satellite-version">5.3</rhn-cert-field> <rhn-cert-field name="generation">2</rhn-cert-field> <rhn-cert-signature> -----BEGIN PGP SIGNATURE----- Version: Crypt::OpenPGP 1.03 iQBGBAARAwAGBQJJ22C+AAoJEJ5ynaAAAAkyyZ0An18+4hK5Ozt4HWieFvahsTnF aPcaAJ0e5neOfdDZRLOgDE+Tp/Im3Hc3Rg== =gqP7 -----END PGP SIGNATURE----- </rhn-cert-signature>
name="slot"field lists how many total systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
nameargument and then setting the quantity as the value within the tags.
<rhn-cert-field name="provisioning-slots">117</rhn-cert-field> <rhn-cert-field name="monitoring-slots">20</rhn-cert-field> <rhn-cert-field name="virtualization_host">67</rhn-cert-field>
rhel-serverfamily, while a specific Virtualization Server subscription provides an additional
<rhn-cert-field name="channel-families" quantity="95" family="rhel-server"/> <rhn-cert-field name="channel-families" quantity="67" family="rhel-server-vt"/>
rhel-*family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the
<rhn-cert-field name="channel-families" quantity="3" family="rhel-rhdirserv"/>
<rhn-cert-field name="channel-families" quantity="212" family="rhn-tools"/>
3. Revision History
|Revision 1.5-0||February 28, 2017|
|Revision 1.4-12||January 11, 2016|
|Revision 1.4-10||September 10, 2014|
|Revision 1.3-5||September 18, 2013|