Migrating from RHN Classic
to migrate from older Red Hat Network Classic (hosted) to updated subscription management
Red Hat Subscription Management Documentation Team
rhsm-docs@redhat.com
Abstract
- Systems can be upgraded from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7. Both Red Hat Enterprise Linux 6 and 7 systems use the same type of subscription management services, but the available content repositories and product subscriptions are different between the platforms. This means that subscriptions must be managed appropriately as part of upgrading the underlying system.
- Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 systems can migrate from channel-based subscription services to Red Hat Subscription Management. This is truly migrating subscriptions, since the subscriptions are moved from one type of service to another.
Since Red Hat Enterprise Linux 6 can use Red Hat Subscription Management and Red Hat Enterprise Linux 7 systems must use Red Hat Subscription Management, there is no need to migrate the subscription services: it is the same service. However, the system migration and installed product migrations may not happen at the same time, which means that the subscriptions required to cover the system at Red Hat Enterprise Linux 6 may be different than the ones required after it is upgraded. This requires administering the subscriptions for the system, by updating the registration, configuring repositories, and re-attaching the subscriptions.
Red Hat Subscription Management structure provides detailed, accurate, and clear representations of the relationships between subscriptions, systems, their parent organizations, and overall usage patterns. This is done by identifying the different elements involved in subscription management — the system, the installed products, and the assigned subscriptions — with unique certificates.
1. Managing Subscriptions When Upgrading to RHEL 7
redhat-upgrade-tool
.
Important
redhat-upgrade-tool upgrades the underlying operating system, but any software or applications installed may not necessarily be upgraded by the script. Many products do not yet have Red Hat Enterprise Linux 7 content repositories available.
- Update the Red Hat Enterprise Linux 6 system to install the required upgrade tools, and reboot the system.
- Run the preupgrade check.
- Unregister your system from the previous subscription service. This is done using the unregister command.
[root@server ~]# subscription-manager unregister
- Remove the Red Hat Enterprise Linux 6 product certificate to allow the system to be upgraded. If the product certificate is not removed, then later attempting to register the system creates a conflict, because it is incorrectly interpreted as a Red Hat Enterprise Linux 6 system.
[root@server ~]# rm -rf /etc/pki/product/69.pem
- Use the upgrade script to upgrade the system to Red Hat Enterprise Linux 7. In this example, the version is set to Red Hat Enterprise Linux 7.0 and the installation directory points to a public FTP repository.
[root@server ~]# redhat-upgrade-tool-cli --network 7.0 --instrepo ftp://ftp.redhat.com/pub/redhat/rhel/7.0/x86_64/os
Note
This only upgrades the base operating system. Any additional products or applications need to be upgraded separately.
- Register your system again with the subscription service. This is done using the register command.
[root@server ~]# subscription-manager register --username admin@example.com
Password:
The system has been registered with id: 7d133d55-876f-4f47-83eb-0ee931cb0a97
- Locate any available Red Hat Enterprise Linux 7 repositories for any required layered products, and configure yum to use those repositories.
- Optional. Attach any required subscriptions. For example:
[root@server1 ~]# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 10
Expires: 2016-09-21
[root@server1 ~]# subscription-manager attach --pool=ff8080812bc382e3012bc3845ca000cb
2. Migrating Systems from RHN Classic
rhn-migrate-classic-to-rhsm migration script.
2.1. Differences Between Customer Portal Subscription Management and RHN Classic
2.1.1. Purpose of Migration
2.1.2. The Focus of Customer Portal Subscription Management
2.1.3. The Focus of RHN Classic
2.1.4. Differences in Functionality
Table 1. Comparison of Customer Portal Subscription Management and RHN Classic Functions
 | Customer Portal Subscription Management | RHN Classic |
---|---|---|
Registering a system | ![]() | ![]() |
Assigning subscriptions | ![]() | ![]() |
Content delivery | ![]() | ![]() |
Managing configuration files | Must be done locally. | ![]() |
Taking system snapshots | Must be done locally. | ![]() |
Kickstarting systems | Satellite 6 or other management tools. | ![]() |
Running scripts | Satellite 6 or other tools. | ![]() |
2.1.5. Differences in Registration and Subscription Processes
2.1.6. Exclusivity
2.1.7. Migration Paths
systemid value (Red Hat Enterprise Linux 5 or 6) or an installation number (Red Hat Enterprise Linux 5).
rhn-migrate-classic-to-rhsm performs the migration based on the system ID, in the /etc/sysconfig/rhn/systemid file.
2.2. Installing the Migration Tools
- The migration tools and data are usually in the main channels for Red Hat Enterprise Linux 5 or 6, but they may be located in optional or supplementary channels. Do a simple yum search to make sure that the packages are available. For example:
[root@server ~]# yum search subscription-manager-migration -v
Not loading "rhnplugin" plugin, as it is disabled
Loading "product-id" plugin
Loading "refresh-packagekit" plugin
Loading "security" plugin
Loading "subscription-manager" plugin
Updating certificate-based repositories.
================= N/S Matched: subscription-manager-migration ==================
subscription-manager-migration.x86_64 : Migration scripts for moving to
                                      : certificate based subscriptions
Repo : rhel-6-server-rpms
subscription-manager-migration-data.noarch : RHN Classic to RHSM migration data
Repo : rhel-6-server-rpms
If necessary, enable the supplementary repositories which contain the migration RPMs.
[root@server ~]# subscription-manager repos --enable rhel-6-server-optional-rpms
- Install the migration tool packages.
[root@server ~]# yum install subscription-manager-migration subscription-manager-migration-data
2.3. Migrating from RHN Classic to Customer Portal Subscription Management
Note
rhn-migrate-classic-to-rhsm script.
rhn-migrate-classic-to-rhsm script has this syntax:
rhn-migrate-classic-to-rhsm [--force|--gui|--help|--no-auto|--servicelevel=SERVICE_LEVEL]
[root@server ~]# subscription-manager facts --list | grep migr
migration.classic_system_id: 09876
migration.migrated_from: rhn_hosted_classic
migration.migration_date: 2012-09-14T14:55:29.280519
Please refer to the following table for comparisons between RHN Classic and Red Hat Customer Portal Subscription Management capabilities. Note, this table may contain statements regarding future services not yet approved for implementation and does not indicate a commitment for delivery.
Feature/Function | RHN Classic | Red Hat Portal (Red Hat Subscription Management) |
---|---|---|
Red Hat Product Support | | |
Red Hat Enterprise Linux versions supported | All current products and versions in Red Hat Enterprise Linux 4; all current products and versions in Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6; all current products and versions, including Red Hat Enterprise Linux 7, are supported via Red Hat Satellite 5.7 (but not via RHN Classic Hosted or stand-alone Proxy) | Red Hat Enterprise Linux 5 (5.7 and newer); Red Hat Enterprise Linux 6 (6.1 and newer); Red Hat Enterprise Linux 7; intended for future versions of Red Hat Enterprise Linux |
Red Hat Enterprise Virtualization versions supported | All current products and versions including RHEV 2.1, 2.2, 3.0 | RHEV 3.0 and newer |
Red Hat Enterprise Linux Migration to RHSM support? | N/A | YES, for Red Hat Enterprise Linux 5 (5.8 and newer) - via migration tooling as described in Red Hat Subscription Management; YES, for Red Hat Enterprise Linux 6 (6.3 and newer) - via migration tooling as described in Red Hat Subscription Management and How to migrate a Red Hat Enterprise Linux System from RHN Classic to RHSM |
Red Hat Satellite 5 | YES, all versions of 5.x | PARTIAL, Satellite 5 certificates can be issued from Customer Portal. Satellite 5.6 or 5.7 can be integrated with SAM 1.3+ to provide subscription status reporting |
Red Hat Satellite 6 | NO | YES |
Support for all product SKUs | YES, but future products may not be enabled for RHN Classic | YES, with a small number of exceptions and Why aren’t my subscriptions available in Red Hat Subscription Management? |
Subscription Management Support | | |
Default Client for installation method | Red Hat Enterprise Linux 5 (5.7 and older); Red Hat Enterprise Linux 6 (6.1 and older); all Red Hat Enterprise Linux 4 | Red Hat Enterprise Linux 6 (6.3 and later); Red Hat Enterprise Linux 5 (5.9 and later); future versions of Red Hat Enterprise Linux |
Content Basis for Client | RHN Classic; rhn-channel command and What is the command "rhn-channel" and how to use it? | Red Hat Subscription Manager; subscription-manager command to register and add subscriptions |
Command line utilities for Client | yum update (Red Hat Enterprise Linux 5 and later), up2date (Red Hat Enterprise Linux 4) | yum update |
System registration | rhn_register, rhnreg_ks | subscription-manager register and How to register and subscribe a system to the Red Hat Customer Portal using Red Hat Subscription-Manager |
Activation keys | YES, with Smart Management subscriptions | YES, via Red Hat Subscription Asset Manager (SAM), Red Hat Satellite 6, and now also the Red Hat Customer Portal |
List subscriptions available to apply to installed system on Client | N/A | subscription-manager list --available |
Force list all subscriptions on Client | N/A | subscription-manager list --available --all and Why can’t I see available subscriptions for my system in Red Hat Subscription Management? |
Smart autosubscribe a subscription | N/A | subscription-manager register --autosubscribe How do I subscribe to a channel in Red Hat Subscription Management? |
Graphical user interface utilities for Client | System → Administration → RHN Registration | System → Administration → Red Hat Subscription Manager |
Package update utility | /usr/bin/yum System → Administration → Add/Remove Software | /usr/bin/yum System → Administration → Add/Remove Software |
Yum plugin support | yum-rhn-plugin (provides rhnplugin.conf) | subscription-manager (provides subscription-manager.conf and product-id.conf) |
Web-based administration tool for customers | | |
Support for updating content through Content Delivery Network | YES | YES |
Email errata notifications | YES | YES; Satellite 6.1: Subscribing to Errata Notifications |
Support for IP-Based Firewall Rules | | |
Support for sosreport diagnostics logging | YES | YES |
Optional and Supplementary Channels available? | YES, but off by default. Many devel packages are not available in Red Hat Enterprise Linux | |
Support for subscription status | PARTIAL, Red Hat Satellite 5.6 or 5.7 can be integrated with Red Hat SAM 1.3+ for subscription status | YES |
Support for subscription consumption reports | PARTIAL, Red Hat Satellite 5.6 or 5.7 can be integrated with Red Hat SAM 1.3 for subscription status | YES, via Red Hat Subscription Asset Manager; FUTURE, via Red Hat Satellite 6 |
System Management Support | | |
Support for Smart Management Red Hat Enterprise Linux Add-On | YES | YES, with Red Hat Satellite 6 |
Support for machine provisioning and monitoring | YES, with Smart Management subscriptions | YES, via Red Hat Satellite 6 provisioning feature |
Content Management Support | | |
Content Download GUI | YES | YES |
Support for remote updating | YES, with Smart Management subscriptions | NO |
Support for offline updating | YES, via Red Hat Satellite 5 | FUTURE, via Red Hat Subscription Asset Manager; YES, via Red Hat Satellite 6 |
Support for proxied updating | YES, via Red Hat Satellite Proxy 5 | YES, via Red Hat Subscription Asset Manager (SAM) and Red Hat Satellite 6 Capsule Server |
2.3.1. Basic RHN Classic to Customer Portal Subscription Management Migration
rhn-migrate-classic-to-rhsm tool migrates the system profile, registers the system with Customer Portal Subscription Management, and autoattaches the system to the best-matched subscriptions. Optionally, administrators can also set a service level preference for the system, which is used to help evaluate what subscriptions to select.
[root@server ~]# rhn-migrate-classic-to-rhsm --servicelevel=premium
RHN Username: jsmith@example.com
Password:
Retrieving existing RHN classic subscription information ...
+----------------------------------+
System is currently subscribed to:
+----------------------------------+
rhel-i386-client-5
/etc/pki/product directory.
List of channels for which certs are being copied
rhel-i386-client-5
Product Certificates copied successfully to /etc/pki/product !!
Preparing to unregister system from RHN classic ...
System successfully unregistered from RHN Classic.
Attempting to register system to RHN ...
The system has been registered with id: abcd1234
System server.example.com successfully registered to RHN.
Attempting to auto-subscribe to appropriate subscriptions ...
Installed Product Current Status:
ProductName: Red Hat Enterprise Linux Desktop
Status: Subscribed
Successfully subscribed.
2.3.2. Migrating to an On-Premise Service
rhn-migrate-classic-to-rhsm tool migrates the system to Customer Portal Subscription Management (hosted) services by default, using the default configuration for Subscription Manager. For infrastructures which have an on-premise subscription management service such as Subscription Asset Manager, this configuration can be changed so that the migration process registers the systems with the on-premise subscription services and attaches matching subscriptions.
--serverurl option, which specifies the URL of the on-premise service. In this case, the authorization credentials must also be given for the on-premise subscription management service account (which is independent of the RHN account).
[root@server ~]# rhn-migrate-classic-to-rhsm --serverurl=sam.example.com
2.3.3. Manually Selecting Subscriptions
rhn-migrate-classic-to-rhsm can open the Subscription Manager UI to allow administrators to select the subscriptions manually.
--gui option tells the rhn-migrate-classic-to-rhsm to register the system only and then to open the UI, rather than attaching subscriptions to the system.
[root@server ~]# rhn-migrate-classic-to-rhsm --gui
RHN Username: jsmith@example.com
Password:
Retrieving existing RHN classic subscription information ...
... 8< ...
Launching the GUI tool to manually subscribe the system ...

Figure 1. Subscription Selection Tab
2.4. Looking at Channel and Certificate Mappings
/usr/share/rhsm/product/RHEL-5/channel-cert-mapping.txt) uses simple keys to map the values:
channel_name: product_name-hash-product_cert.pem
rhel-i386-client-workstation-5: Client-Workstation-i386-b0d4c042-6e31-45a9-bd94-ff0b82e43b1a-71.pem
.pem and the product certificate is installed in the /etc/pki/product directory. For the rhel-i386-client-workstation-5, this migrates to the 71.pem product certificate (the last two digits of the mapping).
jbappplatform-4.3.0-fp-i386-server-5-rpm: none
2.5. About Certificates Used for Products and Subscriptions
.pem formatted file. This file format stores both keys and certificates in a base-64 blob. For example:
-----BEGIN CERTIFICATE----- MIIDaTCCAtKgAwIBAgICBZYwDQYJKoZIhvcNAQEFBQAwSzEqMCgGA1UEAxMhY2Fu ZGxlcGluMS5kZXZsYWIucGh4MS5yZWRoYXQuY29tMQswCQYDVQQGEwJVUzEQMA4G A1UEBxMHUmFsZWlnaDAeFw0xMDEwMDYxNjMyMDVaFw0xMTEwMDYyMzU5NTlaMC8x LTArBgNVBAMMJDQ4ODFiZDJmLTg2OGItNDM4Yy1hZjk2LThiMWQyODNkYWZmYzCC ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNyLw6+IMtjY03F7Otxj2GL GTz5VKx1kfWY7q4OD4w+XlBHTkt+2tQV9S+4TFkUZ7XoI80LDL/BONpy/gq5c5cw yKvjv2gjSS/pihgYNXc5zUOIfSj1vb3fHGHOkzdCcZMyWq1z0N/zaLClp/zP/pcM og4NTAg2niNPjFYvkQ+oIl16WmQpefM0y0SY7N7oJd2T8dZjOiuLV2cVZLfwjrwG 9UpkT2J03g+n1ZA9q95ibLD5NVOdTy9+2lfRhdDViZaVoFiQXvg86qBHQ0ieENuF a6bCvGgpTxcBuVXmsnl2+9dnMiwoDqPZp1HB6G2uNmyNe/IvkTOPFJ/ZVbtBTYUC AwEAAaOB8zCB8DARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgSwMHsGA1Ud IwR0MHKAFGiY1N2UtulxcMFy0j6gQGLTyo6CoU+kTTBLMSowKAYDVQQDEyFjYW5k bGVwaW4xLmRldmxhYi5waHgxLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYD VQQHEwdSYWxlaWdoggkA1s54sVacN0EwHQYDVR0OBBYEFGbB5fqOzh32g4Wqrwhc /96IupIgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdEQQWMBSkEjAQMQ4wDAYD VQQDDAV4ZW9wczANBgkqhkiG9w0BAQUFAAOBgQANxHRsev4fYfnHO9kYcHo4UeK7 owN+fq92gl76iRHRnhzkPlhWL+uV2tyqGG9zJASOX+qEDOqN5sVAB4iNQTDGiUbK z757igD2hsQ4ewv9Vq3QtnajWnfdaUZH919GgWs09Etg6ucsKwgfx1fqjSRLBbOo lZuvBTYROOX6W2vKXw== -----END CERTIFICATE-----
rct tool with Subscription Manager can be used to extract and view information from these certificates, in a pretty-print format. (So can general PKI management tools like openssl and pk12util.)
2.5.1. Summary of Certificates Used by Subscription Services
Table 2. Types of Certificates Used for Content and Subscriptions
Certificate Type | Description | Default Location |
---|---|---|
Identity Certificate | Used to identify the system to the subscription service. This contains a unique ID which is assigned to the system when it is registered to the system. The identity certificate itself is generated by the subscription service when the system is registered and then sent to the system. | /etc/pki/consumer |
Subscription Certificate | Contains a list of products that are available to a system to install, based on the subscriptions that have been attached to the system. The subscription certificate defines the software products, the content delivery location, and validity dates. The presence of a subscription certificate means that the system has used one of the quantities from the subscription. | /etc/pki/entitlement |
Product Certificate | Contains the information about a product after it has been installed. | /etc/pki/product/product_serial#.pem |
CA Certificate | A certificate for the certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSL to connect to the subscription service. | /etc/rhsm/ca/candlepin-ca.pem |
Satellite Certificate | An XML-formatted certificate which contains a product list. This is used by on-premise Satellite 5.x systems, not the newer subscription service. |
2.5.2. The Structure of Identity Certificates
- The system UUID, in the subject CN of the certificate
- The subscription service which the system is registered to, in the issuer field of the certificate
- The user account which registered the system, as the DirName value in the Subject Alt Name
Example 1. Identity Certificate
Certificate: Data: Version: 3 (0x2) Serial Number: 1430 (0x596) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=subscription.server.example.com, C=US, L=Raleigh
Validity Not Before: Oct 6 16:32:05 2010 GMT Not After : Oct 6 23:59:59 2011 GMT Subject: CN=4881bd2f-868b-438c-af96-8b1d283daffc
Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a3:72:2f:0e:be:20:cb:63:63:4d:c5:ec:eb:71: 8f:61:8b:19:3c:f9:54:ac:75:91:f5:98:ee:ae:0e: 0f:8c:3e:5e:50:47:4e:4b:7e:da:d4:15:f5:2f:b8: 4c:59:14:67:b5:e8:23:cd:0b:0c:bf:c1:38:da:72: fe:0a:b9:73:97:30:c8:ab:e3:bf:68:23:49:2f:e9: 8a:18:18:35:77:39:cd:43:88:7d:28:f5:bd:bd:df: 1c:61:ce:93:37:42:71:93:32:5a:ad:73:d0:df:f3: 68:b0:a5:a7:fc:cf:fe:97:0c:a2:0e:0d:4c:08:36: 9e:23:4f:8c:56:2f:91:0f:a8:22:5d:7a:5a:64:29: 79:f3:34:cb:44:98:ec:de:e8:25:dd:93:f1:d6:63: 3a:2b:8b:57:67:15:64:b7:f0:8e:bc:06:f5:4a:64: 4f:62:74:de:0f:a7:d5:90:3d:ab:de:62:6c:b0:f9: 35:53:9d:4f:2f:7e:da:57:d1:85:d0:d5:89:96:95: a0:58:90:5e:f8:3c:ea:a0:47:43:48:9e:10:db:85: 6b:a6:c2:bc:68:29:4f:17:01:b9:55:e6:b2:79:76: fb:d7:67:32:2c:28:0e:a3:d9:a7:51:c1:e8:6d:ae: 36:6c:8d:7b:f2:2f:91:33:8f:14:9f:d9:55:bb:41: 4d:85 Exponent: 65537 (0x10001) X509v3 extensions: Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Key Encipherment, Data Encipherment X509v3 Authority Key Identifier: keyid:68:98:D4:DD:94:B6:E9:71:70:C1:72:D2:3E:A0:40:62:D3:CA:8E:82 DirName:/CN=subscription.server.example.com/C=US/L=Raleigh serial:D6:CE:78:B1:56:9C:37:41 X509v3 Subject Key Identifier: 66:C1:E5:FA:8E:CE:1D:F6:83:85:AA:AF:08:5C:FF:DE:88:BA:92:20 X509v3 Extended Key Usage: TLS Web Client AuthenticationX509v3 Subject Alternative Name:
DirName:/CN=admin-example
Signature Algorithm: sha1WithRSAEncryption 0d:c4:74:6c:7a:fe:1f:61:f9:c7:3b:d9:18:70:7a:38:51:e2: bb:a3:03:7e:7e:af:76:82:5e:fa:89:11:d1:9e:1c:e4:3e:58: 56:2f:eb:95:da:dc:aa:18:6f:73:24:04:8e:5f:ea:84:0c:ea: 8d:e6:c5:40:07:88:8d:41:30:c6:89:46:ca:cf:be:7b:8a:00: f6:86:c4:38:7b:0b:fd:56:ad:d0:b6:76:a3:5a:77:dd:69:46: 47:f7:5f:46:81:6b:34:f4:4b:60:ea:e7:2c:2b:08:1f:c7:57: ea:8d:24:4b:05:b3:a8:95:9b:af:05:36:11:38:e5:fa:5b:6b: ca:5f
2.5.3. The Structure of Subscription Certificates
Note
*.pem file stored in the subscription certificates directory, /etc/pki/entitlement. The name of the *.pem file is a numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3c:da:6c:06:90:7f:ff
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=candlepin.example.com, C=US, L=City
        Validity
            Not Before: Oct 8 17:55:28 2010 GMT
            Not After : Oct 2 23:59:59 2011 GMT
        Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...
1.3.6.1.4.1.2312.9.2.product_#.config_#:
    ..config_value
2 indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.
Note
1.3.6.1.4.1.2312.9. The subsequent numbers identify different subscription areas:
- .2. is the product-specific information
- .1. is the subscription information
- .4. contains the contract information, like its ID number and start and end dates
- .5. contains the system information, like the system ID which installed a product
Example 2. Annotated Red Hat Enterprise Linux High Availability Product Extensions in a Subscription Certificate
content repository type
1.3.6.1.4.1.2312.9.2.30393.1: ..yum
product
1.3.6.1.4.1.2312.9.2.30393.1.1: .HRed Hat Enterprise Linux High Availability (for RHEL Subscription) (RPMs)
channel name
1.3.6.1.4.1.2312.9.2.30393.1.2: .Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
vendor
1.3.6.1.4.1.2312.9.2.30393.1.5: ..Red Hat
download URL
1.3.6.1.4.1.2312.9.2.30393.1.6: .Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
key download URL
1.3.6.1.4.1.2312.9.2.30393.1.7: .2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
flex quantity
1.3.6.1.4.1.2312.9.2.30393.1.4: ..0
quantity
1.3.6.1.4.1.2312.9.2.30393.1.3: ..25
repo enabled setting
1.3.6.1.4.1.2312.9.2.30393.1.8: ..1
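The numbering scheme and Example 2 can be read mechanically. The following is an added example, not Red Hat's code: it classifies each extension line by area and field and checks the value's rendered length byte. It assumes the two characters before each value are the DER tag and short-form length bytes as printed by openssl, which shows non-printable bytes as a dot; the function names are this example's own.

```python
# Area numbers under the Red Hat namespace, as listed in the text above.
NAMESPACE = "1.3.6.1.4.1.2312.9"
AREAS = {"1": "subscription", "2": "product", "4": "contract", "5": "system"}

# Field labels taken from the annotations in Example 2 (key = last OID arc).
CONTENT_FIELDS = {
    "1": "product", "2": "channel name", "3": "quantity",
    "4": "flex quantity", "5": "vendor", "6": "download URL",
    "7": "key download URL", "8": "repo enabled setting",
}

# Extension lines copied from Example 2 on this page.
SAMPLE = """\
1.3.6.1.4.1.2312.9.2.30393.1: ..yum
1.3.6.1.4.1.2312.9.2.30393.1.1: .HRed Hat Enterprise Linux High Availability (for RHEL Subscription) (RPMs)
1.3.6.1.4.1.2312.9.2.30393.1.2: .Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
1.3.6.1.4.1.2312.9.2.30393.1.5: ..Red Hat
1.3.6.1.4.1.2312.9.2.30393.1.6: .Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
1.3.6.1.4.1.2312.9.2.30393.1.7: .2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
1.3.6.1.4.1.2312.9.2.30393.1.4: ..0
1.3.6.1.4.1.2312.9.2.30393.1.3: ..25
1.3.6.1.4.1.2312.9.2.30393.1.8: ..1
"""


def decode_value(rendered):
    """Split a rendered extension value into (payload, length_ok).

    Assumption: rendered[0] is the DER tag and rendered[1] the short-form
    length byte, both shown as '.' when not printable. ASCII payloads only.
    """
    if len(rendered) < 2:
        return rendered, False
    length_char, payload = rendered[1], rendered[2:]
    if length_char == ".":
        # A dot is either a non-printable length (< 0x20 or 0x7f)
        # or the literal byte 0x2e, i.e. a length of exactly 46.
        ok = len(payload) < 0x20 or len(payload) in (0x2E, 0x7F)
    else:
        ok = ord(length_char) == len(payload)
    return payload, ok


def parse_line(line):
    """Classify one 'OID: value' line from the certificate text dump."""
    oid, _, rendered = line.strip().partition(": ")
    if not oid.startswith(NAMESPACE + "."):
        raise ValueError("not in the %s namespace: %s" % (NAMESPACE, oid))
    arcs = oid[len(NAMESPACE) + 1:].split(".")
    area = AREAS.get(arcs[0], "unknown")
    payload, ok = decode_value(rendered)
    entry = {"oid": oid, "area": area, "value": payload, "length_ok": ok}
    if area == "product" and len(arcs) >= 3:
        entry["product_id"] = arcs[1]
        # In Example 2 the arc after the product ID carries the repository
        # type; one further arc selects an individual field.
        entry["field"] = ("content repository type" if len(arcs) == 3
                          else CONTENT_FIELDS.get(arcs[3], "unknown"))
    return entry


def parse_extensions(text):
    """Parse every non-empty line of a dump into a list of entries."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def length_mismatches(entries):
    """Return the fields whose rendered length byte disagrees with the text."""
    return [e.get("field", e["oid"]) for e in entries if not e["length_ok"]]


if __name__ == "__main__":
    for e in parse_extensions(SAMPLE):
        flag = "" if e["length_ok"] else "  <-- length byte mismatch"
        print("%-24s %s%s" % (e.get("field", e["area"]), e["value"], flag))
```

On the lines from Example 2, every length that can be checked matches except the product name, where the rendered length character H (72) does not match the 73 characters of text that follow it.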
2.5.4. The Structure of Product Certificates
*.pem file stored in the subscription certificates directory, /etc/pki/product/product_serial#.pem. The name of the *.pem file is a numeric identifier that is generated by the subscription service. As with subscription tracking, the generated ID is an inventory number, used to track installed products and associate them with systems within the subscription service.
2.5.5. Viewing Certificate Information with the rct Tool
rct tool performs two tasks:
- It displays the size and statistics of the certificate information (stat-cert).
- It displays information (headers) contained within the certificate, such as product or content set information (cat-cert).
2.5.5.1. Viewing Certificate Sizes and Statistics
stat-cert command and specifying the PEM file of the certificate to check.
# rct stat-cert /path/to/PEM_FILE
Table 3. Information Returned by stat-cert
Parameter | Description | Possible Values | Certificate Types It Applies To |
---|---|---|---|
Type | Identifies the type of certificate being checked. | | |
Version | The version of the certificate formatting which indicates the type of DER encoding used. | | |
DER size | The size of the certificate contents (not the size of the certificate file itself). | Size in bytes | |
Subject Key ID size | The size of the hashed public key for the key associated with the certificate (not the size of the key file itself). | Size in bytes | |
Content sets | The total number of all available content sets for the system, for all supported versions for products for the system. | Number | |
[root@server ~]# rct stat-cert /etc/pki/entitlement/2027912482659389239.pem
Type: Entitlement Certificate
Version: 1.0
DER size: 47555b
Subject Key ID size: 553b
Content sets: 100
stat-cert command can still be used to view the size and statistics of the certificates.
[root@server ~]# rct stat-cert /etc/pki/product/69.pem
Type: Product Certificate
Version: 1.0
DER size: 1558b
[root@server ~]# rct stat-cert /etc/pki/consumer/cert.pem
Type: Identity Certificate
Version: 1.0
DER size: 1488b
Subject Key ID size: 20b
2.5.5.2. Viewing Certificate Information
cat-cert command.
# rct cat-cert /path/to/PEM_FILE [--no-product] [--no-content]
Note
--no-product and --no-content options can be used to cut out the long lists of products and repositories and only return certificate and order information.
Certificate section. The subject DN of the certificate is in the Subject section.
[root@server ~]# rct cat-cert /etc/pki/consumer/cert.pem
+-------------------------------------------+
    Identity Certificate
+-------------------------------------------+
Certificate:
    Path: /etc/pki/consumer/cert.pem
    Version: 1.0
    Serial: 824613308750035399
    Start Date: 2012-11-09 16:20:22+00:00
    End Date: 2013-11-09 16:20:22+00:00
    Alt Name: DirName:/CN=server.example.com
Subject:
    CN: e94bc90e-44a1-4f8c-b6fc-0a3e9d6fac2b
Product section, which defines the information for the specific installed product, such as its name, product version, and any yum tags used for that product. For example:
[root@server ~]# rct cat-cert /etc/pki/product/69.pem
+-------------------------------------------+
    Product Certificate
+-------------------------------------------+
Certificate:
    Path: /etc/pki/product/69.pem
    Version: 1.0
    Serial: 12750047592154746449
    Start Date: 2012-10-04 18:45:02+00:00
    End Date: 2032-09-29 18:45:02+00:00
Subject:
    CN: Red Hat Product ID [b4f7ac9e-b7ed-45fa-9dcc-323beb20e916]
Product:
    ID: 69
    Name: Red Hat Enterprise Linux Server
    Version: 6.4
    Arch: x86_64
    Tags: rhel-6,rhel-6-server
Certificate and Subject sections, it also has a Product section that defines the product group that is covered by the subscription.
Order section that details everything related to the purchase of the subscription (such as the contract number, service level, total quantity, quantities assigned to the system, and other details on the subscription).
Content section that contains the repository name, associated tags, its URL, and a notice on whether the yum repository is enabled by default.
[root@server ~]# rct cat-cert /etc/pki/entitlement/2027912482659389239.pem
+-------------------------------------------+
    Entitlement Certificate
+-------------------------------------------+
Certificate:
    Path: /etc/pki/entitlement/2027912482659389239.pem
    Version: 1.0
    Serial: 2027912482659389239
    Start Date: 2011-12-31 05:00:00+00:00
    End Date: 2012-12-31 04:59:59+00:00
Subject:
    CN: 8a99f9843adc8b8f013ae5f9de022b73
Product:
    ID: 69
    Name: Red Hat Enterprise Linux Server
    Version:
    Arch: x86_64,ia64,x86
    Tags:
Order:
    Name: Red Hat Enterprise Linux Server, Premium (8 sockets) (Up to 4 guests)
    Number: 2673502
    SKU: RH0103708
    Contract: 10011052
    Account: 5206751
    Service Level: Premium
    Service Type: L1-L3
    Quantity: 100
    Quantity Used: 1
    Socket Limit: 8
    Virt Limit:
    Virt Only: False
    Subscription:
    Stacking ID:
    Warning Period: 0
    Provides Management: 0
Content:
    Type: yum
    Name: Red Hat Enterprise Linux 6 Server (RPMs)
    Label: rhel-6-server-rpms
    Vendor: Red Hat
    URL: /content/dist/rhel/server/6/$releasever/$basearch/os
    GPG: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    Enabled: True
    Expires: 86400
    Required Tags: rhel-6-server
cat-cert command results can be truncated by using the --no-product or --no-content options to remove the Product and Content sections (respectively).
2.5.6. The Structure of Satellite Certificates (Classic Style of Certificates)
Important
- System subscriptions are subscriptions for services that can be performed, such as monitoring, provisioning, and virtualization.
- Channel subscriptions, or content subscriptions, provide access to the different software product download channels on Red Hat Network. These include Red Hat Enterprise Linux add-ons like Supplementary and FastTrack and layered products like Red Hat Directory Server.
<rhn-cert-field name="configuration_area">value</rhn-cert-field>
name argument identifies what entity is being configured. This can be the organization which ordered the subscription (name="owner"), the start and end dates for the subscription (name="issued" and name="expires"), or the subscription itself. A system subscription uses the name argument to set the service being covered; every content subscription is set as a name="channel-family" type, with the specific product identified in an additional family argument.
name argument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
<rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field>
<rhn-cert-field name="owner">Example Corp</rhn-cert-field>
<rhn-cert-field name="issued">2009-04-07 10:18:33</rhn-cert-field>
<rhn-cert-field name="expires">2009-11-25 00:00:00</rhn-cert-field>
... [snip] ...
<rhn-cert-field name="satellite-version">5.3</rhn-cert-field>
<rhn-cert-field name="generation">2</rhn-cert-field>
<rhn-cert-signature>
-----BEGIN PGP SIGNATURE-----
Version: Crypt::OpenPGP 1.03

iQBGBAARAwAGBQJJ22C+AAoJEJ5ynaAAAAkyyZ0An18+4hK5Ozt4HWieFvahsTnF
aPcaAJ0e5neOfdDZRLOgDE+Tp/Im3Hc3Rg==
=gqP7
-----END PGP SIGNATURE-----
</rhn-cert-signature>
name="slot" field lists how many total systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
<rhn-cert-field name="slots">119</rhn-cert-field>
name argument and then setting the quantity as the value within the tags.
<rhn-cert-field name="provisioning-slots">117</rhn-cert-field>
<rhn-cert-field name="monitoring-slots">20</rhn-cert-field>
<rhn-cert-field name="virtualization_host">67</rhn-cert-field>
rhel-server family, while a specific Virtualization Server subscription provides an additional rhel-server-vt family.
<rhn-cert-field name="channel-families" quantity="95" family="rhel-server"/>
<rhn-cert-field name="channel-families" quantity="67" family="rhel-server-vt"/>
rhel-* family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the rhel-rhdirserv family.
<rhn-cert-field name="channel-families" quantity="3" family="rhel-rhdirserv"/>
<rhn-cert-field name="channel-families" quantity="212" family="rhn-tools"/>
3. Revision History
Revision History | |||
---|---|---|---|
Revision 1.5-0 | February 28, 2017 | Anni Bond | |
| |||
Revision 1.4-12 | January 11, 2016 | Red Hat Subscription Management Documentation Team | |
| |||
Revision 1.4-10 | September 10, 2014 | Deon Ballard | |
| |||
Revision 1.3-5 | September 18, 2013 | Deon Ballard | |
|