7. Configuring Red Hat Subscription Manager

By default, Red Hat Subscription Manager (both GUI and CLI) talk to the subscription service and the Customer Portal for their subscription services and content delivery, respectively. Red Hat Subscription Manager can be configured to use different content servers or subscription services. Other aspects of the Red Hat Subscription Manager — like the locations to look for system and product certificates or the system information used by Red Hat Subscription Manager to identify compatible subscriptions — can also be customized to fit the network environment.

7.1. Red Hat Subscription Manager Configuration Files

The primary configuration file for Red Hat Subscription Manager, both the GUI and CLI tools, is the rhsm.conf configuration file. There are other support files that either influence the Red Hat Subscription Manager service or can help administrators better use the Subscription Manager.

7.1.1. All Files Used by Red Hat Subscription Manager

All of the files related to the configuration of Red Hat Subscription Manager are used by both the GUI and CLI; there is no separate configuration.

Table 6. Red Hat Subscription Manager Files and Directories

File or Directory Description
/etc/rhsm The primary Red Hat Subscription Manager configuration directory.
/etc/rhsm/rhsm.conf The Red Hat Subscription Manager configuration file. This is used by both the GUI and the CLI.
/etc/rhsm/facts Any user-defined JSON files that override or add system facts to determine subscription compatibility. Any facts files must end in .facts.
/var/lib/rhsm/cache/installed_products.json A master list of installed products, which is sent by Subscription Manager to a hosted content service, such as Subscription Asset Manager.
/var/lib/rhsm/facts/facts.json The default system facts filed, gathered by the Subscription Manager.
/var/lib/rhsm/packages/ The package profile cache (a list of installed products) which is gathered and periodically updated by the Subscription Manager.
/var/log/rhsm The Red Hat Subscription Manager log directory.
/var/log/rhsm/rhsm.log The log for the Red Hat Subscription Manager tools.
/var/log/rhsm/rhsmcertd.log The log for the Red Hat Subscription Manager daemon, rhsmcertd.
/etc/pki/consumer The directory which contains the identity certificates used by the system to identify itself to the subscription service.
/etc/pki/consumer/cert.pem The base-64 identity certificate file for the system.
/etc/pki/consumer/key.pem The base-64 identity key file for the system.
/etc/pki/entitlement The directory which contains the certificates for the available subscriptions.
/etc/pki/product/product_serial#.pem The product certificates for installed software products.
/var/run/subsys/rhsm Runtime files for Red Hat Subscription Manager
/etc/init.d/rhsmcertd The subscription certificate daemon.
/etc/cron.daily/rhsm-complianced and /usr/libexec/rhsm-complianced Files to run daily checks and notifications for subscription validity.
/etc/yum/pluginconf.d/rhsmplugin.conf The configuration file to include the Red Hat Subscription Manager plug-in in the yum configuration.
/usr/share/rhsm All of the Python and script files used by both Red Hat Subscription Manager tool to perform subscription tasks.
/usr/share/rhsm/gui All of the Python script and image files used to render the Red Hat Subscription Manager GUI.

7.1.2. About the rhsm.conf File

The main configuration file for the Subscription Manager is rhsm.conf. This file configures several important aspects of how Red Hat Subscription Manager interacts with both subscriptions and content services:
  • The subscription service connection information, including the server host and port
  • The content service to use, in the form of a web address
  • The location of all of the different certificates used by the subscription service, including CA certificates for SSL authentication, identity certificates for the system, and subscription and product certificates
The rhsm.conf file is divided into three sections. Two major sections define the subscription service ([server]) and content and product delivery ([rhsm]). The third section relates to the rhsmcertd daemon. Each assertion is a simple attribute= value pair. Any of the default values can be edited; all possible attributes are present and active in the default rhsm.conf file.

Example 10. Default rhsm.conf File

# Red Hat Subscription Manager Configuration File:

[server]
# Server hostname:
hostname = subscription.rhn.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

# Set to 1 to disable certificate validation:
insecure = 0

# Set the depth of certs which should be checked
# when validating a certificate
ssl_verify_depth = 3

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/

# an http proxy server to use
proxy_hostname =

# port for http proxy server
proxy_port = 

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

[rhsm]
# Content base URL:
baseurl= https://cdn.redhat.com

# Default CA cert to use when generating yum repo configs:
repo_ca_cert = %(ca_cert_dir)sredhat-uep.pem

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

# Manage generation of yum repositories for subscribed content:
manage_repos = 1

[rhsmcertd]
# Frequency of certificate refresh (in minutes):
certFrequency = 240
# Frequency of autoattach check (1440 min = 1 day):
autoattachFrequency = 1440

Table 7. rhsm.conf Parameters

Parameter Description Default Value
[server] Parameters
hostname Gives the IP address or fully-qualified domain name of the subscription service. subscription.rhn.redhat.com
prefix Gives the directory, in the URL, to use to connect to the subscription service. /subscription
port Gives the port to use to connect to the subscription service. 443
insecure Sets whether to use a secure (0) or insecure (1) connection for connections between the Subscription Manager clients and the subscription service. 0
ssl_verify_depth Sets how far back in the certificate chain to verify the certificate. 3
proxy_hostname Gives the hostname of the proxy server. This is required.
proxy_port Gives the port of the proxy server. This is required.
proxy_user Gives the user account to use to access the proxy server. This may not be required, depending on the proxy server configuration.
proxy_password Gives the password credentials to access the proxy server. This may not be required, depending on the proxy server configuration.
ca_cert_dir Gives the location for the CA certificate for the CA which issued the subscription service's certificates. This allows the client to identify and trust the subscription service for authentication for establishing an SSL connection. /etc/rhsm/ca
[rhsm] Parameters
baseurl Gives the full URL to access the content delivery system. https://cdn.redhat.com
repo_ca_cert Identifies the default CA certificate to use to set the yum repo configuration. %(ca_cert_dir)sredhat-uep.pem
productCertDir Sets the root directory where the product certificates are stored and can be accessed by Subscription Manager. /etc/pki/product
consumerCertDir Sets the directory where the identity certificate for the system is stored and can be accessed by Subscription Manager. /etc/pki/consumer
entitlementCertDir Sets the directory where the subscription certificates for the system are stored and can be accessed by Subscription Manager. Each subscription has its own subscription certificate. /etc/pki/entitlement
manage_repos Sets whether the system creates and uses a redhat.repo yum file. This can be 0 for off or 1 for on. 1
[rhsmcertd] Parameters
certFrequency Sets the interval, in minutes, to check and update subscription certificates used by Subscription Manager. 240
autoattachFrequency Sets the interval, in minutes, to check for change subscriptions and installed products and to attach subscriptions, as necessary, to maintain subscription status for all products. 1440