8.6. The Structure of Satellite Certificates (Classic Style of Certificates)


Satellite certificates are used by Satellite 5.x deployments. They are not used on Red Hat Enterprise Linux or by any certificate-based subscription service.
Every system has to have a secure, authoritative way to identify what subscriptions are available. For Satellite 5.x systems, this identification is done through a digitally-signed XML document that lists the products and quantities that a customer has purchased.
As with subscription certificates, a Satellite certificate contains the information about the subscription that was purchased, including the total number of systems that can be registered against that subscription and its start and end dates.
There are two types of subscriptions:
  • System subscriptions are subscriptions for services that can be performed, such as monitoring, provisioning, and virtualization.
  • Channel subscriptions, or content subscriptions, provide access to the different software product download channels on Red Hat Network. These include Red Hat Enterprise Linux add-ons like Supplementary and FastTrack and layered products like Red Hat Directory Server.
Both types can be included in a single Satellite certificate.
A system subscription and the metadata for a subscription are both configured similarly in the certificate:
<rhn-cert-field name="configuration_area">value</rhn-cert-field>
The name argument identifies what entity is being configured. This can be the organization which ordered the subscription (name="owner"), the start and end dates for the subscription (name="issued" and name="expires"), or the subscription itself. A system subscription uses the name argument to set the service being covered; every content subscription is set as a name="channel-family" type, with the specific product identified in an additional family argument.
The first section of the Satellite certificate is the metadata. The metadata identifies the organization which purchased it and the start and end dates of the subscription. The field being set is in the name argument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
  <rhn-cert-field name="product">RHN-SATELLITE-001</rhn-cert-field>
  <rhn-cert-field name="owner">Example Corp</rhn-cert-field>
  <rhn-cert-field name="issued">2009-04-07 10:18:33</rhn-cert-field>
  <rhn-cert-field name="expires">2009-11-25 00:00:00</rhn-cert-field>

... [snip] ...

  <rhn-cert-field name="satellite-version">5.3</rhn-cert-field>
  <rhn-cert-field name="generation">2</rhn-cert-field>
Version: Crypt::OpenPGP 1.03

The name="slot" field lists how many total systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
  <rhn-cert-field name="slots">119</rhn-cert-field>
The system subscriptions are set by identifying the service type in the name argument and then setting the quantity as the value within the tags.
  <rhn-cert-field name="provisioning-slots">117</rhn-cert-field>
  <rhn-cert-field name="monitoring-slots">20</rhn-cert-field>
  <rhn-cert-field name="virtualization_host">67</rhn-cert-field>
The content subscriptions can include any combination of products, including base Red Hat Enterprise Linux subscriptions, variations of Red Hat Enterprise Linux, Red Hat Enterprise Linux add-ons, and general software products. General Red Hat Enterprise Linux server subscriptions are listed in the rhel-server family, while a specific Virtualization Server subscription provides an additional rhel-server-vt family.
  <rhn-cert-field name="channel-families" quantity="95" family="rhel-server"/>
  <rhn-cert-field name="channel-families" quantity="67" family="rhel-server-vt"/>
Add-ons and products for Red Hat Enterprise Linux systems (but not necessarily operating system products) are also in a rhel-* family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the rhel-rhdirserv family.
  <rhn-cert-field name="channel-families" quantity="3" family="rhel-rhdirserv"/>
Most subscriptions will also include a subscription tool set to manage and enable within clients features such as provisioning or configuration management when registered to RHN Classic or Satellite 5.x.
  <rhn-cert-field name="channel-families" quantity="212" family="rhn-tools"/>