Chapter 7. Client Entitlements

The Create Certificates and Configuration RPMs screen is used to create new entitlement certificates and configuration RPMs.
When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you need to decide how to sub-divide your clients, and create a separate certificate for each group. Each certificate can then be used to create individual RPMs for installation on the appropriate guest images. For example, you might create separate certificates for clients that require access to Red Hat Enterprise Linux 5 and those that require access to Red Hat Enterprise Linux 5 and JBoss channels.
To access the Create Certificates and Configuration RPMs screen, go to the Home screen and type e at the prompt:
------------------------------------------------------------------------------
             -= Red Hat Update Infrastructure Management Tool =-


-= Client Entitlement Management =-

   e   generate an entitlement certificate
   c   create a client configuration RPM from an entitlement certificate

                                                           Connected: rhua.example.com
------------------------------------------------------------------------------
rhui (client) =>

Procedure 7.1. Generate an Entitlement Certificate

  1. From the Create Certificates and Configuration RPMs screen, type e at the prompt to generate a new Red Hat entitlement certificate:
    rhui (client) => e
    
  2. A list of all available repositories will be displayed. This includes all custom repositories, and all products that have been granted entitlements in the content certificate that Red Hat granted. Select which repositories to include in the entitlement certificate by typing the number of the repository at the prompt. Typing the number of a repository will place a checkmark next to the name of that repository. Continue until all repositories you wish to add have been checked, and then type c at the prompt to confirm.
    An asterisk (*) next to a repository indicates that it is deployed in the RHUI.
    Select one or more repositories to include in the entitlement certificate:
    (an * next to a Red Hat repository indicates it is deployed in the RHUI)
    
      Custom Repositories
        -  1 : /protected/$basearch/os
                 Repo 1
                 Repo 2
    
      Red Hat Repositories
        -  2 : Red Hat Enterprise Linux Server (RPMs)
        -  3 : Red Hat Enterprise Linux Server (SRPMS)
        -  4 : Red Hat Enterprise Linux Server (STS)
        -  5 : Red Hat Enterprise Linux Server 6 Optional Releases (RPMs)
        -  6 : Red Hat Enterprise Linux Server 6 Optional Releases (SRPMS)
        -  7 : Red Hat Enterprise Linux Server 6 Optional Updates (RPMs)
        -  8 : Red Hat Enterprise Linux Server 6 Optional Updates (SRPMS)
        -  9 : Red Hat Enterprise Linux Server 6 Releases (RPMs)
        -  10: Red Hat Enterprise Linux Server 6 Releases (SRPMS)
        -  11: Red Hat Enterprise Linux Server 6 Updates (RPMs)
        -  12: Red Hat Enterprise Linux Server 6 Updates (SRPMS)
        -  13: Red Hat Update Infrastructure 1.2 (RPMs) *
        -  14: Red Hat Update Infrastructure 1.2 (SRPMS) *
    
    Enter value from (1-14) to toggle selection, 'c' to confirm selections, or '?'
    for more commands: 1
    
    Select one or more repositories to include in the entitlement certificate:
    (an * next to a Red Hat repository indicates it is deployed in the RHUI)
    
      Custom Repositories
        x  1 : /protected/$basearch/os
                 Repo 1
                 Repo 2
    
      Red Hat Repositories
        -  2 : Red Hat Enterprise Linux Server (RPMs)
        -  3 : Red Hat Enterprise Linux Server (SRPMS)
        -  4 : Red Hat Enterprise Linux Server (STS)
        -  5 : Red Hat Enterprise Linux Server 6 Optional Releases (RPMs)
        -  6 : Red Hat Enterprise Linux Server 6 Optional Releases (SRPMS)
        -  7 : Red Hat Enterprise Linux Server 6 Optional Updates (RPMs)
        -  8 : Red Hat Enterprise Linux Server 6 Optional Updates (SRPMS)
        -  9 : Red Hat Enterprise Linux Server 6 Releases (RPMs)
        -  10: Red Hat Enterprise Linux Server 6 Releases (SRPMS)
        -  11: Red Hat Enterprise Linux Server 6 Updates (RPMs)
        -  12: Red Hat Enterprise Linux Server 6 Updates (SRPMS)
        -  13: Red Hat Update Infrastructure 1.2 (RPMs) *
        -  14: Red Hat Update Infrastructure 1.2 (SRPMS) *
    
    Enter value from (1-14) to toggle selection, 'c' to confirm selections, or '?'
    for more commands: 13-14
    
    Select one or more repositories to include in the entitlement certificate:
    (an * next to a Red Hat repository indicates it is deployed in the RHUI)
    
      Custom Repositories
        x  1 : /protected/$basearch/os
                 Repo 1
                 Repo 2
    
      Red Hat Repositories
        -  2 : Red Hat Enterprise Linux Server (RPMs)
        -  3 : Red Hat Enterprise Linux Server (SRPMS)
        -  4 : Red Hat Enterprise Linux Server (STS)
        -  5 : Red Hat Enterprise Linux Server 6 Optional Releases (RPMs)
        -  6 : Red Hat Enterprise Linux Server 6 Optional Releases (SRPMS)
        -  7 : Red Hat Enterprise Linux Server 6 Optional Updates (RPMs)
        -  8 : Red Hat Enterprise Linux Server 6 Optional Updates (SRPMS)
        -  9 : Red Hat Enterprise Linux Server 6 Releases (RPMs)
        -  10: Red Hat Enterprise Linux Server 6 Releases (SRPMS)
        -  11: Red Hat Enterprise Linux Server 6 Updates (RPMs)
        -  12: Red Hat Enterprise Linux Server 6 Updates (SRPMS)
        x  13: Red Hat Update Infrastructure 1.2 (RPMs) *
        x  14: Red Hat Update Infrastructure 1.2 (SRPMS) *
    
    Enter value from (1-14) to toggle selection, 'c' to confirm selections, or '?'
    for more commands: c
    
  3. Enter a name for the certificate. This name is used to identify the certificate within RHUI Manager, and is also used to generate the name of the certificate and key files.
    Name of the certificate. This will be used as the name of the certificate file
    (name.crt) and its associated private key (name.key). Choose something that
    will help identify the products contained with it:
    rhui_and_custom
    
  4. Enter a path to save the certificate to. Leave the field blank to save to the current working directory:
    Local directory in which to save the generated certificate [current directory]:
    /tmp/certs
    
  5. Enter the number of days the certificate should be valid for. Leave the field blank for 365 days:
    Number of days the certificate should be valid [365]:
    
  6. The details of the repositories to be included in the certificate will be displayed. Type y at the prompt to confirm the information and create the entitlement certificate.
    If your CA private key requires a pass phrase to sign certificates, enter it at the prompt.
    Repositories to be included in the entitlement certificate:
    
      Custom Entitlements
        /protected/$basearch/os
    
      Red Hat Repositories
        Red Hat Update Infrastructure 1.2 (RPMs)
        Red Hat Update Infrastructure 1.2 (SRPMS)
    
    Proceed? (y/n) y
    
    ......+++
    ..+++
    Enter pass phrase for /etc/pki/rhui/entitlement-ca-key.pem:
    Entitlement certificate created at /tmp/certs/rhui_and_custom.crt
    
    ------------------------------------------------------------------------------
    rhui (client) =>
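
The check below is an added example, not part of the original documentation or of RHUI Manager. Before the files from Procedure 7.1 are packaged in Procedure 7.2, it confirms that the certificate is signed by the entitlement CA, that the private key belongs to it, that it is not close to expiry, and that the key file is not accessible to group or other. The function name check_entitlement and the 30-day default are assumptions; supply the CA certificate that corresponds to your entitlement CA signing key.

```shell
#!/bin/sh
# Added example: sanity-check an entitlement certificate and its key before
# they are packaged into a client configuration RPM.
# Usage: check_entitlement CERT KEY CA_CERT [MIN_DAYS_LEFT]
check_entitlement() {
    crt=$1 key=$2 ca=$3 min_days=${4:-30}   # 30 days is an assumed default
    rc=0

    # 1. The certificate must chain to the signing CA. The output is matched
    #    because old openssl releases exit 0 even when verification fails.
    if ! openssl verify -CAfile "$ca" "$crt" 2>&1 | grep -q ': OK$'; then
        echo "FAIL: $crt is not signed by $ca" >&2; rc=1
    fi

    # 2. The private key must belong to this certificate (same public key).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2; rc=1
    fi

    # 3. The certificate must remain valid for at least MIN_DAYS_LEFT days.
    if ! openssl x509 -in "$crt" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $crt expires within $min_days days" >&2; rc=1
    fi

    # 4. The key must carry no group or other permission bits (GNU stat).
    case $(stat -c %a "$key") in
        *00) ;;
        *) echo "FAIL: $key is accessible to group/other" >&2; rc=1 ;;
    esac

    return $rc
}

# Run directly when three paths are supplied, for example:
#   sh check.sh /tmp/certs/rhui_and_custom.crt \
#       /tmp/certs/rhui_and_custom.key CA_CERT
# where CA_CERT is a placeholder for your entitlement CA certificate.
if [ "$#" -ge 3 ]; then
    check_entitlement "$@"
fi
```

A non-zero exit status means at least one check failed; the reasons are printed to standard error.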
    

Procedure 7.2. Create a Client Configuration RPM

  1. From the Create Certificates and Configuration RPMs screen, type c at the prompt to create a client configuration RPM:
    rhui (client) => c
    
  2. Enter a path to a local directory to save the configuration files to. Leave the field blank to save to the current working directory:
    Local directory in which the client configuration files generated by this tool
    should be stored (if this directory does not exist, it will be created):
    /tmp/test-client
    
  3. Enter a name for the RPM. Do not specify the .rpm extension:
    Name of the RPM:
    test-client
    
  4. Enter a version number for the configuration RPM. Leave the field blank to use version 2.0:
    Version of the configuration RPM [2.0]:
    
  5. Enter the full path to the entitlement certificate to be used (the entitlement certificate is generated in Procedure 7.1, “Generate an Entitlement Certificate”):
    Full path to the entitlement certificate authorizing 
    the client to access specific channels:
    /tmp/certs/rhui_and_custom.crt
    
  6. Enter the full path to the private key to be used with the entitlement certificate (the private key is generated in Procedure 7.1, “Generate an Entitlement Certificate”):
    Full path to the private key for the above entitlement certificate:
    /tmp/certs/rhui_and_custom.key
    
  7. Enter the full path to the CA certificate that was used to sign the CDS SSL certificates. This is used by yum on the client, when it attempts to connect to the CDS:
    Full path to the CA certificate used to sign the CDS SSL certificate:
    /etc/pki/rhui/entitlement-ca.crt
    
  8. All CDS instances are able to function as load balancers. You must nominate one CDS as the primary load balancer; if that CDS becomes unavailable, or is unable to function as a load balancer, load balancing tasks fall to the other available CDS instances. Select a CDS instance to be the primary load balancer for the client:
    Select the CDS instance that should be the primary load balancer for the
    client. All other CDS instances will be listed as back up load balancers
    in the client's mirror list:
    
      1  - cds-1.example.com
      2  - cds-2.example.com
    Enter value (1-2) or 'b' to abort: 2
    
    A list of the CDS instances to be used for load balancing will be displayed, in priority order:
    Load Balancer Order:
      cds-2.example.com
      cds-1.example.com
    
  9. A list of all unprotected repositories will be displayed. Select which repositories (if any) to include in the RPM by typing the number of the repository at the prompt. Typing the number of a repository will place a checkmark next to the name of that repository. Continue until all repositories you wish to add have been checked, and then type c at the prompt to confirm. If you don't want to add any repositories to the RPM, leave all repositories unchecked and type c at the prompt to confirm.
    Unprotected repositories that are added to the RPM will be included in the generated .repo file, along with the repository definitions for all entitlements included in the certificate.
    Select any unprotected repositories to be included in the client configuration:
      -  1 : Unprotected Repo 1
    Enter value from (1-1) to toggle selection, 'c' to confirm selections, or '?'
    for more commands: 1
    
    Select any unprotected repositories to be included in the client configuration:
      x  1 : Unprotected Repo 1
    Enter value from (1-1) to toggle selection, 'c' to confirm selections, or '?'
    for more commands: c
    
  10. The client configuration RPM will be created, and the location of the file displayed:
    Successfully created client configuration RPM.
    RPMs can be found at /tmp/test-client
    
    ------------------------------------------------------------------------------
    rhui (client) =>