How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 9.x
    • 8.x
    • 7.x
    • 6.1 (and later)
    • 5.8 (and later)
  • Red Hat Subscription Management (RHSM)
  • Red Hat Satellite
    • 5.6 and 5.7 (if migrated from RHN -> RHSM)
    • 5.8
    • 6

Issue

  • How do I configure my system so that yum can access Red Hat Subscription Management (RHSM) through a firewall or proxy?
  • What URLs and ports do I need to configure in my proxy server to access RHSM?
  • How do I access RHSM (yum) through a firewall?
  • Not able to register due to network error
  • Red Hat Satellite 6 is unable to sync content from Red Hat. I suspect it is the company firewall blocking the traffic. What hostnames do I need to give to the network security team to allow content syncing?
  • Our network team says they need IP addresses to enable them to allow our Red Hat Satellite 6 installation to talk to the Content Delivery Network. We cannot use host names and must use IP address or ranges.

Resolution

  • It is necessary to allow the following host names and ports on the outgoing network firewall to enable yum and subscription-manager to access Red Hat subscription services and Content Delivery Network (This remains the same for issues with Satellite 5.8 and Satellite 6+ syncing):
    • subscription.rhn.redhat.com:443 [https] AND subscription.rhsm.redhat.com:443 [https] (This is the new default address in newer versions of RHEL 7)
    • cdn.redhat.com:443 [https]
    • *.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]
  • It is not recommended to specify the IP addresses because the packages are distributed through the Akamai network and the IP addresses are subject to change. However, if your firewall is unable to use host name filtering, Red Hat provides a pool of IP addresses that should provide CDN delivery.
    • To pull container images, you also need to allow the AWS domains, as per the article aws.
    • If you use china.cdn.redhat.com instead of cdn.redhat.com due to network delay, you need to allow the domain name china.cdn.redhat.com and port 443 on the outgoing network firewall.
  • Note: If the system is behind an HTTP proxy, add the details in /etc/rhsm/rhsm.conf as follows:

    # an http proxy server to use (enter server FQDN)
    proxy_hostname = myproxy.example.com 
    
    # port for http proxy server
    proxy_port = 8080
    
    # user name for authenticating to an http proxy, if needed
    proxy_user = proxy_username
    
    # password for basic http proxy auth, if needed
    proxy_password = proxy_password
    

Root Cause

  • Firewall or proxy is not configured for access to RHSM.
  • Some firewalls or organizations cannot use hostnames and might need more granular control.

Diagnostic Steps

Some examples of errors seen when subscription-manager is not able to access the above URLs because of a firewall and/or proxy:

  • Seeing this error (in /var/log/rhsm/rhsm.log) when trying to run subscription-manager register:

    2014-04-16 18:07:53,063 [INFO]  @connection.py:657 - Connection Built: host: subscription.rhn.redhat.com, port: 443, handler: /subscription
    2014-04-16 18:07:53,108 [DEBUG]  @connection.py:420 - Loading CA PEM certificates from: /etc/rhsm/ca/
    2014-04-16 18:07:53,108 [DEBUG]  @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/redhat-uep.pem'
    2014-04-16 18:07:53,109 [DEBUG]  @connection.py:402 - Loading CA certificate: '/etc/rhsm/ca/candlepin-stage.pem'
    2014-04-16 18:07:53,109 [DEBUG]  @connection.py:426 - Using proxy: proxy.example.com:3128
    2014-04-16 18:07:53,109 [DEBUG]  @connection.py:441 - Making request: GET https://subscription.rhn.redhat.com:443/subscription/
    2014-04-16 18:07:53,173 [ERROR]  @utils.py:361 - Error while checking server version: [Errno 111] Connection refused
    2014-04-16 18:07:53,174 [ERROR]  @utils.py:363 - [Errno 111] Connection refused
    Traceback (most recent call last):
    File "/usr/share/rhsm/subscription_manager/utils.py", line 341, in get_server_versions
    if cp.supports_resource("status"):
    File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 683, in supports_resource
    self._load_supported_resources()
    File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 670, in _load_supported_resources
    resources_list = self.conn.request_get("/")
    File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 541, in request_get
    return self._request("GET", method)
    File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 448, in _request
    conn.request(request_type, handler, body=body, headers=headers)
    File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)
    File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()
    File "/usr/lib64/python2.6/site-packages/rhsm/connection.py", line 200, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
    File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
    File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
    File "/usr/lib64/python2.6/httplib.py", line 739, in send
    self.connect()
    File "/usr/lib64/python2.6/site-packages/M2Crypto/httpslib.py", line 192, in connect
    HTTPConnection.connect(self)
    File "/usr/lib64/python2.6/httplib.py", line 720, in connect
    self.timeout)
    File "/usr/lib64/python2.6/socket.py", line 567, in create_connection
    raise error, msg
    error: [Errno 111] Connection refused
    

    Solution: Add the client machine IP to the corporate firewall to allow access to subscription.rhn.redhat.com.

  • Seeing this error when running yum:

    [root@rhsm ~]# yum update
    Loaded plugins: product-id, rhnplugin, security, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    This system is receiving updates from RHN Classic or RHN Satellite.
    Error: failed to retrieve repodata/89cb7993fa65f2293e1b188014e0266343598f276e1af053c3189f6db6b488b1-primary.xml.gz from rhel-x86_64-server-6
    error was [Errno 14] PYCURL ERROR 22 - "The requested URL returned error: 407 Proxy Authentication Required"
    

    Solution: Add proxy information to /etc/rhsm/rhsm.conf

  • Seeing this error when registering system behind firewall to RHSM:

    Unable to verify server's identity: (104, 'Connection reset by peer')
    
  • tcpdump output shows that the firewall has rules in its web filter that possibly obstruct or modify packets sent to the server.

    • Check the time setting on the system:

      • SSL depends on appropriate date and time ranges. Make sure the system has the current time and date.

         # grep ZONE /etc/sysconfig/clock
        
      • The time should match between the TZ time and the current date/time

         # date
        
      • RHEL 5 and RHEL 6:

         # ntpq -p
        
      • RHEL 7:

         # chronyc sources
        

        or

         # chronyc tracking
         (To check for any jitter)
        
    • Check intranet and proxy configuration:
      Make sure that the local network has appropriate routes and SSL proxy rules are set, to be able to connect to the outside network.
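
The host list in the Resolution section and the proxy check above can be exercised together from the client. The script below is an added example, not Red Hat code: it reads the proxy_* keys from an rhsm.conf-style file and requests each fixed host name over HTTPS through that proxy. The function names are hypothetical, curl is assumed to be installed, and the wildcard Akamai names are left out because they cannot be probed directly.

```shell
#!/usr/bin/env bash
# Added example (not Red Hat code); function names are hypothetical.
# Fixed host names from the Resolution list of this article.
RHSM_HOSTS="subscription.rhn.redhat.com subscription.rhsm.redhat.com cdn.redhat.com"

# rhsm_conf_get FILE KEY: print the value of "KEY = value" (last match wins).
rhsm_conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# rhsm_proxy_url FILE: print http://host:port, or nothing if either key is unset.
rhsm_proxy_url() {
    local host port
    host=$(rhsm_conf_get "$1" proxy_hostname)
    port=$(rhsm_conf_get "$1" proxy_port)
    if [ -n "$host" ] && [ -n "$port" ]; then
        printf 'http://%s:%s\n' "$host" "$port"
    fi
}

# rhsm_curl_config FILE: proxy settings as curl config lines, fed to curl on stdin
# so the password stays out of the process list (values with " or \ need escaping).
rhsm_curl_config() {
    local proxy user pass
    proxy=$(rhsm_proxy_url "$1")
    user=$(rhsm_conf_get "$1" proxy_user)
    pass=$(rhsm_conf_get "$1" proxy_password)
    [ -n "$proxy" ] || return 0
    printf 'proxy = "%s"\n' "$proxy"
    if [ -n "$user" ]; then printf 'proxy-user = "%s:%s"\n' "$user" "$pass"; fi
}

# rhsm_check_hosts FILE: per host, HTTP status, proxy CONNECT status, curl exit code.
rhsm_check_hosts() {
    local host out rc
    for host in $RHSM_HOSTS; do
        out=$(rhsm_curl_config "$1" | curl -K - -s -o /dev/null --connect-timeout 10 \
              -w 'http=%{http_code} connect=%{http_connect}' "https://$host/")
        rc=$?
        echo "$host $out curl_exit=$rc"
    done
}
```

Run `rhsm_check_hosts /etc/rhsm/rhsm.conf` as root on the affected client. A line with `http=000` and a non-zero `curl_exit` means no HTTP response came back from that host, and `connect=407` corresponds to the proxy authentication error shown earlier.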

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
