RH342 - ch06s07

Bookmark this page

Managing Red Hat Subscriptions

Objectives

Red Hat Subscription Manager

Red Hat Enterprise Linux systems must be entitled to receive software packages. The Red Hat Subscription Manager (RHSM) service manages software entitlements and tracks subscription status with X.509 certificates. The system entitlement process consists of the following steps.

Add products to a system, which occurs when the system or additional software is installed.
Register the system with the Red Hat Customer Portal hosted server or an on-premise Red Hat Satellite server. When successful, the system stores an identity certificate.
Attach subscriptions to the system. When successful, the system stores one or more entitlement certificates.

The subscription-manager tool and rhsmcertd service are both integral to the preceding process. The subscription-manager tool registers systems to the RHSM service and can attach subscriptions to a system. The rhsmcertd service periodically validates current certificates and identifies which certificates require renewal.

RHSM client systems must be able to reach the Red Hat subscription management service and Content Delivery Network (CDN). The default RHSM and CDN servers are subscription.rhsm.redhat.com and cdn.redhat.com, at port 443.

Managing Subscriptions via a GUI

On systems where a GUI is installed, the Red Hat Subscription Manager application is available to configure and manage Red Hat subscriptions. Alternatively, the application is accessible from the web console in the Subscriptions menu.

When the Red Hat Subscription Manager application first launches, a window displays the system's RHSM status, purpose, and any installed products.

Figure 6.1: Red Hat Subscription Manager main menu

Click Register to start the RHSM registration process and display the Register System screen.

Figure 6.2: Red Hat Subscription Manager Register System screen

On the Register System screen, the URL field sets the RHSM server. Selecting Default uses subscription.rhsm.redhat.com. If your organization uses Red Hat Satellite, then provide your Satellite server location instead. If a proxy is required to reach the service, then select Use proxy server and enter the connection information in the additional fields.

With the Method option, systems can register with a Red Hat account or an Activation key. For the Account option, enter your Red Hat Customer Portal user name, password, and organization. Alternatively, for the Activation key option, create a key on the Red Hat Customer Portal, and copy it here.

The screen provides options to automatically attach subscriptions and to subscribe the system to Red Hat Insights. Finish the system registration by clicking Register. The system is now subscribed and ready to install Red Hat software and receive updates.

Managing Subscriptions via the CLI

The subscription-manager command provides the same functionality as the GUI application, and command-line options can override default values. For example, the --serverurl option can specify an RHSM or Satellite server other than subscription.rhsm.redhat.com.

The subscription-manager register command registers a system with the RHSM service. Like the GUI application, use either Red Hat Customer Portal credentials or an activation key to register. Specify usernames and passwords with the --username and --password options, or an activation key with the --activation-key option. By default, subscription-manager prompts for a username and password. You can also use options to specify proxy host and authentication credentials.

[root@host ~]# subscription-manager register
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: redhat-account-username
Password: SecretPassw0rd!
The system has been registered with ID: 30675802-cb74-45b8-a5d6-620f195a031a
The registered system name is: host.lab.example.com

Note

For customized registration commands, the Registration Assistant Red Hat Customer Portal lab is available at `

https://access.redhat.com/labs/registrationassistant`.

After a system is registered, its installed products must become entitled by attaching subscriptions to them.

The --auto-attach option attaches subscriptions during system registration, but might create unintended results by consuming high support service-level subscriptions on a non-production machine. To mitigate this behavior, use the subscription-manager service-level command to set a preferred service level for installed products on this system. For example, subscription-manager service-level --set=Self-Support selects only "Self-Support" subscriptions when using --auto-attach.

The subscription-manager list --installed command displays a list of installed products and their current status.

[root@host ~]# subscription-manager list --installed
-------------------------------------------
    Installed Product Status
-------------------------------------------
Product Name:   Red Hat Enterprise Linux for x86_64
Product ID:     479
Version:        8.4
Arch:           x86_64
Status:         Not Subscribed
Status Details:
Starts:
Ends:

The subscription-manager list --available command lists the subscriptions that are available to attach to a system. The Provides entries show the supported products for this subscription.

[root@host ~]# subscription-manager list --available
-------------------------------------------
    Available Subscriptions
-------------------------------------------
Subscription Name:   Red Hat Developer Subscription for Individuals
Provides:            Red Hat Developer Tools (for RHEL Server for ARM)
                     Red Hat Enterprise Linux for x86_64
                     ...output omitted...
SKU:                 RH00798
Contract:
Pool ID:             2c9280817671500s0176dffde5147c39
Provides Management: No
Available:           3
Suggested:           1
Service Type:
Roles:               Red Hat Enterprise Linux Server
                     Red Hat Enterprise Linux Workstation
                     Red Hat Enterprise Linux Compute Node
Service Level:       Self-Support
Usage:               Development/Test
Add-ons:
Subscription Type:   Standard
Starts:              01/07/2021
Ends:                01/06/2022
Entitlement Type:    Virtual
...output omitted...

The subscription-manager attach command attaches subscriptions to products. Use the --pool option to specify subscriptions via their Pool ID.

[root@host ~]# subscription-manager attach --pool 2c9280817671500s0176dffde5147c39
Successfully attached a subscription for: Red Hat Developer Subscription for Individuals

The subscription-manager repos command manages software repositories. The --list option displays the available software repositories for this product and their enabled state. Alternatively, use --list-enabled and --list-disabled to restrict the list. Use the --enable and --disable options to include or exclude specified repositories. Wildcards can specify multiple repository IDs, and enable or disable more than one ID at a time. Disabling a repository disallows rpm or yum to locate software from those repositories.

[root@host ~]# subscription-manager repos --list-enabled
----------------------------------------------------------
    Available Repositories in /etc/yum.repos.d/redhat.repo
----------------------------------------------------------
Repo ID:   rhel-8-for-x86_64-baseos-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/baseos/os
Enabled:   1

Repo ID:   rhel-8-for-x86_64-appstream-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/appstream/os
Enabled:   1

The subscription-manager remove command removes attached subscriptions. Using --all matches all attached subscriptions, and using --serial or --pool options matches subscriptions based on their serial number or Pool ID.

View attached subscriptions with the subscription-manager list --consumed command.

[root@host ~]# subscription-manager list --consumed
-------------------------------------------
   Consumed Subscriptions
-------------------------------------------
Subscription Name:   Red Hat Developer Subscription for Individuals
Provides:            Red Hat Developer Tools (for RHEL Server for ARM)
                     Red Hat Enterprise Linux for x86_64
                     ...output omitted...
SKU:                 RH00798
Contract:
Pool ID:             2c9280817671500s0176dffde5147c39
Provides Management: No
Available:           3
Suggested:           1
Service Type:
Roles:               Red Hat Enterprise Linux Server
                     Red Hat Enterprise Linux Workstation
                     Red Hat Enterprise Linux Compute Node
Service Level:       Self-Support
Usage:               Development/Test
Add-ons:
Subscription Type:   Standard
Starts:              01/07/2021
Ends:                01/06/2022
Entitlement Type:    Virutal
...output omitted...

[root@host ~]# subscription-manager remove --pool 2c9280817671500s0176dffde5147c39
1 local certificate has been deleted.
The entitlement server successfully removed these pools:
   2c9280817671500s0176dffde5147c39
...output omitted...

The subscription-manager unregister command removes a system from the RHSM service. This command removes all attached subscriptions to this system and deletes the locally stored identity and entitlement certificates.

[root@host ~]# subscription-manager unregister
Unregistering from: subscription.rhsm.redhat.com:443/subscription
System has been unregistered.

Troubleshooting Red Hat Subscription Management

The Red Hat Subscription Manager (RHSM) service has two primary log files in the /var/log/rhsm directory: rhsm.log and rhsmcertd.log. Log messages generated by the subscription-manager command and Red Hat Subscription Manager GUI application are written to rhsm.log. Log messages generated by rhsmcertd are written to rhsmcertd.log.

Examining Configuration Files

The primary configuration file for RHSM is /etc/rhsm/rhsm.conf, and /etc/rhsm/pluginconf.d might contain additional configuration files for RHSM plug-ins.

In the top section of the rhsm.conf file, the [server] section includes RHSM server variables and the proxy server variables if needed.

[server]
# Server hostname:
hostname = subscription.rhsm.redhat.com

# Server prefix:
prefix = /subscription

# Server port:
port = 443

...output omitted...

# an http proxy server to use
proxy_hostname =

# The scheme to use for the proxy when updating repo definitions, if needed
proxy_scheme = http

# port for http proxy server
proxy_port =

# user name for authenticating to an http proxy, if needed
proxy_user =

# password for basic http proxy auth, if needed
proxy_password =

The [rhsm] section defines the URL for the Red Hat Content Delivery Network (CDN). This section also defines the directories for storing X.509 certificates.

[rhsm]
# Content base URL:
baseurl = https://cdn.redhat.com

...output omitted...

# Server CA certificate location:
ca_cert_dir = /etc/rhsm/ca/

...output omitted...

# Where the certificates should be stored
productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

...output omitted...

The [rhsmcertd] section defines the runtime intervals for the rhsmcertd daemon.

# Interval to run cert check (in minutes):
certCheckInterval = 240
# Interval to run auto-attach (in minutes):
autoAttachInterval = 1440

The /etc/yum/pluginconf.d/subscription-manager.conf configuration file sets whether YUM uses RHSM repositories. The enabled setting is set to 1 by default.

[main]
enabled=1

Inspecting Certificates

X.509 certificates are stored in /etc/pki subdirectories. The consumer subdirectory stores the server identity key and certificate.

[root@host ~]# ls -l /etc/pki/consumer
total 8
-rw-r-----. 1 root root 2228 Oct 14 07:55 cert.pem
-rw-r-----. 1 root root 3243 Oct 14 07:55 key.pem

The product and product-default subdirectories contain product certificates.

[root@host ~]# ls -l /etc/pki/product-default
total 4
-rw-r--r--. 1 root root 2171 Mar 31  2021 479.pem

The entitlement subdirectory contains the subscription certificates.

[root@host ~]# ls /etc/pki/entitlement
total 340
-rw-r--r--. 1 root root   3243 Oct 14 07:55 7898548-key.pem
-rw-r--r--. 1 root root 343003 Oct 14 07:55 7898548.pem

The rct cat-cert command displays the fields and values that are embedded in RHSM X.509 certificates. Use rct cat-cert to compare entitlement certificate IDs with corresponding product certificate IDs.

[root@host ~]# rct cat-cert /etc/pki/product-default/479.pem | grep ID:
 ID: 479
[root@host ~]# rct cat-cert /etc/pki/entitlement/7898548.pem | grep 'ID: 479'
 ID: 479

Diagnosing Network Connectivity

The subscription-manager command must be able to reach RHSM servers. Use the curl command to diagnose network connectivity issues.

The following example shows a successful connection to Red Hat's CDN.

[root@host ~]# curl --head --key /etc/pki/entitlement/7898548-key.pem --cert /etc/pki/entitlement/7898548.pem --cacert /etc/rhsm/ca/redhat-uep.pem https://cdn.redhat.com
HTTP/1.1 403 Forbidden
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 263
Expires: Thu, 14 Oct 2021 12:23:49 GMT
Date: Thu, 14 Oct 2021 12:23:49 GMT
X-Cache: TCP_DENIED from a204-2-243-134.deploy.akamaitechnologies.com (AkamaiGHost/10.4.4-34529956) (-)
Connection: keep-alive
EJ-HOST: authorizer-prod-dc-iad2-4-9jw2j
X-Akamai-Request-ID: 3e7f845

Disregard the 403 Forbidden HTTP error. If any HTTP response is received, then you successfully verified the ability to locate and reach a CDN server.

References

Registration Assistant subscription-manager(8), rct(8), and rhsmcertd(8) man pages

Discuss Red Hat Enterprise Linux Diagnostics and Troubleshooting

Go to community

Welcome to the Red Hat Enterprise Linux Diagnostics and Troubleshooting (RH342) group!

cschunke

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Enterprise Linux Diagnostics and Troubleshooting! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH342.Read more about Red Hat Enterprise Linux Diagnostics and Troubleshooting here.

445

Revision: rh342-8.4-6dd89bd

Click Create to build all of the virtual machines needed for the classroom lab environment. This may take several minutes to complete. Once created the environment can then be stopped and restarted to pause your experience.
When a lab is created, click Start to run all of the virtual machines in the classroom.
Click Stop to stop all the virtual machines from running. This will not delete your lab.
If you Delete your lab, you will remove all of the virtual machines in your classroom and lose all of your progress.

Virtual machine actions

Click Start to power on the virtual machine.
Click Shutdown to gracefully shut down the virtual machine, preserving disk contents.
Click Power off to forcefully shut down the virtual machine, while still preserving disk contents.
Click Open console to connect to the system console of the virtual machine in a new browser.

Auto-stop timer

The Red Hat Learning Subscription entitles you to set allotment of lab time.
To help conserving your allotted time, the lab environment uses automatic timers to stop or destroy your lab environment when the timer expires.

Click the Auto-stop button [+] to extend the time you would like to spend with the labs.
Click the Auto-destroy button [+] to add day(s) to the auto-destroy timer.

Auto-stop has a maximum of 11 hours, and auto-destroy has a maximum of 14 days.
Be careful to keep the timers set while you are working, so that your environment doesn't shut down unexpectedly.
We also suggest not to set the auto-timers unnecessarily high, which could waste your lab time allotment