Chapter 9. Managing activation keys
Activation keys provide a method to automate system registration and subscription attachment. You can create multiple keys and associate them with different environments and content views. For example, you might create a basic activation key with a subscription for Red Hat Enterprise Linux workstations and associate it with content views from a particular environment.
If you have Simple Content Access (SCA) enabled on Satellite, you cannot attach subscriptions to your activation key. With SCA enabled, you do not need to have subscriptions attached to your hosts. Note that SCA is enabled by default for newly created organizations. To learn more about SCA, see Simple Content Access.
You can use activation keys during content host registration to improve the speed, simplicity and consistency of the process. Note that activation keys are used only when hosts are registered. Changes made to an activation key apply only to hosts that are registered with the amended activation key in the future. The changes are not made to existing hosts.
Activation keys can define the following properties for content hosts:
- Associated subscriptions and subscription attachment behavior
- Available products and repositories
- A lifecycle environment and a content view
- Host collection membership
- System purpose
Content view conflicts between host creation and registration
When you provision a host, Satellite uses provisioning templates and other content from the content view that you set in the host group or host settings. When the host is registered, the content view from the activation key overwrites the original content view from the host group or host settings. Then Satellite uses the content view from the activation key for every future task, for example, rebuilding a host.
When you rebuild a host, ensure that you set the content view that you want to use in the activation key and not in the host group or host settings.
Using the same activation key with multiple content hosts
You can apply the same activation key to multiple content hosts if it contains enough subscriptions. However, activation keys set only the initial configuration for a content host. When the content host is registered to an organization, the organization’s content can be attached to the content host manually.
Using multiple activation keys with a content host
A content host can be associated with multiple activation keys that are combined to define the host settings. In case of conflicting settings, the last specified activation key takes precedence. You can specify the order of precedence by setting a host group parameter as follows:
$ hammer hostgroup set-parameter \
--hostgroup "My_Host_Group" \
--name "My_Activation_Key" \
--value "name_of_first_key", "name_of_second_key", ...
9.1. Best practices for activation keys
- Create an activation key for each use case. This structures, modularizes, and simplifies content management on hosts.
- Use a naming convention for activation keys to indicate the content and lifecycle environment, for example, red-hat-enterprise-linux-webserver.
- Automate activation key management by using a Hammer script or an Ansible playbook.
9.2. Creating an activation key
You can use activation keys to define a specific set of subscriptions to attach to hosts during registration. The subscriptions that you add to an activation key must be available within the associated content view.
If you have Simple Content Access (SCA) enabled on Satellite, you cannot attach subscriptions to your activation key. With SCA enabled, you do not need to have subscriptions attached to your hosts. Note that SCA is enabled by default for newly created organizations. To learn more about SCA, see Simple Content Access.
Subscription Manager attaches subscriptions differently depending on the following factors:
- Are there any subscriptions associated with the activation key?
- Is the auto-attach option enabled?
- For Red Hat Enterprise Linux 8 hosts: Is there system purpose set on the activation key?
Note that Satellite automatically attaches subscriptions only for the products installed on a host. For subscriptions that do not list products installed on Red Hat Enterprise Linux by default, such as the Extended Update Support (EUS) subscription, use an activation key specifying the required subscriptions and with the auto-attach disabled.
Based on the previous factors, there are three possible scenarios for subscribing with activation keys:
Activation key that attaches subscriptions automatically.
With no subscriptions specified and auto-attach enabled, hosts using the activation key search for the best fitting subscription from the ones provided by the content view associated with the activation key. This is similar to entering the subscription-manager --auto-attach command. For Red Hat Enterprise Linux 8 hosts, you can configure the activation key to set system purpose on hosts during registration to enhance the automatic subscriptions attachment.
Activation key providing a custom set of subscriptions for auto-attach.
If there are subscriptions specified and auto-attach is enabled, hosts using the activation key select the best fitting subscription from the list specified in the activation key. Setting system purpose on the activation key does not affect this scenario.
Activation key with the exact set of subscriptions.
If there are subscriptions specified and auto-attach is disabled, hosts using the activation key are associated with all subscriptions specified in the activation key. Setting system purpose on the activation key does not affect this scenario.
Custom products
If a custom product, typically containing content not provided by Red Hat, is assigned to an activation key, this product is always enabled for the registered content host regardless of the auto-attach setting.
To use the CLI instead of the Satellite web UI, see the CLI procedure.
Procedure
- In the Satellite web UI, navigate to Content > Lifecycle > Activation Keys and click Create Activation Key.
- In the Name field, enter the name of the activation key.
- If you want to set a limit, clear the Unlimited hosts checkbox, and in the Limit field, enter the maximum number of systems you can register with the activation key. If you want unlimited hosts to register with the activation key, ensure the Unlimited Hosts checkbox is selected.
- Optional: In the Description field, enter a description for the activation key.
- From the Environment list, select the environment to use.
- From the Content View list, select a content view to use.
If Simple Content Access (SCA) is enabled:
- In the Repository Sets tab, ensure only your named repository is enabled.
If SCA is not enabled:
- Click the Subscriptions tab, then click the Add submenu.
- Click the checkbox under the subscription you created before.
- Click Add Selected.
- Click Save.
- Optional: For Red Hat Enterprise Linux 8 hosts, in the System Purpose section, you can configure the activation key with system purpose to set on hosts during registration to enhance subscriptions auto attachment.
CLI procedure
Create the activation key:
# hammer activation-key create \
--name "My_Activation_Key" \
--unlimited-hosts \
--description "Example Stack in the Development Environment" \
--lifecycle-environment "Development" \
--content-view "Stack" \
--organization "My_Organization"
Optional: For Red Hat Enterprise Linux 8 hosts, enter the following command to configure the activation key with system purpose to set on hosts during registration to enhance subscriptions auto attachment.
# hammer activation-key update \
--organization "My_Organization" \
--name "My_Activation_Key" \
--service-level "Standard" \
--purpose-usage "Development/Test" \
--purpose-role "Red Hat Enterprise Linux Server" \
--purpose-addons "addons"
Obtain a list of your subscription IDs:
# hammer subscription list --organization "My_Organization"
Attach the Red Hat Enterprise Linux subscription UUID to the activation key:
# hammer activation-key add-subscription \
--name "My_Activation_Key" \
--subscription-id My_Subscription_ID \
--organization "My_Organization"
List the product content associated with the activation key:
If Simple Content Access (SCA) is enabled:
# hammer activation-key product-content \
--content-access-mode-all true \
--name "My_Activation_Key" \
--organization "My_Organization"
If SCA is not enabled:
# hammer activation-key product-content \
--name "My_Activation_Key" \
--organization "My_Organization"
Override the default auto-enable status for the Red Hat Satellite Client 6 repository. The default status is set to disabled. To enable, enter the following command:
# hammer activation-key content-override \
--name "My_Activation_Key" \
--content-label rhel-7-server-satellite-client-6-rpms \
--value 1 \
--organization "My_Organization"
9.3. Updating subscriptions associated with an activation key
This procedure is only valid if you have Simple Content Access (SCA) disabled on your Satellite. With SCA enabled, you do not need to have subscriptions attached to your hosts. Note that SCA is enabled by default for newly created organizations. To learn more about SCA, see Simple Content Access.
Use this procedure to change the subscriptions associated with an activation key. To use the CLI instead of the Satellite web UI, see the CLI procedure.
Note that changes to an activation key apply only to machines provisioned after the change. To update subscriptions on existing content hosts, see Section 2.7, “Updating Red Hat subscriptions on multiple hosts”.
Procedure
- In the Satellite web UI, navigate to Content > Lifecycle > Activation Keys and click the name of the activation key.
- Click the Subscriptions tab.
- To remove subscriptions, select List/Remove, and then select the checkboxes to the left of the subscriptions to be removed and then click Remove Selected.
- To add subscriptions, select Add, and then select the checkboxes to the left of the subscriptions to be added and then click Add Selected.
- Click the Repository Sets tab and review the repositories' status settings.
- To enable or disable a repository, select the checkbox for a repository and then change the status using the Select Action list.
- Click the Details tab, select a content view for this activation key, and then click Save.
CLI procedure
List the subscriptions that the activation key currently contains:
# hammer activation-key subscriptions \
--name My_Activation_Key \
--organization "My_Organization"
Remove the required subscription from the activation key:
# hammer activation-key remove-subscription \
--name "My_Activation_Key" \
--subscription-id ff808181533518d50152354246e901aa \
--organization "My_Organization"
For the --subscription-id option, you can use either the UUID or the ID of the subscription.
Attach a new subscription to the activation key:
# hammer activation-key add-subscription \
--name "My_Activation_Key" \
--subscription-id ff808181533518d50152354246e901aa \
--organization "My_Organization"
For the --subscription-id option, you can use either the UUID or the ID of the subscription.
List the product content associated with the activation key:
# hammer activation-key product-content \
--name "My_Activation_Key" \
--organization "My_Organization"
Override the default auto-enable status for the required repository:
# hammer activation-key content-override \
--name "My_Activation_Key" \
--content-label content_label \
--value 1 \
--organization "My_Organization"
For the --value option, enter 1 for enable, 0 for disable.
9.4. Using activation keys for host registration
You can use activation keys to complete the following tasks:
- Registering new hosts during provisioning through Red Hat Satellite. The kickstart provisioning templates in Red Hat Satellite contain commands to register the host using an activation key that is defined when creating a host.
- Registering existing Red Hat Enterprise Linux hosts. Configure Subscription Manager to use Satellite Server for registration and specify the activation key when running the subscription-manager register command.
You can register hosts with Satellite using the host registration feature in the Satellite web UI, Hammer CLI, or the Satellite API. For more information, see Registering Hosts in Managing hosts.
Procedure
- In the Satellite web UI, navigate to Hosts > Register Host.
- From the Activation Keys list, select the activation keys to assign to your host.
- Click Generate to create the registration command.
- Click on the files icon to copy the command to your clipboard.
- Connect to your host using SSH and run the registration command.
- Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.
CLI procedure
Generate the host registration command using the Hammer CLI:
# hammer host-registration generate-command \
--activation-keys "My_Activation_Key"
If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command. With validation disabled, the host does not verify the identity of Satellite Server during registration.
# hammer host-registration generate-command \
--activation-keys "My_Activation_Key" \
--insecure true
- Connect to your host using SSH and run the registration command.
- Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.
API procedure
Generate the host registration command using the Satellite API:
# curl -X POST https://satellite.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'
If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the --insecure flag to the registration command.
# curl -X POST https://satellite.example.com/api/registration_commands \
--user "My_User_Name" \
-H 'Content-Type: application/json' \
-d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'
Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing content.
To enter a password as a command line argument, use username:password syntax. Keep in mind this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the Satellite web UI, navigate to My Account > Personal Access Tokens.
- Connect to your host using SSH and run the registration command.
- Check the /etc/yum.repos.d/redhat.repo file and ensure that the appropriate repositories have been enabled.
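The redhat.repo check that closes each procedure above can be scripted. The following is an added example, not part of the Satellite documentation: it lists the repositories with enabled = 1 and compares them with the set you expect the activation key to enable. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare repositories enabled in redhat.repo with an expected set.

# Print the ID of every repository section that has enabled = 1 (or true).
enabled_repos() {
    awk '
        /^[ \t]*\[/ {                      # section header: [repo-id]
            id = $0
            sub(/^[ \t]*\[/, "", id)
            sub(/\].*$/, "", id)
            next
        }
        /^[ \t]*enabled[ \t]*=/ {          # enabled = 0 | 1
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == "1" || tolower(val) == "true") print id
        }
    ' "$1" | LC_ALL=C sort
}

# check_repos FILE EXPECTED_ID...
# Prints MISSING/UNEXPECTED lines; returns 0 only when both sets match.
check_repos() {
    file=$1; shift
    actual=$(enabled_repos "$file")
    status=0
    for want in "$@"; do
        if ! printf '%s\n' "$actual" | grep -Fxq -- "$want"; then
            echo "MISSING: $want"; status=1
        fi
    done
    for got in $actual; do
        if ! printf '%s\n' "$@" | grep -Fxq -- "$got"; then
            echo "UNEXPECTED: $got"; status=1
        fi
    done
    return "$status"
}

# Constructed sample of a redhat.repo file (not taken from a real host).
write_sample_repo() {
    cat > "$1" <<'EOF'
[rhel-7-server-rpms]
enabled = 1
[rhel-7-server-satellite-client-6-rpms]
enabled = 0
[rhel-7-server-optional-rpms]
enabled = 1
EOF
}

sample=$(mktemp)
write_sample_repo "$sample"
check_repos "$sample" rhel-7-server-rpms rhel-7-server-satellite-client-6-rpms \
    || echo "redhat.repo does not match the expected repository set"
rm -f "$sample"
```

On a registered host, call check_repos with /etc/yum.repos.d/redhat.repo followed by the repository labels the activation key should enable.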
Multiple activation keys
You can use multiple activation keys when registering a content host. You can then create activation keys for specific subscription sets and combine them according to content host requirements. For example, the following command registers a content host to your organization with both VDC and OpenShift subscriptions:
# subscription-manager register \
--activationkey="ak-VDC,ak-OpenShift" \
--org="My_Organization"
Settings conflicts
If there are conflicting settings in activation keys, the rightmost key takes precedence.
- Settings that conflict: Service Level, Release Version, Environment, Content View, and Product Content.
- Settings that do not conflict and the host gets the union of them: Subscriptions and Host Collections.
- Settings that influence the behavior of the key itself and not the host configuration: Content Host Limit and Auto-Attach.
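The precedence rules above, as an added example that is not part of the Satellite documentation: a small model that merges activation keys in the order they are passed to --activationkey. The key definitions, the pipe-separated format, and the function names are constructed for illustration; Product Content overrides are not modeled.

```shell
#!/bin/sh
# Added example: model of how settings from several activation keys combine.

# effective_settings KEYS_CSV DEFS_FILE
# DEFS_FILE lines: key_name|setting|value (constructed format).
effective_settings() {
    awk -F'|' -v order="$1" '
        BEGIN { n = split(order, k, ","); for (i = 1; i <= n; i++) pos[k[i]] = i }
        !($1 in pos) { next }                        # key not named at registration
        $2 == "subscription" || $2 == "host_collection" {
            out[$2 "=" $3] = 1; next                 # no conflict: host gets the union
        }
        $2 == "host_limit" || $2 == "auto_attach" { next }  # act on the key, not the host
        pos[$1] >= best[$2] { best[$2] = pos[$1]; val[$2] = $3 }  # rightmost key wins
        END {
            for (s in val) out[s "=" val[s]] = 1
            for (l in out) print l
        }
    ' "$2" | LC_ALL=C sort
}

# Constructed key definitions; the key names follow the example above.
write_sample_keys() {
    cat > "$1" <<'EOF'
ak-VDC|environment|Production
ak-VDC|content_view|Base
ak-VDC|service_level|Premium
ak-VDC|subscription|VDC
ak-VDC|host_collection|hypervisor-guests
ak-OpenShift|environment|Development
ak-OpenShift|content_view|OpenShift
ak-OpenShift|subscription|OpenShift
ak-OpenShift|auto_attach|false
EOF
}

defs=$(mktemp)
write_sample_keys "$defs"
echo "--activationkey=ak-VDC,ak-OpenShift"
effective_settings "ak-VDC,ak-OpenShift" "$defs"
echo "--activationkey=ak-OpenShift,ak-VDC"
effective_settings "ak-OpenShift,ak-VDC" "$defs"
rm -f "$defs"
```

With these sample values, swapping the two keys moves the host from the Development environment and OpenShift content view to Production and Base, while the subscriptions and host collections stay the same.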
9.5. Enabling auto-attach
When auto-attach is enabled on an activation key and there are subscriptions associated with the key, the subscription management service selects and attaches the best-matched associated subscriptions based on a set of criteria like currently installed products, architecture, and preferences like service level.
This procedure is only valid if you have Simple Content Access (SCA) disabled on your Satellite. With SCA enabled, you do not need to have subscriptions attached to your hosts. Note that SCA is enabled by default for newly created organizations. To learn more about SCA, see Simple Content Access.
You can enable auto-attach and have no subscriptions associated with the key. This type of key is commonly used to register virtual machines when you do not want the virtual machine to consume a physical subscription, but to inherit a host-based subscription from the hypervisor. For more information, see Configuring virtual machine subscriptions.
Auto-attach is enabled by default. Disable the option if you want to force attach all subscriptions associated with the activation key.
Procedure
- In the Satellite web UI, navigate to Content > Lifecycle > Activation Keys.
- Click the activation key name that you want to edit.
- Click the Subscriptions tab.
- Click the edit icon next to Auto-Attach.
- Select or clear the checkbox to enable or disable auto-attach.
- Click Save.
CLI procedure
Enter the following command to enable auto-attach on the activation key:
# hammer activation-key update \
--name "My_Activation_Key" \
--organization "My_Organization" \
--auto-attach true
9.6. Setting the service level
You can configure an activation key to define a default service level for the new host created with the activation key. Setting a default service level selects only the matching subscriptions to be attached to the host. For example, if the default service level on an activation key is set to Premium, only subscriptions with premium service levels are attached to the host upon registration.
Procedure
- In the Satellite web UI, navigate to Content > Lifecycle > Activation Keys.
- Click the activation key name you want to edit.
- Click the edit icon next to Service Level.
- Select the required service level from the list. The list only contains service levels available to the activation key.
- Click Save.
CLI procedure
Set the service level to Premium on your activation key:
# hammer activation-key update \
--name "My_Activation_Key" \
--organization "My_Organization" \
--service-level premium
9.7. Enabling and disabling repositories on activation key
As a Simple Content Access (SCA) user, you can enable or disable repositories on an activation key in the Satellite web UI.
Procedure
- In the Satellite web UI, navigate to Content > Lifecycle > Activation Keys.
- Select an activation key.
- Select the Repository Sets tab.
- From the dropdown, you can filter the Repository type column to Custom or Red Hat, if desired.
- Select the desired repositories or click the Select All checkbox to select all repositories.
- From the Select Action list, select Override to Enabled, Override to Disabled, or Reset to Default.