Chapter 3. Creating an entitlement certificate and a client configuration RPM


RHUI uses entitlement certificates to ensure that the client making requests on the repositories is authorized by the cloud provider to access those repositories. The entitlement certificate must be signed by the cloud provider’s Certificate Authority (CA) Certificate. The CA Certificate is installed on the CDS as part of its configuration.

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you decide how to subdivide your clients and create a separate certificate for each one. Each certificate can then be used to create individual RPMs.

Prerequisites

  • The entitlement certificate must be signed by the cloud provider’s CA Certificate.

Procedure

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

    [root@rhua ~]# rhui-manager
  2. Press e to select create entitlement certificates and client configuration RPMs.
  3. Press e to select generate an entitlement certificate.
  4. Select which repositories to include in the entitlement certificate by typing the number of the repository at the prompt. Typing the number of a repository places an x next to the name of that repository. Continue until all repositories you want to add have been checked.

    Important

    Include only repositories for a single RHEL version in a single entitlement. Adding repositories for multiple RHEL versions leads to an unusable yum configuration file.

  5. Press c at the prompt to confirm.
  6. Enter a name for the certificate. This name identifies the certificate within the Red Hat Update Infrastructure Management Tool and is used to generate the names of the certificate and key files.

    Name of the certificate. This will be used as the name of the certificate file
    (name.crt) and its associated private key (name.key). Choose something that will
    help identify the products contained with it.
  7. Enter a path to save the certificate. Leave the field blank to save it to the current working directory.
  8. Enter the number of days the certificate should be valid for. Leave the field blank to use the default of 365 days. The tool then displays the details of the repositories to be included in the certificate:

    Repositories to be included in the entitlement certificate:
    
      Red Hat Repositories
        Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Debug RPMs) from RHUI
        Red Hat Enterprise Linux 8 for ARM 64 - AppStream (RPMs) from RHUI
        Red Hat Enterprise Linux 8 for ARM 64 - AppStream (Source RPMs) from RHUI
    
        Proceed? (y/n)
  9. Press y at the prompt to confirm the information and create the entitlement certificate.

Verification

  1. You will see a similar message if the entitlement certificate was created:

    ..........................+++++
    ....+++++
    Entitlement certificate created at ./rhel8-for-rhui4.crt
    
    ------------------------------------------------------------------------------

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you decide how to subdivide your clients and create a separate certificate for each one. Each certificate can then be used to create individual RPMs.

Prerequisites

  • The entitlement certificate must be signed by the cloud provider’s CA Certificate.

Procedure

  1. Use the following command to create an entitlement certificate from the RHUI CLI:

    # rhui-manager client cert --repo_label rhel-8-for-x86_64-appstream-eus-rhui-source-rpms --name rhuiclientexample --days 365 --dir /root/clientcert
    .............................................+++++
    ...............................................................................+++++
    Entitlement certificate created at /root/clientcert/rhuiclientexample.crt

    Note

    Use Red Hat repository labels, not IDs. To get a list of all labels, run the rhui-manager client labels command. If you include a protected custom repository in the certificate, use the repository’s ID instead.

Verification

  1. A similar message displays if you successfully created an entitlement certificate:

    Entitlement certificate created at /root/clientcert/rhuiclientexample.crt

You can verify which cryptographic policies your instance of RHUI is compliant with by checking the client entitlement certificate:

  • Certificates that are generated by RHUI versions 3.1 to 4.0 are compliant with FIPS and DEFAULT cryptographic policies.
  • Certificates that are generated by RHUI versions 4.1 and later are compliant with FIPS, DEFAULT and FUTURE cryptographic policy.

Prerequisites

  • Ensure that you know the location of the client entitlement certificate.

    The default location is /etc/pki/rhui/product/content.crt.

Procedure

  1. In your client RPM, or on the machine where the RPM is installed, run the following command specifying the path where the client entitlement certificate is stored:

    # openssl x509 -noout -text -in /etc/pki/rhui/product/content.crt | grep bit
  2. Check the RSA key length:

    • If the length is 2048 bits, then the client entitlement certificate is not compliant with the FUTURE policy.
    • If the length is 4096 bits, then the client entitlement certificate is compliant with the FUTURE policy.
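The following Python script is an added example (not part of the RHUI documentation or tooling) that automates the check above: it runs the same openssl command, extracts the RSA key length from the output and maps it to the FUTURE-policy verdict the two bullets describe. The sample openssl fragment is constructed; the function name check_certificate is an assumption.

```python
import re
import subprocess

# Matches both the OpenSSL 1.1 form "RSA Public-Key: (2048 bit)" and the
# OpenSSL 3 form "Public-Key: (2048 bit)" in `openssl x509 -text` output.
KEY_BITS_RE = re.compile(r"Public-Key:\s*\((\d+)\s+bit\)")


def parse_key_bits(openssl_text: str) -> int:
    """Extract the RSA modulus size from `openssl x509 -noout -text` output."""
    m = KEY_BITS_RE.search(openssl_text)
    if m is None:
        raise ValueError("no 'Public-Key: (N bit)' line found; not an RSA certificate?")
    return int(m.group(1))


def future_policy_compliant(bits: int) -> bool:
    """Per the docs: 2048-bit keys (RHUI 3.1-4.0) fail the FUTURE policy,
    4096-bit keys (RHUI 4.1 and later) pass it."""
    return bits >= 4096


def check_certificate(path: str = "/etc/pki/rhui/product/content.crt") -> dict:
    """Run the same openssl command as the procedure and classify the result."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-text", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    bits = parse_key_bits(out)
    return {"path": path, "rsa_bits": bits,
            "future_compliant": future_policy_compliant(bits)}


# Constructed fragment of openssl output for a client certificate from RHUI 3.x/4.0.
SAMPLE_2048 = """\
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

if __name__ == "__main__":
    bits = parse_key_bits(SAMPLE_2048)
    print(bits, "bit RSA key; FUTURE compliant:", future_policy_compliant(bits))
```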

When creating RPMs, you can either set a custom repository ID prefix or remove it entirely. By default, the prefix is rhui-.

Procedure

  • On the RHUA node, use the RHUI installer command to set or remove the prefix:

    • Set a custom prefix:

      rhui-installer --rerun --client-repo-prefix CUSTOM_PREFIX
    • Remove the prefix entirely by passing an empty string (two quotation marks) instead of a prefix:

      rhui-installer --rerun --client-repo-prefix ""

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you need to decide how to subdivide your clients and create a separate certificate for each one. You can then use each certificate to create individual RPMs for installation on the appropriate guest images.

Use this procedure to create RPMs with the RHUI Management Tool.

Procedure

  1. Navigate to the Red Hat Update Infrastructure Management Tool home screen:

    [root@rhua ~]# rhui-manager
  2. Press e to select create entitlement certificates and client configuration RPMs.
  3. From the Client Entitlement Management screen, press c to select create a client configuration RPM from an entitlement certificate.
  4. Enter the full path of a local directory to save the configuration files to:

    Full path to local directory in which the client configuration files generated by this tool
    should be stored (if this directory does not exist, it will be created):
  5. Enter the name of the RPM.
  6. Enter the version of the configuration RPM. The default version is 2.0.
  7. Enter the release of the configuration RPM. The default release is 1.
  8. Enter the full path to the entitlement certificate authorizing the client to access specific repositories.
  9. Enter the full path to the private key for the entitlement certificate.
  10. Select any unprotected custom repositories to be included in the client configuration.
  11. Press c to confirm selections or ? for more commands.

Verification

  1. A similar message displays if the RPM was successfully created:

    Successfully created client configuration RPM.
    Location: /tmp/clientrpmtest-2.0/build/RPMS/noarch/clientrpmtest-2.0-1.noarch.rpm

When Red Hat issues the original entitlement certificate, it grants access to the repositories you requested. When you create client entitlement certificates, you need to decide how to subdivide your clients and create a separate certificate for each one. You can then use each certificate to create individual RPMs for installation on the appropriate guest images.

Use this procedure to create RPMs with the CLI.

Procedure

  1. Use the following command to create an RPM with the RHUI CLI:

    # rhui-manager client rpm --entitlement_cert /root/clientcert/rhuiclientexample.crt --private_key /root/clientcert/rhuiclientexample.key --rpm_name clientrpmtest --dir /tmp --unprotected_repos unprotected_repo1
    Successfully created client configuration RPM.
    Location: /tmp/clientrpmtest-2.0/build/RPMS/noarch/clientrpmtest-2.0-1.noarch.rpm

    Note

    When using the CLI, you can also specify the URL of the proxy server to use with RHUI repositories, or you can use _none_ (including the underscores) to override any global yum settings on a client machine. To specify a proxy, use the --proxy parameter.

Verification

  1. A similar message displays if you successfully created a client configuration RPM:

    Successfully created client configuration RPM.
    Location: /tmp/clientrpmtest-2.0/build/RPMS/noarch/clientrpmtest-2.0-1.noarch.rpm

3.7. Typical client RPM workflow

As a CCSP, you can offer various versions of Red Hat Enterprise Linux and a variety of layered products available on top of it. In addition to the Red Hat repositories that provide this content, you will need custom repositories to provide updates to client configuration RPMs for these Red Hat Enterprise Linux versions and layered products. You must create a custom repository for each Red Hat Enterprise Linux version and each layered product sold separately. For example, you will need separate custom repositories for the base Red Hat Enterprise Linux 8 offering and for SAP on Red Hat Enterprise Linux. These custom repositories will store the corresponding client configuration RPMs. Whenever you update these RPMs—for example, to add a new repository or to update an expiring certificate—you will upload newer versions to the corresponding custom repositories.

It is good practice to sign all RPMs with a GPG key, ensuring that users are installing official packages from you that have not been tampered with. However, signing packages is outside the scope of RHUI, so you need to sign your client configuration RPMs using tools available in your company. To create the custom repository, you only need the public GPG key on the RHUA to configure it for use with the custom repository. Note that rhui-manager will automatically include the key in the client configuration RPM and use it for the custom repository in dnf configuration.

Procedure

  1. In the following example, you will create a custom repository for the client configuration RPM for base Red Hat Enterprise Linux 8 on the x86_64 architecture:

    # rhui-manager repo create_custom --protected --repo_id client-config-rhel-8-x86_64 --display_name "RHUI Client Configuration for RHEL 8 on x86_64" --gpg_public_keys /root/RPM-GPG-KEY-my-cloud

    You can use a different repository ID and display name if desired, and ensure you specify the actual GPG key file.

  2. Add the relevant Red Hat repositories. The following YAML file contains the typical set of repositories for base Red Hat Enterprise Linux 8 on the x86_64 architecture, using unversioned repositories:

    # cat rhel-8-x86_64.yaml
    name: Red Hat Enterprise Linux 8 on x86_64
    repo_ids:
      - codeready-builder-for-rhel-8-x86_64-rhui-debug-rpms-8
      - codeready-builder-for-rhel-8-x86_64-rhui-rpms-8
      - codeready-builder-for-rhel-8-x86_64-rhui-source-rpms-8
      - rhel-8-for-x86_64-appstream-rhui-debug-rpms-8
      - rhel-8-for-x86_64-appstream-rhui-rpms-8
      - rhel-8-for-x86_64-appstream-rhui-source-rpms-8
      - rhel-8-for-x86_64-baseos-rhui-debug-rpms-8
      - rhel-8-for-x86_64-baseos-rhui-rpms-8
      - rhel-8-for-x86_64-baseos-rhui-source-rpms-8
      - rhel-8-for-x86_64-supplementary-rhui-debug-rpms-8
      - rhel-8-for-x86_64-supplementary-rhui-rpms-8
      - rhel-8-for-x86_64-supplementary-rhui-source-rpms-8

    To add and synchronize all these repositories using the YAML file above, run the following command:

    # rhui-manager repo add_by_file --file rhel-8-x86_64.yaml --sync_now
  3. Create an entitlement certificate. You will need a list of the repository labels that are to be allowed in the certificate. Repository labels are often identical to repository IDs, except when the repository ID contains a specific Red Hat Enterprise Linux minor version, in which case the label does not contain the minor version but only the major version. In the case of base Red Hat Enterprise Linux repositories, the IDs and labels are identical, so you can extract them from the YAML file above using the following Python code:

    import yaml
    with open("rhel-8-x86_64.yaml") as repoyaml:
        repodata = yaml.safe_load(repoyaml)
        print(",".join(repodata["repo_ids"]))

    Copy the output to the clipboard and store it as an environment variable; for example, $labels:

    # labels=<paste the contents of the clipboard here>

    In addition to the Red Hat Enterprise Linux repository labels, you also need to add the custom repository to the comma-separated list of labels when creating the entitlement certificate. Run the following command to create the entitlement certificate allowing access to both the Red Hat Enterprise Linux repositories and the custom repository:

    # rhui-manager client cert --name rhel-8-x86_64 --dir /root --days 3650 --repo_label $labels,client-config-rhel-8-x86_64

    If your company’s policy allows certificates to be valid for only one year, two years, etc., change the value of the --days argument accordingly.

    This command creates the files /root/rhel-8-x86_64.crt and /root/rhel-8-x86_64.key. You will need them in the next step.

  4. Create a client configuration RPM:

    # rhui-manager client rpm --dir /tmp --rpm_name rhui-client-rhel-8-x86_64 --rpm_version 1.0 --entitlement_cert /root/rhel-8-x86_64.crt --private_key /root/rhel-8-x86_64.key

    Use an RPM name or version of your choice. With the values above, the command creates the RPM and prints its location, which is:

    /tmp/rhui-client-rhel-8-x86_64-1.0/build/RPMS/noarch/rhui-client-rhel-8-x86_64-1.0-1.noarch.rpm

  5. Transfer this RPM from the RHUA to your system and sign it with the appropriate GPG key—the private key that corresponds to the public key that you used as the --gpg_public_keys parameter when you created the custom repository. You can then, for example, have the signed RPM preinstalled on Red Hat Enterprise Linux 8 x86_64 images in your cloud environment. You also need to transfer the signed RPM back to the RHUA and upload it to the custom repository for Red Hat Enterprise Linux 8 on x86_64:

    # rhui-manager packages upload --repo_id client-config-rhel-8-x86_64 --packages /root/signed/rhui-client-rhel-8-x86_64-1.0-1.noarch.rpm

Verification

  1. Check the contents of the custom repository:

    # rhui-manager packages list --repo_id client-config-rhel-8-x86_64

    This command should list the RPM file that you uploaded.

  2. Once you have configured your CDS and HAProxy nodes, which is described later in this guide, you can also install the client configuration RPM on a test VM and verify access to all the relevant repositories by running the following command on the test VM:

    # yum -v repolist

    This command should list the configured Red Hat Enterprise Linux 8 repositories and the custom repository for client configuration RPMs.

Updating the client configuration RPM

When it is necessary to rebuild the client configuration RPM, increase the version number.

  1. If you used 1.0 in the previous invocation, use 2.0 now, for example, and keep the rest of the parameters:

    # rhui-manager client rpm --dir /tmp --rpm_name rhui-client-rhel-8-x86_64 --rpm_version 2.0 ...
  2. Then, again, sign the newer RPM, transfer it to the RHUA, and upload it to the custom repository:

    # rhui-manager packages upload --repo_id client-config-rhel-8-x86_64 --packages /root/signed/rhui-client-rhel-8-x86_64-2.0-1.noarch.rpm
  3. Client VMs on which the previous version of the RPM is installed can now update to the newer version. Note that it may be necessary to clean the dnf cache on the client VM so that dnf reloads the repodata, which was updated when the newer RPM was uploaded.

Note

Do not combine x86_64 and ARM64 repositories in one entitlement certificate. The client configuration RPM created by rhui-manager using such a certificate would provide access to both architectures on the target client VM, which might cause conflicts. You would have to modify the rh-cloud.repo file and rebuild the RPM outside of rhui-manager. Note that, as long as you used --dir /tmp when creating the client configuration RPM, the artifacts are now stored in /tmp/rhui-client-rhel-8-x86_64-1.0/build/. For detailed information about rebuilding RPMs, see Packaging and distributing software in the Red Hat Enterprise Linux documentation.

Note

It is currently impossible to make rhui-manager create the rh-cloud.repo file with certain repositories—for example, -debug and -source repositories—disabled by default. You would have to modify the rh-cloud.repo file and rebuild the RPM outside of rhui-manager. This issue is tracked in BZ#1772156.
