Subscription based entitlements/certificates (RHEL7 support)

[stephenjamieson]

Well, time to clean up the up2date mess 👍

[jhoekx]

@dagwieers asked to gather all information in this issue so a good approach to support it can be found.

To access any data: client side certificates are used for access to the RH CDN at https://cdn.redhat.com/content/dist/rhel/server/7/$releasever/$basearch/<channel>. The client certificate can be downloaded from the RH customer portal. The server certificate is available in /etc/rhsm/ca/redhat-uep.pem.

Once authenticated, it's just a yum repository.

[stephenjamieson]

I think reposync can be adapted and mrepo can take care of the certificate storage, not sure about getting the certs from redhat though

[elentar]

To expand on what jhoekx said: The client certificate you need is the entitlement certificate, not the identify certificate. Although it's possible to create a system ("Unit") through the RHN gui and grant it an entitlement, that certificate won't work unless a system has registered itself to it, apparently.

The certificates are stored locally on the system in /etc/pki/entitlement, if the system is registered.

The changes committed to https://github.com/agmt/mrepo are almost sufficient to pull down RHEL 7 packages with mrepo, the only thing is missing is to define the CA cert in lftp. Once I added that it worked for me.

[arajnor]

Hello Guys,

I need help on mrepo. Shortly to say I've RHEL 6.6 system on which I've configured mrepo. Now I want to create repository for RHEL 7, Could you please give me steps to create repository for RHEL 7 .

=== Error==
[root@yumrepo01 ~]# gensystemid -u rhlogin1 -p passwd1 --release=7Server --arch=x86_64 /var/mrepo/7Server-x86_64/
gensystemid: Error registering system.
Error Class Code: 74
Error Class Info:
Red Hat Network Classic is not supported for RHEL 7 systems.
To register with Red Hat Subscription Management please run:
subscription-manager register --auto-attach
Get more information at access.redhat.com/knowledge
Explanation:
An error has occurred while processing your request. If this problem
persists please enter a bug report at bugzilla.redhat.com.
If you choose to submit the bug report, please be sure to include
details of what you were trying to do when this error occurred and
details on how to reproduce this problem.
===== End of Error ===

[arajnor]

I've configured repo file for rhel 7 in /etc/mrepo.conf.d/

here is file

[rhel7Server]
name = Red Hat Enterprise Linux Server $release ($arch)
release = 7
arch = x86_64
metadata = repomd

ISO images

iso = rhel-server-$release.?-$arch-dvd.iso supp-server-$release.?-rhel-$release-$arch-dvd.iso

os = https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os
sslkey = /usr/share/keys/key.pem
sslcert = /usr/share/keys/cert.pem
sslca = /etc/rhsm/ca/redhat-uep.pem

could you please let me know from which location which certificates files need to be copied.

[jorgeeb4]

When will you have a compatible version of RHEL 7?

[quartoxuna]

It seems, since RHEL7 there is no support for the RedHat Network (RHN) anymore, so the apporach with gensystemid would result in the message posted by arajnor.

For RHEL7 you have to register your system for on of your subskriptions using the subscription-manager tool (https://access.redhat.com/documentation/en-US/Red_Hat_Subscription_Management/1/html-single/RHSM/index.html).

Since our subscription does not contain repositories I can only assume, that MREPO could be able to connect to these repositories. But there could also be another problem, since the RHSM has certificate verficiation for the client side.

Is MREPO capable of the sslkey,sslcert and sslca parameters? Because in my setup MREPO interprets them as repositories...