Registering Red Hat Enterprise Linux Clients with RHUI
If you are running Red Hat Enterprise Linux clients directly, rather than using SUSE Linux Enterprise Server with Expanded Support, you need to use Red Hat sources to retrieve and update packages. This section contains information about using Red Hat update infrastructure (RHUI) to register traditional and Salt clients running Red Hat Enterprise Linux operating systems. If you are running your clients in a public cloud, such as Amazon EC2, use this method.
It is possible to use RHUI in conjunction with the Red Hat content delivery network (CDN) to manage your Red Hat Enterprise Linux subscriptions. For information about using Red Hat CDN, see Registering Red Hat Enterprise Linux Clients with CDN.
Red Hat Enterprise Linux clients are based on Red Hat and are unrelated to SUSE Linux Enterprise Server with Expanded Support, RES, or SUSE Linux Enterprise Server. You are responsible for connecting SUSE Manager Server to the Red Hat update infrastructure. All clients that get updates using this RHUI certificate need to be correctly licensed. Check with your cloud provider and the Red Hat terms of service for more information.
When Red Hat Enterprise Linux clients registered with RHUI are switched off, Red Hat might declare the certificate invalid. In this case, you need to turn the client on again, or get a new RHUI certificate.
Traditional clients are available on Red Hat Enterprise Linux 6 and 7 only. Red Hat Enterprise Linux 8 clients are supported as Salt clients.
1. Import Entitlements and Certificates
Red Hat clients require a Red Hat certificate authority (CA) and entitlement certificate, and an entitlement key.
Red Hat clients use a URL to replicate repositories. The URL changes depending on where the Red Hat client is registered.
Red Hat clients can be registered in three different ways:
- Red Hat content delivery network (CDN) at redhat.com
- Red Hat Satellite Server
- Red Hat update infrastructure (RHUI) in the cloud
This guide covers clients registered to Red Hat update infrastructure (RHUI). You must have at least one system registered to RHUI, with an authorized subscription for repository content.
For information about using Red Hat content delivery network (CDN) instead, see Registering Red Hat Enterprise Linux Clients with CDN.
Satellite certificates for client systems require a Satellite server and subscription. Clients using Satellite certificates are not supported with SUSE Manager Server.
The entitlement certificates and keys need to be copied from the client system to a location that the SUSE Manager Server can access.
The keys and certificates might have slightly different names to those shown here. Your entitlement certificate and the Red Hat CA Certificate file have file extensions of .crt. The key has a file extension of .key.

- Copy your entitlement certificate and key from the client system, to a location that the SUSE Manager Server can access:

  Amazon EC2:

    cp /etc/pki/rhui/product/content-<version>.crt /<example>/entitlement/
    cp /etc/pki/rhui/content-<version>.key /<example>/entitlement/

  Azure:

  - Check the certificate chain using the command:

      openssl s_client -connect rhui-1.microsoft.com:443 -showcerts

    A sample output will look like the following:

      CONNECTED(00000003)
      depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
      verify return:1
      depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 06
      verify return:1
      depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = rhui-1.microsoft.com
      verify return

  - Check the second certificate (CN = Microsoft Azure). If it is the same on your VM, note the certificate name. Refer to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/certificate-authorities to download the certificate. Click the AIA link to download the certificate. The certificate will be downloaded with the .cer suffix. Convert it to .crt with the command:

      openssl x509 -inform DER -in <example.cer> -out <example.crt>

  Google Cloud Platform:

    cp /etc/pki/rhui/product/content.crt /<example>/entitlement/
    cp /etc/pki/rhui/key.pem /<example>/entitlement/

- Copy the Red Hat CA Certificate file from the client system, to the same location as the entitlement certificate and key:

  Amazon EC2:

    cp /etc/pki/rhui/cdn.redhat.com-chain.crt /<example>/entitlement

  Azure:

    Upload the converted certificate to /<example>/entitlement

  Google Cloud Platform:

    cp /etc/pki/rhui/ca.crt /<example>/entitlement
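Before uploading the copied files, confirm that they belong together. The following added example (not part of the SUSE Manager documentation) checks that both certificate files are PEM, that the entitlement certificate has not expired, and that the key matches it. The function names and the assumption of an unencrypted private key are this example's own.

```shell
#!/bin/sh
# Added example (not from the SUSE Manager documentation).
# Sanity-check the copied RHUI files before uploading them in the Web UI.
# Assumes the private key is not passphrase-protected.

# pubkey_of_cert <cert>: public key embedded in a PEM certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# pubkey_of_key <key>: public key derived from a PEM private key.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_entitlement <entitlement.crt> <entitlement.key> <ca.crt>
# Returns 0 only if the three files are usable together.
check_entitlement() {
    cert=$1 key=$2 ca=$3
    # Both certificate files must be PEM; a .cer still in DER is rejected.
    for f in "$cert" "$ca"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null &&
            openssl x509 -in "$f" -noout 2>/dev/null ||
            { echo "$f: not a PEM certificate" >&2; return 1; }
    done
    # An entitlement certificate that has already expired cannot be used.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$cert: expired" >&2; return 1; }
    # The key must be the one the certificate was issued for.
    cert_pub=$(pubkey_of_cert "$cert")
    key_pub=$(pubkey_of_key "$key")
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "$key: does not match $cert" >&2; return 1; }
    # Keep the copied private key readable by its owner only.
    chmod 600 "$key"
}

# Usage, with the placeholder directory from the procedure above:
#   check_entitlement /<example>/entitlement/content-<version>.crt \
#       /<example>/entitlement/content-<version>.key \
#       /<example>/entitlement/cdn.redhat.com-chain.crt
```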
To manage repositories on your Red Hat client, you need to import the CA and entitlement certificates to the SUSE Manager Server. This requires that you perform the import procedure three times, to create three entries: one each for the entitlement certificate, the entitlement key, and the Red Hat certificate.
- On the SUSE Manager Server Web UI, navigate to .
- Click Create Stored Key/Cert and set these parameters for the entitlement certificate:
  - In the Description field, type Entitlement-Cert-Date.
  - In the Type field, select SSL.
  - In the Select file to upload field, browse to the location where you saved the entitlement certificate, and select the .crt certificate file.
- Click Create Key.
- Click Create Stored Key/Cert and set these parameters for the entitlement key:
  - In the Description field, type Entitlement-Key-Date.
  - In the Type field, select SSL.
  - In the Select file to upload field, browse to the location where you saved the entitlement key, and select the .key key file.
- Click Create Key.
- Click Create Stored Key/Cert and set these parameters for the Red Hat certificate:
  - In the Description field, type redhat-cert.
  - In the Type field, select SSL.
  - In the Select file to upload field, browse to the location where you saved the Red Hat certificate, and select the certificate file.
- Click Create Key.
2. Prepare Custom Repositories and Channels
To mirror the software from RHUI, you need to create custom channels and repositories in SUSE Manager that are linked to RHUI by a URL. You must have entitlements to these products in your Red Hat Portal for this to work correctly. You can use the yum utility to get the URLs of the repositories you want to mirror:
yum repolist -v | grep baseurl
You can use these repository URLs to create custom repositories. This allows you to mirror only the content you need to manage your clients.
You can only create custom versions of Red Hat repositories if you have the correct entitlements in your Red Hat Portal.
The details you need for this procedure are:
Option | Setting |
---|---|
Repository URL | The content URL provided by RHUI |
Has Signed Metadata? | Uncheck all Red Hat Enterprise repositories |
SSL CA Certificate | |
SSL Client Certificate | |
SSL Client Key | |
- On the SUSE Manager Server Web UI, navigate to .
- Click Create Repository and set the appropriate parameters for the repository.
- Click Create Repository.
- Repeat for all repositories you need to create.
The channels you need for this procedure are:
OS Version | Base Product | Base Channel |
---|---|---|
Red Hat 6 | RHEL6 Base x86_64 | rhel6-pool-x86_64 |
Red Hat 7 | RHEL7 Base x86_64 | rhel7-pool-x86_64 |
Red Hat 8 | RHEL or SLES ES or CentOS 8 Base | rhel8-pool-x86_64 |
Red Hat 6 is now at end-of-life, and the ISO images provided in the repository are out of date. Bootstrapping new Red Hat 6 clients using these packages will fail. If you need to bootstrap new Red Hat 6 clients, follow the troubleshooting procedure in Troubleshooting Clients.
- On the SUSE Manager Server Web UI, navigate to .
- Click Create Channel and set the appropriate parameters for the channels.
- In the Parent Channel field, select the appropriate base channel.
- Click Create Channel.
- Repeat for all channels you need to create. There should be one custom channel for each custom repository.
You can check that you have created all the appropriate channels and repositories, by navigating to .
For Red Hat 8 clients, add both the Base and AppStream channels. You require packages from both channels. If you do not add both channels, you cannot create the bootstrap repository, due to missing packages.
When you have created all the channels, you can associate them with the repositories you created:
- On the SUSE Manager Server Web UI, navigate to , and click the channel to associate.
- Navigate to the Repositories tab, and check the repository to associate with this channel.
- Click Update Repositories to associate the channel and the repository.
- Repeat for all channels and repositories you need to associate.
- OPTIONAL: Navigate to the Sync tab to set a recurring schedule for synchronization of this repository.
- Click Sync Now to begin synchronization immediately.
3. Add Software Channels
Before you register Red Hat clients to your SUSE Manager Server, you need to add the required software channels, and synchronize them.
Your SUSE Manager subscription entitles you to the tools channels for SUSE Linux Enterprise Server with Expanded Support (also known as Red Hat Expanded Support or RES). You must use the client tools channel to create the bootstrap repository. This procedure applies to both Salt and traditional clients.
The products you need for this procedure are:
OS Version | Product Name |
---|---|
Red Hat 6 | RHEL6 Base x86_64 |
Red Hat 7 | RHEL7 Base x86_64 |
Red Hat 8 | RHEL or SLES ES or CentOS 8 Base |
Red Hat 6 is now at end-of-life, and the ISO images provided in the repository are out of date. Bootstrapping new Red Hat 6 clients using these packages will fail. If you need to bootstrap new Red Hat 6 clients, follow the troubleshooting procedure in Troubleshooting Clients.
- In the SUSE Manager Web UI, navigate to .
- Locate the appropriate products for your client operating system and architecture using the search bar, and check the appropriate product. This will automatically check all mandatory channels. Also all recommended channels are checked as long as the include recommended toggle is turned on. Click the arrow to see the complete list of related products, and ensure that any extra products you require are checked.
- Click Add Products and wait until the products have finished synchronizing.
The AppStream repository provides modular packages. This results in the SUSE Manager Web UI showing incorrect package information. You cannot perform package operations such as installing or upgrading directly from modular repositories using the Web UI or API. You can use the AppStream filter with content lifecycle management (CLM) to transform modular repositories into regular repositories.
Make sure to include Alternatively, you can use Salt states to manage modular packages on Salt clients, or use the |
To use RHUI, you need to manually add the required HTTP headers to the configuration file. Without them, you cannot successfully perform a client synchronization.
- Locate the X-RHUI-ID and X-RHUI-SIGNATURE HTTP headers from your RHUI instance. You can use these commands on the Red Hat client to get the values from the cloud instance metadata API at 169.254.169.254:

    echo "X-RHUI-ID=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document|base64|tr -d '\n')"
    echo "X-RHUI-SIGNATURE=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature|base64|tr -d '\n')"

- Open the /etc/rhn/spacewalk-repo-sync/extra_headers.conf configuration file, and add or edit these lines with the correct information:

    [<channel_label_1>]
    X-RHUI-ID=<value>
    X-RHUI-SIGNATURE=<value>

    [<channel_label_2>]
    X-RHUI-ID=<value>
    X-RHUI-SIGNATURE=<value>

  Replace <channel_label_X> above with channel names such as rhel8-baseos-repo:

    [rhel8-baseos-repo]
    X-RHUI-ID=...
    X-RHUI-SIGNATURE=...
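The two curl commands above encode whatever the metadata service returns, so an HTTP error or an empty reply ends up base64-encoded in the header value. The following added example (not part of the SUSE Manager documentation) goes slightly beyond the page: it requests an EC2 IMDSv2 session token when one is available, fails on HTTP errors, and renders one stanza per channel label. The function names and the doc.json and sig.txt file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the SUSE Manager documentation).
# Build extra_headers.conf stanzas from an EC2 instance identity document
# and its signature, refusing empty or non-JSON input.

IMDS=http://169.254.169.254/latest

# imds_get <path>: fetch one metadata path. Tries an IMDSv2 session token
# first and falls back to the plain request used in the procedure above.
# --fail turns HTTP errors (for example 401) into a non-zero exit status
# instead of an error body that would be encoded into the header.
imds_get() {
    token=$(curl -s --fail --max-time 2 -X PUT \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' "$IMDS/api/token") || token=
    if [ -n "$token" ]; then
        curl -s --fail --max-time 2 -H "X-aws-ec2-metadata-token: $token" "$IMDS/$1"
    else
        curl -s --fail --max-time 2 "$IMDS/$1"
    fi
}

# b64 <file>: single-line base64, as in the commands above.
b64() { base64 < "$1" | tr -d '\n'; }

# render_rhui_headers <document-file> <signature-file> <channel-label>...
# Prints one stanza per channel label; returns 1 on unusable input.
render_rhui_headers() {
    [ "$#" -ge 3 ] || { echo "usage: render_rhui_headers DOC SIG LABEL..." >&2; return 1; }
    doc=$1 sig=$2; shift 2
    [ -s "$doc" ] && [ -s "$sig" ] || { echo "empty document or signature" >&2; return 1; }
    # The identity document is JSON; anything else means the fetch failed.
    case $(tr -d ' \t\r\n' < "$doc" | cut -c1) in
        '{') ;;
        *) echo "identity document is not JSON" >&2; return 1 ;;
    esac
    id=$(b64 "$doc") sg=$(b64 "$sig")
    for label in "$@"; do
        printf '[%s]\nX-RHUI-ID=%s\nX-RHUI-SIGNATURE=%s\n\n' "$label" "$id" "$sg"
    done
}

# Usage on the Red Hat client (prints the stanzas, writes no config file):
#   imds_get dynamic/instance-identity/document  > doc.json
#   imds_get dynamic/instance-identity/signature > sig.txt
#   render_rhui_headers doc.json sig.txt rhel8-baseos-repo
```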
4. Check Synchronization Status
- In the SUSE Manager Web UI, navigate to and select the Products tab. This dialog displays a completion bar for each product when they are being synchronized.
- Alternatively, you can navigate to , then click the channel associated to the repository. Navigate to the Repositories tab, then click Sync and check Sync Status.

- At the command prompt on the SUSE Manager Server, as root, use the tail command to check the synchronization log file:

    tail -f /var/log/rhn/reposync/<channel-label>.log

- Each child channel generates its own log during the synchronization progress. You need to check all the base and child channel log files to be sure that the synchronization is complete.
Red Hat Enterprise Linux channels can be very large. Synchronization can sometimes take several hours.
5. Register Clients
To register your Red Hat clients, you need a bootstrap repository. By default, bootstrap repositories are automatically created, and regenerated daily for all synchronized products. You can manually create the bootstrap repository from the command prompt, using this command:
mgr-create-bootstrap-repo
For more information on registering your clients, see Client Registration Overview.
To register and use Red Hat Enterprise Linux 6 clients, you need to configure the SUSE Manager Server to support older types of SSL encryption.
For more information, see |