[Spacewalk-list] Spacewalk and RHEL client support

Boyd, Robert Robert.Boyd at peoplefluent.com
Tue Dec 22 01:46:22 UTC 2015 

Since I've seen no negative comments back on this thread, I'm going to post here the outline of the process as it has worked for me.  There may be other ways to get the required keys by way of the Red Hat Portal.   The ways that previously worked for me seem to no longer work the same, so I'm not going to refer to how I originally got them.

If you try following the steps I describe here and find something unclear or run into difficulties, please let me know and I can try to help.  It would be nice to have this nailed down in a simple step by step procedure that anyone who has gotten through installing spacewalk will be able to do.

If you're running spacewalk 2.2 or later this is pretty easy.  If you have a RHEL6 or RHEL7 server registered to RHN for updates, almost everything you need is in or pointed to by /etc/yum.repos.d/redhat.repo.

For the Red Hat repositories that you want to import to spacewalk find all of the relevant baseurls in redhat.repo.   You'll set up a single repository for each one that you want to sync with. There are different ways to associate them with channels.  I won't talk about that part of the process here.  You'll have to substitute the appropriate variable things with fixed strings such as in this example:

baseurl = https://cdn.redhat.com/content/dist/rhel/server/6/6Server/$basearch/extras/os

You'll use that string, but substitute x86_64 for $basearch.  Notice that in 6Server the S must be capitalized.

In that file you'll also see references to sslcacert, sslclientkey, and sslclientcert.   These are the file names for the keys that you will need to put into spacewalk and associate with the repositories so that repo-sync will be able to download them.

In the spacewalk GUI Access to update keys:
Navigate to: Systems --> Kickstart --> GPG and SSL Keys 

For Red Hat you will need to enter the CA SSL Key, the Customer Entitlement SSL Key and the 
SSL Client Key.  In the redhat.repo file you'll see something like this:

sslcacert = /etc/rhsm/ca/redhat-uep.pem                                                           (the RHEL CA Signing SSL certificate)
sslclientkey = /etc/pki/entitlement/<a big long number>-key.pem       (RHEL Client Key SSL certificate)
sslclientcert = /etc/pki/entitlement/<the same big long number as above>.pem                (RHEL Entitlement/Client certificate)

The contents of the sslclientcert file is the key you want to register in spacewalk as the Red Hat Entitlement Key.   I created my keys with these names:

RHEL CA Signing Certificate, RHEL Client Key, and RHEL Entitlement.  For each key you create a key, put in the description, select type SSL and paste the contents of the appropriate file into the Key contents field.   Or if you're running the browser on the spacewalk server, you can browse to the file directly and upload from it.

Note:  annual contract renewal will probably require updating the RHEL Entitlement key, capture the contents of the associated file from the spacewalk master server, select all in the Key Update page, paste in the new key contents, click Update Key

When creating your repositories in spacewalk you'll use the appropriate URL, for SSL CA Certificate you use the RHEL CA Signing certificate, for SSL Client Certificate you use the RHEL Entitlement certificate, and for SSL Client Key you use RHEL Client Key.

For creating the channel for RHEL 5 and later for the GPG Key URL use file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release.   For GPG Key ID: FD431D51, and GPG key fingerprint:  567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51

Then once you have the repository associated with a channel, trigger the sync and be sure to set a schedule for pulling your updates.   Some of them I do nightly, some weekly and some monthly depending on which repository it is.

To watch the log of activity on the spacewalk server as root:  (e.g.) tail -f /var/log/rhn/reposync/rhel-x86_64-server-6.log

Please see if this is enough to get you going.  Please let me know if anything I've given you needs revision or isn't clear enough.

And let me know if/how it works for you.

Best of luck,

Robert Boyd

-----Original Message-----
From: spacewalk-list-bounces at redhat.com [mailto:spacewalk-list-bounces at redhat.com] On Behalf Of Schindler, Daniel (STEAG Energy Services GmbH)
Sent: Monday, December 21, 2015 2:05 PM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Spacewalk and RHEL client support

Yes please Robert :)

I'm also really interested.

Regards,
Daniel

More information about the Spacewalk-list mailing list