| Summary: | Multiple content certificate support | | |
|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Jay Dobies <jason.dobies> |
| Component: | CDS | Assignee: | Lana Brindley <lbrindle> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | wes hayutin <whayutin> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.0 | CC: | kbidarka, mhideo, sghai |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-07-29 04:50:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Jay Dobies
2011-06-14 13:04:38 UTC
I don't actually have multiple certs yet to test with, but I can include some screenshots of test ones to give you an idea. The entitlements view has changed a bit to show what certificate the entitlement came from. If two or more certificates provide the same entitlement, the certificate with the longest expiration date will be used (longer meaning furthest in the future).

I uploaded a test certificate called cert-1.pem which contained two entitlements. Here is the resulting list:

```
------------------------------------------------------------------------------
rhui (entitlements) => u

Full path to the new content certificate:
/home/jdob/vault/code/cloude/rhui-2.0/tools/test/data/multi-cert-1/cert-1.pem

The RHUI will be updated with the following certificate:
Certificate: /home/jdob/vault/code/cloude/rhui-2.0/tools/test/data/multi-cert-1/cert-1.pem

Proceed? (y/n) y


Red Hat Entitlements

RHUI 1.1
  Expiration: 06-07-2012    Certificate: cert-1.pem

RHUI 1.2
  Expiration: 06-07-2012    Certificate: cert-1.pem


------------------------------------------------------------------------------
rhui (entitlements) =>
```

(Note that we no longer prompt for a key, but I'll come back to that later).

Now I upload cert-2.pem which has different entitlements:

```
Red Hat Entitlements

RHEL 5
  Expiration: 06-06-2012    Certificate: cert-2.pem

RHUI 1.1
  Expiration: 06-07-2012    Certificate: cert-1.pem

RHUI 1.2
  Expiration: 06-07-2012    Certificate: cert-1.pem
```

Then cert-3.pem, which contains the same entitlements as cert-1.pem, but a later expiration date:

```
Red Hat Entitlements

RHEL 5
  Expiration: 06-06-2012    Certificate: cert-2.pem

RHUI 1.1
  Expiration: 10-20-2012    Certificate: cert-3.pem

RHUI 1.2
  Expiration: 10-20-2012    Certificate: cert-3.pem
```

cert-1.pem is still installed, but if we were to try to import RHUI 1.1/1.2, RHUI would use cert-3.pem.
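The selection rule described in the comment above (the certificate with the expiration date furthest in the future wins per entitlement, while earlier certificates stay installed), replayed on constructed data that mirrors the cert-1/cert-2/cert-3 uploads. This is an added illustration, not RHUI code; the Cert record, the MM-DD-YYYY parsing and the first-uploaded-wins tie-break are assumptions made here:

```python
from collections import namedtuple
from datetime import date

# Constructed sample data modelled on the cert-1/cert-2/cert-3 walk-through.
# A Cert is one uploaded content certificate: its file name, the expiration
# date as RHUI Manager prints it (MM-DD-YYYY, assumed) and the entitlements
# (product names) it provides.
Cert = namedtuple("Cert", "name expiration entitlements")

SAMPLE_CERTS = [
    Cert("cert-1.pem", "06-07-2012", ("RHUI 1.1", "RHUI 1.2")),
    Cert("cert-2.pem", "06-06-2012", ("RHEL 5",)),
    Cert("cert-3.pem", "10-20-2012", ("RHUI 1.1", "RHUI 1.2")),
]


def parse_date(mmddyyyy):
    """Turn the MM-DD-YYYY display format into a date.

    Comparing the raw strings would be wrong (as text, "10-20-2012" sorts
    after "06-07-2012" only by accident of the month), so compare real dates.
    """
    month, day, year = (int(part) for part in mmddyyyy.split("-"))
    return date(year, month, day)


def resolve_entitlements(installed):
    """Map each entitlement to the installed Cert providing it with the
    expiration furthest in the future.

    `installed` is every uploaded certificate, in upload order; nothing is
    removed, only the per-entitlement selection changes. The page states no
    tie-break rule, so on equal dates the earlier upload is kept (assumption).
    """
    chosen = {}
    for cert in installed:
        for ent in cert.entitlements:
            current = chosen.get(ent)
            if current is None or parse_date(cert.expiration) > parse_date(current.expiration):
                chosen[ent] = cert
    return chosen


def changed_selection(before, after):
    """Entitlements whose selected certificate differs between two listings,
    i.e. which entitlements an upload actually took over."""
    return sorted(ent for ent in after
                  if ent not in before or before[ent].name != after[ent].name)


def render(chosen):
    """Format the selection like the 'Red Hat Entitlements' screen: sorted by
    entitlement name, each with its expiration and source file."""
    lines = ["Red Hat Entitlements", ""]
    for ent in sorted(chosen):
        cert = chosen[ent]
        lines += [ent, "  Expiration: %s    Certificate: %s" % (cert.expiration, cert.name), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Replay the uploads one at a time and report what each one displaced.
    installed = []
    for cert in SAMPLE_CERTS:
        before = resolve_entitlements(installed)
        installed.append(cert)
        after = resolve_entitlements(installed)
        print("after %s, reselected: %s" % (cert.name, changed_selection(before, after)))
    print(render(after))
```

Running it prints that cert-3.pem takes over RHUI 1.1 and RHUI 1.2 while cert-2.pem keeps RHEL 5, matching the third listing in the comment.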
= Combined Certificate and Private Keys =

Going forward, when cloud providers get their content certificates from Red Hat, each certificate will come as a single file (as compared to a separate certificate and private key). This file is simply the concatenation of the cert and key contents. That's why the above screenshots only ask for the certificate and not the private key.

For existing users, it is extremely simple to take their existing content certificates and keys and make these files. It's literally just pasting them into the same file. If you want to include an example:

```
$ cat content.crt content.key > content-2.0.pem
```

Thanks to Jdob for this detailed description on multi-cert support.

I tested this feature and here are my observations:

Now the first boot of rhui-manager looks like below (maybe we can update this in the Install guide):

```
[root@dhcp193-60 content-cert]# rhui-manager
An entitlement signing CA certificate is required to use RHUI Tools
but was not found.

Full path to the new signing CA certificate:
/root/rhui_certs/ca.crt

Full path to the new signing CA certificate private key:
/root/rhui_certs/ca.key

A RHUI identity certificate is required to use RHUI Tools but was not found.
A new identity certificate will be generated now using the CA certificate
found at /etc/pki/rhui/entitlement-ca.crt.

......................................+++
........................+++
Previous authentication credentials could not be found. Logging into
the RHUI.

If this is the first time using the RHUI, it is recommended to change
the user's password in the User Management section of RHUI Tools.

RHUI Username: admin
RHUI Password:


------------------------------------------------------------------------------
                 -= Red Hat Update Infrastructure Management Tool =-


                                  -= Home =-

   r   manage repositories
   c   manage content delivery servers (CDS)
   s   synchronization status and scheduling
   e   create entitlement certificates and client configuration RPMs
   n   manage Red Hat entitlement certificates
   u   manage users

   logout
       removes stored authentication credentials and exits

   <   move to the previous screen
   ^, home
       move to the home screen
   /, clear
       clears the screen
   ?, help
       display help
   q, quit, exit
       exit

Connected: dhcp193-163.pnq.redhat.com
------------------------------------------------------------------------------
rhui (home) =>
```

I tested this feature for 2 content certs and it's working as expected. Both certs point to a few common entitlements; the cert which has the longest expiration date will be used for that entitlement. Here is the output:

```
------------------------------------------------------------------------------
rhui (entitlements) => u

Full path to the new content certificate:
/root/rhui_certs/content_rhui2.0.pem

The RHUI will be updated with the following certificate:
/root/rhui_certs/content_rhui2.0.pem

Proceed? (y/n) y


Red Hat Entitlements

Red Hat Enterprise Linux Server (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Enterprise Linux Server 6 Releases (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Enterprise Linux Server 6 Updates (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Update Infrastructure 1.1 (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Update Infrastructure 1.2 (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem


------------------------------------------------------------------------------
rhui (entitlements) => u

Full path to the new content certificate:
/root/content-cert/content-2.0.pem

The RHUI will be updated with the following certificate:
/root/content-cert/content-2.0.pem

Proceed? (y/n) y


Red Hat Entitlements

Red Hat Enterprise Linux Server (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Enterprise Linux Server (SRPMS)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Enterprise Linux Server (STS)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Enterprise Linux Server 6 Optional Releases (RPMs)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Enterprise Linux Server 6 Optional Releases (SRPMS)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Enterprise Linux Server 6 Optional Updates (RPMs)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Enterprise Linux Server 6 Optional Updates (SRPMS)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Enterprise Linux Server 6 Releases (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Enterprise Linux Server 6 Releases (SRPMS)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Enterprise Linux Server 6 Updates (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Enterprise Linux Server 6 Updates (SRPMS)
  Expiration: 06-25-2011    Certificate: content-2.0.pem

Red Hat Update Infrastructure 1.1 (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Update Infrastructure 1.2 (RPMs)
  Expiration: 11-09-2011    Certificate: content_rhui2.0.pem

Red Hat Update Infrastructure 1.2 (SRPMS)
  Expiration: 06-25-2011    Certificate: content-2.0.pem


------------------------------------------------------------------------------
rhui (entitlements) =>
```

Here one cert has an expiration date of 06-25-2011 and the other has 11-09-2011. It's using the longest-expiration-date cert for the same entitlements.

(In reply to comment #0)
> The early work in RHUI 2.0 assumed a single content certificate from Red Hat.
> This turned out to not be ideal and has been changed in 2.0.
>
> There aren't any rules per se as to how the certificates will be divided up,
> but all signs point to there being a content certificate per product. We talk
> about the possibility of purchasing the ability to serve RHEL content and later
> adding in JBoss products, but don't say that in the user guide since it's not
> official that JBoss content will be offered in this way. I think it's just
> safest to be abstract about the fact that each product may have its own content
> certificate. (If I get any more clarity into this at a later point I'll update
> this bug).
>
> The effects on the user, and thus the user guide, are fairly simple.
>
> - First boot
>
> They are no longer required to enter a content certificate before starting RHUI
> Manager, so you can take that part out of the first boot. They'll just need to
> upload one (or more) before they can do anything useful.
>
> The only thing they may see in what we've been referring to as "first boot" is
> if the current user doesn't have privileges to upload the content certificate
> (they are stored in /etc/pki/rhui which has root privileges). In that case,
> they are still allowed to use RHUI Manager to do things with custom repos or
> CDS instances. We do warn them of this situation:
>
> "No Red Hat content certificates are installed and the current user does
> not have sufficient privileges to upload one. The tool can be used in
> this state, however new Red Hat repositories may not be imported.
>
> Press any key to continue."
>
> Pressing any key brings them to the normal RHUI home screen.

```xml
<step>
  <para>
    You will require a &RH; content certificate and private key in order to access repositories with RHUI Manager. Each product requires its own content certificate, which is provided by &RH;. Once you have run RHUI Manager for the first time, upload a new content certificate for each product you require by following the directions in <xref linkend="proc-Installation_Guide-Managing_Entitlement_Certificates-Upload_Content_Certificate" />.
  </para>
  <para>
    Content certificates are installed to <filename>/etc/pki/rhui</filename>. This means that you will require write permission to <filename>/etc/pki/rhui</filename> to be able to install a new content certificate. If you do not have the appropriate permissions, RHUI Manager will display the following text during first launch:
  </para>
  <screen>
No Red Hat content certificates are installed and the current user does not have sufficient privileges to upload one. The tool can be used in this state, however new Red Hat repositories may not be imported.

Press any key to continue.
  </screen>
  <para>
    If you see this message, press any key to complete the first launch of RHUI Manager, and continue to the home screen.
  </para>
</step>
</procedure>
<example id="exam-Installation_Guide-RHUI_Manager_First_Launch-Running_RHUI_Manager_for_the_first_time">
  <title>Running RHUI Manager for the first time</title>
  <para>
    This example shows the information that RHUI Manager requests when being run for the first time. This information must be provided before RHUI Manager can operate.
  </para>
  <screen>
An entitlement signing CA certificate is required to use RHUI Tools but was not found.

Full path to the new signing CA certificate:
/home/example/vault/code/data/entitlement-certs/ca1.crt

Full path to the new signing CA certificate private key:
/home/example/vault/code/data/entitlement-certs/ca1.key

A RHUI identity certificate is required to use RHUI Tools but was not found.
A new identity certificate will be generated now using the CA certificate found at /etc/pki/rhui/entitlement-ca.crt.

........+++
...............+++
Enter pass phrase for /etc/pki/rhui/entitlement-ca-key.pem:
  </screen>
</example>
```

>
> - In the case where there is no certificate, the biggest effect is that they
> won't be able to import new Red Hat repositories for obvious reasons. There's a
> new warning message in there that you may want to update the repo screen
> chapter to reflect:
>
> "------------------------------------------------------------------------------
> rhui (repo) => a
>
> No Red Hat content certificates have been loaded. Upload
> a content certificate to provide entitled products for import.
>
> ------------------------------------------------------------------------------
> rhui (repo) =>"
>

```xml
<para>
  You will require a &RH; content certificate and private key in order to access repositories with RHUI Manager. Each product requires its own content certificate, which is provided by &RH;. Once you have run RHUI Manager for the first time, upload a new content certificate for each product you require by following the directions in <xref linkend="proc-Installation_Guide-Managing_Entitlement_Certificates-Upload_Content_Certificate" />.
</para>
<para>
  If you attempt to work with repositories without having a valid content certificate, you will see the following error message:
</para>
```

>
> - I forget if this is already in the guide, but if the user attempts to upload
> a new content certificate without having permissions to write to the storage
> directory, they see the following message:
>
> "------------------------------------------------------------------------------
> rhui (entitlements) => u
>
> The current user does not have write privileges to update content certificates
>
> ------------------------------------------------------------------------------
> rhui (entitlements) =>"

This is already in there, as follows:

```xml
<note>
  <title>Note</title>
  <para>
    Content certificates are stored on the same system RHUI Manager is installed on, at <filename>/etc/pki/rhui</filename>. For security reasons, this directory requires root permissions. If you do not have the correct permissions, RHUI Manager will not allow you to proceed:
  </para>
  <screen>
rhui (entitlements) => u

The current user does not have write privileges to update the content cert at /etc/pki/rhui/content-cert.crt.

------------------------------------------------------------------------------
rhui (entitlements) =>
  </screen>
</note>
```

Revision 1-15 LKB

(In reply to comment #1)
> I don't actually have multiple certs yet to test with, but I can include some
> screenshots of test ones to give you an idea. The entitlements view has changed
> a bit to show what certificate the entitlement came from. If two or more
> certificates provide the same entitlement, the certificate with the longest
> expiration date will be used (longer meaning furthest in the future).
>
> I uploaded a test certificate called cert-1.pem which contained two
> entitlements. Here is the resulting list:
>
>
> ------------------------------------------------------------------------------
> rhui (entitlements) => u
>
> Full path to the new content certificate:
> /home/jdob/vault/code/cloude/rhui-2.0/tools/test/data/multi-cert-1/cert-1.pem
>
> The RHUI will be updated with the following certificate:
> Certificate:
> /home/jdob/vault/code/cloude/rhui-2.0/tools/test/data/multi-cert-1/cert-1.pem
>
> Proceed? (y/n) y
>
>
> Red Hat Entitlements
>
> RHUI 1.1
> Expiration: 06-07-2012 Certificate: cert-1.pem
>
> RHUI 1.2
> Expiration: 06-07-2012 Certificate: cert-1.pem
>
>
> ------------------------------------------------------------------------------
> rhui (entitlements) =>
>
>
> (Note that we no longer prompt for a key, but I'll come back to that later).
>
> Now I upload cert-2.pem which has different entitlements:
>
> Red Hat Entitlements
>
> RHEL 5
> Expiration: 06-06-2012 Certificate: cert-2.pem
>
> RHUI 1.1
> Expiration: 06-07-2012 Certificate: cert-1.pem
>
> RHUI 1.2
> Expiration: 06-07-2012 Certificate: cert-1.pem
>
>
> Then cert-3.pem, which contains the same entitlements as cert-1.pem, but a
> later expiration date:
>
> Red Hat Entitlements
>
> RHEL 5
> Expiration: 06-06-2012 Certificate: cert-2.pem
>
> RHUI 1.1
> Expiration: 10-20-2012 Certificate: cert-3.pem
>
> RHUI 1.2
> Expiration: 10-20-2012 Certificate: cert-3.pem
>
>
> cert-1.pem is still installed, but if we were to try to import RHUI 1.1/1.2,
> RHUI would use cert-3.pem.

```xml
<procedure id="proc-Installation_Guide-Managing_Entitlement_Certificates-Upload_Content_Certificate">
  <title>Upload Content Certificate</title>
  <indexterm>
    <primary>RHUI Manager</primary>
    <secondary>upload content certificate</secondary>
  </indexterm>
  <step>
    <para>
      &RH; might need to issue a new content certificate if your old content certificate is about to expire, or to change the entitlements of the certificate. If &RH; issues a new content certificate, it will need to be uploaded to RHUI.
    </para>
    <note>
      <title>Note</title>
      <para>
        When you upload a new content certificate, it will also be updated in the RHUA, and will be used for synchronizing &RH; repositories. For this reason, do not upload a new content certificate before it becomes valid, as it will cause your synchronizations to fail until the valid date is reached.
      </para>
    </note>
    <para>
      From the Entitlements Manager screen, type <userinput>u</userinput> at the prompt to upload a new content certificate:
    </para>
    <screen>
rhui (entitlements) => u
    </screen>
    <note>
      <title>Note</title>
      <para>
        Content certificates are stored on the same system RHUI Manager is installed on, at <filename>/etc/pki/rhui</filename>. For security reasons, this directory requires root permissions. If you do not have the correct permissions, RHUI Manager will not allow you to proceed:
      </para>
      <screen>
rhui (entitlements) => u

The current user does not have write privileges to update the content cert at /etc/pki/rhui/content-cert.crt.

------------------------------------------------------------------------------
rhui (entitlements) =>
      </screen>
    </note>
  </step>
  <step>
    <para>
      Enter the full path to the new content certificate:
    </para>
    <screen>
Full path to the new content certificate:
/home/example/rhui-certs/cert-1.pem
    </screen>
  </step>
  <!--
  <step>
    <para>
      Enter the full path to the private key for the new certificate:
    </para>
    <screen>
Full path to the new content certificate private key:
/home/example/rhui-certs/content-key.pem
    </screen>
  </step>
  -->
  <step>
    <para>
      The details of the new certificate to be uploaded will be displayed. Type <userinput>y</userinput> at the prompt to confirm the information and upload the packages. RHUI Manager will then list the current certificates:
    </para>
    <screen>
The RHUI will be updated with the following certificate:
Certificate: /home/example/rhui-certs/cert-1.pem

Proceed? (y/n) y


Red Hat Entitlements

RHEL 5
  Expiration: 06-06-2012    Certificate: cert-2.pem

RHUI 1.1
  Expiration: 06-07-2012    Certificate: cert-1.pem

RHUI 1.2
  Expiration: 06-07-2012    Certificate: cert-1.pem


------------------------------------------------------------------------------
rhui (entitlements) =>
    </screen>
  </step>
</procedure>
```

Revision 1-15 LKB

(In reply to comment #2)
> = Combined Certificate and Private Keys =
>
> Going forward, when cloud providers get their content certificates from Red
> Hat, each certificate will come as a single file (as compared to a separate
> certificate and private key). This file is simply the concatenation of the cert
> and key contents. That's why the above screenshots only ask for the certificate
> and not the private key.
>
> For existing users, it is extremely simple to take their existing content
> certificates and keys and make these files. It's literally just pasting them
> into the same file. If you want to include an example:
>
> $ cat content.crt content.key > content-2.0.pem

```xml
<para>
  RHUI Manager expects that both the content certificate and its private key will be contained in the same file. If you have existing content certificates with separate keys, you can create the single file using the <command>cat</command> command at a shell prompt:
</para>
<screen>
$ cat content.crt content.key > content-2.0.pem
</screen>
```

Revision 1-15 LKB

(In reply to comment #3)
> Thanks to Jdob for this detailed description on multi-cert support.
>
> I tested this feature and here are my observations:
>
> Now the first boot of rhui-manager looks like below (maybe we can update this in the
> Install guide):
> ==========================================
>
> [root@dhcp193-60 content-cert]# rhui-manager
> An entitlement signing CA certificate is required to use RHUI Tools
> but was not found.
>
> Full path to the new signing CA certificate:
> /root/rhui_certs/ca.crt
>
> Full path to the new signing CA certificate private key:
> /root/rhui_certs/ca.key
>
> A RHUI identity certificate is required to use RHUI Tools but was not found.
> A new identity certificate will be generated now using the CA certificate
> found at /etc/pki/rhui/entitlement-ca.crt.
>
> ......................................+++
> ........................+++
> Previous authentication credentials could not be found. Logging into
> the RHUI.
>
> If this is the first time using the RHUI, it is recommended to change
> the user's password in the User Management section of RHUI Tools.
>
> RHUI Username: admin
> RHUI Password:
>
>
> ------------------------------------------------------------------------------
> -= Red Hat Update Infrastructure Management Tool =-
>
>
> -= Home =-
>
> r manage repositories
> c manage content delivery servers (CDS)
> s synchronization status and scheduling
> e create entitlement certificates and client configuration RPMs
> n manage Red Hat entitlement certificates
> u manage users
>
> logout
> removes stored authentication credentials and exits
>
> < move to the previous screen
> ^, home
> move to the home screen
> /, clear
> clears the screen
> ?, help
> display help
> q, quit, exit
> exit
>
> Connected: dhcp193-163.pnq.redhat.com
> ------------------------------------------------------------------------------
> rhui (home) =>

Updated accordingly in Revision 1-15. LKB

Verified in Revision 1-18.

Contents in comments 5 and 8 are updated in the stage guide under section 4.1 RHUI Manager First Launch ==> step 4.
Contents in comments 6 and 7 are updated under chapter 8 ==> section "Procedure 8.3 Upload Content Certificate".

I think it's good to add the following statement as a note under "Procedure 8.3 Upload Content Certificate":

"If two or more content certificates provide the same entitlement, the certificate with the longest expiration date will be used (longer meaning furthest in the future)."

(In reply to comment #10)
> I think it's good to add the following statement as a note under "Procedure 8.3
> Upload Content Certificate":
>
> "If two or more content certificates provide the same entitlement, the
> certificate with the longest expiration date will be used (longer meaning
> furthest in the future)."

```xml
<note>
  <title>Note</title>
  <para>
    If two or more content certificates provide the same entitlements, the certificate with an expiration date furthest in the future will be used.
  </para>
</note>
```

Revision 1-21 LKB

Verified in the stage doc at: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html-single/Installation_Guide/index.html#chap-Installation_Guide-Managing_Entitlement_Certificates under chapter 8. Managing Entitlement Certificates ==> Procedure 8.3. Upload Content Certificate ==> 2nd Note.

This book is now available at http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/index.html

Please raise a new bug for any further changes. LKB