Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 890000

Summary: Can not auto-subscribe against SAM-20121221.n.1 server
Product: [Retired] Subscription Asset Manager Reporter: xingge <gxing>
Component: candlepinAssignee: Jordan OMara <jomara>
Status: CLOSED ERRATA QA Contact: SAM QE List <sam-qe-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 1.2CC: athomas, bkearney, ldai, liliu, mstead, omaciel, sgao, tomckay
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 19:21:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
The manifest that the SAM server use
none
subscribe via sam web ui none

Description xingge 2012-12-24 10:09:17 UTC 
Description of problem:
After register to the SAM-20121221.n.1 server, auto-subscribe failed

Version-Release number of selected component (if applicable):
katello-cli-common-1.2.1-11h.el6_3.noarch
katello-selinux-1.2.1-1h.el6_3.noarch
katello-headpin-all-1.2.1-10h.el6_3.noarch
katello-headpin-1.2.1-10h.el6_3.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-glue-candlepin-1.2.1-10h.el6_3.noarch
katello-common-1.2.1-10h.el6_3.noarch
katello-configure-1.2.3-1h.el6_3.noarch
katello-cli-1.2.1-11h.el6_3.noarch
katello-certs-tools-1.2.1-1h.el6_3.noarch
candlepin-tomcat6-0.7.23-1.el6_3.noarch
candlepin-0.7.23-1.el6_3.noarch
thumbslug-selinux-0.0.28-1.el6_3.noarch
thumbslug-0.0.28-1.el6_3.noarch
subscription-manager-1.1.14-1.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1.register to the SAM server
#subscribe-manager register --username=admin
password:
The system has been registered with id: aafa57dc-bd1c-47c5-88c0-9c67f3bd7a6d
2.auto-subscribe some subscription
#subscription-manager subscribe --auto
Installed Product Current Status:
Product Name:         	Red Hat Enterprise Linux Server
Status:               	Not Subscribed

Actual results:
auto-subscribe failed

Expected results:
auto-subscribe should be success

Additional info:
When list available subscriptions it shows:

[root@virtlab-66-84-79 ~]# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name:    	Red Hat Employee Subscription
SKU:                  	SYS0395
Pool Id:              	8ac28c703bcaee4d013bcaf3e76500a1
Quantity:             	50
Service Level:        	None
Service Type:         	None
Multi-Entitlement:    	No
Ends:                 	09/27/2013
System Type:          	Physical

Subscription Name:    	60 Day Supported CloudForms Evaluation
SKU:                  	SER0408
Pool Id:              	8ac28c703bcaee4d013bcaf3e7f600b6
Quantity:             	30
Service Level:        	Premium
Service Type:         	L1-L3
Multi-Entitlement:    	No
Ends:                 	01/01/2013
System Type:          	Physical

Subscription Name:    	Resilient Storage (8 sockets)
SKU:                  	RH1316844
Pool Id:              	8ac28c703bcaee4d013bcaf3e6ab0081
Quantity:             	18
Service Level:        	Layered
Service Type:         	L1-L3
Multi-Entitlement:    	No
Ends:                 	02/24/2013
System Type:          	Physical

Subscription Name:    	Scalable File System (8 sockets)
SKU:                  	RH1416373
Pool Id:              	8ac28c703bcaee4d013bcaf3e86d00c3
Quantity:             	10
Service Level:        	Layered
Service Type:         	L1-L3
Multi-Entitlement:    	No
Ends:                 	02/24/2013
System Type:          	Physical

And when register the Red Hat Employee Subscription which can be autosubscribed at the former sam version with Pool ID it shows:
[root@virtlab-66-84-79 ~]# subscription-manager subscribe --pool=8ac28c703bcaee4d013bcaf3e76500a1
The support of V3 certificates is not enabled on the server and is required for large content set subscription: Red Hat Employee Subscription

It seems that the SAM server doesn't enable V3 certificates.
Comment 1 xingge 2012-12-24 10:11:34 UTC 
Created attachment 668428 [details]
The manifest that the SAM server use
Comment 2 gaoshang 2012-12-25 03:29:52 UTC 
Created attachment 668670 [details]
subscribe via sam web ui
Comment 3 gaoshang 2012-12-25 03:31:28 UTC 
When attach Red Hat Employee Subscription via SAM Web UI, following error message pop up:

    Resources::Candlepin::Consumer: 500 Internal Server Error {"displayMessage":"The support of V3 certificates is not enabled on the server and is required for large content set subscription: Red Hat Employee Subscription"} (POST /candlepin/consumers/803c5e73-014a-4ef1-b718-a730773c579f/entitlements?pool=8ac28c703bcaee4d013bcaf3e76500a1&quantity=1) (RestClient::InternalServerError)
    {"displayMessage":"The support of V3 certificates is not enabled on the server and is required for large content set subscription: Red Hat Employee Subscription"}
    Click here for more details.

see pic attached above.
Comment 4 Michael Stead 2013-01-07 14:59:05 UTC 
I believe that this is behaving as expected.

By default, candlepin disables cert v3 support. This was done so that candlepin could be released before v3 certificate support was ready, and eliminated the need to disable v3 support on any new deployments.

*The enable/disable v3 support option will eventually be removed, and v3 support will be the norm.*

A check was added to candlepin to not allow attaching a subscription with a large number of content sets. This was because there are issues with using very large certificates on the CDN. This is likely why you could subscribe on older versions of SAM.

Adding the following property to candlepin's config file and restarting tomcat should resolve the issue you are seeing.

candlepin.enable_cert_v3=true


I suggest closing this BZ as NOTABUG.
Comment 5 gaoshang 2013-01-11 06:43:21 UTC 
(In reply to comment #4)
> I believe that this is behaving as expected.
> 
> By default, candlepin disables cert v3 support. This was done so that
> candlepin could be released before v3 certificate support was ready, and
> eliminated the need to disable v3 support on any new deployments.
> 
> *The enable/disable v3 support option will eventually be removed, and v3
> support will be the norm.*
> 
> A check was added to candlepin to not allow attaching a subscription with a
> large number of content sets. This was because there are issues with using
> very large certificates on the CDN. This is likely why you could subscribe
> on older versions of SAM.
> 
> Adding the following property to candlepin's config file and restarting
> tomcat should resolve the issue you are seeing.
> 
> candlepin.enable_cert_v3=true
> 
> 
> I suggest closing this BZ as NOTABUG.

Thanks Michael, we can enable cert v3 support now on SAM server following your instruction.

1. Add candlepin.enable_cert_v3=true to /etc/candlepin/candlepin.conf 
[root@samserv ~]# cat /etc/candlepin/candlepin.conf 
#
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

jpa.config.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
jpa.config.hibernate.connection.url=jdbc:postgresql:candlepin
jpa.config.hibernate.hbm2ddl.auto=validate
jpa.config.hibernate.connection.username=candlepin

jpa.config.hibernate.connection.password=$1$6eXPhiSNbY2FDHGNinLamQ==
candlepin.consumer_system_name_pattern = .+
candlepin.environment_content_filtering=false
module.config.katello=org.candlepin.katello.KatelloModule
candlepin.auth.oauth.enabled = true
candlepin.auth.oauth.consumer.katello.secret = 7nfvOrPVyMBRdgi8t3aunBlp27GIj8YZ
candlepin.crl.file = /var/lib/candlepin/candlepin-crl.crl
candlepin.enable_cert_v3=true

candlepin.auth.oauth.consumer.thumbslug.secret = 7nfvOrPVyMBRdgi8t3aunBlp27GIj8YZ

2. restart tomcat
service tomcat6 restart

After cert v3 enable, autosubscribe succeed.
Comment 6 Tom McKay 2013-01-11 14:31:08 UTC 
katello-configure will be updated to enable cert v3 in SAM installations
Comment 8 gaoshang 2013-01-14 05:51:51 UTC 
Since katello-configure will be updated to enable cert v3 in SAM installations, I'll verify this bug when new SAM build comes out.
Comment 9 Og Maciel 2013-01-16 21:33:37 UTC 
Verified:

* candlepin-0.7.23-1.el6_3.noarch
* candlepin-tomcat6-0.7.23-1.el6_3.noarch
* elasticsearch-0.19.9-5.el6_3.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.2.1-1h.el6_3.noarch
* katello-cli-1.2.1-12h.el6_3.noarch
* katello-cli-common-1.2.1-12h.el6_3.noarch
* katello-common-1.2.1-14h.el6_3.noarch
* katello-configure-1.2.3-2h.el6_3.noarch
* katello-glue-candlepin-1.2.1-14h.el6_3.noarch
* katello-headpin-1.2.1-14h.el6_3.noarch
* katello-headpin-all-1.2.1-14h.el6_3.noarch
* katello-selinux-1.2.1-2h.el6_3.noarch
* thumbslug-0.0.28-1.el6_3.noarch
* thumbslug-selinux-0.0.28-1.el6_3.noarch
Comment 11 errata-xmlrpc 2013-02-21 19:21:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0544.html