Did anything change in the CA location? How should a user obtain the pem for registration to Satellite?

http://satellitepub/katello-ca-consumer-latest.noarch.rpm is the correct bootstrap path, I'm not sure where the candlepin one came from.

Would node work with this? I think we expect pem, not a rpm.

(In reply to Yaniv Dary from comment #7)
> Would node work with this? I think we expect pem, not a rpm.

At this moment, in rhev-h we expect the certificate not rpm.
The certificate that the doc mention, probably extracted from the rpm.

I have found this KCS that mention how to extract from katello-ca-consumer-latest.noarch.rpm too:

How to register RHEV-H with Red Hat Satellite 6 server?
https://access.redhat.com/solutions/1479783

I would expect that this changed in katello at some point.

Checking for the certificate is part of registration which I inherited, and I'm not sure of the need for that requirement, but it's been tested and verified on QE's sat6 environment.

It's possible to fetch the rpm and extract the cert on rhev-h directly, though I'd rather avoid making changes to the legacy code at this point unless there's a strict need, since there's a well-documented means to do this.

Can we update the docs to point to the kB article?

(In reply to Ryan Barry from comment #9)
> I would expect that this changed in katello at some point.
> 
> Checking for the certificate is part of registration which I inherited, and
> I'm not sure of the need for that requirement, but it's been tested and
> verified on QE's sat6 environment.
> 
> It's possible to fetch the rpm and extract the cert on rhev-h directly,
> though I'd rather avoid making changes to the legacy code at this point
> unless there's a strict need, since there's a well-documented means to do
> this.
> 
> Can we update the docs to point to the kB article?

The kbase recommends dropping to shell which isn't supported.

We will not support using the rpm on RHEV-H 3.6.

But the mechanism to use an RPM should work on RHVH 4.0.

Thus I suggest to add the kbase, because this will allow users to address the problem - even if dropping to shell is not supported.

Yaniv, please move to ocs if you think it should be documented, otherwise please close this bug as currentrelease.

But this means that all sat6 integration is dependent on weird unsupported flow and for a very long time (Sep 2017). We can do the unpacking of the rpm in RHEV-H to make it work.

Please discuss this with Moran on Sat support. If he decides to not fix this, please move to docs.

(In reply to Yaniv Dary from comment #10)
> The kbase recommends dropping to shell which isn't supported.

Only the first step of the kbase is necessary.

Once the .pem is hosted somewhere, the TUI takes over the rest, and no manual changes to rhsm.conf are needed.

A workaround:

Extract the PEM on the satellite server (first part of the kbase)

Log into the RHEV-H TUI:

Put the path to the .pem in the "CA Cert" field.

Registration works.

No unsupported steps (on the shell) on the RHEV host are needed. Only one step on the satellite server.

(In reply to Yaniv Dary from comment #12)
> But this means that all sat6 integration is dependent on weird unsupported
> flow and for a very long time (Sep 2017). We can do the unpacking of the rpm
> in RHEV-H to make it work.

Note that unpacking the RPM on the RHEV host means that the RHEV code must be aware of how the RPM is used in order to facilitate registration:

How is it packed? Is something happening on the %post scripts which we must also perform?

Where does the PEM go?

Do users still need to take additional steps in the TUI? Can all information (satellite server, etc) be inferred from the RPM?

Do we know exactly which files are being touched so they can be persisted?

And we must support continue to support this. It would be better (in my opinion) to extract the PEM on the satellite host, and use that for registration. It's my understanding that this is the current flow used by QE, so it should be well tested.

I have registered RHVH 4.0 to Satellite6.1/6.2 successfully before. 
I think it is right to use the test steps the customer shared for RHEV-H <3.6. But for RHVH 4.0, we should install the CA to RHVH host since NGN does not have TUI at all. The detail steps are list as below:

1. SSH the satellite server
   #ssh admin@<satellite IP>

2. Copy the rpm package e.g : "katello-ca-consumer-satellite61.redhat.com-1.0-1.noarch.rpm" to your host.
   #scp /var/www/html/pub/katello-ca-xxxx.noarch.rpm <host destination>

3. Install the CA rpm
   #rpm -ivh xxxx.rpm

4. Register RHVH via cockpit WebUI or subscription-manager CLI

Test Version:
rhevh-7.2-20160920.1.el7ev.iso 
satellite server is 6.1

Test Steps:
1 Extract the rpm file /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm in /tmp.
 
 [root@satellite /tmp]# rpm2cpio katello-ca-consumer-latest.noarch.rpm | cpio -idv

2 Move the CA pem to /var/www/html/pub/
 [root@satellite /tmp]# mv /tmp/etc/rhsm/ca/*.pem /var/www/html/pub/

3 Restore selinux context
 [root@satellite /tmp]# restorecon -Rv /var/www/html/pub/

4. Using http://<sat-fqdn>/pub/katello-default-ca.pem as CA URL

5. Fill other info for registering satellite

6. Save

Test Result:
RHEVH register to satellite successfully.

Hi Weiwang,

(In reply to weiwang from comment #18)
> Test Version:
> rhevh-7.2-20160920.1.el7ev.iso 
> satellite server is 6.1
> 
> Test Steps:
> 1 Extract the rpm file
> /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm in /tmp.
>  
>  [root@satellite /tmp]# rpm2cpio katello-ca-consumer-latest.noarch.rpm |
> cpio -idv
> 
> 2 Move the CA pem to /var/www/html/pub/
>  [root@satellite /tmp]# mv /tmp/etc/rhsm/ca/*.pem /var/www/html/pub/
> 
> 3 Restore selinux context
>  [root@satellite /tmp]# restorecon -Rv /var/www/html/pub/
> 
> 4. Using http://<sat-fqdn>/pub/katello-default-ca.pem as CA URL
> 
> 5. Fill other info for registering satellite
> 
> 6. Save
> 
> Test Result:
> RHEVH register to satellite successfully.

Could you please share the steps you have used to register 3.6 into the sat 6.2 ?

Thanks!

Test Steps:
1. Clean install RHEV-H on machine

2. Configure NIC with dhcp/static

3. Go to RHSM Registration page

4. Fill in the username and password of satellite6

5. Select the "satellite" type

6. Fill in the satellite server URL and CA URL got it according to the customer steps

7. Fill in the Organization, then selecting "save"

8. The registering result will be displayed successfully.

Hi, 

Update about this case:

I have talked with one of Sat/SpaceWalk contributors (Marcelo Mello) and he agrees that our Sat 6.2 support is not working properly from his tests. Discussing the situation with him, he offered help to create a patch and test against all his Sat servers from 5 to 6.2.

On Satellite 6.2, subscription-manager enforces an organization and library to be specified when registering a system. This patch added the environment option when the customer decides to register a system via username+password. 

Furthermore, the versions after >= 6.1 includes a katello-server-ca.crt under /pub directory by default. To be able to register, instead of checking for an only for a PEM file extension (present only on Red Hat Satellite <= 6.0.8) it now checks for katello-server-ca.crt. 
Also added some further tests to validate the entries provided by the user when combining activation_key or username/password/org/library. 
Tested patch on Red Hat Satellite 6.2 with 3rd party CA and self-signed CA and worked fine. Tested also with Satellite 6.1 and worked fine. Tested with Satellite 6.0.8 and worked with katello-server-ca.pem too.
 
To make possible to register RHEV-H on Satellite <= 6.0.8, the sysadmin will need to export/extract the PEM file manually from thekatello-ca-consumer-latest.noarch RPM. Any Satellite higher than 6.1 is not required to export the certificate, since it will be executed automatically by Satellite. 

Testing instructions:

  Satellite 5.x:

     Inform username+password. Then pass URL i.e: https://mysat5.example.com and CA URL i.e. https://mysat5.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT. 

     If using activation key, don't need username+password.

 
  Satellite 6.0.8 or lower

    It is required to extract the PEM file from the  katello-ca-consumer-latest.noarch.rpm. 

    A good way to do would be:

# cd /tmp
# rpm2cpio /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm | cpio -idmv
# cat etc/rhsm/ca/candlepin-local.pem etc/rhsm/ca/katello-server-ca.pem  >> /var/www/html/pub/katello-server-ca.crt
# restorecon -Rv /var/www/html/pub/katello-server-ca.crt
# chmod  644 /var/www/html/pub/katello-server-ca.crt

  note: if the certificate has .pem extension will work too. 

    Inform username+password. Then pass URL i.e: https://mysat6.example.com and CA URL i.e. https://mysat6.example.com/pub/katello-server-ca.crt

     If using activation key, don't need username+password. 


  Satellite 6.1 or higher

    Inform username+password. Then pass URL i.e: https://mysat6.example.com and CA URL i.e. https://mysat6.example.com/pub/katello-server-ca.crt

     If using activation key, don't need username+password.


Please let me know if you have any further questions. 
mmello

Hello Wei Wang,

Tests to validate this report are listed in comment#26.

Thanks!

Test Version:
rhev-hypervisor7-7.3-20170110.1.iso
ovirt-node-3.6.1-40.0.el7ev.noarch

First, for satellite 5.7
Test Steps:
1. Clean install RHEVH
2. Input below information:
   username: admin
   password: xxxxxx
   type: satellite
   URL: https://example57.redhat.com
   CA URL: https://example57.redhat.com/pub/RHN-ORG-TRUSTED-SSL-CERT
3. Register to satellite

Results:
RHEVH register to satellite5.7 failed, and report a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1412118

Second, for satellite 6.0.8
Results:
Pending for test environment is setting up now. I will test with satellite 6.0.8 when it is ready.

Third, for satellite 6.2
Test Steps:
1. Clean install RHEVH
2. Input below information:
   username: admin
   password: xxxxxx
   type: satellite
   URL: https://example62.redhat.com
   CA URL: https://example62.redhat.com/pub/katello-server-ca.crt
   Organization: <organization name>
   environment: <libray>
3. Register to satellite

Results:
RHEVH register to satellite6.2 successfully.

(In reply to Wei Wang from comment #29)
> Test Version:
> rhev-hypervisor7-7.3-20170110.1.iso
> ovirt-node-3.6.1-40.0.el7ev.noarch
> 
> First, for satellite 5.7
> Test Steps:
> 1. Clean install RHEVH
> 2. Input below information:
>    username: admin
>    password: xxxxxx
>    type: satellite
>    URL: https://example57.redhat.com
>    CA URL: https://example57.redhat.com/pub/RHN-ORG-TRUSTED-SSL-CERT
> 3. Register to satellite
> 
> Results:
> RHEVH register to satellite5.7 failed, and report a new bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1412118

As discussed in the bug#1412118 it was an issue in the initial sat57 server.
In a second server, just worked out of box.

> 
> Second, for satellite 6.0.8
> Results:
> Pending for test environment is setting up now. I will test with satellite
> 6.0.8 when it is ready.

Sure, thanks!

> 
> Third, for satellite 6.2
> Test Steps:
> 1. Clean install RHEVH
> 2. Input below information:
>    username: admin
>    password: xxxxxx
>    type: satellite
>    URL: https://example62.redhat.com
>    CA URL: https://example62.redhat.com/pub/katello-server-ca.crt
>    Organization: <organization name>
>    environment: <libray>
> 3. Register to satellite
> 
> Results:
> RHEVH register to satellite6.2 successfully.

Great, thanks!

As we discussed Wei Wang,

In the sat 6.0.8 you might find a issue if any fact field is > 255 chars [1].
In my case, the proc_cpuinfo.common.flags had > 255 chars. 

In the log file rhsm.log you could find an error like:
 "['Problem creating unit Consumer [id = 8a8c53095994.....]" [2]

To double check, you might run the below command and see if any field is > 255:
   # Press F2 to go to shell
   # subscription-manager facts --list

To fix my case, I have updated proc_cpuinfo.common.flags field reducing the flags and re-executing the registration via TUI.

- Press F2 (go to console)
- Workaround for proc_cpuinfo.common.flags:

# echo '{"proc_cpuinfo.common.flags":"fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes"}' > /etc/rhsm/facts/cpuinfo_override.facts

# persist /etc/rhsm/facs/cpuinfo_override.facts
# exit (Get back to TUI and try again the registration)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1310827#c3

A similar KCS is available here:
https://access.redhat.com/solutions/1414243

Thanks!

Test Version:
rhev-hypervisor7-7.3-20170110.1.iso
ovirt-node-3.6.1-40.0.el7ev.noarch
satellite 6.0.8

Test Steps:
1. # cd /tmp
# rpm2cpio /var/www/html/pub/katello-ca-consumer-latest.noarch.rpm | cpio -idmv
# cat etc/rhsm/ca/candlepin-local.pem etc/rhsm/ca/katello-server-ca.pem  >> /var/www/html/pub/katello-server-ca.crt
# restorecon -Rv /var/www/html/pub/katello-server-ca.crt
# chmod  644 /var/www/html/pub/katello-server-ca.crt

2. Clean install RHEVH
3. Do according to comment32
4. Input below information:
   username: admin
   password: xxxxxx
   type: satellite
   URL: https://example608.redhat.com
   CA URL: https://example608.redhat.com/pub/katello-server-ca
5. Register to satellite

Results:
RHEVH register to satellite 6.0.8 successfully.

The bug cannot be reproduced, change status to VERIFIED