
Depending on your licensing agreement with Red Hat, the entitlements to the repositories you are using in a single Patch Catalog may be spread across multiple certificates.  Alternatively, you may need to maintain multiple Patch Catalogs, each with separate repository servers and each needing its own set of entitlement certificates, so you cannot use the single set defined in the Patch Global Configuration.  Currently it is not possible to handle either of these situations.  With a small update to the yum metadata generator script, both of these situations can be handled.  Also, since this will bypass the Patch Global Configuration settings for the entitlement certificate and key, you no longer have to worry about the case where Red Hat revokes the certificates and subscription-manager on your repository server gets new certificates in /etc/pki/entitlement.


Standard disclaimer here:  this is not supported, will be removed by an upgrade, may not work in future versions, and may not work in your environment, etc etc.


What we need to do is take the URL defined in the repository configuration generated by the Catalog Update Job and search for it in the entitlement certificates present on the system.  Then we can update the generated repository configuration to point at the matching certificate on the repository server.


First, locate the support-files-1.0-SNAPSHOT.jar file in the NSH/br/stdlib directory on an appserver.  Extract the script from this file into a temporary directory:

# unzip /opt/bmc/bladelogic/NSH/br/stdlib/support-files-1.0-SNAPSHOT.jar -d /tmp com/bmc/sa/patchfeed/redhat/
Archive:  /opt/bmc/bladelogic/NSH/br/stdlib/support-files-1.0-SNAPSHOT.jar
  inflating: /tmp/com/bmc/sa/patchfeed/redhat/  


Around line 348, just above:

print_log "Started executing yum metadata generator script" 


add the following function:

    # NOTE: the function name is a placeholder; the original name is not shown on this page.
    set_repo_entitlement_certs() {
        # For each repo in ./yum.conf, find the entitlement cert whose content URL matches its baseurl
        while read repo
        do
            echo "REPO: ${repo}"
            for cert in /etc/pki/entitlement/*[0-9].pem
            do
                echo "Checking ${cert}..." | tee -a $log_file_name
                if grep -q "$(awk -v val="URL:" '{if ($1 == val) print $2 }' <<< "$(rct cat-cert "${cert}")"  | sed "s/\$basearch/${repoArch}/g;s/\$releasever/\.\*/g")" <<< "$(awk -v val="baseurl" '{if ($1 == val) print $3}' <<< "$(yum-config-manager -c ./yum.conf ${repo})")"
                then
                    echo "Using ${cert} for ${repo}"  | tee -a $log_file_name
                    yum-config-manager -c ./yum.conf --save --setopt=${repo}.sslclientkey=${cert%.*}-key.pem
                    yum-config-manager -c ./yum.conf --save --setopt=${repo}.sslclientcert=${cert}
                fi
            done
        done <<< "$(awk -v val="repo:" '{ if ($2 == val ) print $3}' <<< "$(yum-config-manager -c ./yum.conf )")"
    }


After the export LD_LIBRARY_PATH="" around line 353 (after the addition above) call the function:

echo "Started executing yum metadata generator script"

cd $repoDir

# goes after the export LD_LIBRARY_PATH="" line; placeholder name, matching the definition above
set_repo_entitlement_certs


Copy the support-files-1.0-SNAPSHOT.jar to the root of the temporary directory where you extracted it earlier.  Then replace the script in the zip with the altered version:

# cd /tmp
# cp /opt/bmc/bladelogic/NSH/br/stdlib/support-files-1.0-SNAPSHOT.jar .
# zip support-files-1.0-SNAPSHOT.jar com/bmc/sa/patchfeed/redhat/ 
 updating: com/bmc/sa/patchfeed/redhat/ (deflated 75%)


Stop the application server services.

Make a backup of the original support-files-1.0-SNAPSHOT.jar somewhere outside of the application server install directory.

Delete the NSH/br/stdlib/support-files-1.0-SNAPSHOT.jar

Copy the altered support-files-1.0-SNAPSHOT.jar into NSH/br/stdlib

On Linux the file should be owned by root and be owner read and write, group read, and everyone read (644)

Start the application server services


This will now look for entitlement certificates in the /etc/pki/entitlement directory on the repository server, ignoring what is defined in Patch Global Configuration.  As long as that directory contains your entitlement certificates for all of the repositories you have in your Patch Catalog, the Catalog Update Job should run without errors related to missing entitlements for one of the repositories being downloaded.
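
The matching step in the function above, tightened as an added example (not part of the original post or the product's script): it refuses a certificate whose rct cat-cert output has no URL: lines, because an empty grep pattern matches every baseurl, and it anchors the match to the end of the path.  The function names, the sample certificate text and the example.invalid URLs are constructed for illustration.

```bash
# Added example (not from the product script): stricter cert-to-repo matching.

# Constructed sample of the content lines that `rct cat-cert` prints.
sample_cert_text() {
    printf '\tLabel: rhel-7-server-rpms\n'
    printf '\tURL: /content/dist/rhel/server/7/$releasever/$basearch/os\n'
    printf '\tLabel: rhel-7-server-optional-rpms\n'
    printf '\tURL: /content/dist/rhel/server/7/$releasever/$basearch/optional/os\n'
}

# Print one anchored regex per "URL:" line of the certificate text.
# $1 = `rct cat-cert` output, $2 = architecture (repoArch in the page's script)
cert_url_patterns() {
    printf '%s\n' "$1" | awk '$1 == "URL:" { print $2 }' |
        sed -e 's/[].[*^]/\\&/g' \
            -e "s/[\$]basearch/$2/g" \
            -e 's,[$]releasever,[^/]*,g' \
            -e 's,$,/*$,'
}

# Exit 0 if the certificate covers the baseurl, 1 if it does not, and 2 if the
# certificate text has no URL: lines (an empty pattern would match anything).
# $1 = `rct cat-cert` output, $2 = architecture, $3 = repo baseurl
cert_covers_baseurl() {
    patterns=$(cert_url_patterns "$1" "$2")
    [ -n "$patterns" ] || return 2
    printf '%s\n' "$3" | grep -q -- "$patterns"
}

# Demo on constructed URLs (example.invalid is a placeholder host).
cert_text=$(sample_cert_text)
for url in \
    "https://cdn.example.invalid/content/dist/rhel/server/7/7Server/x86_64/os" \
    "https://cdn.example.invalid/content/dist/rhel/server/7/7Server/x86_64/optional/os/" \
    "https://cdn.example.invalid/content/dist/rhel/server/7/7Server/x86_64/supplementary/os"
do
    if cert_covers_baseurl "$cert_text" x86_64 "$url"; then
        echo "covered:     $url"
    else
        echo "not covered: $url"
    fi
done
```

In the altered script the first argument would come from rct cat-cert "${cert}" and the third from the baseurl that yum-config-manager reports for the repo.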


The same alteration can be performed to the offline downloader, with the support-files-1.0-SNAPSHOT.jar existing in the <downloader dir>/lib directory.


Since an upgrade will overwrite the altered jar file, you will need to repeat the above modifications after each upgrade and then re-test the Catalog Update Job.