Update RedHat certificate paths in Patch Global Config

Version 4

    We know that RedHat will periodically revoke the certificates used by the subscription-manager client and that subscription-manager will automatically refresh the certificates. Unfortunately, these will not be automatically refreshed in BSA. One option is to run an NSH Script Job periodically to update the settings in Patch Global Config. There should only be one set of certificates in the /etc/pki/entitlement directory, so we can run something like the below:

     

    #!/bin/nsh

    #blcli_setoption serviceProfileName defaultProfile
    #blcli_setoption roleName BLAdmins
    # uncomment above for interactive run
    blcli_connect
    # host that holds the subscription-manager entitlement certificates
    repoHost="blprov01-88.local"
    certDirectory="/etc/pki/entitlement"
    # temporary options file passed to setPatchGlobalConfigurationOptions
    cfgFile="/tmp/pgc.$$"
    # build the NSH path to the file server root
    blcli_execute FileServer getHost
    blcli_storeenv fsHost
    blcli_execute FileServer getRootPath
    blcli_storeenv fsRoot
    fileServer="//${fsHost}${fsRoot}"
    # the certificate is the *.pem that is not the key; the key is *key.pem
    certFile="$(find "//${repoHost}${certDirectory}" -name "*.pem" ! -name "*key.pem" -print)"
    keyFile="$(find "//${repoHost}${certDirectory}" -name "*key.pem" -print)"
    echo "Found Cert: ${certFile}"
    echo "Found Key: ${keyFile}"
    # stop unless exactly one certificate and one key were found (an empty or multi-line result is not a file)
    [[ -f "${certFile}" && -f "${keyFile}" ]] || { echo "Expected exactly one cert and key in //${repoHost}${certDirectory}"; exit 1; }
    # first write truncates, so a leftover file with the same name is not appended to
    echo "REDHAT.RH_SSL_CLI_CERT_FILE_OPTION=${certFile}" > "${cfgFile}"
    echo "REDHAT.RH_SSL_CLI_KEY_FILE_OPTION=${keyFile}" >> "${cfgFile}"
    blcli_execute PatchGlobalConfiguration setPatchGlobalConfigurationOptions "${cfgFile}"
    # move the old ones out of the way since the above only updates the database
    [[ -f "${fileServer}/patch/GlobalConstants/rh-sslclientcert.pem" ]] && rm -f "${fileServer}/patch/GlobalConstants/rh-sslclientcert.pem"
    [[ -f "${fileServer}/patch/GlobalConstants/rh-sslclientkey.pem" ]] && rm -f "${fileServer}/patch/GlobalConstants/rh-sslclientkey.pem"
    cp "${certFile}" "${fileServer}/patch/GlobalConstants/rh-sslclientcert.pem"
    cp "${keyFile}" "${fileServer}/patch/GlobalConstants/rh-sslclientkey.pem"
    # clean up the temporary options file
    [[ -f "${cfgFile}" ]] && rm -f "${cfgFile}"
    

     

    This is a blind update - there is no blcli call to read the current setting and compare against it. The job could be scheduled to run before the RedHat CUJ to ensure any certificate changes are reflected in the PGC settings.
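
One way to make the update less blind, as an added example that is not part of the original document: confirm the entitlement directory holds exactly one certificate with its key, then compare them with the copies already in GlobalConstants so the job can skip the update when nothing changed. It is plain POSIX sh against local paths (in NSH these would be `//host/path` paths); the function names are hypothetical, and it assumes the key is named like the certificate with `-key` before `.pem`.

```shell
#!/bin/sh
# Added example, not from the original document. Function names are hypothetical.

# Print the single certificate in an entitlement directory: the one *.pem
# file that is not a *key.pem file. Fails when there are none or several.
find_single_cert() {
    dir=$1
    found=""
    count=0
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue            # unmatched glob or not a regular file
        case "$f" in *key.pem) continue ;; esac
        found=$f
        count=$((count + 1))
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# Print the key that belongs to a certificate.
# Assumption: <name>.pem pairs with <name>-key.pem.
key_for_cert() {
    key="${1%.pem}-key.pem"
    [ -f "$key" ] || return 1
    printf '%s\n' "$key"
}

# Exit status: 0 = update needed (deployed copy missing or different),
#              1 = deployed copies already match,
#              2 = no unambiguous cert/key pair in the source directory.
needs_update() {
    src_dir=$1
    dest_dir=$2
    cert=$(find_single_cert "$src_dir") || return 2
    key=$(key_for_cert "$cert") || return 2
    cmp -s "$cert" "$dest_dir/rh-sslclientcert.pem" 2>/dev/null &&
        cmp -s "$key" "$dest_dir/rh-sslclientkey.pem" 2>/dev/null &&
        return 1
    return 0
}
```

This compares only the file-server copies, since the PGC database value cannot be read back; a status of 2 is the case to alert on rather than update through.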