The Structure of Entitlement Certificates
An entitlement is analogous to an assigned software license. An entitlement certificate contains a list of the products available to a system, that is, the software the system has been granted rights to download and update. When a system is subscribed to a subscription pool, it pulls down the entitlement certificate from the subscription service; that certificate carries all of the information about the available products.
An entitlement certificate lists every potential product from every potential content source. The structure of the entitlement certificate therefore allows multiple namespaces, one each for products, content servers, roles, orders, and systems. An entitlement certificate also contains complete information about the subscribed pool, even for products which may not be compatible with the specific system: the architecture and version definitions in the certificate list all of the allowed architectures and versions, not just the ones that match the local system.
The local Subscription Manager polls the subscription service routinely (every four hours by default) to check for changes in the entitlements. When a subscription is changed in some way, then the original entitlement certificate is revoked and is replaced with a new entitlement certificate.
The entitlement certificate is a *.pem file stored in the entitlement certificates directory, /etc/pki/entitlement. The name of the *.pem file is a numeric identifier generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
The heading of the certificate contains the name of the subscription service which issued it, the validity period of the certificate (which is tied to the installation date of the product), and the serial number of the installation of the product.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3c:da:6c:06:90:7f:ff
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=candlepin1.devlab.phx1.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: Oct  8 17:55:28 2010 GMT
            Not After : Oct  2 23:59:59 2011 GMT
        Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...
The key definition of the product is given in custom certificate extensions that are appended to the certificate. Each namespace defines certain information about a product, including its name, content servers which can deliver it, the format of delivery, and a GPG key to identify the release. Every individual entry is identified by a numeric object identifier (OID) with the same basic format:
1.3.6.1.4.1.2312.9.2.product_#.config_#: ..config_value
The 2 indicates that it is a product entry. product_# is a unique ID which identifies the specific product or variant. config_# relates to the installation information for that product, like its content server or the quantity available.
Every entitlements-related extension begins with the OID base 1.3.6.1.4.1.2312.9. The subsequent numbers identify different subscription areas:
.2. is the product-specific information
.1. is the subscription information
.4. contains the contract information, like its ID number and start and end dates
.5. contains the consumer information, like the consumer ID which installed a product
A product definition contains a series of entries which configure all of the information required to identify and install the product. Each type of information has its own ID, the config_# in the OID, that is used consistently for all products. An example product is listed in Example 14.14, "Annotated Community Enterprise Linux High Availability Product Extensions in an Entitlement Certificate".
Example 14.14. Annotated Community Enterprise Linux High Availability Product Extensions in an Entitlement Certificate
content repository type
1.3.6.1.4.1.2312.9.2.30393.1: ..yum
product
1.3.6.1.4.1.2312.9.2.30393.1.1: .HCommunity Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
channel name
1.3.6.1.4.1.2312.9.2.30393.1.2: .Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
vendor
1.3.6.1.4.1.2312.9.2.30393.1.5: ..CentOS
download URL
1.3.6.1.4.1.2312.9.2.30393.1.6: .Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
key download URL
1.3.6.1.4.1.2312.9.2.30393.1.7: .2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
flex quantity
1.3.6.1.4.1.2312.9.2.30393.1.4: ..0
quantity
1.3.6.1.4.1.2312.9.2.30393.1.3: ..25
repo enabled setting
1.3.6.1.4.1.2312.9.2.30393.1.8: ..1
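The following is an added example, not code from the original documentation or from Subscription Manager itself: it parses product extension lines as printed by `openssl x509 -text` (the format of Example 14.14) into a per-product dictionary, using the OID layout described above. The field names assigned to each config number are taken from the annotations in the example and are assumed to hold for other products; the one-byte DER length rule is an assumption that holds for values shorter than 128 bytes.

```python
import re

OID_BASE = "1.3.6.1.4.1.2312.9"
# Field names from the annotations in Example 14.14 (assumed stable across products).
FIELD_NAMES = {
    "1": "type", "1.1": "name", "1.2": "label", "1.3": "quantity",
    "1.4": "flex_quantity", "1.5": "vendor", "1.6": "download_url",
    "1.7": "gpg_key_url", "1.8": "enabled",
}
LINE_RE = re.compile(r"^\s*(?P<oid>\d+(?:\.\d+)+):\s?(?P<raw>.*)$")

def decode_value(raw):
    """openssl dumps the extension's raw DER bytes, printing non-printable
    bytes as '.': byte 0 is the ASN.1 tag (UTF8String), byte 1 the length,
    and the string starts at offset 2 (assumes a one-byte length, i.e. < 128)."""
    return raw[2:]

def parse_product_extensions(text):
    """Return {product_id: {field: value}} for every .2.<product>.<config>
    entry; the .1 (subscription), .4 (contract) and .5 (consumer) namespaces are skipped."""
    products = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("oid").startswith(OID_BASE + "."):
            continue
        parts = m.group("oid")[len(OID_BASE) + 1:].split(".")
        if parts[0] != "2" or len(parts) < 3:
            continue
        product_id, config = parts[1], ".".join(parts[2:])
        field = FIELD_NAMES.get(config, "config_" + config)
        products.setdefault(product_id, {})[field] = decode_value(m.group("raw"))
    return products

def is_usable(product):
    """A repo is worth enabling locally only if the entitlement marks it enabled and has quantity left."""
    return product.get("enabled") == "1" and int(product.get("quantity", "0")) > 0

# Constructed sample: the extension lines from Example 14.14, DER bytes left as openssl renders them.
SAMPLE = """\
1.3.6.1.4.1.2312.9.2.30393.1: ..yum
1.3.6.1.4.1.2312.9.2.30393.1.1: .HCommunity Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
1.3.6.1.4.1.2312.9.2.30393.1.2: .Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
1.3.6.1.4.1.2312.9.2.30393.1.5: ..CentOS
1.3.6.1.4.1.2312.9.2.30393.1.6: .Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
1.3.6.1.4.1.2312.9.2.30393.1.7: .2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
1.3.6.1.4.1.2312.9.2.30393.1.4: ..0
1.3.6.1.4.1.2312.9.2.30393.1.3: ..25
1.3.6.1.4.1.2312.9.2.30393.1.8: ..1
"""
```

Running `parse_product_extensions(SAMPLE)` yields a single product, 30393, whose `label`, `download_url` and `gpg_key_url` fields are what a yum repo definition would be built from.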