🎫 Candlepin Subscription Management on AlmaLinux: Entitlement Control Made Easy

Welcome to the world of subscription and entitlement management! 🎉 Ready to control software subscriptions like a pro? Candlepin is the open-source powerhouse that manages entitlements for your entire infrastructure! It’s the engine behind subscription management systems, tracking who can use what software! Think of it as your personal license manager that never forgets who’s allowed to use what! 🎭✨

🤔 Why is Candlepin Important?

Candlepin transforms subscription chaos into organized control! 🚀 Here’s why it’s amazing:

• 🎫 Subscription Tracking - Manage software entitlements precisely!
• 📜 Certificate Management - Issue and control access certificates!
• 🔐 Entitlement Pools - Create and manage subscription pools!
• 👥 Multi-Tenant Support - Separate organizations cleanly!
• 📊 Usage Reporting - Track consumption and compliance!
• 🔄 Auto-Attach - Automatically assign best subscriptions!

It’s like having a smart ticket booth for all your software! 🎪

🎯 What You Need

Before building your subscription empire, ensure you have:

• ✅ AlmaLinux server (8 or 9)
• ✅ Root or sudo access
• ✅ At least 4GB RAM (8GB recommended)
• ✅ PostgreSQL 12+
• ✅ Tomcat 9+
• ✅ Java 11 or higher
• ✅ Love for organized licensing! 🎫

📝 Step 1: System Preparation - Setting the Foundation!

Let’s prepare AlmaLinux for Candlepin! 🏗️

# Install Java 11
sudo dnf install -y java-11-openjdk java-11-openjdk-devel

# Verify Java installation
java -version
# Should show: openjdk version "11.0.x"

# Set JAVA_HOME
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk' >> ~/.bashrc
echo 'export PATH=$PATH:$JAVA_HOME/bin' >> ~/.bashrc
source ~/.bashrc

# Install PostgreSQL
sudo dnf install -y postgresql postgresql-server postgresql-contrib

# Initialize PostgreSQL
sudo postgresql-setup --initdb

# Start and enable PostgreSQL
sudo systemctl enable --now postgresql

Configure PostgreSQL for Candlepin:

# Create Candlepin database and user
sudo -u postgres psql << EOF
CREATE USER candlepin WITH PASSWORD 'CandlePin123!';
CREATE DATABASE candlepin OWNER candlepin;
GRANT ALL PRIVILEGES ON DATABASE candlepin TO candlepin;
EOF

# Configure PostgreSQL authentication
sudo nano /var/lib/pgsql/data/pg_hba.conf
# Change this line:
# local   all             all                                     peer
# To:
# local   all             all                                     md5

# Also add:
# host    candlepin       candlepin       127.0.0.1/32            md5

# Restart PostgreSQL
sudo systemctl restart postgresql

# Test connection
psql -U candlepin -h localhost -d candlepin
# Enter password: CandlePin123!
# Should connect successfully

Perfect! Database is ready! 💾

🔧 Step 2: Installing Candlepin - Your Subscription Engine!

Time to install Candlepin! 🚀

# Install Tomcat
sudo dnf install -y tomcat tomcat-webapps tomcat-admin-webapps

# Configure Tomcat for Candlepin
sudo nano /etc/tomcat/tomcat.conf
# Add:
# JAVA_OPTS="-Xms1024m -Xmx2048m -XX:MaxPermSize=256m"

# Start Tomcat
sudo systemctl enable --now tomcat

Build Candlepin from Source:

# Install build dependencies
sudo dnf install -y git maven npm
sudo dnf groupinstall -y "Development Tools"

# Clone Candlepin repository
cd /opt
sudo git clone https://github.com/candlepin/candlepin.git
cd candlepin

# Build Candlepin
sudo mvn clean install -DskipTests

# The WAR file will be in:
# server/target/candlepin.war

Deploy Candlepin:

# Copy WAR to Tomcat
sudo cp server/target/candlepin.war /usr/share/tomcat/webapps/

# Create Candlepin configuration directory
sudo mkdir -p /etc/candlepin
sudo chown tomcat:tomcat /etc/candlepin

# Create configuration file
sudo nano /etc/candlepin/candlepin.conf

Add configuration:

# Database configuration
jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
jpa.config.hibernate.connection.url=jdbc:postgresql://localhost/candlepin
jpa.config.hibernate.connection.username=candlepin
jpa.config.hibernate.connection.password=CandlePin123!
jpa.config.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
jpa.config.hibernate.hbm2ddl.auto=update

# Candlepin settings
candlepin.standalone=true
candlepin.auth.trusted.enable=true
candlepin.auth.oauth.enable=true
candlepin.consumer.facts.match=^system.*

# SSL settings
candlepin.ca_cert=/etc/candlepin/certs/candlepin-ca.crt
candlepin.ca_key=/etc/candlepin/certs/candlepin-ca.key

🌟 Step 3: Certificate Setup - Security First!

Let’s set up certificates for Candlepin! 🔐

# Create certificate directory
sudo mkdir -p /etc/candlepin/certs
cd /etc/candlepin/certs

# Generate CA certificate
sudo openssl genrsa -out candlepin-ca.key 4096
sudo openssl req -new -x509 -days 3650 \
  -key candlepin-ca.key \
  -out candlepin-ca.crt \
  -subj "/C=US/ST=State/L=City/O=MyOrg/CN=Candlepin CA"

# Generate server certificate
sudo openssl genrsa -out candlepin-server.key 2048
sudo openssl req -new \
  -key candlepin-server.key \
  -out candlepin-server.csr \
  -subj "/C=US/ST=State/L=City/O=MyOrg/CN=candlepin.example.com"

# Sign server certificate
sudo openssl x509 -req -days 365 \
  -in candlepin-server.csr \
  -CA candlepin-ca.crt \
  -CAkey candlepin-ca.key \
  -CAcreateserial \
  -out candlepin-server.crt

# Set permissions
sudo chown -R tomcat:tomcat /etc/candlepin/certs
sudo chmod 600 /etc/candlepin/certs/*.key

Configure firewall:

# Open Candlepin ports
sudo firewall-cmd --permanent --add-port=8443/tcp  # HTTPS
sudo firewall-cmd --permanent --add-port=8080/tcp  # HTTP
sudo firewall-cmd --reload

# Restart Tomcat
sudo systemctl restart tomcat

✅ Step 4: Initial Configuration - Creating Your First Org!

Time to configure Candlepin! 🎯

Initialize Database:

# Run database migrations
cd /opt/candlepin
sudo ./server/bin/liquibase \
  --driver=org.postgresql.Driver \
  --url=jdbc:postgresql://localhost/candlepin \
  --username=candlepin \
  --password=CandlePin123! \
  update

# Import initial data
sudo ./server/bin/import_products.py

Create Admin User:

# Use Candlepin CLI
cd /opt/candlepin
./client/bin/candlepin-cli \
  -u admin -p admin \
  create_user \
  --username admin \
  --password Admin123!

# Create organization
./client/bin/candlepin-cli \
  -u admin -p Admin123! \
  create_org \
  --key mycompany \
  --displayName "My Company"

Access Candlepin API:

# Test API access
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/status

# Should return JSON with status information

# List organizations
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/owners

🌟 Step 5: Managing Subscriptions - Creating Pools!

Let’s create subscription pools! 🏊

Create Product:

# Create a product
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "id": "awesome-product",
    "name": "Awesome Product",
    "attributes": [
      {"name": "version", "value": "1.0"},
      {"name": "arch", "value": "x86_64"},
      {"name": "type", "value": "SVC"}
    ]
  }' \
  https://localhost:8443/candlepin/owners/mycompany/products

Create Subscription Pool:

# Create pool for the product
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "productId": "awesome-product",
    "quantity": 100,
    "startDate": "2024-01-01T00:00:00.000+0000",
    "endDate": "2025-12-31T23:59:59.000+0000",
    "contractNumber": "12345678",
    "accountNumber": "987654321"
  }' \
  https://localhost:8443/candlepin/owners/mycompany/pools

Register Consumer:

# Register a system as consumer
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "type": {"label": "system"},
    "name": "client-system-01",
    "facts": {
      "system.certificate_version": "3.2",
      "cpu.cpu_socket(s)": "2",
      "memory.memtotal": "8388608"
    }
  }' \
  https://localhost:8443/candlepin/consumers?owner=mycompany

🎮 Quick Examples

Example 1: Auto-Attach Subscriptions

# Auto-attach best matching subscription
curl -k -u admin:Admin123! \
  -X PUT \
  https://localhost:8443/candlepin/consumers/{consumer_uuid}/entitlements

# Check attached entitlements
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/consumers/{consumer_uuid}/entitlements

Example 2: Subscription Manager Client

On client system:

# Install subscription-manager
sudo dnf install -y subscription-manager

# Configure to use Candlepin
sudo subscription-manager config \
  --server.hostname=candlepin.example.com \
  --server.port=8443 \
  --server.prefix=/candlepin

# Register system
sudo subscription-manager register \
  --org=mycompany \
  --username=admin \
  --password=Admin123!

# List available pools
sudo subscription-manager list --available

# Attach subscription
sudo subscription-manager attach --pool=<pool_id>

# Check status
sudo subscription-manager status

Example 3: Create Content and Repositories

# Create content
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "id": "awesome-content",
    "name": "Awesome Content",
    "type": "yum",
    "label": "awesome-content-label",
    "vendor": "MyCompany",
    "contentUrl": "/content/dist/rhel/server/7/$releasever/$basearch/os",
    "gpgUrl": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY"
  }' \
  https://localhost:8443/candlepin/owners/mycompany/content

# Associate content with product
curl -k -u admin:Admin123! \
  -X POST \
  https://localhost:8443/candlepin/owners/mycompany/products/awesome-product/content/awesome-content

🚨 Fix Common Problems

Problem 1: Candlepin Won’t Start

Symptom: Tomcat starts but Candlepin not accessible 😰

Fix:

# Check Tomcat logs
sudo tail -f /var/log/tomcat/catalina.out

# Common issue: Database connection
# Verify PostgreSQL is running
sudo systemctl status postgresql

# Test database connection
psql -U candlepin -h localhost -d candlepin

# Check Candlepin configuration
sudo cat /etc/candlepin/candlepin.conf

# Verify WAR deployment
ls -la /usr/share/tomcat/webapps/
# Should see candlepin.war and candlepin directory

Problem 2: Certificate Issues

Symptom: SSL/TLS errors when connecting 🔐

Fix:

# Check certificate permissions
ls -la /etc/candlepin/certs/

# Regenerate certificates if needed
cd /etc/candlepin/certs
sudo rm *.crt *.key *.csr
# Follow certificate generation steps again

# Import CA certificate to Java truststore
sudo keytool -import \
  -trustcacerts \
  -alias candlepin-ca \
  -file /etc/candlepin/certs/candlepin-ca.crt \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit

Problem 3: Client Registration Fails

Symptom: subscription-manager can’t register 🚫

Fix:

# On client, check connectivity
curl -k https://candlepin.example.com:8443/candlepin/status

# Import CA certificate on client
sudo wget http://candlepin.example.com/pub/candlepin-ca.crt
sudo cp candlepin-ca.crt /etc/rhsm/ca/

# Update subscription-manager config
sudo subscription-manager config --list

# Clean and retry
sudo subscription-manager clean
sudo subscription-manager register --force

📋 Simple Commands Summary

💡 Tips for Success

🚀 Performance Optimization

Make Candlepin blazing fast:

# Tune PostgreSQL
echo "shared_buffers = 512MB" | sudo tee -a /var/lib/pgsql/data/postgresql.conf
echo "effective_cache_size = 2GB" | sudo tee -a /var/lib/pgsql/data/postgresql.conf
sudo systemctl restart postgresql

# Increase Tomcat heap
sudo nano /etc/tomcat/tomcat.conf
# Set: JAVA_OPTS="-Xms2048m -Xmx4096m"

# Enable connection pooling
# In candlepin.conf:
# jpa.config.hibernate.connection.pool_size=20

# Regular maintenance
vacuumdb -U candlepin -d candlepin -z

🔒 Security Best Practices

Keep Candlepin secure:

1. Use SSL/TLS always - Never plain HTTP! 🔐
2. Strong passwords - Complex credentials! 💪
3. Regular certificate rotation - Update yearly! 🔄
4. Audit logging - Track all actions! 📝
5. Backup regularly - Export manifests! 💾

# Enable audit logging
echo "candlepin.audit.enabled=true" >> /etc/candlepin/candlepin.conf
echo "candlepin.audit.log.file=/var/log/candlepin/audit.log" >> /etc/candlepin/candlepin.conf

# Backup Candlepin data
pg_dump -U candlepin candlepin > candlepin_backup.sql

📊 Monitoring and Reporting

Track subscription usage:

# Get consumption report
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/owners/mycompany/consumers/export

# Check pool usage
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/owners/mycompany/pools | \
  jq '.[] | {product: .productName, consumed: .consumed, quantity: .quantity}'

# Monitor expired subscriptions
curl -k -u admin:Admin123! \
  "https://localhost:8443/candlepin/owners/mycompany/pools?consumer=expired"

🏆 What You Learned

You’re now a Candlepin subscription expert! 🎓 You’ve successfully:

• ✅ Installed Candlepin on AlmaLinux
• ✅ Configured database and certificates
• ✅ Created organizations and products
• ✅ Set up subscription pools
• ✅ Registered consumer systems
• ✅ Managed entitlements
• ✅ Mastered subscription management

Your subscription platform is enterprise-ready! 🎫

🎯 Why This Matters

Candlepin revolutionizes subscription management! With your entitlement platform, you can:

• 🎫 Control access - Know who uses what!
• 📊 Track usage - Monitor consumption precisely!
• 🔐 Ensure compliance - Stay within licenses!
• 🔄 Automate allocation - Smart subscription assignment!
• 💼 Scale enterprise - Manage thousands of systems!

You’re not just managing licenses - you’re orchestrating an entire subscription ecosystem! Every entitlement is tracked, every system is compliant! 🎭

Keep managing, keep tracking, and remember - with Candlepin, subscription chaos becomes organized bliss! ⭐

May your subscriptions be compliant and your entitlements be clear! 🚀🎫🙌