โˆž
+
play
+
+
kotlin
+
+
+
atom
+
+
+
choo
c#
oauth
+
=
pandas
+
go
+
tls
+
+
+
+
+
+
+
_
+
+
%
+
azure
+
nvim
surrealdb
+
<=
smtp
+
surrealdb
+
+
spring
+
spacy
py
k8s
+
html
kotlin
pnpm
+
f#
remix
+
mocha
groovy
+
+
+
+
preact
+
===
npm
|>
+
bun
dns
+
+
!==
backbone
+
+
c#
0x
{}
+
gitlab
prometheus
+
+
+
+
bun
Back to Blog
๐ŸŽซ Candlepin Subscription Management on AlmaLinux: Entitlement Control Made Easy
candlepin subscription almalinux

๐ŸŽซ Candlepin Subscription Management on AlmaLinux: Entitlement Control Made Easy

Published Sep 6, 2025

Master Candlepin on AlmaLinux! Learn installation, subscription management, entitlement pools, certificate handling, and client registration. Perfect beginner's guide to subscription control!

5 min read
0 views
Table of Contents

๐ŸŽซ Candlepin Subscription Management on AlmaLinux: Entitlement Control Made Easy

Welcome to the world of subscription and entitlement management! ๐ŸŽ‰ Ready to control software subscriptions like a pro? Candlepin is the open-source powerhouse that manages entitlements for your entire infrastructure! Itโ€™s the engine behind subscription management systems, tracking who can use what software! Think of it as your personal license manager that never forgets whoโ€™s allowed to use what! ๐ŸŽญโœจ

๐Ÿค” Why is Candlepin Important?

Candlepin transforms subscription chaos into organized control! ๐Ÿš€ Hereโ€™s why itโ€™s amazing:

  • ๐ŸŽซ Subscription Tracking - Manage software entitlements precisely!
  • ๐Ÿ“œ Certificate Management - Issue and control access certificates!
  • ๐Ÿ” Entitlement Pools - Create and manage subscription pools!
  • ๐Ÿ‘ฅ Multi-Tenant Support - Separate organizations cleanly!
  • ๐Ÿ“Š Usage Reporting - Track consumption and compliance!
  • ๐Ÿ”„ Auto-Attach - Automatically assign best subscriptions!

Itโ€™s like having a smart ticket booth for all your software! ๐ŸŽช

๐ŸŽฏ What You Need

Before building your subscription empire, ensure you have:

  • โœ… AlmaLinux server (8 or 9)
  • โœ… Root or sudo access
  • โœ… At least 4GB RAM (8GB recommended)
  • โœ… PostgreSQL 12+
  • โœ… Tomcat 9+
  • โœ… Java 11 or higher
  • โœ… Love for organized licensing! ๐ŸŽซ

๐Ÿ“ Step 1: System Preparation - Setting the Foundation!

Letโ€™s prepare AlmaLinux for Candlepin! ๐Ÿ—๏ธ

# Install Java 11
sudo dnf install -y java-11-openjdk java-11-openjdk-devel

# Verify Java installation
java -version
# Should show: openjdk version "11.0.x"

# Set JAVA_HOME
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk' >> ~/.bashrc
echo 'export PATH=$PATH:$JAVA_HOME/bin' >> ~/.bashrc
source ~/.bashrc

# Install PostgreSQL
sudo dnf install -y postgresql postgresql-server postgresql-contrib

# Initialize PostgreSQL
sudo postgresql-setup --initdb

# Start and enable PostgreSQL
sudo systemctl enable --now postgresql

Configure PostgreSQL for Candlepin:

# Create Candlepin database and user
sudo -u postgres psql << EOF
CREATE USER candlepin WITH PASSWORD 'CandlePin123!';
CREATE DATABASE candlepin OWNER candlepin;
GRANT ALL PRIVILEGES ON DATABASE candlepin TO candlepin;
EOF

# Configure PostgreSQL authentication
sudo nano /var/lib/pgsql/data/pg_hba.conf
# Change this line:
# local   all             all                                     peer
# To:
# local   all             all                                     md5

# Also add:
# host    candlepin       candlepin       127.0.0.1/32            md5

# Restart PostgreSQL
sudo systemctl restart postgresql

# Test connection
psql -U candlepin -h localhost -d candlepin
# Enter password: CandlePin123!
# Should connect successfully

Perfect! Database is ready! ๐Ÿ’พ

๐Ÿ”ง Step 2: Installing Candlepin - Your Subscription Engine!

Time to install Candlepin! ๐Ÿš€

# Install Tomcat
sudo dnf install -y tomcat tomcat-webapps tomcat-admin-webapps

# Configure Tomcat for Candlepin
sudo nano /etc/tomcat/tomcat.conf
# Add:
# JAVA_OPTS="-Xms1024m -Xmx2048m -XX:MaxPermSize=256m"

# Start Tomcat
sudo systemctl enable --now tomcat

Build Candlepin from Source:

# Install build dependencies
sudo dnf install -y git maven npm
sudo dnf groupinstall -y "Development Tools"

# Clone Candlepin repository
cd /opt
sudo git clone https://github.com/candlepin/candlepin.git
cd candlepin

# Build Candlepin
sudo mvn clean install -DskipTests

# The WAR file will be in:
# server/target/candlepin.war

Deploy Candlepin:

# Copy WAR to Tomcat
sudo cp server/target/candlepin.war /usr/share/tomcat/webapps/

# Create Candlepin configuration directory
sudo mkdir -p /etc/candlepin
sudo chown tomcat:tomcat /etc/candlepin

# Create configuration file
sudo nano /etc/candlepin/candlepin.conf

Add configuration:

# Database configuration
jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
jpa.config.hibernate.connection.url=jdbc:postgresql://localhost/candlepin
jpa.config.hibernate.connection.username=candlepin
jpa.config.hibernate.connection.password=CandlePin123!
jpa.config.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
jpa.config.hibernate.hbm2ddl.auto=update

# Candlepin settings
candlepin.standalone=true
candlepin.auth.trusted.enable=true
candlepin.auth.oauth.enable=true
candlepin.consumer.facts.match=^system.*

# SSL settings
candlepin.ca_cert=/etc/candlepin/certs/candlepin-ca.crt
candlepin.ca_key=/etc/candlepin/certs/candlepin-ca.key

๐ŸŒŸ Step 3: Certificate Setup - Security First!

Letโ€™s set up certificates for Candlepin! ๐Ÿ”

# Create certificate directory
sudo mkdir -p /etc/candlepin/certs
cd /etc/candlepin/certs

# Generate CA certificate
sudo openssl genrsa -out candlepin-ca.key 4096
sudo openssl req -new -x509 -days 3650 \
  -key candlepin-ca.key \
  -out candlepin-ca.crt \
  -subj "/C=US/ST=State/L=City/O=MyOrg/CN=Candlepin CA"

# Generate server certificate
sudo openssl genrsa -out candlepin-server.key 2048
sudo openssl req -new \
  -key candlepin-server.key \
  -out candlepin-server.csr \
  -subj "/C=US/ST=State/L=City/O=MyOrg/CN=candlepin.example.com"

# Sign server certificate
sudo openssl x509 -req -days 365 \
  -in candlepin-server.csr \
  -CA candlepin-ca.crt \
  -CAkey candlepin-ca.key \
  -CAcreateserial \
  -out candlepin-server.crt

# Set permissions
sudo chown -R tomcat:tomcat /etc/candlepin/certs
sudo chmod 600 /etc/candlepin/certs/*.key

Configure firewall:

# Open Candlepin ports
sudo firewall-cmd --permanent --add-port=8443/tcp  # HTTPS
sudo firewall-cmd --permanent --add-port=8080/tcp  # HTTP
sudo firewall-cmd --reload

# Restart Tomcat
sudo systemctl restart tomcat

โœ… Step 4: Initial Configuration - Creating Your First Org!

Time to configure Candlepin! ๐ŸŽฏ

Initialize Database:

# Run database migrations
cd /opt/candlepin
sudo ./server/bin/liquibase \
  --driver=org.postgresql.Driver \
  --url=jdbc:postgresql://localhost/candlepin \
  --username=candlepin \
  --password=CandlePin123! \
  update

# Import initial data
sudo ./server/bin/import_products.py

Create Admin User:

# Use Candlepin CLI
cd /opt/candlepin
./client/bin/candlepin-cli \
  -u admin -p admin \
  create_user \
  --username admin \
  --password Admin123!

# Create organization
./client/bin/candlepin-cli \
  -u admin -p Admin123! \
  create_org \
  --key mycompany \
  --displayName "My Company"

Access Candlepin API:

# Test API access
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/status

# Should return JSON with status information

# List organizations
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/owners

๐ŸŒŸ Step 5: Managing Subscriptions - Creating Pools!

Letโ€™s create subscription pools! ๐ŸŠ

Create Product:

# Create a product
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "id": "awesome-product",
    "name": "Awesome Product",
    "attributes": [
      {"name": "version", "value": "1.0"},
      {"name": "arch", "value": "x86_64"},
      {"name": "type", "value": "SVC"}
    ]
  }' \
  https://localhost:8443/candlepin/owners/mycompany/products

Create Subscription Pool:

# Create pool for the product
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "productId": "awesome-product",
    "quantity": 100,
    "startDate": "2024-01-01T00:00:00.000+0000",
    "endDate": "2025-12-31T23:59:59.000+0000",
    "contractNumber": "12345678",
    "accountNumber": "987654321"
  }' \
  https://localhost:8443/candlepin/owners/mycompany/pools

Register Consumer:

# Register a system as consumer
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "type": {"label": "system"},
    "name": "client-system-01",
    "facts": {
      "system.certificate_version": "3.2",
      "cpu.cpu_socket(s)": "2",
      "memory.memtotal": "8388608"
    }
  }' \
  https://localhost:8443/candlepin/consumers?owner=mycompany

๐ŸŽฎ Quick Examples

Example 1: Auto-Attach Subscriptions

# Auto-attach best matching subscription
curl -k -u admin:Admin123! \
  -X PUT \
  https://localhost:8443/candlepin/consumers/{consumer_uuid}/entitlements

# Check attached entitlements
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/consumers/{consumer_uuid}/entitlements

Example 2: Subscription Manager Client

On client system:

# Install subscription-manager
sudo dnf install -y subscription-manager

# Configure to use Candlepin
sudo subscription-manager config \
  --server.hostname=candlepin.example.com \
  --server.port=8443 \
  --server.prefix=/candlepin

# Register system
sudo subscription-manager register \
  --org=mycompany \
  --username=admin \
  --password=Admin123!

# List available pools
sudo subscription-manager list --available

# Attach subscription
sudo subscription-manager attach --pool=<pool_id>

# Check status
sudo subscription-manager status

Example 3: Create Content and Repositories

# Create content
curl -k -u admin:Admin123! \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{
    "id": "awesome-content",
    "name": "Awesome Content",
    "type": "yum",
    "label": "awesome-content-label",
    "vendor": "MyCompany",
    "contentUrl": "/content/dist/rhel/server/7/$releasever/$basearch/os",
    "gpgUrl": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY"
  }' \
  https://localhost:8443/candlepin/owners/mycompany/content

# Associate content with product
curl -k -u admin:Admin123! \
  -X POST \
  https://localhost:8443/candlepin/owners/mycompany/products/awesome-product/content/awesome-content

๐Ÿšจ Fix Common Problems

Problem 1: Candlepin Wonโ€™t Start

Symptom: Tomcat starts but Candlepin not accessible ๐Ÿ˜ฐ

Fix:

# Check Tomcat logs
sudo tail -f /var/log/tomcat/catalina.out

# Common issue: Database connection
# Verify PostgreSQL is running
sudo systemctl status postgresql

# Test database connection
psql -U candlepin -h localhost -d candlepin

# Check Candlepin configuration
sudo cat /etc/candlepin/candlepin.conf

# Verify WAR deployment
ls -la /usr/share/tomcat/webapps/
# Should see candlepin.war and candlepin directory

Problem 2: Certificate Issues

Symptom: SSL/TLS errors when connecting ๐Ÿ”

Fix:

# Check certificate permissions
ls -la /etc/candlepin/certs/

# Regenerate certificates if needed
cd /etc/candlepin/certs
sudo rm *.crt *.key *.csr
# Follow certificate generation steps again

# Import CA certificate to Java truststore
sudo keytool -import \
  -trustcacerts \
  -alias candlepin-ca \
  -file /etc/candlepin/certs/candlepin-ca.crt \
  -keystore $JAVA_HOME/lib/security/cacerts \
  -storepass changeit

Problem 3: Client Registration Fails

Symptom: subscription-manager canโ€™t register ๐Ÿšซ

Fix:

# On client, check connectivity
curl -k https://candlepin.example.com:8443/candlepin/status

# Import CA certificate on client
sudo wget http://candlepin.example.com/pub/candlepin-ca.crt
sudo cp candlepin-ca.crt /etc/rhsm/ca/

# Update subscription-manager config
sudo subscription-manager config --list

# Clean and retry
sudo subscription-manager clean
sudo subscription-manager register --force

๐Ÿ“‹ Simple Commands Summary

TaskCommandPurpose
Check statuscurl /candlepin/statusSystem health
List orgscurl /candlepin/ownersShow organizations
Create productcurl POST /owners/{org}/productsAdd product
Create poolcurl POST /owners/{org}/poolsAdd subscription
Register consumercurl POST /consumersAdd system
Attach subscriptioncurl PUT /consumers/{id}/entitlementsAssign subscription
List poolssubscription-manager listAvailable subscriptions
Check compliancesubscription-manager statusSystem compliance
Export manifestcurl /owners/{org}/exportBackup subscriptions
Import manifestcurl POST /owners/{org}/importRestore subscriptions

๐Ÿ’ก Tips for Success

๐Ÿš€ Performance Optimization

Make Candlepin blazing fast:

# Tune PostgreSQL
echo "shared_buffers = 512MB" | sudo tee -a /var/lib/pgsql/data/postgresql.conf
echo "effective_cache_size = 2GB" | sudo tee -a /var/lib/pgsql/data/postgresql.conf
sudo systemctl restart postgresql

# Increase Tomcat heap
sudo nano /etc/tomcat/tomcat.conf
# Set: JAVA_OPTS="-Xms2048m -Xmx4096m"

# Enable connection pooling
# In candlepin.conf:
# jpa.config.hibernate.connection.pool_size=20

# Regular maintenance
vacuumdb -U candlepin -d candlepin -z

๐Ÿ”’ Security Best Practices

Keep Candlepin secure:

  1. Use SSL/TLS always - Never plain HTTP! ๐Ÿ”
  2. Strong passwords - Complex credentials! ๐Ÿ’ช
  3. Regular certificate rotation - Update yearly! ๐Ÿ”„
  4. Audit logging - Track all actions! ๐Ÿ“
  5. Backup regularly - Export manifests! ๐Ÿ’พ
# Enable audit logging
echo "candlepin.audit.enabled=true" >> /etc/candlepin/candlepin.conf
echo "candlepin.audit.log.file=/var/log/candlepin/audit.log" >> /etc/candlepin/candlepin.conf

# Backup Candlepin data
pg_dump -U candlepin candlepin > candlepin_backup.sql

๐Ÿ“Š Monitoring and Reporting

Track subscription usage:

# Get consumption report
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/owners/mycompany/consumers/export

# Check pool usage
curl -k -u admin:Admin123! \
  https://localhost:8443/candlepin/owners/mycompany/pools | \
  jq '.[] | {product: .productName, consumed: .consumed, quantity: .quantity}'

# Monitor expired subscriptions
curl -k -u admin:Admin123! \
  "https://localhost:8443/candlepin/owners/mycompany/pools?consumer=expired"

๐Ÿ† What You Learned

Youโ€™re now a Candlepin subscription expert! ๐ŸŽ“ Youโ€™ve successfully:

  • โœ… Installed Candlepin on AlmaLinux
  • โœ… Configured database and certificates
  • โœ… Created organizations and products
  • โœ… Set up subscription pools
  • โœ… Registered consumer systems
  • โœ… Managed entitlements
  • โœ… Mastered subscription management

Your subscription platform is enterprise-ready! ๐ŸŽซ

๐ŸŽฏ Why This Matters

Candlepin revolutionizes subscription management! With your entitlement platform, you can:

  • ๐ŸŽซ Control access - Know who uses what!
  • ๐Ÿ“Š Track usage - Monitor consumption precisely!
  • ๐Ÿ” Ensure compliance - Stay within licenses!
  • ๐Ÿ”„ Automate allocation - Smart subscription assignment!
  • ๐Ÿ’ผ Scale enterprise - Manage thousands of systems!

Youโ€™re not just managing licenses - youโ€™re orchestrating an entire subscription ecosystem! Every entitlement is tracked, every system is compliant! ๐ŸŽญ

Keep managing, keep tracking, and remember - with Candlepin, subscription chaos becomes organized bliss! โญ

May your subscriptions be compliant and your entitlements be clear! ๐Ÿš€๐ŸŽซ๐Ÿ™Œ