Candlepin Subscription Management on AlmaLinux: Entitlement Control Made Easy
Welcome to the world of subscription and entitlement management! Ready to control software subscriptions like a pro? Candlepin is the open-source powerhouse that manages entitlements for your entire infrastructure! It's the engine behind subscription management systems, tracking who can use what software! Think of it as your personal license manager that never forgets who's allowed to use what!
Why is Candlepin Important?
Candlepin transforms subscription chaos into organized control! Here's why it's amazing:
- Subscription Tracking - Manage software entitlements precisely!
- Certificate Management - Issue and control access certificates!
- Entitlement Pools - Create and manage subscription pools!
- Multi-Tenant Support - Separate organizations cleanly!
- Usage Reporting - Track consumption and compliance!
- Auto-Attach - Automatically assign best subscriptions!
It's like having a smart ticket booth for all your software!
What You Need
Before building your subscription empire, ensure you have:
- AlmaLinux server (8 or 9)
- Root or sudo access
- At least 4GB RAM (8GB recommended)
- PostgreSQL 12+
- Tomcat 9+
- Java 11 or higher
- Love for organized licensing!
Step 1: System Preparation - Setting the Foundation!
Let's prepare AlmaLinux for Candlepin!
# Install Java 11
sudo dnf install -y java-11-openjdk java-11-openjdk-devel
# Verify Java installation
java -version
# Should show: openjdk version "11.0.x"
# Set JAVA_HOME
echo 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk' >> ~/.bashrc
echo 'export PATH=$PATH:$JAVA_HOME/bin' >> ~/.bashrc
source ~/.bashrc
# Install PostgreSQL
sudo dnf install -y postgresql postgresql-server postgresql-contrib
# Initialize PostgreSQL
sudo postgresql-setup --initdb
# Start and enable PostgreSQL
sudo systemctl enable --now postgresql
Configure PostgreSQL for Candlepin:
# Create Candlepin database and user
sudo -u postgres psql << EOF
CREATE USER candlepin WITH PASSWORD 'CandlePin123!';
CREATE DATABASE candlepin OWNER candlepin;
GRANT ALL PRIVILEGES ON DATABASE candlepin TO candlepin;
EOF
# Configure PostgreSQL authentication
sudo nano /var/lib/pgsql/data/pg_hba.conf
# Change this line:
# local all all peer
# To:
# local all all md5
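# Also add, above the existing "host" lines (pg_hba.conf uses the first matching line;
# add the same rule for ::1/128 if "localhost" resolves to IPv6 on this host):
# host candlepin candlepin 127.0.0.1/32 md5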
# Restart PostgreSQL
sudo systemctl restart postgresql
# Test connection
psql -U candlepin -h localhost -d candlepin
# Enter password: CandlePin123!
# Should connect successfully
Perfect! Database is ready!
Step 2: Installing Candlepin - Your Subscription Engine!
Time to install Candlepin!
# Install Tomcat
sudo dnf install -y tomcat tomcat-webapps tomcat-admin-webapps
# Configure Tomcat for Candlepin
sudo nano /etc/tomcat/tomcat.conf
# Add (-XX:MaxPermSize was removed in Java 8 and is ignored on Java 11, so it is left out):
# JAVA_OPTS="-Xms1024m -Xmx2048m"
# Start Tomcat
sudo systemctl enable --now tomcat
Build Candlepin from Source:
# Install build dependencies
sudo dnf install -y git maven npm
sudo dnf groupinstall -y "Development Tools"
# Clone Candlepin repository
cd /opt
sudo git clone https://github.com/candlepin/candlepin.git
cd candlepin
# Build Candlepin
sudo mvn clean install -DskipTests
# The WAR file will be in:
# server/target/candlepin.war
Deploy Candlepin:
# Copy WAR to Tomcat
sudo cp server/target/candlepin.war /usr/share/tomcat/webapps/
# Create Candlepin configuration directory
sudo mkdir -p /etc/candlepin
sudo chown tomcat:tomcat /etc/candlepin
# Create configuration file
sudo nano /etc/candlepin/candlepin.conf
Add configuration:
# Database configuration
jpa.config.hibernate.connection.driver_class=org.postgresql.Driver
jpa.config.hibernate.connection.url=jdbc:postgresql://localhost/candlepin
jpa.config.hibernate.connection.username=candlepin
jpa.config.hibernate.connection.password=CandlePin123!
jpa.config.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
jpa.config.hibernate.hbm2ddl.auto=update
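# Candlepin settings
candlepin.standalone=true
# Trusted auth accepts the caller's identity from a request header without
# credentials; keep it on only if Candlepin is reachable solely by a trusted front end
candlepin.auth.trusted.enable=true
candlepin.auth.oauth.enable=true
candlepin.consumer.facts.match=^system.*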
# SSL settings
candlepin.ca_cert=/etc/candlepin/certs/candlepin-ca.crt
candlepin.ca_key=/etc/candlepin/certs/candlepin-ca.key
Step 3: Certificate Setup - Security First!
Let's set up certificates for Candlepin!
# Create certificate directory
sudo mkdir -p /etc/candlepin/certs
cd /etc/candlepin/certs
# Generate CA certificate
sudo openssl genrsa -out candlepin-ca.key 4096
sudo openssl req -new -x509 -days 3650 \
-key candlepin-ca.key \
-out candlepin-ca.crt \
-subj "/C=US/ST=State/L=City/O=MyOrg/CN=Candlepin CA"
# Generate server certificate
sudo openssl genrsa -out candlepin-server.key 2048
sudo openssl req -new \
-key candlepin-server.key \
-out candlepin-server.csr \
-subj "/C=US/ST=State/L=City/O=MyOrg/CN=candlepin.example.com"
# Sign server certificate
sudo openssl x509 -req -days 365 \
-in candlepin-server.csr \
-CA candlepin-ca.crt \
-CAkey candlepin-ca.key \
-CAcreateserial \
-out candlepin-server.crt
# Set permissions
sudo chown -R tomcat:tomcat /etc/candlepin/certs
sudo chmod 600 /etc/candlepin/certs/*.key
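The certificate signed above carries only a CN of candlepin.example.com, so the `https://localhost:8443` calls later in this guide cannot pass hostname verification without `-k`. This added example (not from the original page) signs the same CSR with subjectAltName entries and server-only usage, then verifies chain and hostname; the function names, `server-ext.cnf` and the SAN list are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. File names follow the
# tutorial; the function names, server-ext.cnf and the SAN list are assumptions.

# name_is_covered DIR NAME: does DIR/candlepin-server.crt chain to the CA in
# DIR and match NAME? Returns non-zero if either check fails.
name_is_covered() {
    openssl verify -CAfile "$1/candlepin-ca.crt" -verify_hostname "$2" \
        "$1/candlepin-server.crt" >/dev/null 2>&1
}

# sign_with_san DIR HOSTNAME
# Signs DIR/candlepin-server.csr with the CA in DIR, adding subjectAltName and
# server-only usage, then verifies the result for HOSTNAME.
sign_with_san() {
    dir=$1; host=$2
    ext="$dir/server-ext.cnf"

    # Extensions for the leaf: not a CA, TLS server use only, and the names
    # clients actually connect to (the tutorial also uses localhost).
    cat > "$ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:localhost, IP:127.0.0.1
EOF

    openssl x509 -req -days 365 -sha256 \
        -in "$dir/candlepin-server.csr" \
        -CA "$dir/candlepin-ca.crt" -CAkey "$dir/candlepin-ca.key" \
        -CAcreateserial -extfile "$ext" \
        -out "$dir/candlepin-server.crt" 2>/dev/null || return 1

    name_is_covered "$dir" "$host"
}

# Run as: sh sign_with_san.sh /etc/candlepin/certs candlepin.example.com
if [ "$#" -eq 2 ]; then
    sign_with_san "$1" "$2"
fi
```

With a certificate issued this way, `curl --cacert /etc/candlepin/certs/candlepin-ca.crt` can replace `curl -k`, so the admin password is only sent to a server that proves its identity.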
Configure firewall:
# Open Candlepin ports
sudo firewall-cmd --permanent --add-port=8443/tcp # HTTPS
# Port 8080 serves the API without TLS; skip this line unless a plain-HTTP client needs it
sudo firewall-cmd --permanent --add-port=8080/tcp # HTTP
sudo firewall-cmd --reload
# Restart Tomcat
sudo systemctl restart tomcat
Step 4: Initial Configuration - Creating Your First Org!
Time to configure Candlepin!
Initialize Database:
# Run database migrations
cd /opt/candlepin
sudo ./server/bin/liquibase \
--driver=org.postgresql.Driver \
--url=jdbc:postgresql://localhost/candlepin \
--username=candlepin \
--password=CandlePin123! \
update
# Import initial data
sudo ./server/bin/import_products.py
Create Admin User:
# Use Candlepin CLI
cd /opt/candlepin
./client/bin/candlepin-cli \
-u admin -p admin \
create_user \
--username admin \
--password Admin123!
# Create organization
./client/bin/candlepin-cli \
-u admin -p Admin123! \
create_org \
--key mycompany \
--displayName "My Company"
Access Candlepin API:
# Test API access
curl -k -u admin:Admin123! \
https://localhost:8443/candlepin/status
# Should return JSON with status information
# List organizations
curl -k -u admin:Admin123! \
https://localhost:8443/candlepin/owners
Step 5: Managing Subscriptions - Creating Pools!
Let's create subscription pools!
Create Product:
# Create a product
curl -k -u admin:Admin123! \
-X POST \
-H "Content-Type: application/json" \
-d '{
"id": "awesome-product",
"name": "Awesome Product",
"attributes": [
{"name": "version", "value": "1.0"},
{"name": "arch", "value": "x86_64"},
{"name": "type", "value": "SVC"}
]
}' \
https://localhost:8443/candlepin/owners/mycompany/products
Create Subscription Pool:
# Create pool for the product
curl -k -u admin:Admin123! \
-X POST \
-H "Content-Type: application/json" \
-d '{
"productId": "awesome-product",
"quantity": 100,
"startDate": "2024-01-01T00:00:00.000+0000",
"endDate": "2025-12-31T23:59:59.000+0000",
"contractNumber": "12345678",
"accountNumber": "987654321"
}' \
https://localhost:8443/candlepin/owners/mycompany/pools
Register Consumer:
# Register a system as consumer
curl -k -u admin:Admin123! \
-X POST \
-H "Content-Type: application/json" \
-d '{
"type": {"label": "system"},
"name": "client-system-01",
"facts": {
"system.certificate_version": "3.2",
"cpu.cpu_socket(s)": "2",
"memory.memtotal": "8388608"
}
}' \
"https://localhost:8443/candlepin/consumers?owner=mycompany"
Quick Examples
Example 1: Auto-Attach Subscriptions
# Auto-attach best matching subscription
curl -k -u admin:Admin123! \
-X PUT \
https://localhost:8443/candlepin/consumers/{consumer_uuid}/entitlements
# Check attached entitlements
curl -k -u admin:Admin123! \
https://localhost:8443/candlepin/consumers/{consumer_uuid}/entitlements
Example 2: Subscription Manager Client
On client system:
# Install subscription-manager
sudo dnf install -y subscription-manager
# Configure to use Candlepin
sudo subscription-manager config \
--server.hostname=candlepin.example.com \
--server.port=8443 \
--server.prefix=/candlepin
# Register system
sudo subscription-manager register \
--org=mycompany \
--username=admin \
--password=Admin123!
# List available pools
sudo subscription-manager list --available
# Attach subscription
sudo subscription-manager attach --pool=<pool_id>
# Check status
sudo subscription-manager status
Example 3: Create Content and Repositories
# Create content
curl -k -u admin:Admin123! \
-X POST \
-H "Content-Type: application/json" \
-d '{
"id": "awesome-content",
"name": "Awesome Content",
"type": "yum",
"label": "awesome-content-label",
"vendor": "MyCompany",
"contentUrl": "/content/dist/rhel/server/7/$releasever/$basearch/os",
"gpgUrl": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY"
}' \
https://localhost:8443/candlepin/owners/mycompany/content
# Associate content with product
curl -k -u admin:Admin123! \
-X POST \
https://localhost:8443/candlepin/owners/mycompany/products/awesome-product/content/awesome-content
Fix Common Problems
Problem 1: Candlepin Won't Start
Symptom: Tomcat starts but Candlepin not accessible
Fix:
# Check Tomcat logs
sudo tail -f /var/log/tomcat/catalina.out
# Common issue: Database connection
# Verify PostgreSQL is running
sudo systemctl status postgresql
# Test database connection
psql -U candlepin -h localhost -d candlepin
# Check Candlepin configuration
sudo cat /etc/candlepin/candlepin.conf
# Verify WAR deployment
ls -la /usr/share/tomcat/webapps/
# Should see candlepin.war and candlepin directory
Problem 2: Certificate Issues
Symptom: SSL/TLS errors when connecting
Fix:
# Check certificate permissions
ls -la /etc/candlepin/certs/
# Regenerate certificates if needed
# (certificates already issued by the old CA stop validating once its key is replaced)
cd /etc/candlepin/certs
sudo rm *.crt *.key *.csr
# Follow certificate generation steps again
# Import CA certificate to Java truststore
sudo keytool -import \
-trustcacerts \
-alias candlepin-ca \
-file /etc/candlepin/certs/candlepin-ca.crt \
-keystore "$JAVA_HOME/lib/security/cacerts" \
-storepass changeit
Problem 3: Client Registration Fails
Symptom: subscription-manager can't register
Fix:
# On client, check connectivity
curl -k https://candlepin.example.com:8443/candlepin/status
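# Import CA certificate on client
# This download is plain HTTP: compare the file's SHA-256 fingerprint with the
# server's copy over a separate channel before trusting it
sudo wget http://candlepin.example.com/pub/candlepin-ca.crt
# subscription-manager loads only *.pem files from /etc/rhsm/ca/
sudo cp candlepin-ca.crt /etc/rhsm/ca/candlepin-ca.pem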
# Update subscription-manager config
sudo subscription-manager config --list
# Clean and retry
sudo subscription-manager clean
sudo subscription-manager register --force
Simple Commands Summary
Task | Command | Purpose |
---|---|---|
Check status | curl /candlepin/status | System health |
List orgs | curl /candlepin/owners | Show organizations |
Create product | curl POST /owners/{org}/products | Add product |
Create pool | curl POST /owners/{org}/pools | Add subscription |
Register consumer | curl POST /consumers | Add system |
Attach subscription | curl PUT /consumers/{id}/entitlements | Assign subscription |
List pools | subscription-manager list | Available subscriptions |
Check compliance | subscription-manager status | System compliance |
Export manifest | curl /owners/{org}/export | Backup subscriptions |
Import manifest | curl POST /owners/{org}/import | Restore subscriptions |
Tips for Success
Performance Optimization
Make Candlepin blazing fast:
# Tune PostgreSQL
echo "shared_buffers = 512MB" | sudo tee -a /var/lib/pgsql/data/postgresql.conf
echo "effective_cache_size = 2GB" | sudo tee -a /var/lib/pgsql/data/postgresql.conf
sudo systemctl restart postgresql
# Increase Tomcat heap
sudo nano /etc/tomcat/tomcat.conf
# Set: JAVA_OPTS="-Xms2048m -Xmx4096m"
# Enable connection pooling
# In candlepin.conf:
# jpa.config.hibernate.connection.pool_size=20
# Regular maintenance
vacuumdb -U candlepin -d candlepin -z
Security Best Practices
Keep Candlepin secure:
- Use SSL/TLS always - Never plain HTTP!
- Strong passwords - Complex credentials!
- Regular certificate rotation - Update yearly!
- Audit logging - Track all actions!
- Backup regularly - Export manifests!
# Enable audit logging (append with sudo tee: the redirect in "sudo echo ... >>" would run unprivileged)
echo "candlepin.audit.enabled=true" | sudo tee -a /etc/candlepin/candlepin.conf
echo "candlepin.audit.log.file=/var/log/candlepin/audit.log" | sudo tee -a /etc/candlepin/candlepin.conf
# Backup Candlepin data
pg_dump -U candlepin candlepin > candlepin_backup.sql
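One way to check a host for the defaults this guide leaves in place (added example, not from the original page or the Candlepin project): it flags trusted auth, the sample database password, a candlepin.conf accessible to all local users, and private keys readable beyond their owner. The function names and messages are assumptions, and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and finding
# messages are assumptions; paths and keys are the ones used in this guide.

# audit_candlepin CONF CERT_DIR: prints one line per finding, returns 1 if any.
audit_candlepin() {
    conf=$1; certs=$2; found=0

    # Last assignment of a key in the properties file ($1 is a sed regex).
    conf_get() {
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1
    }
    flag() { echo "FINDING: $*"; found=1; }

    if [ "$(conf_get 'candlepin\.auth\.trusted\.enable')" = "true" ]; then
        flag "trusted auth is on: identity comes from a request header, no credentials"
    fi

    pw=$(conf_get 'jpa\.config\.hibernate\.connection\.password')
    if [ "$pw" = 'CandlePin123!' ]; then
        flag "database password is the sample value published in the tutorial"
    fi

    # The file holds the database password: no permissions for "other".
    case $(stat -c %a "$conf") in
        *0) ;;
        *)  flag "$conf is accessible to all local users" ;;
    esac

    # Private keys: owner-only (600 or 400).
    for key in "$certs"/*.key; do
        [ -f "$key" ] || continue
        case $(stat -c %a "$key") in
            *00) ;;
            *)   flag "$key is readable beyond its owner" ;;
        esac
    done
    return "$found"
}

# Run as: sh audit_candlepin.sh /etc/candlepin/candlepin.conf /etc/candlepin/certs
if [ "$#" -eq 2 ]; then
    audit_candlepin "$1" "$2"
fi
```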
Monitoring and Reporting
Track subscription usage:
# Get consumption report
curl -k -u admin:Admin123! \
https://localhost:8443/candlepin/owners/mycompany/consumers/export
# Check pool usage
curl -k -u admin:Admin123! \
https://localhost:8443/candlepin/owners/mycompany/pools | \
jq '.[] | {product: .productName, consumed: .consumed, quantity: .quantity}'
# Monitor expired subscriptions
curl -k -u admin:Admin123! \
"https://localhost:8443/candlepin/owners/mycompany/pools?consumer=expired"
What You Learned
You're now a Candlepin subscription expert! You've successfully:
- Installed Candlepin on AlmaLinux
- Configured database and certificates
- Created organizations and products
- Set up subscription pools
- Registered consumer systems
- Managed entitlements
- Mastered subscription management
Your subscription platform is enterprise-ready!
Why This Matters
Candlepin revolutionizes subscription management! With your entitlement platform, you can:
- Control access - Know who uses what!
- Track usage - Monitor consumption precisely!
- Ensure compliance - Stay within licenses!
- Automate allocation - Smart subscription assignment!
- Scale enterprise - Manage thousands of systems!
You're not just managing licenses - you're orchestrating an entire subscription ecosystem! Every entitlement is tracked, every system is compliant!
Keep managing, keep tracking, and remember - with Candlepin, subscription chaos becomes organized bliss!
May your subscriptions be compliant and your entitlements be clear!