Skip to main content

Proxying RHEL Yum Repositories

Red Hat Enterprise Linux (RHEL) is subscription-based and communicates with remote Yum repositories over HTTPS. To set up a proxy in Nexus Repository for this scenario, Nexus Repository must trust the remote certificate and also authenticate when requesting packages from the remote server.

The following demonstrates how to configure Nexus Repository for SSL communication with RHEL remote Yum repositories.

Prerequisites

  • You have a RHEL subscription (See the RHEL site for details).

  • You have downloaded SSL certificates for your Red Hat subscription.

    The RHEL Subscription SSL certificate may expire or become invalid by RHEL systems. Manual validation is required to obtain a new certificate and redo the below steps before the certificate expires and avoid unexpected downtime.

  • You have imported your certificates onto your RHEL instance using the subscription-manager command-line tool that comes with RHEL.

  • Ensure you have the Java keytool installed on your RHEL instance. The Java keytool is part of the JDK; you can install JDK 8 to obtain it.

Proxying Yum Repositories on RHEL

We are using a RHEL7 docker image for the following demonstration.

registry.redhat.io/rhel7:latest

  1. On your RHEL instance, confirm that the certificate and associated private key files are in your entitlement directory.

    /etc/pki/entitlement

    When importing the RHEL subscription certificate, the RHEL subscription-manager command-line utility puts the certificate and associated private key files in this directory by default.

  2. In your RHEL terminal, run the command below (you should specify your RHEL entitlement certificate and key as appropriate).

    openssl pkcs12 -export -in /etc/pki/entitlement/4616881636184323465.pem -inkey /etc/pki/entitlement/4616881636184323465-key.pem -name certificate_and_key -out certificate_and_key.p12 -passout pass:password

  3. In your RHEL terminal, run the command below. After running the command, you should have a file calledkeystore.p12 in your current directory.

    keytool -importkeystore -srckeystore certificate_and_key.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore keystore.p12 -deststoretype PKCS12

  4. If you have an existing key store file (i.e., not a trust store), then you need to import the contents of the keystore.p12 file created in step 3 above into your existing key store file.

    On your Nexus server, do the following:

    1. Make a backup of your existing key store file.

    2. Run the commands below:

      keytool -importkeystore -srckeystore existing_keystore.p12 -srcstoretype PKCS12 -srcstorepass existing_keystore_password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12

  5. On your RHEL server, create a nexus.repo file in /etc/yum.repos.d directory similar to the following:

    [nexus]
name = Nexus Repository
enabled = 1
gpgcheck = 1
baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/os
ui_repoid_vars = releasever basearch
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
priority=1

    Note

    With gpgcheck to 1 (i.e., enabled), provide the location of the gpgkey, replacing the value above.

  6. On your Nexus server, put the following Java system properties in your $app-dir/bin/nexus.vmoptions file, or if the properties already exist in that file, update to reference the new key store. You'll need to make thekeystore.p12 or new_combined_keystore.p12 file created above is accessible to Nexus Repository on the machine running it.

    -Djavax.net.ssl.keyStore=<path to keystore file>
-Djavax.net.ssl.keyStorePassword=<keystore password specified earlier for the keytool command>

  7. After making changes to $app-dir/bin/nexus.vmoptions or the keystore it references, you must restart Nexus Repository so that it can pick up the change.

  8. In Nexus Repository web UI, set up a yum proxy repository.

    50626893.png

  9. Click on the View Certificate button; when the Certificate Details pop-up displays, select Add a certificate to trust store.

    proxying_rhel_yum_repo_cert_details.png

  10. If you install a package with yum, you should see in the RHEL terminal that it's downloading packages from the Nexus repository.

Proxying Yum Repositories on RHEL 8+ with an AWS example

AWS RHEL 8 EC2 instance on which Yum will be proxied:

50626944.png

AWS Amazon Linux EC2 instance running Nexus Repository:

50626945.png

  1. Follow the instructions in the Proxying Yum Repositories on RHEL with the following exceptions since the EC2 instance is running RHEL8.

    The nexus.repo file in /etc/yum.repos.d directory should be similar to the following:

    [nexus_baseos]
name = Nexus Repository Baseos
enabled = 1
gpgcheck = 1
baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/baseos/os
ui_repoid_vars = releasever basearch
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
priority=1

[nexus_appstream]
name = Nexus RHEL x86_64 AppStream Proxy (RPMs)
enabled = 1
gpgcheck = 1
baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/appstream/os
ui_repoid_vars = releasever basearch
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
priority=1

    With gpgcheck set to "1" (i.e., enabled), provide the location of the gpgkey by replacing the value we've shown in the example above.

    In the Nexus Repository web UI, when you set up your yum proxy repository as specified in the Proxying Yum Repositories on RHEL, you should instead specify the remote URL.

    https://cdn.redhat.com/content/dist/rhel8

  2. When you install packages with yum (e.g., sudo yum install httpd -y), the terminal shows that it's downloading packages from the 'nexus_baseos' and 'nexus_appstream' repositories set up earlier.