Proxying RHEL Yum Repositories

Introduction

Red Hat Enterprise Linux (RHEL) is subscription based and communicates with remote Yum repositories over HTTPS. To set up a proxy in Nexus Repository Manager (NXRM) for this scenario, NXRM must trust the remote certificate and must also authenticate (using the subscription's entitlement certificate and key) when requesting packages from the remote server. The following subsections illustrate how to configure NXRM for SSL communication with RHEL remote Yum repositories.

Prerequisites

  • You have a RHEL subscription.
  • You have downloaded SSL certificates for your Red Hat subscription.
  • You have imported your certificates onto your RHEL instance/machine using the 'subscription-manager' command-line tool.
  • Ensure you have the Java keytool installed on your RHEL instance/machine. The Java keytool is part of the JDK, so if you don't have it installed, install JDK 8 to obtain it.

Proxying Yum Repositories on RHEL

Note: For this illustration, we are making use of a RHEL7 docker image, i.e. registry.redhat.io/rhel7:latest. The latest version was 7.7 at the time of writing.

  1. On your RHEL instance, confirm that you have your certificate and associated private key files in your /etc/pki/entitlement directory, similar to the screenshot below. If you've imported your RHEL subscription certificate, the RHEL subscription-manager command-line utility puts the aforementioned files in that directory by default.

  2. In your RHEL terminal, run the command below (specify your own RHEL entitlement certificate and key file names as appropriate).

    openssl pkcs12 -export -in /etc/pki/entitlement/4616881636184323465.pem -inkey /etc/pki/entitlement/4616881636184323465-key.pem -name certificate_and_key -out certificate_and_key.p12 -passout pass:password
  3. In your RHEL terminal, run the command below. After running the command you should have a file called keystore.p12 in your current directory, as shown in the screenshot that follows.

    keytool -importkeystore -srckeystore certificate_and_key.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore keystore.p12 -deststoretype PKCS12

  4. If you have an existing key store file (i.e. not a trust store), then you need to import the contents of the keystore.p12 file created in step 3 above into your existing key store file. Do the following:

    1. Make a back up of your existing key store file.

    2. Run the commands below:

      keytool -importkeystore -srckeystore existing_keystore.p12 -srcstoretype PKCS12 -srcstorepass existing_keystore_password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12
      
      keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12
  5. Create a nexus.repo file in the /etc/yum.repos.d directory similar to the following:

    [nexus]
    name = Nexus Repository
    enabled = 1
    gpgcheck = 1
    baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/os
    ui_repoid_vars = releasever basearch
    gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    priority=1

    If you have set gpgcheck to 1 (i.e. enabled), you'll want to provide the location of your gpgkey, replacing the value we've shown in the example above. Keeping gpgcheck enabled is what lets yum verify package signatures on the client even though the baseurl points at NXRM over plain HTTP.

  6. Put the following Java system properties in your $app-dir/bin/nexus.vmoptions file, or, if the properties already exist in that file, update them to reference the new key store. You'll need to make the keystore.p12 or new_combined_keystore.p12 file created above accessible to NXRM on the machine running it.

    -Djavax.net.ssl.keyStore=<path to keystore file>
    -Djavax.net.ssl.keyStorePassword=<keystore password specified earlier for the keytool command>
  7. After making changes to $app-dir/bin/nexus.vmoptions, or to the keystore referenced by it, NXRM must be restarted to pick up the change.
  8. In the NXRM web UI, set up your yum proxy repository as shown below.

  9. Click on the View Certificate button and, on the popup box (shown below), click Add certificate to trust store.

  10. Now if you install a package with yum, you should see in the terminal that it's downloading packages from the 'nexus' repository, as the screenshot below shows for 'yum install nano'.

Proxying Yum Repositories on RHEL 8+ with an AWS example

AWS RHEL 8 EC2 instance on which Yum will be proxied:

AWS Amazon Linux EC2 instance running NXRM:


  1. Follow the instructions in the Proxying Yum Repositories on RHEL section with the following exceptions, since the EC2 instance is running RHEL 8:
    1. The nexus.repo file in /etc/yum.repos.d directory should be similar to the following:

      [nexus_baseos]
      name = Nexus Repository Baseos
      enabled = 1
      gpgcheck = 1
      baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/baseos/os
      ui_repoid_vars = releasever basearch
      gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      priority=1
      
      [nexus_appstream]
      name = Nexus RHEL x86_64 AppStream Proxy (RPMs)
      enabled = 1
      gpgcheck = 1
      baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/appstream/os
      ui_repoid_vars = releasever basearch
      gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      priority=1

      If you have set gpgcheck to 1 (i.e. enabled), you'll want to provide the location of your gpgkey, replacing the value we've shown in the example above.

    2. In the NXRM web UI, when you set up your yum proxy repository as specified in the Proxying Yum Repositories on RHEL section, you should instead specify the remote URL as https://cdn.redhat.com/content/dist/rhel8.
  2. Now if you install some packages with yum, you should see in the terminal that it's downloading packages from the 'nexus_baseos' and 'nexus_appstream' repositories set up earlier, as the screenshots below show. E.g. 'yum install httpd':
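The following script is an added example, not part of this article or of NXRM or yum, that audits a nexus.repo file like the RHEL 7 and RHEL 8 ones above. It flags the settings that decide whether packages fetched through the proxy are still verified on the client (gpgcheck=1, a local file:// gpgkey) and warns when a plain-http baseurl is used without repo_gpgcheck=1. The sample .repo content is constructed here; audit_repo and parse_repo are helper names chosen for this example.

```python
import configparser

# Constructed sample modelled on the RHEL 8 nexus.repo shown above; the
# second section is deliberately misconfigured to show what gets reported.
SAMPLE_REPO = """\
[nexus_baseos]
name = Nexus Repository Baseos
enabled = 1
gpgcheck = 1
baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/baseos/os
ui_repoid_vars = releasever basearch
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
priority=1

[nexus_appstream]
name = Nexus RHEL x86_64 AppStream Proxy (RPMs)
enabled = 1
gpgcheck = 0
baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/appstream/os
priority=1
"""


def parse_repo(text):
    """Parse .repo INI text; interpolation is off so $releasever stays verbatim."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def audit_repo(text):
    """Return {section: [finding, ...]} for every enabled repo section."""
    cfg = parse_repo(text)
    findings = {}
    for section in cfg.sections():
        repo = cfg[section]
        if repo.get("enabled", "1").strip() != "1":
            continue  # disabled sections are never used by yum
        problems = []
        if repo.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck is not 1: RPM signatures are not verified")
        gpgkey = repo.get("gpgkey", "").strip()
        if not gpgkey:
            problems.append("gpgkey is missing: yum has no key to verify signatures with")
        elif not gpgkey.startswith("file://"):
            problems.append("gpgkey is fetched remotely; prefer a local file:// key")
        baseurl = repo.get("baseurl", "").strip()
        if baseurl.startswith("http://") and repo.get("repo_gpgcheck", "0").strip() != "1":
            problems.append("baseurl is plain http and repo_gpgcheck is not 1: metadata is unauthenticated")
        findings[section] = problems
    return findings
```

Run it against /etc/yum.repos.d/nexus.repo after step 5; an empty list for a section means its package verification settings match the article's recommended configuration.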