Proxying RHEL Yum Repositories

Red Hat Enterprise Linux (RHEL) is subscription-based and communicates with remote Yum repositories over HTTPS. In order to set up a proxy in Nexus Repository for this scenario, Nexus Repository must trust the remote certificate and also authenticate when requesting packages from the remote server. The following subsections illustrate how to properly configure Nexus Repository for SSL communication with RHEL remote Yum repositories.

Prerequisites

  • You have a RHEL subscription (See the RHEL site for details).

  • You have downloaded SSL certificates for your Red Hat subscription.

  • You have imported your certificates onto your RHEL instance/machine using the subscription-manager command-line tool that comes with RHEL.

  • Ensure you have the Java keytool installed on your RHEL instance/machine. The Java keytool is part of the JDK; you can install JDK 8 to obtain it.

Proxying Yum Repositories on RHEL

Note

For this illustration, we are making use of a RHEL7 docker image (i.e., registry.redhat.io/rhel7:latest). The latest version was 7.7 at the time of writing.

  1. On your RHEL instance, confirm that you have your certificate and associated private key files in your /etc/pki/entitlement directory. If you've imported your RHEL subscription certificate, the RHEL subscription-manager command-line utility puts the certificate and associated private key files in the aforementioned directory by default.

  2. In your RHEL terminal, run the command below (you should specify your RHEL entitlement certificate and key as appropriate).

    openssl pkcs12 -export -in /etc/pki/entitlement/4616881636184323465.pem -inkey /etc/pki/entitlement/4616881636184323465-key.pem -name certificate_and_key -out certificate_and_key.p12 -passout pass:password
  3. In your RHEL terminal, run the command below. After running the command, you should have a file called keystore.p12 in your current directory.

    keytool -importkeystore -srckeystore certificate_and_key.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore keystore.p12 -deststoretype PKCS12
  4. If you have an existing key store file (i.e., a key store, not a trust store), then you need to import the contents of the keystore.p12 file created in step 3 above into your existing key store file.

    On your Nexus server, do the following:

    1. Make a backup of your existing key store file.

    2. Run the commands below:

      keytool -importkeystore -srckeystore existing_keystore.p12 -srcstoretype PKCS12 -srcstorepass existing_keystore_password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12
      
      keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass password -deststorepass password -destkeystore new_combined_keystore.p12 -deststoretype PKCS12
  5. On your RHEL server, create a nexus.repo file in the /etc/yum.repos.d directory similar to the following:

    [nexus]
    name = Nexus Repository
    enabled = 1
    gpgcheck = 1
    baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/os
    ui_repoid_vars = releasever basearch
    gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    priority=1

    Note

    If you have set gpgcheck to 1 (i.e., enabled), you'll want to provide the location of the gpgkey, replacing the value we've shown in the example above.

  6. On your Nexus server, put the following Java system properties in your $app-dir/bin/nexus.vmoptions file, or, if the properties already exist in that file, update them to reference the new key store. You'll need to make the keystore.p12 or new_combined_keystore.p12 file created above accessible to Nexus Repository on the machine running it.

    -Djavax.net.ssl.keyStore=<path to keystore file>
    -Djavax.net.ssl.keyStorePassword=<keystore password specified earlier for the keytool command>
  7. After making changes to $app-dir/bin/nexus.vmoptions or the keystore it references, you must restart Nexus Repository so that it can pick up the change.

  8. In Nexus Repository web UI, set up your yum proxy repository. (Also see Repository Management for information on setting up a repository.)

  9. Click on the View Certificate button; when the Certificate Details pop-up displays, select Add certificate to trust store.

  10. If you install a package with yum, you should see in the RHEL terminal that it's downloading packages from the nexus repository.
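The following shell function is an added example, not part of the Nexus documentation or the subscription-manager tooling: it carries out steps 2 and 3 above in one go, but first checks that the entitlement key actually belongs to the certificate, and afterwards verifies that the resulting keystore holds the private key entry before you point nexus.vmoptions at it. It assumes openssl and keytool are on PATH and that the PEM paths, output path and password are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the Nexus documentation): bundle an entitlement
# certificate and key into a PKCS12 keystore for Nexus Repository and verify
# the result before referencing it from nexus.vmoptions.
# Assumptions: openssl and keytool are on PATH; all paths are arguments.
set -eu

# build_nexus_keystore CERT_PEM KEY_PEM KEYSTORE_OUT PASSWORD
# Returns 0 only when the keystore contains a PrivateKeyEntry for the alias
# and the key matched the certificate; returns 1 otherwise.
build_nexus_keystore() {
  cert="$1"; key="$2"; out="$3"; pass="$4"
  alias="certificate_and_key"

  # Refuse to build a keystore from a key that does not belong to the
  # certificate (a silent mismatch would only surface as a TLS handshake
  # failure against cdn.redhat.com later).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate/key mismatch" >&2; return 1; }

  # Step 2 of the procedure: PEM cert + key -> intermediate PKCS12 file.
  tmp_p12=$(mktemp)
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$alias" \
    -out "$tmp_p12" -passout "pass:$pass"

  # Step 3: import into the keystore Nexus will load (same password both sides).
  keytool -importkeystore -noprompt \
    -srckeystore "$tmp_p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$out" -deststoretype PKCS12 -deststorepass "$pass" >/dev/null
  rm -f "$tmp_p12"

  # The keystore carries the subscription's private key: restrict it to the
  # account that runs Nexus Repository.
  chmod 600 "$out"

  # Verify that the alias was imported as a private key entry, not just a cert.
  keytool -list -keystore "$out" -storetype PKCS12 -storepass "$pass" \
    | grep -q "^$alias,.*PrivateKeyEntry"
}
```

Run it as `build_nexus_keystore /etc/pki/entitlement/<id>.pem /etc/pki/entitlement/<id>-key.pem keystore.p12 <password>` and use the resulting file and password in step 6.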

Proxying Yum Repositories on RHEL 8+ with an AWS example

[Screenshot: AWS RHEL 8 EC2 instance on which Yum will be proxied]

[Screenshot: AWS Amazon Linux EC2 instance running Nexus Repository]

  1. Follow the instructions in the Proxying Yum Repositories on RHEL section with the following exceptions since the EC2 instance is running RHEL8.

    1. The nexus.repo file in /etc/yum.repos.d directory should be similar to the following:

      [nexus_baseos]
      name = Nexus Repository Baseos
      enabled = 1
      gpgcheck = 1
      baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/baseos/os
      ui_repoid_vars = releasever basearch
      gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      priority=1
      
      [nexus_appstream]
      name = Nexus RHEL x86_64 AppStream Proxy (RPMs)
      enabled = 1
      gpgcheck = 1
      baseurl = http://ipaddress:port/repository/rhel-proxy/$releasever/$basearch/appstream/os
      ui_repoid_vars = releasever basearch
      gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      priority=1

      Note

      If you have gpgcheck set to "1" (i.e., enabled), provide the location of the gpgkey by replacing the value we've shown in the example above.

    2. In the Nexus Repository web UI, when you set up your yum proxy repository as specified in the Proxying Yum Repositories on RHEL section, you should instead specify the remote URL as https://cdn.redhat.com/content/dist/rhel8.

  2. If you install packages with yum (e.g., sudo yum install httpd -y), you should see in the terminal that it's downloading packages from the 'nexus_baseos' and 'nexus_appstream' repositories set up earlier.