Openscap is not working in Katello

Openscap scanning is not working in my katello. I tried both the puppet and ansible ways. Both are failing.
Expected outcome:
Scanning should execute
Foreman and Katello versions:
2.2.5 and 3.17
Distribution and version:
RHEL 7.7
Other relevant data:
These are the errors after assigning policy to the host.

Any help would be appreciated

it seems that the foreman-scap-client is not installed on your target system

do you get something like that if you search for it:

rpm -qa | grep scap

You can get the package from the client repo: Index of /client/2.2/el7/x86_64


Target system is the system where I installed katello foreman, right? @jtruestedt

No, it is the client which should be scanned. The scan is a local execution of the foreman_scap_client command which is part of the rubygem-foreman_scap_client (Red Hat family) or ruby_scap_client (Debian family, if I remember correctly).


Target system is the system where you want to have your compliance checked and then sent to your katello/foreman.


I have installed foreman_scap_client in my client machine

[root@localhost ~]# rpm -qa | grep scap

And after running the openscap scan from my foreman server, this is the error I'm facing now



now you have the openscap-client on your client machine, but it has no configuration.

When you add an openscap policy in your foreman, you can distribute it via ansible, puppet or manual and select the target hostgroup.
If you chose Ansible or Puppet (you need to install the correct role/module on your katello), you can trigger a puppet run or an ansible-role-execution and then your client should be configured and then it should be able to upload a report.


I added ansible role to the host and ran the ansible role to the client machine and that generated the config file. After that I ran the openscap from the foreman server and I am getting this error


You have not set the variables for Ansible.
If you imported the role and variables, you have to set:
foreman_scap_client_server to the URL of your katello
foreman_scap_client_port - I think the default in the scap-plugin is 9090
foreman_scap_client_policies (type array) to: "<%= @host.policies_enc %>"

there are other variables available but you need to configure those 3 at least

I think it has been set @jtruestedt

but your screenshot tries to download the policy from a URL without hostname (https::8080/…) so somewhere it is misconfigured

Figured out the way to add server name. This is the error now


Is your client registered via subscription-manager?
Now it is a certificate issue, probably that the ca is not trusted?

Maybe also something you have to configure via Ansible? (I never had to configure something there)

Yes, client is registered via subscription manager @jtruestedt

And I have cross checked the certificate path also.


Should I have to change anything in the ansible role ca_cert_path?


I have never changed this variable, so you should not need to change it.

So the certificate/ca your katello uses is trusted on your client?
Could you try to curl the URL from your client?

[root@localhost ~]# curl
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


So I think you have to trust your certificate (chain) on the client so that this works, or try to ignore the certificates - but this is not openscap-related.
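
An added example, not part of the thread or of the Foreman project's code: a shell pre-flight check for the two failures seen above, a policy URL with no hostname and a CA the client does not trust. The `:server:`, `:port:` and `:ca_file:` key names and all function names are assumptions about the client config file the role generates; pass that file's path as the argument.

```shell
#!/bin/sh
# Added example: pre-flight check for a foreman_scap_client config file.
# Assumption: the file has top-level ":server:", ":port:" and ":ca_file:" lines.

# Print the value of a top-level ":key: value" line, with quotes stripped.
cfg_get() {
    sed -n "s/^:$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'"
}

# Return 0 if the config looks usable; otherwise print each problem, return 1.
check_scap_config() {
    cfg=$1; rc=0
    server=$(cfg_get "$cfg" server)
    port=$(cfg_get "$cfg" port)
    ca=$(cfg_get "$cfg" ca_file)

    # An empty server produces a URL with no hostname, like "https::8080/...".
    if [ -z "$server" ]; then echo "server is empty"; rc=1; fi
    case $port in
        ''|*[!0-9]*) echo "port is not numeric: '$port'"; rc=1 ;;
    esac
    # The CA file must exist and hold at least one PEM certificate,
    # otherwise verification fails as in the curl (60) error.
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "ca_file missing or unreadable: '$ca'"; rc=1
    elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "ca_file has no PEM certificate: $ca"; rc=1
    fi
    return $rc
}

# Online check: verify the server's chain against the configured CA only
# (no -k), so a trust problem is reported rather than hidden.
check_tls() {
    cfg=$1
    curl --silent --show-error --output /dev/null \
         --cacert "$(cfg_get "$cfg" ca_file)" \
         "https://$(cfg_get "$cfg" server):$(cfg_get "$cfg" port)/"
}
```

Run `check_scap_config` first; `check_tls` needs network access to the server named in the config and returns curl's exit status.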