diff --git a/app/controllers/concerns/foreman/controller/registration.rb b/app/controllers/concerns/foreman/controller/registration.rb
index 8287d293dd60..818ce8d625ae 100644
--- a/app/controllers/concerns/foreman/controller/registration.rb
+++ b/app/controllers/concerns/foreman/controller/registration.rb
@@ -26,8 +26,6 @@ def global_registration_vars
 location: (location || User.current.default_location || User.current.my_locations.first),
 hostgroup: host_group,
 operatingsystem: operatingsystem,
- url_host: registration_url.host,
- registration_url: registration_url,
 setup_insights: ActiveRecord::Type::Boolean.new.deserialize(params['setup_insights']),
 setup_remote_execution: ActiveRecord::Type::Boolean.new.deserialize(params['setup_remote_execution']),
 packages: params['packages'],
@@ -39,6 +37,7 @@ def global_registration_vars
 .to_h
 .symbolize_keys
 .merge(context)
+ .merge(context_urls)
 end
 def safe_render(template)
@@ -82,12 +81,8 @@ def not_found(options = nil)
 false
 end
- def registration_url
- uri = if params[:url].present?
- URI.join(params[:url], '/register')
- else
- URI(register_url)
- end
+ def url
+ uri = URI(params[:url] || root_url)
 return uri if uri.scheme && uri.host
@@ -95,6 +90,10 @@ def registration_url
 fail Foreman::Exception.new(msg)
 end
+ def context_urls
+ { url: url, registration_url: URI.join(url, 'register') }
+ end
+
 def host_setup_insights
 return if params['setup_insights'].to_s.blank?
diff --git a/app/views/unattended/provisioning_templates/registration/global_registration.erb b/app/views/unattended/provisioning_templates/registration/global_registration.erb
index 1fcfc5ae787c..b3694caad446 100644
--- a/app/views/unattended/provisioning_templates/registration/global_registration.erb
+++ b/app/views/unattended/provisioning_templates/registration/global_registration.erb
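Review bot: `url` returns any URI that has a scheme and a host, and that value is later interpolated into the rendered shell script (`@url.host`, `@url.port`, `@url` in `--rhsm.baseurl`, and `@registration_url` as the curl target), so the check should also pin the scheme, `return uri if %w[http https].include?(uri.scheme) && uri.host`. The `||` fallback also behaves differently from the `.present?` guard it replaces: an empty `params[:url]` is truthy in Ruby, so `URI('')` (no scheme, no host) now appears to end in the `Foreman::Exception` path shown in the following hunk instead of falling back to `root_url`; `params[:url].presence || root_url` keeps the old fallback. The method's tail, including the `fail` line and the `msg` it uses, lies in the next hunk.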
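Review bot: `context_urls` calls `url` twice, so the request parameter is parsed (and can raise) twice; binding it once, `uri = url` then `{ url: uri, registration_url: URI.join(uri, 'register') }`, avoids the repeat. Note that `URI.join(url, 'register')` resolves relative to the last path segment of the base, whereas the removed `URI.join(params[:url], '/register')` always produced a root-level path; a supplied URL with a path and no trailing slash therefore yields a different registration URL than before. A one-line comment stating which resolution is intended, e.g. `# 'register' is resolved relative to the supplied URL's path, not the host root`, would make the change deliberate rather than incidental.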
@@ -41,6 +41,11 @@ cat << EOF > $SSL_CA_CERT
 <%= foreman_server_ca_cert %>
 EOF
+cleanup_and_exit() {
+ rm -f $SSL_CA_CERT
+ exit $1
+}
+
 <% unless @repo.blank? -%>
 echo '#'
 echo '# Adding repository'
@@ -70,7 +75,7 @@ EOF
 else
 echo "Unsupported operating system, can't add repository."
- exit 1
+ cleanup_and_exit 1
 fi
 <% end -%>
@@ -100,7 +105,7 @@ echo "#"
 if [ x$ID = xrhel ] || [ x$ID = xcentos ]; then
 register_katello_host(){
 UUID=$(subscription-manager identity | head -1 | awk '{print $3}')
- curl --silent --show-error --cacert $SSL_CA_CERT --request POST "<%= @registration_url %>" \
+ curl --silent --show-error --cacert $KATELLO_SERVER_CA_CERT --request POST "<%= @registration_url %>" \
 --data "uuid=$UUID" \
 <%= headers.join(' ') %> \
 <%= " --data 'host[organization_id]=#{@organization.id}' \\\n" if @organization -%>
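Review bot: `cleanup_and_exit` is invoked without an argument at the end of the script (last hunk of this file), so `exit $1` degrades to a bare `exit` and the script's status is whatever `rm -f` returned rather than an explicit success; `exit "${1:-0}"` makes the default deliberate. Quoting the path, `rm -f "$SSL_CA_CERT"`, also protects the cleanup against word splitting should the temp file path ever contain spaces.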
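Review bot: the curl inside `register_katello_host` now reads `$KATELLO_SERVER_CA_CERT`, which is assigned only after the function definition (in the following hunk); this works because the body expands at call time, but a reader of the function sees an undefined variable, so either move the assignment above the function or add `# KATELLO_SERVER_CA_CERT is assigned below, before register_katello_host is called`. Since the function's output is executed via `register_katello_host | bash`, adding `--fail` to this curl would stop an HTTP error body from being run as a script; the commit touches the line but leaves that behaviour as it was.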
@@ -112,27 +117,64 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ]; then
 <%= " --data 'remote_execution_interface=#{@remote_execution_interface}' \\\n" if @remote_execution_interface.present? -%>
 <%= " --data 'packages=#{@packages}' \\\n" if @packages.present? -%>
-}
+ }
- <% if @force -%>
- yum remove -y katello-ca-consumer*
- <% end -%>
+ KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/katello-server-ca.pem
+ RHSM_CFG=/etc/rhsm/rhsm.conf
+
+ # Prepare SSL certificate
+ cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
+ chmod 644 $KATELLO_SERVER_CA_CERT
- CONSUMER_RPM=$(mktemp --suffix .rpm)
- curl --silent --show-error --output $CONSUMER_RPM <%= subscription_manager_configuration_url(hostname: @url_host) %>
+ # Prepare subscription-manager
+ yum remove -y katello-ca-consumer*
- # Workaround for systems with enabled FIPS,
- # where installation of RPM generated on RHEL7 cause 'no digest' error
- # See https://projects.theforeman.org/issues/32068
- if [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]; then
- rpm -ivh --nodigest --nofiledigest $CONSUMER_RPM
+ if ! [ -x "$(command -v subscription-manager)" ] ; then
+ if [ "${VERSION_ID:0:1}" -gt 7 ]; then
+ dnf install -y subscription-manager
+ else
+ yum install -y subscription-manager
+ fi
 else
- yum localinstall $CONSUMER_RPM -y
+ if [ "${VERSION_ID:0:1}" -gt 7 ]; then
+ dnf upgrade -y subscription-manager
+ else
+ yum upgrade -y subscription-manager
+ fi
 fi
- rm -f $CONSUMER_RPM
+ if ! [ -f $RHSM_CFG ] ; then
+ echo "'$RHSM_CFG' not found, cannot configure subscription-manager"
+ cleanup_and_exit 1
+ fi
- subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 
'true' : 'exit 1' %>
+ # Configure subscription-manager
+ test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak
+ subscription-manager config \
+ --server.hostname="<%= @url.host %>" \
+ --server.port="<%= @url.port %>" \
+ --server.prefix="/rhsm" \
+ --rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
+ --rhsm.baseurl="<%= @url %>pulp/content"
+
+ # Older versions of subscription manager may not recognize
+ # report_package_profile and package_profile_on_trans options.
+ # So set them separately and redirect out & error to /dev/null
+ # to fail silently.
+ subscription-manager config --rhsm.package_profile_on_trans=1 > /dev/null 2>&1 || true
+ subscription-manager config --rhsm.report_package_profile=1 > /dev/null 2>&1 || true
+
+ # Configuration for EL6
+ if grep --quiet full_refresh_on_yum $RHSM_CFG; then
+ sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $RHSM_CFG
+ else
+ full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
+ sed -i "/baseurl/a $full_refresh_config" $RHSM_CFG
+ fi
+
+ subscription-manager register <%= '--force' if @force %> \
+ --org='<%= @organization.label %>' \
+ --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'cleanup_and_exit 1' %>
 register_katello_host | bash
 else
 register_host | bash
@@ -140,3 +182,5 @@ fi
 <% else -%>
 register_host | bash
 <% end -%>
+
+cleanup_and_exit
diff --git a/config/initializers/uri_jail.rb b/config/initializers/uri_jail.rb
new file mode 100644
index 000000000000..f56f031061d8
--- /dev/null
+++ b/config/initializers/uri_jail.rb
@@ -0,0 +1,3 @@
+class URI::Generic::Jail < Safemode::Jail
+ allow :host, :path, :port, :query, :scheme
+end
diff --git a/test/unit/foreman/renderer/scope/macros/base_test.rb b/test/unit/foreman/renderer/scope/macros/base_test.rb
index cf05acccfafc..1dd3b8d68d82 100644
--- a/test/unit/foreman/renderer/scope/macros/base_test.rb
+++ b/test/unit/foreman/renderer/scope/macros/base_test.rb
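Review bot: `--rhsm.baseurl="<%= @url %>pulp/content"` relies on `@url` ending in a slash; Rails' `root_url` normally does, but a caller-supplied `params[:url]` without a trailing slash would fuse the host with `pulp`, so the controller's `url` method should normalise the path (append `/` when it does not end with one) or this value should be built the same way `registration_url` is. The `cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT` under "Prepare SSL certificate" runs before subscription-manager is installed; if `/etc/rhsm/ca` is only created by that package, the copy fails on a fresh host, so moving the copy after the install block, or preceding it with `mkdir -p "$(dirname "$KATELLO_SERVER_CA_CERT")"`, would be safer. `"${VERSION_ID:0:1}" -gt 7` looks at one character only, so a two-digit major version would be routed to `yum`; `"${VERSION_ID%%.*}" -gt 7` compares the whole major number (both occurrences, on the previous source line). The `register_katello_host` function whose closing brace this hunk re-indents starts in the preceding hunk.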
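Review bot: the new `URI::Generic::Jail` carries no comment on why it is declared on `URI::Generic` while the test and the templates deal with `URI::HTTP`/`URI::HTTPS` objects, nor on why exactly these five readers are exposed. A header such as `# Safemode jail for URI objects handed to templates (e.g. @url in global_registration.erb); URI::HTTP and URI::HTTPS resolve to it through inheritance.` would cover the first point, and a second line stating that `userinfo`/`password` are intentionally left out so credentials embedded in a URL never reach a rendered template would cover the second, if that is indeed the intent. That subclasses resolve to this jail is inferred from the test asserting on `URI::HTTP::Jail`; worth confirming in the comment.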
@@ -139,6 +139,13 @@ class BaseMacrosTest < ActiveSupport::TestCase
 end
 end
+ test 'URI::Generic jail test' do
+ allowed = [:host, :path, :port, :query, :scheme]
+ allowed.each do |m|
+ assert URI::HTTP::Jail.allowed?(m), "Method #{m} is not available in URI::HTTP::Jail while should be allowed."
+ end
+ end
+
 context 'subnet helpers' do
 setup do
 host = FactoryBot.build(:host, :with_puppet)
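Review bot: the test only checks that the five allowed readers are exposed and never asserts that anything else is denied, so a later `allow` of a sensitive accessor on the jail would pass unnoticed. Adding `refute URI::HTTP::Jail.allowed?(:userinfo), 'userinfo must not be exposed to templates'` (and the same for `:password`) pins the negative side of the allow list. The failure message also reads awkwardly; `"Method #{m} is not available in URI::HTTP::Jail but should be allowed."` is clearer. The enclosing `BaseMacrosTest` class starts and ends outside this hunk.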