[Integrate NSX with PaloAlto] Solve OVF Import Certificate problem using the OVFTool

In my next post I'll be focusing on the NSX and Palo Alto integration, and all the improvements this brings to micro-segmentation. For now, let's just focus on importing the Palo Alto Virtual FW VM (NSX version) into the existing vSphere environment.

VMware Environment Details:

ESXi 6.0 on a Physical Host + 5 Nested ESXi 6 (deployed in my Demo Center, as explained here)

vSphere 6.0 Managing Compute and Management Clusters

NSX Version 6.2

Palo Alto 7.0.1, Model PAN-PA-VM-1000-HV-E60 (Features: Threat Prevention, BrightCloud, URL Filtering, PAN-DB URL Filtering, GlobalProtect Gateway, GlobalProtect Portal, PA-VM, Premium Support, WildFire License).

IMPORTANT: You will need to be a Palo Alto partner, as their permission is required in order to download their products.

What is OVFTool, and why did I need it?

OVFTool is a multi-purpose VMware command-line tool for various OVA/OVF file operations. I found it really handy on this occasion, while trying to deploy the Palo Alto NSX version of the virtual FW into the existing vSphere 6 environment with NSX 6.2 deployed. The issue was that there was no way to deploy the .OVF because of the certificate error presented below. The original 3 files in the PA7.0.1 folder are the .MF, .OVF and .VMDK files, all with the same base name (PA-VM-NSX-7.0.1.*).

I tried talking to Palo Alto support, and they proposed signing the .OVF manually, due to a possible corruption of the .MF file. Basically, sometimes when you try to deploy an OVA/OVF, the manifest file (.mf) will be missing or corrupt. In this case you will need to sign the file "manually". Before you are able to sign the .OVF VM, you will need two files: a .PEM file and a .MF file.

Before you start, you will need to download the OVFTool. To do this, you will need a valid VMware username/password.

Before you start "playing around", I strongly suggest reading a bit about the tool, and about the operations you can perform, in the official VMware OVF Tool User's Guide.

Create a PEM file

To sign a package, a public/private key pair and a certificate that wraps the public key are required. The private key and the certificate (which includes the public key) are stored together in a single .pem file.

The following OpenSSL command creates a .pem file:

> openssl req -x509 -nodes -sha1 -days 365 -newkey rsa:1024 -keyout x509_for_PA.pem -out x509_for_PA.pem

You will need to specify the standard x509 certificate details while doing this. Check if the .PEM file has been successfully created:

MJ-MacPro:VMware OVF Tool iCloud-MJ$ ls | grep pem
x509_for_PA.pem
MJ-MacPro:VMware OVF Tool iCloud-MJ$ openssl x509  -text -noout -in x509_for_PA.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f6:a0:f3:72:e5:5f:0b:bf
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=es, ST=Madrid, L=Madrid, O=Logicalis, CN=Logicalis/emailAddress=mateja.jovanovic@es.logicalis.com
        Validity
            Not Before: Oct 20 09:38:14 2015 GMT
            Not After : Oct 19 09:38:14 2016 GMT
        Subject: C=es, ST=Madrid, L=Madrid, O=Logicalis, CN=Logicalis/emailAddress=mateja.jovanovic@es.logicalis.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:38:e0:75:5f:34:73:44:e7:fe:9b:35:e5:4b:
                    11:ab:d9:41:e9:e2:d4:cd:fa:f3:d9:e4:04:3b:72:
                    d2:33:a1:b6:f7:99:8d:c2:00:04:07:13:0b:14:d5:
                    3e:cb:ea:7d:b7:3b:5d:d4:82:1d:da:78:09:52:cd:
                    be:7e:cf:01:a0:0e:db:ef:c7:01:74:9e:88:2d:7c:
                    3a:7f:db:3f:a7:f5:7d:38:41:36:ff:55:46:16:d2:
                    76:3d:3a:2d:8d:a7:d4:03:25:d0:31:03:8d:d8:57:
                    d3:5b:6a:e2:db:2f:c6:19:8c:36:bf:b0:e6:c0:f5:
                    8b:c6:67:59:39:ec:83:b9:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                71:FD:B9:D9:67:46:0B:2D:47:1D:A9:CF:02:9A:B8:E0:80:87:8A:B9
            X509v3 Authority Key Identifier:
                keyid:71:FD:B9:D9:67:46:0B:2D:47:1D:A9:CF:02:9A:B8:E0:80:87:8A:B9
                DirName:/C=es/ST=Madrid/L=Madrid/O=Logicalis/CN=Logicalis/emailAddress=mateja.jovanovic@es.logicalis.com
                serial:F6:A0:F3:72:E5:5F:0B:BF
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        27:14:fc:7d:b5:9f:63:1d:08:84:1e:13:b4:9d:85:58:a5:77:
        8a:fa:a9:34:76:4e:a4:91:7e:98:0f:a8:54:2d:a5:1d:cf:5d:
        b7:8c:7c:42:a6:18:da:b4:38:a8:4f:8a:df:c6:c3:92:a5:22:
        e1:40:90:5f:04:97:b4:c2:79:97:5e:1a:74:c1:6f:b6:a4:0f:
        cd:b2:7e:f3:cb:79:5b:ac:71:bb:56:00:8d:7f:58:89:4a:f3:
        f3:b9:dc:a4:5b:ce:09:ad:4b:2e:a4:81:9e:c8:a7:81:11:ec:
        b7:21:8d:58:9e:b2:03:f2:de:fb:84:7e:ac:f7:2e:d3:f6:25:
        9a:53

Create a Manifest (.MF) file

To create the manifest file, run the following command for all files to be signed:

openssl sha1 *.vmdk *.ovf > Final-Signed-VM.mf

Once you've created the .MF and .PEM files, you can proceed to signing the OVF file using OVFTool. I had the files in the C:\PA7 folder, but to avoid typing the entire path, I simply copied them to the folder where ovftool.exe lives (C:\Program Files\VMware\VMware OVF Tool in a Windows environment, /Applications/VMware OVF Tool on a MacBook).

You may continue the procedure on Linux/Mac; the OVFTool commands are exactly the same. I switched to a Windows environment because of Fusion library errors (details at the end of this post).

Sign the OVF using the OVFTool

The final step is to execute the OVFTool command in order to create the new, signed OVF:

ovftool --privateKey="x509_for_PA.pem" PA-VM-NSX-7.0.1.ovf Final-Signed-VM.ovf

TIP: Beware of capital/lower-case letter errors in your command (the option is --privateKey, not --privatekey):

C:\Program Files\VMware\VMware OVF Tool>ovftool --privatekey="x509_for_PA.pem" PA-VM-NSX-7.0.1.ovf Final-Signed-VM.ovf
Error: Unknown option: 'privatekey'
Completed with errors

C:\Program Files\VMware\VMware OVF Tool>ovftool --privateKey="x509_for_PA.pem" PA-VM-NSX-7.0.1.ovf Final-Signed-VM.ovf
Opening OVF source: PA-VM-NSX-7.0.1.ovf
The manifest does not validate
Error: Invalid manifest file (line: 1)
Completed with errors

C:\Program Files\VMware\VMware OVF Tool>ovftool --privateKey="x509_for_PA.pem" PA-VM-NSX-7.0.1.ovf Final-Signed-VM.ovf
Opening OVF source: PA-VM-NSX-7.0.1.ovf
The manifest validates
Opening OVF target: Final-Signed-VM.ovf
Writing OVF package: Final-Signed-VM.ovf
Transfer Completed
OPENSSL_Uplink(000007FEEDE66000,08): no OPENSSL_Applink

C:\Program Files\VMware\VMware OVF Tool>

Now we copy the files BACK to the original folder (C:\PA7). Its content is displayed below.

C:\PA7>dir
 El volumen de la unidad C no tiene etiqueta.
 El número de serie del volumen es: B416-28D0

 Directorio de C:\PA7

20/10/2015  12:13    <DIR>          .
20/10/2015  12:13    <DIR>          ..
20/10/2015  12:11     1.552.252.928 Final-Signed-VM-disk1.vmdk
20/10/2015  12:11                 0 Final-Signed-VM.cert.tmp
20/10/2015  12:11               121 Final-Signed-VM.mf
20/10/2015  12:11            10.256 Final-Signed-VM.ovf
               4 archivos  1.552.263.305 bytes
               2 dirs   6.033.895.424 bytes libres

You will now be able to deploy the .OVA to your vSphere.
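Before handing the package to vSphere, it is worth checking the same two things ovftool checks: that every manifest entry still matches its file, and that the package actually carries a .cert file. The script below is an added example (not from the original post, and not VMware or Palo Alto code) that covers both the "Create a Manifest" step and this deployment step. It builds a manifest in the exact "SHA1(file)= hex" layout that the post's openssl redirect produces (SHA256 entries, which OVF 2 packages may use, are parsed as well), recomputes the digests, reports a malformed line by number in the style of the "Invalid manifest file (line: 1)" message above, and checks the layout of the .cert file, which per the OVF specification holds the signed digest of the .mf plus the PEM certificate. It does not verify the RSA signature itself (that needs a crypto library). File names and contents in demo() are constructed; note that the listing above shows a 0-byte Final-Signed-VM.cert.tmp and no Final-Signed-VM.cert, which is exactly the case the .cert check flags.

```python
import hashlib
import os
import re
import tempfile

# Manifest entry layout, identical to what `openssl sha1 <file>` prints:
#   SHA1(<filename>)= <hexdigest>        (OVF 2 packages may use SHA256 instead)
MANIFEST_LINE = re.compile(r"^(?P<alg>SHA1|SHA256)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)$")
DIGEST_HEX_LEN = {"SHA1": 40, "SHA256": 64}


def file_digest(path, alg="SHA1"):
    """Hex digest of a file, streamed so multi-GB .vmdk files are not read into memory."""
    h = hashlib.new(alg.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(pkg_dir, names, alg="SHA1"):
    """Manifest text for the given package files (same output as the post's openssl redirect)."""
    return "".join(f"{alg}({n})= {file_digest(os.path.join(pkg_dir, n), alg)}\n" for n in names)


def parse_manifest(text):
    """Map filename -> (alg, digest). A malformed entry is reported with its 1-based line number."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m or len(m["digest"]) != DIGEST_HEX_LEN[m["alg"]]:
            raise ValueError(f"Invalid manifest file (line: {lineno})")
        entries[m["name"]] = (m["alg"], m["digest"].lower())
    return entries


def validate_manifest(pkg_dir, mf_name):
    """Recompute every digest; returns a list of problems, [] when the manifest validates."""
    with open(os.path.join(pkg_dir, mf_name), encoding="ascii") as f:
        try:
            entries = parse_manifest(f.read())
        except ValueError as err:
            return [str(err)]
    problems = []
    for name, (alg, digest) in entries.items():
        path = os.path.join(pkg_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: listed in manifest but missing from package")
        elif file_digest(path, alg) != digest:
            problems.append(f"{name}: {alg} digest does not match manifest")
    return problems


def check_cert_file(pkg_dir, base):
    """Layout check of <base>.cert: a signed-digest line for <base>.mf plus a PEM certificate.
    Verifying the signature value itself needs a crypto library and is out of scope here."""
    path = os.path.join(pkg_dir, base + ".cert")
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return False
    with open(path, encoding="ascii", errors="replace") as f:
        text = f.read()
    sig_line = re.search(rf"^(SHA1|SHA256)\({re.escape(base)}\.mf\)=\s*[0-9a-fA-F]+$", text, re.M)
    return bool(sig_line) and "-----BEGIN CERTIFICATE-----" in text and "-----END CERTIFICATE-----" in text


def _write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed package: names mirror the post's listing, contents are dummies."""
    with tempfile.TemporaryDirectory() as d:
        base = "Final-Signed-VM"
        disk, ovf, mf = base + "-disk1.vmdk", base + ".ovf", base + ".mf"
        _write(os.path.join(d, ovf), b"<Envelope/>")
        _write(os.path.join(d, disk), b"KDMV" + b"\0" * 512)
        _write(os.path.join(d, mf), build_manifest(d, [disk, ovf]), "w")
        good = validate_manifest(d, mf)            # fresh manifest -> []
        _write(os.path.join(d, disk), b"!", "ab")  # disk modified after the manifest was written
        tampered = validate_manifest(d, mf)
        _write(os.path.join(d, mf), "not a manifest line\n", "w")
        malformed = validate_manifest(d, mf)       # -> ['Invalid manifest file (line: 1)']
        _write(os.path.join(d, base + ".cert.tmp"), b"")  # 0-byte leftover, no .cert at all
        cert_ok = check_cert_file(d, base)         # -> False
        return good, tampered, malformed, cert_ok


if __name__ == "__main__":
    for label, result in zip(("fresh", "tampered", "malformed", "cert"), demo()):
        print(f"{label}: {result}")
```

Run it against a real package by pointing validate_manifest() at the folder holding the .ovf, .vmdk and .mf, and check_cert_file() at the same folder with the package base name; an empty problem list and a True from the .cert check are the two conditions under which the package is both intact and signed.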

Note: As you probably noticed, I created the .PEM and .MF on my MacBook, and then passed the files to a Windows VM because of a few Fusion library errors I've been getting.

Error Details (if someone is interested):

VMware Fusion unrecoverable error: (vthread-4), SSLLoadSharedLibraries: Failed to load OpenSSL libraries. libdir is /Applications/VMware OVF Tool/lib A log file is available in “/var/root/Library/Logs/VMware/vmware-ovftool-16747.log”.