Validate the vSRX Virtual Firewall .ova File for VMware

The vSRX Virtual Firewall open virtual application (OVA) image is signed by Juniper Networks. Validating the signature is optional: you can install or upgrade vSRX Virtual Firewall without it. Validating confirms that the image you downloaded is the one Juniper published and was not altered after it was signed.

Before you validate the OVA image, ensure that the Linux/UNIX PC or Windows PC on which you are performing the validation has the following utilities available: tar, openssl, and ovftool. See the OVF Tool Documentation for details about the VMware Open Virtualization Format (OVF) tool, including a Software Download link.

To validate the OVA image on a Linux machine:

  1. Download the vSRX Virtual Firewall OVA image and the Juniper Networks Root certificate file (JuniperRootRSACA.pem) from the vSRX Virtual Firewall Juniper Networks Software Download page.
    Note:

    You need to download the Juniper Networks Root certificate file only once; you can use the same file to validate OVA images for future releases of vSRX Virtual Firewall.

  2. (Optional) If you downloaded the OVA image and the certificate file to a PC running Windows, copy the two files to a temporary directory on a PC running Linux or UNIX. You can also copy the OVA image and the certificate file to a temporary directory (/var/tmp or /tmp) on a vSRX Virtual Firewall node.

    Ensure that the OVA image file and the Juniper Networks Root certificate file are not modified during the validation procedure. One way is to give write access to these files only to the user performing the validation. This is especially important if you use a shared temporary directory such as /tmp or /var/tmp, which other users can access; a private directory (for example one created with mktemp -d, which is created with mode 0700) avoids the problem altogether.

  3. Navigate to the directory containing the OVA image.

    -bash-4.1$ ls

  4. Unpack the OVA image by running the following command: tar xf ova-filename

    where ova-filename is the filename of the previously downloaded OVA image.

    -bash-4.1$ mkdir tmp

    -bash-4.1$ cd tmp

    -bash-4.1$ tar xf ../junos-vsrx-15.1X49-DXX.4-domestic.ova

  5. Verify that the unpacked OVA image contains a certificate chain file (certchain.pem) and a signature file (extension .cert), alongside the OVF descriptor (.ovf), the disk image and the manifest (.mf). The manifest records a digest for every file in the package; the .cert file holds the signature over that manifest followed by the signing certificate.

    -bash-4.1$ ls

  6. Validate the unpacked OVF package by running the following command: ovftool ovf-filename

    where ovf-filename is the filename of the unpacked OVF descriptor (extension .ovf) contained within the previously downloaded OVA image. ovftool reads the descriptor, recomputes the digests recorded in the manifest (.mf) for every file in the package and checks the signature in the .cert file against the manifest; a modified file or a bad signature is reported as an error. It may also warn that the signing certificate is not trusted, which step 7 settles.

    -bash-4.1$ /usr/lib/vmware-ovftool/ovftool junos-vsrx-15.1X49-DXX.4-domestic.ovf

  7. Validate the signing certificate against the Juniper Networks Root CA file by running the following command:

    openssl verify -CAfile JuniperRootRSACA.pem -untrusted Certificate-Chain-File Signature-file

    where JuniperRootRSACA.pem is the Juniper Networks Root CA file downloaded in step 1, Certificate-Chain-File is the filename of the unpacked certificate chain file (extension .pem) and Signature-file is the filename of the unpacked signature file (extension .cert). The -untrusted file only supplies intermediate certificates; the sole trust anchor is the root given with -CAfile. openssl reads the certificate embedded in the .cert file and prints the filename followed by ": OK" when it chains to the Juniper root; any other result (for example "unable to get local issuer certificate") means the chain is incomplete or the wrong root file was used.

    -bash-4.1$ openssl verify -CAfile ../JuniperRootRSACA.pem -untrusted certchain.pem junos-vsrx-15.1X49-DXX.4-domestic.cert

    This step proves only that the certificate in the signature file was issued under Juniper's root. It is step 6 that ties the signature to the manifest and the manifest digests to the unpacked files, so both steps are needed.

  8. (Optional) If any validation step fails:
    1. Assume the contents of the OVA image have been modified or corrupted and download the OVA image again from the vSRX Virtual Firewall downloads page.

    2. Check whether the Juniper Networks Root CA file is corrupted or modified. If it is, download the certificate file again from the vSRX Virtual Firewall downloads page.

    3. Retry the preceding validation steps using the fresh file or files. Do not deploy an image that still fails validation.
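The whole procedure above as one POSIX shell script. This is an added example, not Juniper's tooling: it unpacks the OVA into a private scratch directory (the concern raised in step 2 about shared /tmp), recomputes every digest in the OVF manifest, verifies the RSA signature in the .cert file with the public key of the certificate embedded in that same file, runs the openssl verify chain check of step 7, and runs ovftool as in step 6 when it is installed. The function names, the manifest and signature parsing, and the build_demo_ova fixture (a throwaway root CA and a tiny signed package so the checker can be exercised without a real image) are this example's own. The assumption that the .cert file holds a hex RSA signature over the manifest followed by the signer certificate in PEM form follows the OVF signing layout and is exercised here against the constructed fixture, not against a real vSRX image.

```shell
#!/bin/sh
# Added example, not Juniper's tooling: offline validation of a vSRX .ova.
#   validate_vsrx_ova OVA ROOT_CA_PEM     -> exit 0 only if every check passes
# Checks: unpack into a private 0700 scratch dir, every digest in the OVF
# manifest (.mf), the RSA signature over the manifest carried in the .cert
# file, the chain from the signer certificate to ROOT_CA_PEM (intermediates
# from certchain.pem), and ovftool's own parse when ovftool is installed.
# Assumption: .cert has the OVF layout "SHA256(x.mf)= <hex RSA signature>"
# followed by the signer certificate in PEM form.

hex2bin() {                   # stdin: hex string -> stdout: raw bytes (no xxd needed)
    read -r hex
    while [ ${#hex} -ge 2 ]; do
        pair=${hex%"${hex#??}"}                     # first two hex digits
        printf "\\$(printf '%03o' "$((0x$pair))")"  # emit that byte as \ooo
        hex=${hex#??}
    done
}

vsrx_check_unpacked() {       # $1 ova, $2 root CA pem, $3 scratch dir
    ova=$1 cafile=$2 work=$3
    tar -C "$work" -xf "$ova" || { echo "FAIL: cannot unpack $ova" >&2; return 1; }
    set -- "$work"/*.ovf;  ovf=$1
    set -- "$work"/*.mf;   mf=$1
    set -- "$work"/*.cert; cert=$1
    for f in "$ovf" "$mf" "$cert"; do
        [ -f "$f" ] || { echo "FAIL: OVA lacks an .ovf, .mf or .cert file" >&2; return 1; }
    done
    # 1. Every file named in the manifest must still hash to the recorded digest.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        algo=${line%%(*}; name=${line#*(}; name=${name%%)*}
        want=${line##*=}; want=${want# }
        case "$name" in */*) echo "FAIL: path separator in manifest entry" >&2; return 1 ;; esac
        case "$algo" in SHA1) opt=-sha1 ;; SHA256) opt=-sha256 ;;
            *) echo "FAIL: unsupported digest $algo in manifest" >&2; return 1 ;; esac
        have=$(openssl dgst "$opt" "$work/$name" 2>/dev/null | awk '{print $NF}')
        [ "$have" = "$want" ] || { echo "FAIL: $name does not match its manifest digest" >&2; return 1; }
    done < "$mf"
    # 2. The hex signature on the first line of .cert must verify under the
    #    public key of the certificate embedded in that same file.
    openssl x509 -in "$cert" -out "$work/signer.pem" 2>/dev/null \
        || { echo "FAIL: no certificate found in $cert" >&2; return 1; }
    openssl x509 -in "$work/signer.pem" -pubkey -noout > "$work/signer.pub" 2>/dev/null
    sigline=$(head -n 1 "$cert"); sigalgo=${sigline%%(*}
    sighex=${sigline##*=}; sighex=${sighex# }
    case "$sigalgo" in SHA1) sopt=-sha1 ;; SHA256) sopt=-sha256 ;;
        *) echo "FAIL: unsupported signature digest $sigalgo" >&2; return 1 ;; esac
    case "$sighex" in ""|*[!0-9A-Fa-f]*) echo "FAIL: malformed signature line" >&2; return 1 ;; esac
    printf '%s\n' "$sighex" | hex2bin > "$work/manifest.sig"
    openssl dgst "$sopt" -verify "$work/signer.pub" -signature "$work/manifest.sig" "$mf" >/dev/null 2>&1 \
        || { echo "FAIL: manifest signature does not verify" >&2; return 1; }
    # 3. The signer must chain to the root CA (the page's step 7).
    if [ -f "$work/certchain.pem" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$work/certchain.pem" "$work/signer.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$cafile" "$work/signer.pem" >/dev/null 2>&1
    fi || { echo "FAIL: signer certificate does not chain to $cafile" >&2; return 1; }
    # 4. ovftool's own check of descriptor and manifest, when available (the page's step 6).
    if command -v ovftool >/dev/null 2>&1; then
        ovftool "$ovf" >/dev/null || { echo "FAIL: ovftool rejected $ovf" >&2; return 1; }
    fi
    echo "OK: $ova is intact and signed under $cafile"
}

validate_vsrx_ova() {
    [ -f "$1" ] && [ -f "$2" ] || { echo "usage: validate_vsrx_ova OVA ROOT_CA_PEM" >&2; return 2; }
    work=$(mktemp -d) || return 2     # private scratch dir, not a world-accessible /tmp path
    vsrx_check_unpacked "$1" "$2" "$work"; rc=$?
    rm -rf "$work"
    return $rc
}

build_demo_ova() {   # constructed fixture: throwaway root CA plus a signed two-file OVA in $1
    mkdir -p "$1/pkg"; d=$(cd "$1" && pwd)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=DemoRootCA \
        -keyout "$d/root.key" -out "$d/DemoRootCA.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=DemoSigner \
        -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/signer.csr" -CA "$d/DemoRootCA.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/signer.pem" 2>/dev/null
    ( cd "$d/pkg" || exit 1
      printf '<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"/>\n' > demo.ovf
      printf 'not a real disk\n' > demo-disk1.vmdk
      for f in demo.ovf demo-disk1.vmdk; do
          printf 'SHA256(%s)= %s\n' "$f" "$(openssl dgst -sha256 "$f" | awk '{print $NF}')"
      done > demo.mf
      sig=$(openssl dgst -sha256 -sign "$d/signer.key" demo.mf | od -An -v -tx1 | tr -d ' \n')
      { printf 'SHA256(demo.mf)= %s\n' "$sig"; cat "$d/signer.pem"; } > demo.cert
      cp "$d/DemoRootCA.pem" certchain.pem
      tar -cf ../demo.ova demo.ovf demo-disk1.vmdk demo.mf demo.cert certchain.pem )
}

if [ "$#" -eq 2 ]; then validate_vsrx_ova "$1" "$2"; fi
```

Run it as ./validate_vsrx_ova.sh junos-vsrx-15.1X49-DXX.4-domestic.ova JuniperRootRSACA.pem; exit status 0 means every check passed, and the first failing check is named on stderr. Recomputing the digests and checking the manifest signature yourself matters because openssl verify alone (step 7) only proves the certificate's pedigree and says nothing about whether the signature actually covers the files you unpacked.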