Validate the vSRX Virtual Firewall .ova File for VMware
The vSRX Virtual Firewall open virtual application (OVA) image is securely signed. You can validate the OVA image, if necessary, but you can install or upgrade vSRX Virtual Firewall without validating the OVA image.
Before you validate the OVA image, ensure that the Linux/UNIX PC or Windows PC on which you are performing the validation has the following utilities available: tar, openssl, and ovftool. See the OVF Tool Documentation for details about the VMware Open Virtualization Format (OVF) tool, including a Software Download link.
To validate the OVA image on a Linux machine:
- Download the vSRX Virtual Firewall OVA image and the Juniper Networks Root
certificate file (JuniperRootRSACA.pem) from the vSRX Virtual Firewall Juniper
Networks Software Download page.
Note: You need to download the Juniper Networks Root certificate file only once; you can use the same file to validate OVA images for future releases of vSRX Virtual Firewall.
- (Optional) If you downloaded the OVA image and the certificate
file to a PC running Windows, copy the two files to a temporary directory
on a PC running Linux or UNIX. You can also copy the OVA image and
the certificate file to a temporary directory (/var/tmp or /tmp) on a vSRX Virtual Firewall node.
Ensure that the OVA image file and the Juniper Networks Root certificate file are not modified during the validation procedure. You can do this by providing write access to these files only to the user performing the validation procedure. This is especially important if you use an accessible temporary directory, such as /tmp or /var/tmp, because such directories can be accessed by several users. Take precautions to ensure that the files are not modified by other users during the validation procedure.
- Navigate to the directory containing the OVA image.
-bash-4.1$ ls
JuniperRootCA.pem junos-vsrx-15.1X49-DXX.4-domestic.ova
- Unpack the OVA image by running the following command: tar xf ova-filename
where ova-filename is the filename of the previously downloaded OVA image.
-bash-4.1$ mkdir tmp
-bash-4.1$ cd tmp
-bash-4.1$ tar xf ../junos-vsrx-15.1X49-DXX.4-domestic.ova
- Verify that the unpacked OVA image contains a certificate
chain file (certchain.pem) and a
signature file (vsrx.cert).
-bash-4.1$ ls
certchain.pem junos-vsrx-15.1X49-DXX.4-domestic.cert junos-vsrx-15.1X49-DXX.4-domestic-disk1.vmdk junos-vsrx-15.1X49-DXX.4-domestic.mf junos-vsrx-15.1X49-DXX.4-domestic.ovf
- Validate the unpacked OVF file (extension .ovf) by running
the following command: ovftool ovf-filename
where ovf-filename is the filename of the unpacked OVF file contained within the previously downloaded OVA image.
-bash-4.1$ /usr/lib/vmware-ovftool/ovftool junos-vsrx-15.1X49-DXX.4-domestic.ovf
OVF version: 1.0
VirtualApp: false
Name: vSRX
Version: JUNOS 15.1
Vendor: Juniper Networks Inc.
Product URL: https://www.juniper.net/us/en/products-services/software/security/vsrxseries/
Vendor URL: https://www.juniper.net/
Download Size: 227.29 MB
Deployment Sizes:
  Flat disks: 2.00 GB
  Sparse disks: 265.25 MB
Networks:
  Name: VM Network
  Description: The VM Network network
Virtual Machines:
  Name: Juniper Virtual SRX
  Operating System: freebsdguest
  Virtual Hardware:
    Families: vmx-07
    Number of CPUs: 2
    Cores per socket: 1
    Memory: 2.00 GB
    Disks:
      Index: 0
      Instance ID: 5
      Capacity: 2.00 GB
      Disk Types: IDE
    NICs:
      Adapter Type: VMXNET3
      Connection: VM Network
      Adapter Type: VMXNET3
      Connection: VM Network
Deployment Options:
  Id: 2GvRAM
  Label: 2G vRAM
  Description: 2G Memory
- Validate the signing certificate with the Juniper Networks
Root CA file by running the following command:
openssl verify -CAfile JuniperRootRSACA.pem -untrusted Certificate-Chain-File Signature-file
where JuniperRootRSACA.pem is the Juniper Networks Root CA file, Certificate-Chain-File is the filename of the unpacked certificate chain file (extension .pem) and Signature-file is the filename of the unpacked signature file (extension .cert).
-bash-4.1$ openssl verify -CAfile ../JuniperRootCA.pem -untrusted certchain.pem junos-vsrx-15.1X49-DXX.4-domestic.cert
junos-vsrx-15.1X49-DXX.4-domestic.cert: OK
- (Optional) If you encounter validation issues with the
OVA image:
  - Determine if the contents of the OVA image have been modified. If the contents have been modified, download the OVA image from the vSRX Virtual Firewall downloads page.
  - Determine whether the Juniper Networks Root CA file is corrupted or modified. If it was corrupted or modified, download the certificate file from the vSRX Virtual Firewall downloads page.
  - Retry the preceding validation steps using one or both new files.
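For the troubleshooting step of determining whether the OVA contents have been modified, the following added example (not from the Juniper documentation) recomputes the digest of each unpacked file and compares it with the manifest file (extension .mf) unpacked from the OVA. It assumes the standard OVF manifest line format `SHA256(filename)= hex-digest` and the coreutils sha1sum, sha256sum and sha512sum tools; check_ovf_manifest and make_sample_dir are names chosen for this example.

```shell
#!/bin/sh
# Added example, not Juniper's tooling. Assumes GNU coreutils sha*sum tools.
# check_ovf_manifest MANIFEST: recompute the digest of every file listed in an
# OVF manifest (lines of the form "SHA256(name)= <hex>") and compare.
# Returns 0 only if at least one file is listed and every listed file matches.
check_ovf_manifest() {
    mf=$1; dir=$(dirname "$mf"); rc=0; seen=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF manifests
        [ -z "$line" ] && continue
        alg=${line%%\(*}                              # text before "("
        rest=${line#*\(}
        file=${rest%%\)=*}                            # text between "(" and ")="
        want=${rest#*\)=}
        want=$(printf '%s' "$want" | tr -d ' ' | tr 'A-F' 'a-f')
        case $alg in
            SHA1|SHA256|SHA512) tool=$(printf '%s' "$alg" | tr 'A-Z' 'a-z')sum ;;
            *) echo "UNSUPPORTED $line"; rc=1; continue ;;
        esac
        case $file in
            */*) echo "REJECTED $file"; rc=1; continue ;;  # stay inside $dir
        esac
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING $file"; rc=1; continue
        fi
        seen=$((seen + 1))
        got=$("$tool" "$dir/$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK $file"
        else
            echo "MODIFIED $file"; rc=1
        fi
    done < "$mf"
    [ "$seen" -gt 0 ] || rc=1                         # empty manifest proves nothing
    return "$rc"
}

# Constructed sample: a stand-in unpacked-OVA directory (two small files plus a
# manifest generated from them). Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '<Envelope/>\n' > "$d/sample.ovf"
    printf 'disk-bytes\n' > "$d/sample-disk1.vmdk"
    for f in sample.ovf sample-disk1.vmdk; do
        printf 'SHA256(%s)= %s\n' "$f" "$(sha256sum "$d/$f" | cut -d' ' -f1)"
    done > "$d/sample.mf"
    printf '%s\n' "$d"
}
```

In the directory where the OVA was unpacked, run check_ovf_manifest with the unpacked .mf file as its argument. A clean result shows only that the files agree with the manifest, so it complements the openssl verify step and does not replace it.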