OVF and OVA Archives
OVF (Open Virtualization Format) is a standard for packaging and distributing software to be run in virtual machines. It is a file format that supports the exchange of VMware virtual machines across products and platforms. When you export a virtual machine as an OVF, you create a directory that contains an OVF file (.ovf) and the virtual disk files (.vmdk). The integrity of the distribution is assured by two additional files in the same directory:
- The manifest file (.mf) contains the hash values of the files.
- The certificate file (.cert) contains the digest of the manifest file and the certified public key that is used to confirm the integrity of the manifest file.
OVA (an OVF package archived in a single file) is a single-file distribution of the same OVF package.
Ovftool is VMware's CLI (command-line interface) for importing and exporting VMware appliances. It is also used to sign OVF/OVA files and to verify their integrity by using the OpenSSL cryptography library.
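The two integrity files described above can be checked without ovftool for a first look at a package: recompute every digest the manifest lists and confirm that the .cert file's first line is a signed digest over that manifest, followed by a PEM certificate. The following is an added example written for this page, not ovftool or CORE code. It assumes the manifest entry format "ALG(file name)= hex" that ovftool and OpenSSL write; the package it inspects is constructed in a temporary directory, and its .cert carries a placeholder signature and placeholder certificate text, so the example checks hashes and file structure, while verifying the signature against the certificate's public key remains ovftool's job (done through OpenSSL).

```python
"""Integrity checks for an exported OVF package: the manifest (.mf) hashes and
the structure of the .cert file.  Added example, not ovftool or CORE code.
The entry format "ALG(file name)= hex" is the one ovftool/OpenSSL write; the
package built below is constructed in a temporary directory, and its .cert
carries a placeholder signature and placeholder certificate text."""
import hashlib
import os
import re
import tempfile

# One manifest entry per packaged file, e.g. "SHA256(dsl.ovf)= 3a9f..."
_ENTRY_RE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)=\s*([0-9A-Fa-f]+)\s*$")

# Placeholder, not a real certificate: only the PEM framing is checked here.
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   "PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
                   "-----END CERTIFICATE-----")


def parse_manifest(text):
    """Return [(algorithm, file name, hex digest)]; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError("manifest line %d is malformed: %r" % (lineno, line))
        entries.append((m.group(1), m.group(2), m.group(3).lower()))
    return entries


def file_digest(path, algorithm):
    """Stream the file through hashlib so multi-GB .vmdk files fit in memory."""
    h = hashlib.new(algorithm.lower())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_entries(package_dir, entries):
    """Map each manifest entry to "ok", "mismatch" or "missing"."""
    results = {}
    for alg, name, expected in entries:
        path = os.path.join(package_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if file_digest(path, alg) == expected else "mismatch"
    return results


def parse_cert_file(text):
    """Split a .cert file into the signed-digest line over the manifest and the
    PEM certificate that follows it."""
    lines = text.strip().splitlines()
    m = _ENTRY_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("first line of .cert is not a digest line")
    pem = "\n".join(lines[1:])
    if not (pem.startswith("-----BEGIN CERTIFICATE-----")
            and pem.endswith("-----END CERTIFICATE-----")):
        raise ValueError(".cert does not carry a PEM certificate after the digest line")
    return {"algorithm": m.group(1), "manifest": m.group(2),
            "signed_digest": m.group(3).lower(), "certificate_pem": pem}


def check_package(package_dir, base):
    """Pre-check: manifest hashes, plus a .cert whose digest line names the
    manifest and uses an algorithm the manifest entries use."""
    manifest_name = base + ".mf"
    with open(os.path.join(package_dir, manifest_name)) as f:
        entries = parse_manifest(f.read())
    with open(os.path.join(package_dir, base + ".cert")) as f:
        cert = parse_cert_file(f.read())
    cert_ok = (cert["manifest"] == manifest_name
               and cert["algorithm"] in {alg for alg, _, _ in entries})
    return {"files": verify_entries(package_dir, entries),
            "cert_names_manifest": cert_ok,
            # the value the signature on the digest line has to cover
            "manifest_digest": file_digest(os.path.join(package_dir, manifest_name),
                                           cert["algorithm"])}


def build_sample_package(tamper=False):
    """Constructed package: descriptor, disk, manifest and a .cert with a
    placeholder signature.  tamper=True modifies the disk after hashing."""
    d = tempfile.mkdtemp(prefix="ovfcheck-")
    payload = {"dsl.ovf": b"<Envelope>constructed descriptor</Envelope>\n",
               "dsl-disk1.vmdk": b"KDMV" + b"\x00" * 4096}
    for name, data in payload.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, "dsl.mf"), "w") as f:
        for name in payload:
            f.write("SHA256(%s)= %s\n" % (name, file_digest(os.path.join(d, name), "SHA256")))
    with open(os.path.join(d, "dsl.cert"), "w") as f:
        f.write("SHA256(dsl.mf)= %s\n%s\n" % ("00" * 256, PLACEHOLDER_PEM))
    if tamper:
        with open(os.path.join(d, "dsl-disk1.vmdk"), "ab") as f:
            f.write(b"injected")
    return d


def demo():
    """Run the check on a clean and on a tampered constructed package."""
    return {"clean": check_package(build_sample_package(), "dsl"),
            "tampered": check_package(build_sample_package(tamper=True), "dsl")}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["files"], "cert names manifest:", result["cert_names_manifest"])
```

On a real package, extract the OVA first (the 7za commands used later on this page do that), then call check_package on the directory with the package's base name; a "mismatch" on the disk image means the manifest no longer describes the bytes that would be imported.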
Prerequisites
CORE integration with ovftool has been tested in the following setting:
- Ovftool version 4.3.x
- Linux RHEL 7.2
Note
According to the VMware OVF Tool Release Notes, ovftool 4.3.0 supports the following Linux distributions:
- CentOS 7.1 and earlier
- Fedora 22 and earlier
- Oracle Linux 7.1
- RedHat Enterprise Linux (RHEL) 7.1 and earlier
- SUSE Linux Enterprise Server (SLES) 12.1 and earlier
- Ubuntu 15.04 and earlier
Setup
CORE Setup
Set up CORE according to the instructions found in CORE Setup.
Ovftool Steps
On the CORE client, perform these actions as the administrator:
- Obtain and install the ovftool bundle:
  sudo ./VMware-ovftool-4.3.0-7948156-lin.x86_64.bundle
  Note
  The ovftool installs its own libssl.so.1.0.2 and libcrypto.so.1.0.2 libraries:
  - /usr/lib/vmware-ovftool/libssl.so.1.0.2
  - /usr/lib/vmware-ovftool/libcrypto.so.1.0.2
- Obtain a sample OVA package for the verification of the setup. For example, download the "Damn Small Linux" (DSL) OVA from the following site:
  https://osdn.net/projects/sfnet_ovarepo/downloads/Damn Small Linux.ova/
  Rename it for simplicity to dsl.ova. Use wrar or 7z to examine its content:
  7za l dsl.ova

     Date      Time    Attr         Size   Compressed  Name
  ------------------- ----- ------------ ------------  ------------------------
  2011-05-14 12:48:30 .....         5606         5632  Damn Small Linux.ovf
  2011-05-14 12:48:30 .....     60570624     60570624  Damn_Small_Linux-disk1.vmdk
  2011-05-14 12:48:30 .....          147          512  Damn Small Linux.mf
  ------------------- ----- ------------ ------------  ------------------------

  The file is not signed (the .cert file is missing).
Signing OVF
You may either create a signing key PEM (Base64-encoded DER wrapped by "-----BEGIN <type>-----" and "-----END <type>-----" lines) that complies with the ovftool requirements, or adapt the existing file for use by CORE.
- To import ovftool-ready PEM files to CORE, use the following command:
  ucl import -i <PEM File> --purpose S --obfuscate
  It (a) imports both the key and the certificate and (b) obfuscates the key in the provided PEM file.
- The created file is ready to be used by the ovftool.
Examine the Signed OVA
Examine the content of the signed OVA file:
7za l dsl-signed.ova
Optionally, perform the following:
- Extract the dsl-signed.cert file and examine its content:
  7za e dsl-signed.ova
  less dsl-signed.cert
  Note that the .cert file contains both the digest and the public key.
- Examine the ekm.log file on the EP1 server to observe the signing sequence:
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf Connect N/A 0 0 N/A {"id":"8d55df868c9045ab286af266e234f99dc3f08712cb4152c75cb56b3527bc67b4","user":"ubuntu","domain":"ip-192-168-0-212.dyadicsec.local","host":"ip-192-168-0-212.dyadicsec.local","version":"2.0.1910.39816","command":"/usr/lib/vmware-ovftool/ovftool.bin --privateKey=myself.pem --shaAlgorithm=SHA256 dsl.ova dsl-signed.ova"}
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf GetAttributes 0x006c9389440371e906 0 0 0 OK
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf GetAttributes 0x006c9389440371e906 0 0 0 OK
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf DyLogin N/A 0 0 0 OK
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf Sign
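The signing sequence above is what an auditor would want to pull out of ekm.log routinely: which session signed, with which key handle, from which host, and whether the Sign call was preceded by a DyLogin. The following is an added example written for this page, not CORE code. The page does not document the log schema, so the column names used here (client user, service user, session id, client name, operation, key handle, three counters, then a status word or a JSON record) are assumptions read off the sample lines; the sample records are the ones shown above, with the last line cut short as it is on the page.

```python
"""Reconstruct the signing sequence from ekm.log records.  Added example, not
CORE code.  COLUMNS is an assumed schema read off the sample lines on this
page; the Connect record carries a JSON payload with the client details and
the exact ovftool command that triggered the signing."""
import json

COLUMNS = ["client_user", "service_user", "session", "client",
           "operation", "object", "c1", "c2", "c3", "detail"]

# Sample records copied from the page; the Sign line is cut short there.
SAMPLE_LOG = """\
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf Connect N/A 0 0 N/A {"id":"8d55df868c9045ab286af266e234f99dc3f08712cb4152c75cb56b3527bc67b4","user":"ubuntu","domain":"ip-192-168-0-212.dyadicsec.local","host":"ip-192-168-0-212.dyadicsec.local","version":"2.0.1910.39816","command":"/usr/lib/vmware-ovftool/ovftool.bin --privateKey=myself.pem --shaAlgorithm=SHA256 dsl.ova dsl-signed.ova"}
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf GetAttributes 0x006c9389440371e906 0 0 0 OK
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf GetAttributes 0x006c9389440371e906 0 0 0 OK
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf DyLogin N/A 0 0 0 OK
user@ovf aux212@ovf 931C4A3ED247022FE04A1101E4FCE897 ovf Sign
"""


def parse_record(line):
    """Split one record into the assumed columns; a truncated record is padded
    with None, and a JSON detail field is decoded."""
    parts = line.split(None, len(COLUMNS) - 1)
    rec = dict(zip(COLUMNS, parts + [None] * (len(COLUMNS) - len(parts))))
    detail = rec["detail"]
    if detail and detail.startswith("{"):
        rec["detail"] = json.loads(detail)
    return rec


def sessions(log_text):
    """Group records by session id, preserving their order in the log."""
    out = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            out.setdefault(rec["session"], []).append(rec)
    return out


def signing_audit(records):
    """For one session: the operations run, the key handles touched, who opened
    the session with which command, and whether Sign came after DyLogin."""
    ops = [r["operation"] for r in records]
    handles = sorted({r["object"] for r in records
                      if r["object"] and r["object"].startswith("0x")})
    connect = next((r["detail"] for r in records
                    if r["operation"] == "Connect" and isinstance(r["detail"], dict)), {})
    login_before_sign = ("Sign" in ops and "DyLogin" in ops
                         and ops.index("DyLogin") < ops.index("Sign"))
    return {"operations": ops, "key_handles": handles,
            "client_host": connect.get("host"), "client_user": connect.get("user"),
            "command": connect.get("command"), "login_before_sign": login_before_sign}


def audit_log(log_text):
    """Audit summary for every session found in the log text."""
    return {sid: signing_audit(recs) for sid, recs in sessions(log_text).items()}


if __name__ == "__main__":
    for sid, summary in audit_log(SAMPLE_LOG).items():
        print(sid, summary)
```

A session whose operations contain Sign but no earlier DyLogin, or whose Connect command names a key file other than the one approved for OVF signing, is the kind of record worth flagging in the EP1 server's log review.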
Verify
Note
By design, the verification of an OVF file's authenticity is self-contained: both the digest and the certificate are contained in the CERT file.
To verify the authenticity of the OVF file, place its CERT file in the same folder and run the ovftool:
ovftool dsl-signed.ovf
If the authenticity of the package is confirmed, the command presents its metadata. Otherwise, the following message is displayed:
Error: Signature does not validate against certificate (signing is compromised)