AutoDeploy and AutoIT-VNF validate image signatures using the certificate and public key provided as part of the release ISO. Figure 5 illustrates the AutoDeploy release signing validation workflow, and Figure 6 depicts the workflow for AutoIT-VNF.
Figure 5. AutoDeploy Release Image Signature Validation Workflow
As shown in Figure 5, certificate validation is performed through an API call to Cisco security servers: the verification script downloads the Cisco root and SubCA certificates from www.cisco.com (over plain HTTP, as the log excerpt below shows), verifies the certificate chain, and uses it to authenticate the end-entity certificate and the rel.gpg key carried on the ISO. The Domain Name Service (DNS) must therefore be configured on the AutoDeploy VM so that it can resolve and reach those Internet hosts; if it cannot, the certificate chain cannot be fetched and the validation cannot complete.
Status messages for the AutoDeploy validation workflow can be viewed by executing the show log <transaction-id> | display xml command.
The following is an example output:
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Uploading config file(s)
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Uploading image file(s)
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Validation of ISO called for OS linux
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Executing /tmp mount -t iso9660 -o loop /home/ubuntu/isos/usp-5_1_0-631.iso /tmp/5061946078503935925
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Command exited with return code: 0
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Executing . ls -lah /tmp/5061946078503935925/repo
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Command exited with return code: 0
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Executing . python /opt/cisco/signing/cisco_openpgp_verify_release.py -e /tmp/5061946078503935925/repo/USP_RPM_CODE_REL_KEY-CCO_RELEASE.cer -G /tmp/5061946078503935925/repo/rel.gpg
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Command exited with return code: 0
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] ISO validation successful
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Executing . umount /tmp/5061946078503935925
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Command exited with return code: 0
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Executing . rm -r /tmp/5061946078503935925
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Command exited with return code: 0
Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4] Uploading ISO file
The status is also viewable through the AutoDeploy upstart logs /var/log/upstart/autodeploy.log:
2017-05-19T00:31:47,056 DEBUG [VnfPackageTask:227] [pool-5-thread-2] This ISO has rel.gpg, will continue with validation
2017-05-19T00:31:47,057 DEBUG [Task:52] [pool-5-thread-2] Executing . python /opt/cisco/signing/cisco_openpgp_verify_release.py -e /tmp/5061946078503935925/repo/USP_RPM_CODE_REL_KEY-CCO_RELEASE.cer -G /tmp/5061946078503935925/repo/rel.gpg
2017-05-19T00:31:47,562 DEBUG [VnfPackageTask:299] [pool-5-thread-2] Output: ^[[92mDownloading CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...^[[0m
2017-05-19T00:31:47,563 DEBUG [VnfPackageTask:299] [pool-5-thread-2] Output: ^[[92mSuccessfully downloaded crcam2.cer.^[[0m
2017-05-19T00:31:47,563 DEBUG [VnfPackageTask:299] [pool-5-thread-2] Output: ^[[92mDownloading SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...^[[0m
2017-05-19T00:31:47,564 DEBUG [VnfPackageTask:299] [pool-5-thread-2] Output: ^[[92mSuccessfully downloaded innerspace.cer.^[[0m
2017-05-19T00:31:47,565 DEBUG [VnfPackageTask:299] [pool-5-thread-2] Output: ^[[92mSuccessfully verified Cisco root, subca and end-entity certificate chain.^[[0m
2017-05-19T00:31:47,565 DEBUG [VnfPackageTask:299] [pool-5-thread-2] Output: ^[[92mSuccessfully fetched a public key from /tmp/5061946078503935925/repo/USP_RPM_CODE_REL_KEY-CCO_RELEASE.cer.^[[0m
2017-05-19T00:31:47,565 DEBUG [VnfPackageTask:299] [pool-5-thread-2] Output: ^[[92mSuccessfully authenticated /tmp/5061946078503935925/repo/rel.gpg key using Cisco X.509 certificate trust chain.^[[0m
2017-05-19T00:31:47,565 DEBUG [Task:52] [pool-5-thread-2] Command exited with return code: 0
2017-05-19T00:31:47,566 DEBUG [Task:52] [pool-5-thread-2] ISO validation successful
2017-05-19T00:31:47,567 DEBUG [Task:52] [pool-5-thread-2] Executing . umount /tmp/5061946078503935925
2017-05-19T00:31:47,583 DEBUG [Task:52] [pool-5-thread-2] Command exited with return code: 0
2017-05-19T00:31:47,583 DEBUG [Task:52] [pool-5-thread-2] Executing . rm -r /tmp/5061946078503935925
2017-05-19T00:31:47,585 DEBUG [Task:52] [pool-5-thread-2] Command exited with return code: 0
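The two log excerpts above record every step of the AutoDeploy check. The following POSIX shell script is an added example, not part of the Cisco documentation or of AutoDeploy itself: it reads saved log text in that format, pairs each "Executing ..." line with the return-code line that follows it, and reports whether the OpenPGP key-authentication step (cisco_openpgp_verify_release.py) actually ran, exited 0, and was followed by "ISO validation successful", rather than trusting a later "ISO successfully loaded" alone. The samples at the bottom are constructed (abridged from the format above, not captured from a system); the failing sample assumes only that a failed step is reported with the same "Command exited with return code: N" line and without the success message. AUTODEPLOY_LOG is an assumed environment variable used to point the script at a real log file.

```shell
#!/bin/sh
# Added example (not from the page or from Cisco): triage the AutoDeploy ISO
# validation steps recorded by `show log <transaction-id> | display xml` or by
# /var/log/upstart/autodeploy.log.

# Reads log text on stdin and prints one "rc=<code> <command>" line per step by
# pairing each "Executing ..." line with the next "Command exited with return code: N".
step_results() {
    cmd=
    while IFS= read -r line; do
        case "$line" in
            *"Executing "*)
                cmd=${line#*Executing }   # drop the timestamp / task prefix
                cmd=${cmd#. }             # drop the leading ". " the workflow prints
                ;;
            *"Command exited with return code: "*)
                printf 'rc=%s %s\n' "${line##*: }" "$cmd"
                ;;
        esac
    done
}

# Reads the same log text on stdin. Returns 0 only if the key-authentication step
# ran, every recorded step exited 0, and "ISO validation successful" was logged.
iso_validation_passed() {
    log=$(cat)
    steps=$(printf '%s\n' "$log" | step_results)
    printf '%s\n' "$steps" | grep -q 'cisco_openpgp_verify_release\.py' || return 1
    printf '%s\n' "$steps" | grep -qv '^rc=0 ' && return 1
    printf '%s\n' "$log" | grep -q 'ISO validation successful' || return 1
    return 0
}

# Constructed samples, abridged from the log format shown above (not captured from
# a real system). The failing sample assumes a non-zero "return code: N" line is
# how a failed step appears, with no "ISO validation successful" afterwards.
PREFIX='Fri May 19 00:31:47 UTC 2017 [Task: 1495153905253/vnf-pkg4]'
VERIFY='python /opt/cisco/signing/cisco_openpgp_verify_release.py -e /tmp/5061946078503935925/repo/USP_RPM_CODE_REL_KEY-CCO_RELEASE.cer -G /tmp/5061946078503935925/repo/rel.gpg'
SAMPLE_OK="$PREFIX Executing . $VERIFY
$PREFIX Command exited with return code: 0
$PREFIX ISO validation successful
$PREFIX Executing . umount /tmp/5061946078503935925
$PREFIX Command exited with return code: 0"
SAMPLE_FAIL="$PREFIX Executing . $VERIFY
$PREFIX Command exited with return code: 1
$PREFIX Executing . umount /tmp/5061946078503935925
$PREFIX Command exited with return code: 0"

# Print a verdict plus the per-step return codes for one log text.
report() {  # $1 = label, $2 = log text
    if printf '%s\n' "$2" | iso_validation_passed; then
        echo "$1: validation passed"
    else
        echo "$1: validation FAILED"
    fi
    printf '%s\n' "$2" | step_results
}

if [ -n "${AUTODEPLOY_LOG:-}" ]; then
    report "$AUTODEPLOY_LOG" "$(cat "$AUTODEPLOY_LOG")"   # assumed env var: real log file
else
    report SAMPLE_OK "$SAMPLE_OK"
    report SAMPLE_FAIL "$SAMPLE_FAIL"
fi
```

Run it with AUTODEPLOY_LOG=/var/log/upstart/autodeploy.log to check a real transaction; without the variable it exercises the constructed samples. The per-step listing identifies which command failed, which the single success line does not tell you.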
Figure 6. AutoIT-VNF Release Image Signature Validation Workflow
AutoIT logs show whether the public key was extracted from the ISO and installed into the ISO's RPM database. The logs are located in /var/log/cisco/usp/auto-it/autoit.log.
The following is an example output:
2017-05-19 00:33:06,868 - INFO: Mounting ISO to /tmp/tmpRfy_rf/iso_mount
2017-05-19 00:33:06,914 - INFO: Installing GPG key '/tmp/tmpRfy_rf/iso_mount/repo/rel.gpg'
2017-05-19 00:33:07,278 - INFO: Installing ISO
2017-05-19 00:35:37,762 - INFO: Unmouting /tmp/tmpRfy_rf/iso_mount
2017-05-19 00:35:37,821 - INFO: ISO successfully loaded
Additionally, although the automation workflow handles the public key import and RPM validation as described above, you can inspect the imported key and re-check a package signature yourself when logged on to the AutoIT-VNF VM by entering the following commands:
sudo su uspadmin
rpm --root /opt/cisco/usp/namespaces/5.1.0-631/.chroot_base/ -q gpg-pubkey
The above command lists the gpg-pubkey entries in that chroot's RPM database, i.e. the public key(s) imported from the ISO, each shown as gpg-pubkey-<key ID>-<key creation time> in hex. Replace 5.1.0-631 with the version of your ISO; it corresponds to <version> in the next command.
rpm --root /opt/cisco/usp/namespaces/<version>/.chroot_base/ -K /opt/cisco/usp/isos/<version>/repo/usp-auto-it-bundle-<bundle_version>.x86_64.rpm
The above command reports whether the RPM's signature verifies against the key in that database. A successful check ends in OK and names the signature (for example pgp or rsa, depending on the rpm version); NOT OK means the signature failed to verify or the signing key is not in the database, and an OK line that names only digests (sha1, md5) means the package carries no signature at all.
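The two rpm commands above check one package by hand. The following POSIX shell script is an added example, not part of the Cisco documentation or of AutoIT-VNF: it classifies the one-line summary that rpm -K prints, distinguishing a verified signature from the plain OK that rpm also prints for an unsigned package whose digests match, and walks every RPM in the ISO repo against the chroot database. The rpm -K output formats it matches are those of rpm 4.11 (as on EL7) and rpm 4.14 and later; the sample lines are constructed, not captured from a system. USP_VERSION is an assumed environment variable, and it is assumed that the chroot and repo paths shown above hold for other versions as well.

```shell
#!/bin/sh
# Added example (not from the page or from Cisco): verify every RPM in a release
# ISO repo against the key imported into that ISO's chroot RPM database.

# Classify the one-line summary printed by `rpm -K` (without -v).
# Prints signed-ok, unsigned or bad; returns 0 only for signed-ok.
rpm_sig_status() {
    line=$1
    rest=${line#*: }        # drop the "path.rpm: " prefix so a filename cannot match below
    case "$rest" in
        *"NOT OK"*) echo bad; return 1 ;;   # bad signature, or signing key not in the database
        *" OK") ;;
        *) echo bad; return 1 ;;
    esac
    # rpm 4.11 prints "rsa sha1 (md5) pgp md5 OK" for a signed package but only
    # "sha1 md5 OK" for one that carries no signature; rpm >= 4.14 prints
    # "digests signatures OK" versus "digests OK". A bare OK therefore does not
    # prove any signature was checked: accept only the variants that name one.
    lower=$(printf '%s' "$rest" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        *pgp*|*rsa*|*dsa*|*signatures*) echo signed-ok; return 0 ;;
        *) echo unsigned; return 1 ;;
    esac
}

# Run `rpm -K` on every RPM in $repo against the RPM database under $root.
# Returns 0 only if every package is signed and verifies.
verify_repo_rpms() {
    root=$1; repo=$2; rc=0
    for f in "$repo"/*.rpm; do
        [ -e "$f" ] || { echo "no RPMs found in $repo" >&2; return 1; }
        out=$(rpm --root "$root" -K "$f" 2>&1) || true      # rpm exits non-zero on NOT OK; classify the text
        status=$(rpm_sig_status "$out") || true
        printf '%s\t%s\n' "$status" "$f"
        [ "$status" = signed-ok ] || rc=1
    done
    return "$rc"
}

# Constructed sample lines (not captured from a real system) so the classifier can
# be exercised where rpm is not installed.
SAMPLE_SIGNED='usp-auto-it-bundle-example.x86_64.rpm: rsa sha1 (md5) pgp md5 OK'
SAMPLE_UNSIGNED='example-unsigned-1.0-1.x86_64.rpm: sha1 md5 OK'
SAMPLE_MISSING_KEY='example-1.0-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#0000000a)'

if [ -n "${USP_VERSION:-}" ]; then
    # Real check, e.g. USP_VERSION=5.1.0-631; paths follow the commands above and
    # are assumed to hold for other versions.
    verify_repo_rpms "/opt/cisco/usp/namespaces/$USP_VERSION/.chroot_base" \
                     "/opt/cisco/usp/isos/$USP_VERSION/repo"
else
    for s in "$SAMPLE_SIGNED" "$SAMPLE_UNSIGNED" "$SAMPLE_MISSING_KEY"; do
        printf '%s\t%s\n' "$(rpm_sig_status "$s")" "$s"
    done
fi
```

Run it as uspadmin with USP_VERSION set to the ISO version to check the whole repo; the exit status is 0 only when every package carries a signature that verifies against the imported key, so it can gate a deployment step. Without USP_VERSION it only classifies the constructed sample lines.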