VMware Cloud Community
DaveIshmael
Enthusiast

VIB Signing

Hey all - I'm trying to find information on creating and importing certificates that can be used to sign internal VIBs so that we can have a higher acceptance level (VMwareAccepted).  The PartnerSupport and CommunitySupport levels do not work for our needs - we have a requirement to add/alter files outside of the sanctioned locations available for those acceptance levels.

To expand on that question; I assume we need to create our own certificate authority (CA) and import that into vCenter (and pushed to each ESXi host?).  We then use that CA to create/sign the custom VIBs we create for our internal use.  If I am missing something - let me know.  How do we go about accomplishing that goal?

Thanks

8 Replies
CoolRam
Expert

For the creation and signing of VIBs we need to use the VIB authoring tool, where you can also set the acceptance level.

If you find any answer useful, please mark the answer as correct or helpful.
DaveIshmael
Enthusiast

I'm using the VIB Author for creating the VIB; however, you are required to sign the VIB for anything higher than CommunitySupported. You can set the acceptance level to something higher (e.g. VMwareAccepted), but in order to deploy that update via VUM it must be signed (it fails if it isn't signed). Clearly VMware isn't going to sign an internal VIB created specifically for our organization. So given that we need to sign the VIB, I am looking for an option where we can create our own CA and import that to sign our own VIBs for internal use. My question is, how do we go about self-signing VIBs with an acceptance level at the VMwareAccepted level so that we can deploy files outside of the sanctioned file/directory locations?

CoolRam
Expert

Did you go through this blog: What's in a VIB? | VMware vSphere Blog - VMware Blogs

As far as I know, if you are pushing any VIB which is not a VMware VIB, you must choose the CommunitySupported profile.

DaveIshmael
Enthusiast

Yep, I read that along with the VIB Author PDF for creating custom VIBs. The issue is that the PartnerSupported and CommunitySupported levels do not allow installing software or modifying the ESXi host outside of the sanctioned locations. If you need to modify the ESXi host using a VIB, it must be signed at the VMwareAccepted level, which can only be done by VMware. Since it is unlikely VMware is going to sign an internal VIB created for an organization, I assume there's another way around that limitation. My thought is that we can create our own CA and deploy that to our ESXi farm so that we can self-sign our corporate VIBs for deployment. If that is not possible, how are others accomplishing the deployment of custom VIBs without breaking VUM?

CoolRam
Expert

I am not sure about your line "The issue is that the PartnerSupported and CommunitySupported levels do not allow installing software or modifying the ESXi host outside of the sanctioned locations", but in the CommunitySupported profile you can insert your VIB.

CommunitySupported means that any VIB can be inserted into the CommunitySupported profile.

DaveIshmael
Enthusiast

With a VIB having the acceptance level of CommunitySupported or PartnerSupported, you can only add files or make modifications to specific locations on the ESXi host (see below). You cannot, for example, add a startup script to the /etc/rc.local.d directory so that a specific action takes place each time the ESXi host reboots. As another example, let's say that you want to add a cron job using a custom VIB; you cannot do so using the lower acceptance levels. You MUST use a VMwareAccepted acceptance level for your VIB.

Now, you can set that acceptance level value in your VIB, but you cannot deploy that VIB without forcing it at the command line because it is not signed by VMware.  It is my understanding that the only way to get it properly signed by VMware is to submit that VIB for testing and approval.  That process doesn't make sense if you're creating internal VIBs that are not going to be distributed outside of your organization.  As such, there must be a mechanism in place to create and distribute internally created VIBs.

My thought is that we should be able to create our own CA certificate, import that certificate to the ESXi hosts, and then use that certificate to self-sign our VIBs for deployment. While I can understand that deployment of such VIBs is not supported by VMware, it is the most ideal mechanism for deploying and maintaining enterprise-specific modifications to the ESXi hosts (especially when there are many to manage).

Locations Allowed w/ PartnerSupported and CommunitySupported

etc/vmware/shutdown/shutdown/
etc/vmware/pciid/
etc/vmware/vm-support/
etc/vmware/firewall/
etc/vmware/service/
etc/cim/openwsman/
opt/
usr/lib/cim/
usr/lib/pycim/
usr/lib/hostprofiles/plugins/
usr/lib/vmware/
usr/lib/vmware-debug/
var/lib/sfcb/registration/
etc/vmware/driver.map.d
usr/share/hwdata/driver.pciids.d

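An added pre-deployment check, not code from this thread or from VMware: it takes the payload file list of a candidate VIB and reports every entry that falls outside the sanctioned locations quoted in the post above, i.e. the files that would require a VMware-signed VMwareAccepted VIB rather than a PartnerSupported/CommunitySupported one. The allowed-prefix table is the post's list; the sample payload paths are constructed for illustration.

```python
import posixpath
from typing import Iterable, List, Tuple

# Directory prefixes quoted in the post as writable by PartnerSupported /
# CommunitySupported VIBs (stored without the leading slash, as in the post).
ALLOWED_PREFIXES: Tuple[str, ...] = (
    "etc/vmware/shutdown/shutdown/", "etc/vmware/pciid/", "etc/vmware/vm-support/",
    "etc/vmware/firewall/", "etc/vmware/service/", "etc/cim/openwsman/", "opt/",
    "usr/lib/cim/", "usr/lib/pycim/", "usr/lib/hostprofiles/plugins/",
    "usr/lib/vmware/", "usr/lib/vmware-debug/", "var/lib/sfcb/registration/",
    "etc/vmware/driver.map.d/", "usr/share/hwdata/driver.pciids.d/",
)


def normalise(path: str) -> str:
    """Strip leading '/' or './' and collapse '..' so a payload entry such as
    'opt/../etc/rc.local.d/x.sh' is judged by where it really lands."""
    p = posixpath.normpath(path.strip().lstrip("/"))
    return "" if p == "." else p


def is_sanctioned(path: str) -> bool:
    """True if the file (or directory) sits under one of the allowed prefixes."""
    p = normalise(path)
    return any(p == pre.rstrip("/") or p.startswith(pre) for pre in ALLOWED_PREFIXES)


def unsanctioned_files(paths: Iterable[str]) -> List[str]:
    """Payload entries that, per the post, need a VMware-signed VMwareAccepted VIB."""
    return [p for p in paths if not is_sanctioned(p)]


# Constructed sample payload (not from a real VIB): a firewall rule set and an /opt
# binary (allowed) plus the two cases the post gives as not allowed at the lower
# acceptance levels, a startup script in /etc/rc.local.d and a cron entry.
SAMPLE_PAYLOAD = [
    "/etc/vmware/firewall/corp-monitoring.xml",
    "/opt/corp/bin/agent",
    "/etc/rc.local.d/999.corp-startup.sh",
    "/var/spool/cron/crontabs/root",
]

if __name__ == "__main__":
    for f in unsanctioned_files(SAMPLE_PAYLOAD):
        print("needs VMwareAccepted (VMware-signed):", f)
```

Running it against a real VIB's file list (for example, the paths listed in the descriptor produced by VIB Author) tells you before you reach VUM whether the package can stay at a lower acceptance level.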
liuchuang001
Contributor

Is this problem solved? How was it solved?

lamw
Community Manager

As the VIB Author document clearly states, VMware MUST be the signer for higher acceptance levels, and the chain of trust is within our bootloader, so you won't be able to influence this even if you import your trusted certs into VC or ESXi. Both of those are not in the picture, because the chain of trust is in the bootloader itself, which does the validation on whether a VIB is signed or not.

What use case or problem are you attempting to solve with your own internal VIBs? 99.9% of the scenarios should really be things done outside of the ESXi host (e.g. leveraging the vSphere API). For any 3rd party integrations, the OEM should be working with VMware, and if something needs to be installed, they would get it signed and it would be part of the chain of trust.
