Dell VxRail Security Configuration Guide

Verification

Validate the digital signature and the SHA-512 digests for all files.

About this task

After you locally upload the LCM bundles or download them from the Internet, the bundles are automatically verified. To manually verify the bundles, perform the following steps.

Steps

  1. To download the VxRail updates feature, perform the following:
    1. From VMware vSphere Web Client, select the Inventory icon.
    2. Select the VxRail cluster and click the Configure tab.
    3. Select VxRail > Updates.
    4. To upload software to VxRail Manager, select an option from the following tabs:
      • System: Lists the Current VxRail System Version and the Installed Components and Versions.
      • Internet Updates: Downloads a new version of the VxRail software. You must have Internet access. If more than one version is available, select ALL Available System Updates or Recommended System Updates.
      • Local Updates: Uploads a new version of the software from your local storage if you do not have Internet access.
  2. Connect to VxRail Manager using an SSH client such as PuTTY.
  3. Log in as mystic.
  4. Go to the location of the extracted LCM bundle and list the code-signed artifacts.

    >cd /data/store2/lcm/unpacked

    >ls -l LCMsign*

    -rw-r--r-- 1 tcserver pivotal 15669 Jun  9 06:33 LCMsigninput.txt
    -rw-r--r-- 1 tcserver pivotal 15669 Jun  9 06:33 LCMsigninput.txt

    Where:
    • LCMsigninput.txt is the manifest of file names and original sha384 message digests.
    • LCMsigninput.txt.signed contains the public key and digital signature certificate.
  5. To verify the publisher and the certification chain are trusted, enter:

    > timestamp=$(cat timestamp.txt)

    > linux_ts=$(date -d "${timestamp:0:8} ${timestamp:8:4}" +"%s")

    > openssl verify -attime $linux_ts -untrusted signing_root.crt -untrusted signing_intermedia.crt signing_ee.crt

    Sample output for validation success:

    > signing_ee.crt: OK

  6. To extract the public key from the signature file, enter:
    >openssl x509 -in LCMsigninput.txt.signed -pubkey -noout > ~/LCMsigninput.txt.pubkey
    NOTE: The mystic user cannot write to the LCM directories, so the output file is written to the mystic home directory.
  7. To extract the binary signature from the signature file, enter:
    >cat LCMsigninput.txt.signed | sed -e 's/.*= \([^ ]\+\)$/\1/' | xxd -r -p > ~/LCMsigninput.txt.binsig
    NOTE: The mystic user cannot write to the LCM directories, so the output file is written to the mystic home directory.
  8. To verify the digital signature, enter:
    >openssl dgst -sha512 -verify ~/LCMsigninput.txt.pubkey -signature ~/LCMsigninput.txt.binsig LCMsigninput.txt

    If Verified OK displays, the integrity of the manifest file is assured and the file digests can be trusted. If Verified Failure displays, ensure that the LCM bundle is obtained from a trusted source such as Internet updates (described in steps 1 to 4) or downloaded from Dell Technologies.

  9. To verify the LCM bundle contents against the message digests, enter:
    >sha512sum -c LCMsigninput.txt

    This command calculates the sha512 digest for each file in the extracted bundle and compares the result with the digests that are recorded in the signed manifest. Each verified file name is displayed, and if the digests match, the result is OK. If the digests do not match, the files were modified or corrupted.

    Complete the upgrade process.
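Step 9 checks only the files that the manifest names, so a file added to the bundle directory is never reported. The following is an added example, not part of the Dell guide: a fail-closed wrapper around `sha512sum -c` that also reports unlisted files. It assumes GNU coreutils, a manifest in `sha512sum` format, that step 8 already returned Verified OK, and that the signing artifacts named in the steps are not listed in the manifest; the function name `verify_bundle` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the Dell guide. Run only after step 8 reports "Verified OK".

# Signing artifacts from the steps above. ASSUMPTION: they sit at the top of
# the bundle directory and are not themselves listed in the manifest.
SIGNING_ARTIFACTS='^(LCMsigninput\.txt(\.signed)?|timestamp\.txt|signing_[^/]*\.crt)$'

# verify_bundle DIR [MANIFEST]   (hypothetical helper name)
#   0 = every listed file matches and no unlisted file is present
#   1 = a listed file is missing or modified, or a manifest line is malformed
#   2 = digests match, but the directory holds files the manifest does not cover
verify_bundle() (
    dir=$1
    manifest=${2:-LCMsigninput.txt}
    cd "$dir" || return 1
    [ -s "$manifest" ] || return 1

    # --strict turns a malformed manifest line into an error instead of a warning;
    # --quiet prints only the files that fail.
    sha512sum --strict --quiet -c "$manifest" >&2 || return 1

    # sha512sum -c reads only the names in the manifest, so compare that list
    # with what is actually on disk.
    unlisted=$(find . -type f | sed 's|^\./||' | grep -Ev "$SIGNING_ARTIFACTS" |
        awk -v m="$manifest" '
            BEGIN {
                while ((getline line < m) > 0) {
                    sub(/^[0-9a-fA-F]+ [ *]/, "", line)   # drop digest and mode flag
                    sub(/^\.\//, "", line)
                    listed[line] = 1
                }
            }
            !($0 in listed)')

    if [ -n "$unlisted" ]; then
        printf '%s\n' "$unlisted" | sed 's/^/not covered by manifest: /' >&2
        return 2
    fi
    return 0
)
```

Call it as `verify_bundle /data/store2/lcm/unpacked` and treat any non-zero return as a reason to stop before completing the upgrade.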

