Disabling TLS 1.0 in vRealize Automation

Article ID: 320083

Products

VMware Aria Suite

Issue/Introduction

This article provides steps to disable TLS 1.0 in vRealize Automation.
 
vRealize Automation uses TLS 1.0 or later for all communications. The protocol version is negotiated per connection and is the newest version that both the server and the client support; in most cases this is TLS 1.2.
 
Depending on your security policy, you might need to disable TLS 1.0 in the vRealize Automation server components. After you do so, only TLS 1.1 and TLS 1.2 are accepted.


Environment

VMware vRealize Automation 6.2
VMware vRealize Automation 6.2.x
VMware vRealize Automation 7.3.x
VMware vRealize Automation Desktop 6.2
VMware vRealize Automation Desktop 6.2.x
VMware vRealize Automation 7.0.x
VMware vRealize Automation 7.2.x
VMware vRealize Automation 7.1.x

Resolution

Prerequisites:
  • Verify that every client of vRealize Automation services supports TLS 1.1 or later. This includes browsers, operating systems, and tools that connect through the API.
  • Configure load balancers to use TLS 1.1 or later as well.
Note: These settings are not preserved on upgrade or when you add a new node to the cluster; you must reapply them manually.
 
Configuration:

Disable TLS 1.0 on these components:
 
  • IaaS

    Configure IaaS to use polling instead of web sockets:
  1. Update the Manager Service configuration file, C:\Program Files (x86)\VMware\vCAC\Server\ManagerService.exe.config, by adding these values in the appSettings section:
<add key="Extensibility.Client.RetrievalMethod" value="Polling"/>
<add key="Extensibility.Client.PollingInterval" value="2000"/>
<add key="Extensibility.Client.PollingMaxEvents" value="128"/>
  2. Restart the Manager Service (VMware vCloud Automation Center Service) on the IaaS server.
 
  • vRealize Automation Appliance
  1. Log in to each vRealize Automation appliance as root.
  2. Edit these files using a text editor:

    /etc/haproxy/conf.d/20-vcac.cfg
    /etc/haproxy/conf.d/30-vro-config.cfg

     
  3. On each bind line that carries the ssl keyword, append no-tlsv10 after the existing no-sslv3, for example:

    bind 0.0.0.0:8283 ssl crt ..... no-sslv3 no-tlsv10
     
  4. Reload the haproxy configuration by running the command:

    service haproxy reload
  • Console proxy (port 8444)
  1. Log in to each vRealize Automation appliance as root.
  2. Edit the /etc/vcac/security.properties file using a text editor.
  3. Add or modify the consoleproxy.ssl.server.protocols line so that it reads:

    consoleproxy.ssl.server.protocols=SSLv2Hello,TLSv1.2,TLSv1.1

    Note: SSLv2Hello only allows a client to open the handshake with an SSLv2-format ClientHello; it does not enable SSL 2.0 itself.
     
  4. Restart the vcac-server service by running the command:

    service vcac-server restart
  • Disable TLS 1.0 in the IaaS IIS and .NET side
  1. To disable TLS 1.0 in Schannel on the Windows nodes (which also covers IIS), see Microsoft Knowledge Base article 245030.
Note: The preceding link is correct as of June 12, 2018. If you find the link is broken, provide feedback and a VMware employee will update the link.
  2. Enable the SchUseStrongCrypto value in the Windows registry so that .NET Framework 4.x applications on the IaaS servers offer TLS 1.0, 1.1, and 1.2 by default instead of only SSL 3.0 and TLS 1.0; without it, the IaaS services cannot reach the appliance once it stops accepting TLS 1.0. You can set the value manually, or copy the following into a .reg file and run it as an administrator on each IaaS server:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
 
  • Management console (port 5480)
  1. Log in to each vRealize Automation appliance as root.
  2. Open /opt/vmware/etc/lighttpd/lighttpd.conf in a text editor.
  3. Replace the ssl.cipher-list entry with:

    ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
     
  4. Restart the lighttpd service by running the command:

    service vami-lighttp restart

    Note: Every suite in this list exists only in TLS 1.2 (AES-GCM, ChaCha20-Poly1305, or SHA-256/SHA-384 HMAC suites), so the management console stops accepting TLS 1.1 as well as TLS 1.0.
  • vCO service
  1. Locate the <Connector> element in the /etc/vco/app-server/server.xml file and add the following attribute to it:
sslEnabledProtocols="TLSv1.1,TLSv1.2"
  2. Restart the vCO service by running the following command:
service vco-server restart
  • vRealize Automation service
  1. Locate the <Connector> element in the /etc/vcac/server.xml file and add the following attribute to it:
sslEnabledProtocols="TLSv1.1,TLSv1.2"
  2. Restart the vRealize Automation service by running the following command:
service vcac-server restart
  • RabbitMQ
  1. Open the /etc/rabbitmq/rabbitmq.config file and verify that the versions list in both the ssl section and the ssl_options section contains only tlsv1.2 and tlsv1.1, as in the following example:
[
   {ssl, [
      {versions, ['tlsv1.2', 'tlsv1.1']},
      {ciphers, ["AES256-SHA", "AES128-SHA"]}
   ]},
   {rabbit, [
      {tcp_listeners, [{"127.0.0.1", 5672}]},
      {frame_max, 262144},
      {ssl_listeners, [5671]},
      {ssl_options, [
         {cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
         {certfile, "/etc/rabbitmq/certs/server/cert.pem"},
         {keyfile, "/etc/rabbitmq/certs/server/key.pem"},
         {versions, ['tlsv1.2', 'tlsv1.1']},
         {ciphers, ["AES256-SHA", "AES128-SHA"]},
         {verify, verify_peer},
         {fail_if_no_peer_cert, false}
      ]},
      {mnesia_table_loading_timeout,600000},
      {cluster_partition_handling, autoheal},
      {heartbeat, 600}
   ]},
   {kernel, [{net_ticktime,  120}]}
].
  2. Restart the RabbitMQ server by running the following command:
service rabbitmq-server restart
Note: Do not change the internal PostgreSQL service (port 5432) to disable TLS 1.0; doing so breaks the internal tools that monitor the database.
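Because none of these settings survive an upgrade or the addition of a cluster node, a repeatable check is worth having. The following Python script is an added example and is not part of this VMware article: it audits the configuration files the article names for the settings the steps above require. The file paths and the settings are the article's; the sample contents in SAMPLE_BEFORE and SAMPLE_AFTER (including the certificate path /etc/vcac/haproxy.pem) are constructed for illustration and were not captured from a real appliance.

```python
"""Audit vRealize Automation configuration files for the TLS 1.0 settings
this article describes. Added example, not part of the VMware article: the
checks encode the article's steps; SAMPLE_BEFORE / SAMPLE_AFTER are
constructed sample contents, not files captured from a real appliance."""
import re

def check_haproxy(text):
    """Every 'bind ... ssl ...' line must carry both no-sslv3 and no-tlsv10."""
    findings = []
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["bind"] and "ssl" in words:
            for opt in ("no-sslv3", "no-tlsv10"):
                if opt not in words:
                    findings.append(f"haproxy: '{line.strip()}' lacks {opt}")
    return findings

def check_security_properties(text):
    """consoleproxy.ssl.server.protocols must not list TLSv1 or SSLv3."""
    m = re.search(r"^consoleproxy\.ssl\.server\.protocols=(.*)$", text, re.M)
    if not m:
        return ["security.properties: consoleproxy.ssl.server.protocols not set"]
    weak = {p.strip() for p in m.group(1).split(",")} & {"TLSv1", "SSLv3"}
    return [f"security.properties: weak protocols enabled: {sorted(weak)}"] if weak else []

def check_server_xml(text, name):
    """Each SSL-enabled Tomcat <Connector> needs sslEnabledProtocols without TLSv1."""
    findings = []
    for tag in re.findall(r"<Connector\b[^>]*>", text):
        if 'SSLEnabled="true"' not in tag:
            continue
        m = re.search(r'sslEnabledProtocols\s*=\s*"([^"]*)"', tag)
        if not m:
            findings.append(f"{name}: SSL connector has no sslEnabledProtocols, TLS 1.0 allowed")
        elif "TLSv1" in {p.strip() for p in m.group(1).split(",")}:
            findings.append(f"{name}: sslEnabledProtocols includes TLSv1")
    return findings

# Suites that exist only in TLS 1.2: AEAD (GCM, ChaCha20) and SHA-2 HMAC suites.
_TLS12_ONLY = re.compile(r"GCM|CHACHA20|SHA256|SHA384")

def check_lighttpd(text):
    """Port 5480 is limited to TLS 1.2 by offering nothing an older client can use."""
    m = re.search(r'ssl\.cipher-list\s*=\s*"([^"]*)"', text)
    if not m:
        return ["lighttpd: ssl.cipher-list not set"]
    weak = [c for c in m.group(1).split(":") if not _TLS12_ONLY.search(c)]
    return [f"lighttpd: suites negotiable under TLS 1.0/1.1: {weak}"] if weak else []

def check_rabbitmq(text):
    """Both versions lists (ssl and ssl_options) must exclude tlsv1 and sslv3."""
    lists = re.findall(r"\{versions,\s*\[([^\]]*)\]\}", text)
    if len(lists) < 2:
        return ["rabbitmq: expected a versions list in both ssl and ssl_options"]
    findings = []
    for i, entry in enumerate(lists):
        weak = set(re.findall(r"'([a-z0-9.]+)'", entry)) & {"tlsv1", "sslv3"}
        if weak:
            findings.append(f"rabbitmq: versions list {i} allows {sorted(weak)}")
    return findings

# Paths from the article, each mapped to the check for its setting.
CHECKS = {
    "/etc/haproxy/conf.d/20-vcac.cfg": check_haproxy,
    "/etc/haproxy/conf.d/30-vro-config.cfg": check_haproxy,
    "/etc/vcac/security.properties": check_security_properties,
    "/etc/vcac/server.xml": lambda t: check_server_xml(t, "vcac server.xml"),
    "/etc/vco/app-server/server.xml": lambda t: check_server_xml(t, "vco server.xml"),
    "/opt/vmware/etc/lighttpd/lighttpd.conf": check_lighttpd,
    "/etc/rabbitmq/rabbitmq.config": check_rabbitmq,
}

def audit(files):
    """files maps path -> contents. Returns findings; [] means every file checked is clean."""
    findings = []
    for path, text in files.items():
        if path in CHECKS:
            findings.extend(CHECKS[path](text))
    return findings

# Constructed samples (not real appliance files): the relevant lines before and after the steps.
SAMPLE_BEFORE = {
    "/etc/haproxy/conf.d/20-vcac.cfg": "bind 0.0.0.0:8283 ssl crt /etc/vcac/haproxy.pem no-sslv3\n",
    "/etc/vcac/security.properties": "consoleproxy.ssl.server.protocols=SSLv2Hello,TLSv1.2,TLSv1.1,TLSv1\n",
    "/etc/vcac/server.xml": '<Connector port="8443" SSLEnabled="true" scheme="https"/>',
    "/opt/vmware/etc/lighttpd/lighttpd.conf": 'ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA"\n',
    "/etc/rabbitmq/rabbitmq.config": "[{ssl, [{versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}]},\n"
                                     " {rabbit, [{ssl_options, [{versions, ['tlsv1.2', 'tlsv1.1', 'tlsv1']}]}]}].\n",
}
SAMPLE_AFTER = {
    "/etc/haproxy/conf.d/20-vcac.cfg": "bind 0.0.0.0:8283 ssl crt /etc/vcac/haproxy.pem no-sslv3 no-tlsv10\n",
    "/etc/vcac/security.properties": "consoleproxy.ssl.server.protocols=SSLv2Hello,TLSv1.2,TLSv1.1\n",
    "/etc/vcac/server.xml": '<Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1.1,TLSv1.2"/>',
    "/opt/vmware/etc/lighttpd/lighttpd.conf": 'ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"\n',
    "/etc/rabbitmq/rabbitmq.config": "[{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},\n"
                                     " {rabbit, [{ssl_options, [{versions, ['tlsv1.2', 'tlsv1.1']}]}]}].\n",
}

if __name__ == "__main__":
    for label, files in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(files) or "no TLS 1.0 findings")
```

On an appliance, feed it the real files instead of the samples, for example audit({p: open(p).read() for p in CHECKS}), and run it again after every upgrade or node addition. The static check complements rather than replaces a live probe: once the services are restarted, confirm from a client that a TLS 1.0 handshake is refused and a TLS 1.2 handshake succeeds on the ports the article configures (8283, 8444, 5480, 5671), for example with openssl s_client -connect host:8444 -tls1 and -tls1_2.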


Additional Information

Disabling TLS 1.0 in vRealize Automation (title of the Chinese-language version: 在 vRealize Automation 中禁用 TLS 1.0)