Prerequisites:
- Verify that all clients to vRealize Automation services support TLS 1.1 or later. This includes browsers, OS, and tools that connect by using the API.
- Load balancers should also be configured to use TLS 1.1 or later.
Note: This configuration is not preserved on upgrade, nor when you add a new node to the cluster. You must reapply it manually.
Configuration:
Disable TLS 1.0 on these components:
- IaaS
Configure IaaS to use polling instead of web sockets:
- Update the Manager Service config file located at C:\Program Files (x86)\VMware\vCAC\Server\ManagerService.exe.config by adding these values in the appSettings section:
<add key="Extensibility.Client.RetrievalMethod" value="Polling"/>
<add key="Extensibility.Client.PollingInterval" value="2000"/>
<add key="Extensibility.Client.PollingMaxEvents" value="128"/>
- Restart the Manager Service (VMware vCloud Automation Center Service) on the IaaS server.
- vRealize Automation Appliance
- Log in to each vRealize Automation appliance as root.
- Edit these files using a text editor:
/etc/haproxy/conf.d/20-vcac.cfg
/etc/haproxy/conf.d/30-vro-config.cfg
- Append no-tlsv10 to the end of each ssl bind line, for example:
bind 0.0.0.0:8283 ssl crt ..... no-sslv3 no-tlsv10
- Reload the haproxy config by running the command:
service haproxy reload
- Console proxy (port 8444)
- Log in to each vRealize Automation appliance as root.
- Edit the /etc/vcac/security.properties file using a text editor.
- Add or modify the consoleproxy.ssl.server.protocols line so that it reads:
consoleproxy.ssl.server.protocols=SSLv2Hello,TLSv1.2,TLSv1.1
- Restart the vcac-server service by running the command:
service vcac-server restart
- Disable TLS 1.0 on the IaaS IIS and .NET side
- To disable TLS 1.0 in the Windows nodes, see the Microsoft Knowledge Base article 245030.
Note: The preceding link is correct as of June 12, 2018. If you find the link is broken, provide feedback and a VMware employee will update the link.
- Enable the "SchUseStrongCrypto" property in the Windows registry so that .NET uses TLS 1.0+ protocols by default. You can do this manually or by copying the following into a .reg file and running it as admin on the IaaS servers:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
- Management console (port 5480)
- Log in to each vRealize Automation appliance as root.
- Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor.
- Replace the ssl.cipher-list entry with:
ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
- Restart the lighttpd service by running the command:
service vami-lighttp restart
Note: This also disables the TLS 1.1 protocol.
- vCO service
- Locate the <Connector> tag in the /etc/vco/app-server/server.xml file and add the following attribute to it:
sslEnabledProtocols = "TLSv1.1,TLSv1.2"
- Restart the vCO service by running the following command:
service vco-server restart
- vRealize Automation service
- Locate the <Connector> tag in the /etc/vcac/server.xml file and add the following attribute to it:
sslEnabledProtocols = "TLSv1.1,TLSv1.2"
- Restart the vRealize Automation service by running the following command:
service vcac-server restart
- RabbitMQ
- Open the /etc/rabbitmq/rabbitmq.config file and verify that tlsv1.2 and tlsv1.1 are listed in the versions entry of both the ssl and ssl_options sections, as shown in the following example:
[
{ssl, [
{versions, ['tlsv1.2', 'tlsv1.1']},
{ciphers, ["AES256-SHA", "AES128-SHA"]}
]},
{rabbit, [
{tcp_listeners, [{"127.0.0.1", 5672}]},
{frame_max, 262144},
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
{certfile, "/etc/rabbitmq/certs/server/cert.pem"},
{keyfile, "/etc/rabbitmq/certs/server/key.pem"},
{versions, ['tlsv1.2', 'tlsv1.1']},
{ciphers, ["AES256-SHA", "AES128-SHA"]},
{verify, verify_peer},
{fail_if_no_peer_cert, false}
]},
{mnesia_table_loading_timeout,600000},
{cluster_partition_handling, autoheal},
{heartbeat, 600}
]},
{kernel, [{net_ticktime, 120}]}
].
- Restart the RabbitMQ server by running the following command:
service rabbitmq-server restart
Note: Do not modify the internal Postgres service (port 5432) to disable TLS 1.0, because this breaks the internal tools that monitor the database.
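After completing the steps above, a practitioner will want to confirm from a client machine that each reconfigured port now refuses TLS 1.0 while still accepting TLS 1.2. The following checker is an added example, not VMware's own tooling; the host name is a placeholder, and the port list is taken from the procedure above (the internal Postgres port 5432 is deliberately left out).

```python
"""Probe vRealize Automation endpoints for TLS 1.0 rejection (added example)."""
import socket
import ssl

VRA_HOST = "vra.example.local"   # assumption: replace with your appliance FQDN

# Ports from the procedure; 5432 is intentionally excluded (must keep TLS 1.0).
ENDPOINTS = {
    "vRealize Automation service (443)": 443,
    "haproxy vRO config (8283)": 8283,
    "console proxy (8444)": 8444,
    "management console / lighttpd (5480)": 5480,
    "RabbitMQ AMQPS (5671)": 5671,
}


def handshake(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`; True if the server accepts it.
    The local OpenSSL must itself still support TLS 1.0 for the negative check to mean anything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # we test protocol policy here, not the certificate chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy suites so a refusal is the server's
    except ssl.SSLError:
        pass                                # LibreSSL / old OpenSSL without security levels
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def classify(tls10_ok, tls12_ok):
    """Turn the two handshake outcomes into a verdict for one endpoint."""
    if tls10_ok:
        return "FAIL: TLS 1.0 still accepted"
    if tls12_ok:
        return "PASS: TLS 1.0 refused, TLS 1.2 accepted"
    return "ERROR: no TLS 1.2 handshake (port down, blocked, or service not restarted)"


def check_all(host=VRA_HOST):
    """Probe every endpoint; returns {name: verdict} so results can be asserted on, not just printed."""
    return {name: classify(handshake(host, port, ssl.TLSVersion.TLSv1),
                           handshake(host, port, ssl.TLSVersion.TLSv1_2))
            for name, port in ENDPOINTS.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:45s} {verdict}")
```

Run it from a machine that can reach the appliance; any FAIL line means the corresponding component above was not reconfigured or restarted.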