Communication between vRealize Automation IaaS components and virtual appliances fails after upgrading to vRA 7.3+

Article ID: 326140

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
After explicitly disabling TLS 1.0 on the IaaS, you see these symptoms:
  • Security errors appear in the communication between IaaS and CAFE, or even between IaaS services such as WAPI, Repository, etc.
  • During the upgrade, you see errors similar to:

    "System.Data.Services.Client.DataServiceTransportException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm"


Environment

VMware vRealize Automation 7.6.x
VMware vRealize Automation 7.4.x
VMware vRealize Automation 7.5.x
VMware vRealize Automation 7.3.x

Cause

This issue occurs when the client and the server attempting to establish communication have no TLS version or cipher suite in common.

Resolution

To resolve this issue, enable the correct protocols and cipher suites. For more information, see the Configuring TLS for Infrastructure as a Service Data-in-Transit section of the VMware vRealize Automation Secure Configuration Guide.

Alternative Method:
IISCrypto:

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016 and 2019. It also lets you reorder SSL/TLS cipher suites offered by IIS, change advanced settings, implement Best Practices with a single click, create custom templates and test your website.
  1. Download IISCrypto from https://www.nartac.com/Products/IISCrypto
  2. Install / extract the .exe and copy it to the corresponding IaaS Windows hosts.
  3. Run IISCrypto as administrator.
  4. Select the Server / Client check box.
  5. Select "Apply best practices".
  6. Remove TLS 1.0 and 1.1 from both client and server.
  7. Select any additional settings dictated by internal security teams / posture.
  8. Click "Apply".
  9. Reboot the Windows host.
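
After the reboot, the protocol state on each IaaS Windows host can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article or of IIS Crypto; it assumes the standard Windows SCHANNEL protocol registry location and only reads values. Run it on every IaaS host and compare the output, since the error above appears when the Client role on one host and the Server role on another share no protocol.

```powershell
# Added example: report SCHANNEL protocol settings for the Client and Server roles.
# Read-only; assumes the standard Windows SCHANNEL registry location.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Client', 'Server'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (the OS default then applies).
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $path    = Join-Path (Join-Path $base $protocol) $role
        $enabled = Get-SchannelValue -Path $path -Name 'Enabled'
        # Any non-zero Enabled value (1 or 0xffffffff) counts as enabled.
        $state = if ($null -eq $enabled) { 'not set (OS default)' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            State             = $state
            DisabledByDefault = Get-SchannelValue -Path $path -Name 'DisabledByDefault'
        }
    }
}

$report | Format-Table -AutoSize

# Flag the combinations that matter for this issue.
foreach ($role in $roles) {
    $forRole = $report | Where-Object { $_.Role -eq $role }
    $tls12   = $forRole | Where-Object { $_.Protocol -eq 'TLS 1.2' }
    if ($tls12.State -eq 'disabled') {
        Write-Warning "TLS 1.2 is disabled for the $role role; with TLS 1.0 and 1.1 removed, no protocol is left to negotiate."
    }
    foreach ($entry in ($forRole | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'disabled' })) {
        Write-Warning "$($entry.Protocol) is not explicitly disabled for the $role role (state: $($entry.State))."
    }
}
```

A state of "not set (OS default)" means the registry does not override the protocol, so the effective behavior depends on the Windows Server version.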