Disabling TLS 1.0 in vRealize Automation (2146570)


Purpose

This article provides steps to disable TLS 1.0 in vRealize Automation.

vRealize Automation uses TLS 1.0 or later for all communications. The actual protocol is negotiated and is the latest possible protocol that is supported by the server and the client. In most cases this is TLS 1.2.

Depending on your security policy, you might need to disable TLS 1.0 in the vRealize Automation server components. In that case, the newer TLS 1.1 and TLS 1.2 protocols are used instead.

Resolution

Prerequisites:
  • Verify that all clients of vRealize Automation services support TLS 1.1 or later. This includes browsers, operating systems, and tools that connect by using the API.
  • Load balancers should also be configured to use TLS 1.1 or later.
Note: This configuration is not preserved on upgrade, nor when you add a new node to the cluster. You must reapply it manually.

Configuration:

Disable TLS 1.0 on these components:
 
  • IaaS

    Configure IaaS to use polling instead of web sockets:
    1. Update the Manager Service configuration file, located at C:\Program Files (x86)\VMware\vCAC\Server\ManagerService.exe.config, by adding these values to the appSettings section:


      <add key="Extensibility.Client.RetrievalMethod" value="Polling"/>
      <add key="Extensibility.Client.PollingInterval" value="2000"/>
      <add key="Extensibility.Client.PollingMaxEvents" value="128"/>

    2. Restart the Manager Service (VMware vCloud Automation Center Service) on the IaaS server.

  • vRealize Automation Appliance
    1. Log in to each vRealize Automation appliance as root.
    2. Edit these files using a text editor:

        /etc/haproxy/conf.d/20-vcac.cfg
        /etc/haproxy/conf.d/30-vro-config.cfg


    3. Append no-tlsv10 to the end of each bind line that terminates TLS, so that a line such as

        bind 0.0.0.0:443 ssl crt ..... no-sslv3

       becomes

        bind 0.0.0.0:443 ssl crt ..... no-sslv3 no-tlsv10

    4. Reload the haproxy configuration by running the command:

      service haproxy reload
  • Console proxy (port 8444)
    1. Log in to each vRealize Automation appliance as root.
    2. Edit the file /etc/vcac/security.properties using a text editor.
    3. Add or modify the consoleproxy.ssl.server.protocols line so that it reads:

      consoleproxy.ssl.server.protocols=SSLv2Hello,TLSv1.2,TLSv1.1

    4. Restart the vcac-server service by running the command:

      service vcac-server restart
  • Disable TLS 1.0 in the IaaS IIS

    To disable TLS 1.0 on the Windows nodes, see Microsoft Knowledge Base article 245030.

    Note: The preceding link is correct as of August 29, 2016. If you find the link is broken, provide feedback and a VMware employee will update the link.

  • Management console (port 5480)
    1. Log in to each vRealize Automation appliance as root.
    2. Open /opt/vmware/etc/lighttpd/lighttpd.conf in a text editor.
    3. Replace the ssl.cipher-list entry with:

      ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

    4. Restart the lighttpd service by running the command:

      service vami-lighttp restart

      Note: Because every suite in this cipher list requires TLS 1.2, this change also disables the TLS 1.1 protocol on port 5480.
 
Note: Do not modify the internal PostgreSQL service (port 5432) to disable TLS 1.0, because this breaks the internal tools that monitor the database.
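To confirm the appliance-side edits before reloading the services, and to verify the listeners afterwards, the following shell script is an added example; it is not part of this KB article and not a vRealize Automation tool. It audits copies of the three files the procedure edits (the haproxy bind lines, consoleproxy.ssl.server.protocols, and the lighttpd ssl.cipher-list) against constructed sample contents, so it runs stand-alone. The sample file contents, the placeholder certificate path, and the cipher-name heuristic in lighttpd_tls12_only are assumptions; the probe_tls10_refused function needs network access and an OpenSSL build that still offers the -tls1 option, so it is defined but not run here.

```shell
#!/bin/sh
# Added example, not part of the VMware KB article or of vRealize Automation.
# Audits the appliance files edited by the procedure above and provides a
# live probe for use after the services are restarted. Paths in the comments
# are the article's; the sample files written below are constructed.

# haproxy (/etc/haproxy/conf.d/20-vcac.cfg, 30-vro-config.cfg):
# every "bind ... ssl" line must carry no-tlsv10. A file with no TLS bind
# lines has nothing to disable and therefore passes.
haproxy_tls10_disabled() {
    [ -r "$1" ] || return 1
    offending=$(grep -E '^[[:space:]]*bind[[:space:]].*[[:space:]]ssl([[:space:]]|$)' "$1" \
        | grep -v -E '(^|[[:space:]])no-tlsv10([[:space:]]|$)' | wc -l)
    [ "$offending" -eq 0 ]
}

# Console proxy (/etc/vcac/security.properties): the protocols line must be
# present and must not list a bare TLSv1 token (TLSv1.1 and TLSv1.2 are fine).
consoleproxy_tls10_disabled() {
    [ -r "$1" ] || return 1
    line=$(grep -E '^[[:space:]]*consoleproxy\.ssl\.server\.protocols=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    protos=${line#*=}
    ! printf '%s\n' "$protos" | tr ',' '\n' \
        | grep -q -x -E '[[:space:]]*TLSv1(\.0)?[[:space:]]*'
}

# Management console (/opt/vmware/etc/lighttpd/lighttpd.conf): the cipher
# list must contain only TLS 1.2 suites. Heuristic (assumption): AEAD suites
# (GCM, CHACHA20) and SHA-2 MAC suites (SHA256, SHA384) are TLS 1.2-only;
# anything else, such as a suite ending in -SHA, can be negotiated under
# TLS 1.0 or 1.1.
lighttpd_tls12_only() {
    [ -r "$1" ] || return 1
    line=$(grep -E '^[[:space:]]*ssl\.cipher-list[[:space:]]*=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    list=$(printf '%s' "${line#*=}" | tr -d '" ')
    [ -n "$list" ] || return 1
    weak=$(printf '%s\n' "$list" | tr ':' '\n' \
        | grep -v -E 'GCM|CHACHA20|SHA256|SHA384' | wc -l)
    [ "$weak" -eq 0 ]
}

# Live check to run after the restarts (needs network access; not run here).
# Assumes openssl s_client exits non-zero when the TLS 1.0-only handshake is
# refused, and that the local OpenSSL build still accepts -tls1; if it does
# not, the command fails for that reason and the result is inconclusive.
probe_tls10_refused() {
    if openssl s_client -connect "$1:$2" -tls1 </dev/null >/dev/null 2>&1; then
        echo "FAIL: TLS 1.0 still accepted on $1:$2"
        return 1
    fi
    echo "ok: TLS 1.0 refused on $1:$2"
}

# Constructed sample files: a "before" copy that still allows TLS 1.0 and an
# "after" copy matching the procedure. The certificate path is a placeholder.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/20-vcac.before.cfg" <<'EOF'
frontend vcac
    bind 0.0.0.0:443 ssl crt /etc/pki/placeholder.pem no-sslv3
EOF
cat > "$SAMPLE_DIR/20-vcac.after.cfg" <<'EOF'
frontend vcac
    bind 0.0.0.0:443 ssl crt /etc/pki/placeholder.pem no-sslv3 no-tlsv10
EOF
cat > "$SAMPLE_DIR/security.before.properties" <<'EOF'
consoleproxy.ssl.server.protocols=SSLv2Hello,TLSv1.2,TLSv1.1,TLSv1
EOF
cat > "$SAMPLE_DIR/security.after.properties" <<'EOF'
consoleproxy.ssl.server.protocols=SSLv2Hello,TLSv1.2,TLSv1.1
EOF
cat > "$SAMPLE_DIR/lighttpd.before.conf" <<'EOF'
ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA"
EOF
cat > "$SAMPLE_DIR/lighttpd.after.conf" <<'EOF'
ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
EOF

# Report one PASS/FAIL line per sample file.
report() {
    if "$1" "$2"; then echo "PASS $(basename "$2")"; else echo "FAIL $(basename "$2")"; fi
}
for f in 20-vcac.before.cfg 20-vcac.after.cfg; do report haproxy_tls10_disabled "$SAMPLE_DIR/$f"; done
for f in security.before.properties security.after.properties; do report consoleproxy_tls10_disabled "$SAMPLE_DIR/$f"; done
for f in lighttpd.before.conf lighttpd.after.conf; do report lighttpd_tls12_only "$SAMPLE_DIR/$f"; done
```

On a real appliance, point the three audit functions at the live paths listed in the procedure, and after the reloads run probe_tls10_refused against ports 443, 8444 and 5480 of each node; the internal PostgreSQL port is deliberately excluded, as the note above explains.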

Language Editions

zh_cn: KB 2147651
