
VMware vRA: disable SSLv3 (and TLS 1.0/1.1) and enforce TLS 1.2 for better security and compliance


===========================================================================================
===========================================================================================
Update the HAProxy configuration

cd /etc/haproxy/conf.d/

cat 20-vcac.cfg

backend backend-vrhb
    # Loopback backend on 127.0.0.1:8090, reached over TLS ('ssl').
    # 'verify none' disables certificate verification of the backend; that is
    # tolerable only because the hop never leaves the host - it gives no
    # server authentication, so never copy this form for remote servers.
    mode http
    balance roundrobin
    option forwardfor
    server server1 127.0.0.1:8090 check ssl verify none
/* backend-vrhb: the server line above already carries `ssl verify none`; no change is needed here. */
backend backend-horizon
    # Horizon backend on loopback. The Set-Cookie/Cookie rewrites add a
    # _HZN suffix to JSESSIONID and XSRF-TOKEN on the way out and strip it on
    # the way back in, so this backend's session cookies do not collide with
    # the identically named cookies issued by the vRA and vRO backends.
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_HZN=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_HZN=\1
    http-request replace-value Cookie (.*?)JSESSIONID_HZN=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_HZN=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    timeout check 10s
    # TLS to 127.0.0.1:8443 with certificate verification disabled - only
    # acceptable because the hop stays on the host. NOTE(review): unlike the
    # other backends this server line has no 'check' keyword, so the
    # 'timeout check' above has nothing to apply to; confirm that is intended.
    server local 127.0.0.1:8443 maxconn 500 ssl verify none
/* backend-horizon: in the server line above, change the port from 8080 to 8443 and append `ssl verify none` (HAProxy now speaks TLS to Horizon on loopback; backend certificate verification is skipped). */

backend backend-vra
    # vRA application backend on loopback. Cookies are suffixed _VRA on the
    # response and un-suffixed on the request so they stay distinct from the
    # Horizon (_HZN) and vRO (_VRO) cookies that share the same front end.
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    # TLS to the Tomcat connector on 127.0.0.1:8082 (see /etc/vcac/server.xml).
    # 'verify none' is tolerable only because the peer is loopback.
    server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none
/* backend-vra: append `ssl verify none` to the server line above (the 8082 connector is now HTTPS-only, see the server.xml section below). */

backend backend-vra-health
    # Health-check variant of backend-vra: same loopback target and cookie
    # rewrites, with health-check logging enabled and no maxconn cap.
    mode http
    balance leastconn
    option http-server-close
    option log-health-checks
    option httplog
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    # TLS to loopback 8082; certificate verification skipped (loopback only).
    server local 127.0.0.1:8082 cookie A check ssl verify none
/* backend-vra-health: append `ssl verify none` to the server line above. */
backend backend-vro
    # vRO backend. Cookies are suffixed _VRO / un-suffixed like the other
    # backends. Health checks use the vcac health endpoint on each server.
    # NOTE: this backend continues below with two remote 'backup' servers
    # (node1/node2) that also use 'ssl verify none' - see the note there.
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    option httpchk GET /vcac/services/api/health
    # TLS to the vRO Tomcat connector on 127.0.0.1:8280 (see
    # /etc/vco/app-server/server.xml); 'verify none' is loopback-only here.
    server local 127.0.0.1:8280 cookie A check ssl verify none
/* backend-vro: append `ssl verify none` to the local server line above. The node1/node2 lines that follow are part of the same backend. */

#    server node2 REMOTE-IP:443 cookie A check ssl verify none
    # Continuation of backend-vro: two appliance nodes reached over the
    # network on 443 as 'backup' servers. node1 is this host's own name
    # (compare the 'hostname' output further down), node2 is a second node.
    # NOTE(review): 'verify none' here is a genuine exposure, not a loopback
    # shortcut - HAProxy accepts whatever certificate answers on these names,
    # so an on-path attacker can impersonate a node and read the proxied
    # session. Use 'verify required' with a 'ca-file' pointing at the CA that
    # issued the appliance certificates (and 'verifyhost'/'sni' where the
    # HAProxy version supports them). The CA bundle path on this appliance
    # is not shown on this page; confirm it before changing these lines.
    server node1 chprdvra01.corp.ad.sbi:443 cookie A check ssl verify none backup
    server node2 iprbscva01.corp.ad.sbi:443 cookie A check ssl verify none backup
backend backend-vco-health
    # Health-check variant of backend-vro: loopback 8280 only, same _VRO
    # cookie rewrites, no explicit 'balance' (HAProxy's default applies).
    mode http
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    # TLS to loopback 8280; certificate verification skipped (loopback only).
    server local 127.0.0.1:8280 cookie A check ssl verify none
/* backend-vco-health: append `ssl verify none` to the server line above. */

============================================================
Get the keystore password (keystorePass). The value in security.properties is stored encrypted (the `s2enc~` prefix); `vcac-config prop-util -d` decrypts it. Treat the output as a secret: the plaintext is printed to the terminal and the command line is kept in shell history, so clear both when you are done.
cat /etc/vcac/security.properties
certificate.store.password=s2enc~rWjGkrikQMCz2bJsorki2A\=\=

# Decrypts the s2enc~ value taken from security.properties and prints the
# plaintext keystore password on stdout. The ciphertext ends up in shell
# history and the plaintext in the terminal scrollback - clean up afterwards.
# The '\=\=' is the .properties escaping of the base64 '==' padding.
vcac-config prop-util -d --p s2enc~rWjGkrikQMCz2bJsorki2A\=\=


==============================================================
Configure the vRealize Automation service

cat /etc/vcac/server.xml

<!-- vRA Tomcat HTTPS connector, bound to localhost:8082 (the target of the
     HAProxy backend-vra servers). sslEnabledProtocols="TLSv1.2" is the
     attribute that limits which protocol versions are offered; sslProtocol
     alone does not exclude TLS 1.0/1.1. No 'ciphers' attribute is set, so the
     JVM default cipher list applies - consider restricting it too.
     NOTE(review): keystorePass is the encrypted s2enc~ value copied verbatim
     from security.properties, including its '\=' escapes; in an XML attribute
     those backslashes are literal characters. Confirm against the vRA-shipped
     server.xml which form the keystore loader expects before editing. -->
<Connector URIEncoding="UTF-8" acceptCount="100" acceptorThreadCount="4" address="localhost" connectionTimeout="10000" executor="tomcatThreadPool" maxConnections="1500" maxKeepAliveRequests="120" port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"  sslEnabledProtocols="TLSv1.2" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="s2enc~rWjGkrikQMCz2bJsorki2A\=\=" />
/* Add `sslEnabledProtocols="TLSv1.2"` to the Connector above; this is the attribute that restricts the offered TLS versions. Restart the vcac service afterwards and check the catalina log for keystore errors. */

==============================================================
Configure the vRealize Orchestrator service
cat /etc/vco/app-server/server.xml

<!-- vRO Tomcat HTTPS connector on 127.0.0.1:8280 (target of backend-vro /
     backend-vco-health). server=" " blanks the Server response header.
     sslEnabledProtocols="TLSv1.2" restricts the offered versions; no
     'ciphers' attribute is set, so the JVM default cipher list applies.
     NOTE(review): same caveat as the vRA connector - keystorePass is the
     encrypted s2enc~ value with '\=' escapes copied from a .properties
     file; confirm the expected form before editing. -->
<Connector port="8280" address="127.0.0.1" protocol="HTTP/1.1" URIEncoding="UTF-8"
                   connectionTimeout="20000" server=" "
                   redirectPort="443" maxHttpHeaderSize="163840" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="s2enc~rWjGkrikQMCz2bJsorki2A\=\=" />

/* Add `sslEnabledProtocols="TLSv1.2"` to the vRO Connector above, then restart the vco-server service. */

==============================================================

Configure the Virtual Appliance Management Interface

cat /opt/vmware/share/htdocs/service/cafe-services/services.py
conn = httplib.HTTPS()

/* Change `httplib.HTTP()` to `httplib.HTTPS()` in the line above so the management interface reaches the now HTTPS-only service ports. Caveat: Python 2's legacy httplib.HTTPS class does not verify the server certificate, so this encrypts the loopback hop but does not authenticate the peer. */

=========================================================================
=========================================================================

chprdvra01:~ # hostname
chprdvra01.corp.ad.sbi
chprdvra01:~ # cat /etc/haproxy/conf.d/20-vcac.cfg | grep no-ssl
    bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers !aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH no-sslv3  no-tlsv10 no-tlsv11 force-tls12

/* Append `no-sslv3 no-tlsv10 no-tlsv11 force-tlsv12` to the bind line above (note the spelling: the HAProxy keyword is force-tlsv12, not force-tls12). Run a config check with `haproxy -c` before restarting HAProxy so a rejected keyword cannot leave the appliance without its front end. */

chprdvra01:~ # cat /etc/haproxy/conf.d/30-vro-config.cfg | grep no-ssl
    bind :::8283 v4v6 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11 force-tls12

/* Append `no-sslv3 no-tlsv10 no-tlsv11 force-tlsv12` to the 8283 bind line above (same spelling caveat as for 443). The existing cipher string disables ECDHE and DH key exchange, so this listener has no forward secrecy; leave that unchanged only if the clients require it. */

chprdvra01:~ # cat /opt/vmware/etc/lighttpd/lighttpd.conf | grep "ssl.use"
# lighttpd listener: these two directives disable SSLv2 and SSLv3 only.
# NOTE(review): nothing here restricts TLS 1.0/1.1, so this listener is not
# TLS 1.2-only after this step. lighttpd's minimum-version knob depends on
# the shipped lighttpd/OpenSSL build (newer 1.4.x accept
# ssl.openssl.ssl-conf-cmd with a MinProtocol entry); check what the
# appliance ships before relying on it, and review ssl.cipher-list as well.
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

/* Set both `ssl.use-sslv2` and `ssl.use-sslv3` to "disable" as shown. This removes SSLv2/3 only; TLS 1.0 and 1.1 stay enabled on the lighttpd listener unless a minimum-version directive supported by the shipped lighttpd is also configured. */

chprdvra01:~ # cat /etc/vcac/security.properties | grep consoleproxy
consoleproxy.ssl.server.protocols=TLSv1.2

/* Add `consoleproxy.ssl.server.protocols=TLSv1.2` to /etc/vcac/security.properties as shown. */

chprdvra01:~ # cat /etc/vco/app-server/server.xml | grep sslEnabledProtocols
redirectPort="443" maxHttpHeaderSize="163840" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass=" s2enc~rWjGkrikQMCz2bJsorki2A\=\="  />

/* Set `sslEnabledProtocols="TLSv1.2"` in the vRO Connector as shown. Caution: this grep output shows `keystorePass=" s2enc~…"` with a space after the opening quote, whereas the edited file in the earlier section has none. A leading space becomes part of the password and will most likely make the keystore fail to open, so remove it. */

chprdvra01:~ # cat /etc/vcac/server.xml | grep sslEnabledProtocols
executor="tomcatThreadPool" maxConnections="1500" maxKeepAliveRequests="120" port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"  sslEnabledProtocols="TLSv1.2" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass=" s2enc~rWjGkrikQMCz2bJsorki2A\=\=" />

/* Set `sslEnabledProtocols="TLSv1.2"` in the vRA Connector as shown. The same leading-space problem appears here: `keystorePass=" s2enc~…"` must not have a space after the opening quote (compare the earlier server.xml section). */

chprdvra01:~ # cat /etc/rabbitmq/rabbitmq.config
%% RabbitMQ TLS settings for the vRA message bus. AMQP without TLS is
%% loopback-only (5672 on 127.0.0.1); the TLS listener is on 5671.
[
   {ssl, [
      %% NOTE(review): 'tlsv1.1' is still enabled here, so this step does not
      %% make RabbitMQ TLS 1.2-only. Reducing the list to ['tlsv1.2'] is the
      %% consistent change, but first confirm every AMQP peer (IaaS
      %% components, other appliance nodes) can negotiate TLS 1.2.
      {versions, ['tlsv1.2', 'tlsv1.1']},
      %% Two RSA-key-exchange CBC/SHA1 suites: no forward secrecy. Tighten
      %% only after checking what the peers support.
      {ciphers, ["AES256-SHA", "AES128-SHA"]}
   ]},
   {rabbit, [
      {tcp_listeners, [{"127.0.0.1", 5672}]},
      {frame_max, 262144},
      {ssl_listeners, [5671]},
      {ssl_options, [
         {cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
         {certfile, "/etc/rabbitmq/certs/server/cert.pem"},
         {keyfile, "/etc/rabbitmq/certs/server/key.pem"},
         %% Same version/cipher caveats as the {ssl, ...} section above.
         {versions, ['tlsv1.2', 'tlsv1.1']},
         {ciphers, ["AES256-SHA", "AES128-SHA"]},
         %% verify_peer requests a client certificate, but with
         %% fail_if_no_peer_cert set to false a peer that presents none is
         %% still accepted - client authentication is optional, not enforced.
         {verify, verify_peer},
         {fail_if_no_peer_cert, false}
      ]},
      {mnesia_table_loading_timeout,600000},
      {cluster_partition_handling, autoheal},
      {heartbeat, 600}
   ]},
   {kernel, [{net_ticktime,  120}]}
].

/* Set both `versions` lists as shown. Note that they still include 'tlsv1.1', so RabbitMQ is not TLS 1.2-only after this step; change them to ['tlsv1.2'] only after confirming every AMQP peer supports TLS 1.2. */

chprdvra01:~ # cat /opt/vmware/horizon/workspace/conf/server.xml  | grep sslEnabledProtocols
                sslEnabledProtocols="TLSv1.1,TLSv1.2"
                sslEnabledProtocols="TLSv1.1,TLSv1.2"
chprdvra01:~ #
// Remove TLSv1.1 from both sslEnabledProtocols attributes:
chprdvra01:~ # cat /opt/vmware/horizon/workspace/conf/server.xml  | grep sslEnabledProtocols
                sslEnabledProtocols="TLSv1.2"
                sslEnabledProtocols="TLSv1.2"

/* Remove TLSv1.1 so that both Horizon connectors read `sslEnabledProtocols="TLSv1.2"` as shown. */

chprdvra01:~ #


