By default some localhost communication does not use TLS. You can enable TLS across all localhost connections to provide enhanced security.

Procedure

  1. Connect to the vRealize Automation appliance using SSH.
  2. Set permissions for the vcac keystore by running the following commands.
    chown vcac.pivotal /etc/vcac/vcac.keystore
    chmod 640 /etc/vcac/vcac.keystore
    
  3. Update the HAProxy configuration.
    1. Locate the lines that contain the string "server local 127.0.0.1…" and append "ssl verify none" to the end of each such line.

      These lines appear in backend sections such as the following:

      backend-horizon
      backend-vro
      backend-vra
      backend-artifactory
      backend-vra-health

    2. Change the port for backend-horizon from 8080 to 8443.
  4. Obtain the keystore password (the value to use for keystorePass).
    1. Locate the property certificate.store.password in the /etc/vcac/security.properties file.

      For example, certificate.store.password=s2enc~iom0GXATG+RB8ff7Wdm4Bg==

    2. Decrypt the value using the following command:

      vcac-config prop-util -d --p VALUE

      For example, vcac-config prop-util -d --p s2enc~iom0GXATG+RB8ff7Wdm4Bg==

  5. Configure the vRealize Automation service.
    1. Open the /etc/vcac/server.xml file.
    2. Add the following attributes to the Connector tag, replacing certificate.store.password with the decrypted certificate store password obtained in step 4 (the certificate.store.password property in /etc/vcac/security.properties).
      scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="certificate.store.password"
  6. Configure the vRealize Orchestrator service.
    1. Open the /etc/vco/app/server.xml file.
    2. Add the following attributes to the Connector tag, replacing certificate.store.password with the same decrypted certificate store password obtained in step 4.
      scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="certificate.store.password"
  7. Restart the vRealize Automation, vRealize Orchestrator, and haproxy services.
    service vcac-server restart
    service vco-server restart
    service haproxy restart
  8. Configure the Virtual Appliance Management Interface.
    1. Open the /opt/vmware/share/htdocs/service/café-services/services.py file.
    2. Change the conn = httplib.HTTP() line to conn = httplib.HTTPS() so that the management interface connects to the local services over TLS.
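The following helper script is an added example, not part of the vRealize Automation documentation: it applies the HAProxy and server.xml edits from steps 3, 5 and 6 idempotently and audits the outcome of steps 2, 3, 5, 6 and 8. It runs against constructed sample files so it can be tried offline; the /etc/vcac paths inside the inserted attributes are those from the procedure, and the keystore password is an obvious placeholder.

```shell
#!/bin/sh
# Added helper (not from the vRealize Automation docs). File contents below are
# constructed samples; on the appliance, pass the real HAProxy config,
# /etc/vcac/server.xml, /etc/vco/app/server.xml, keystore and services.py instead.

# Step 3.1: append "ssl verify none" to "server local 127.0.0.1..." lines that lack it.
add_ssl_verify_none() {
    sed '/server local 127\.0\.0\.1/{/ssl verify none/!s/$/ ssl verify none/;}' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}
# Succeeds only when no "server local 127.0.0.1" line is missing "ssl verify none".
haproxy_local_servers_verified() {
    ! grep 'server local 127\.0\.0\.1' "$1" | grep -qv 'ssl verify none'
}

# Steps 5/6: add the TLS attributes to a Connector tag that does not have them yet.
# $2 is the decrypted keystore password from step 4 (never the s2enc~ ciphertext).
add_connector_tls() {
    grep -q 'SSLEnabled="true"' "$1" && return 0
    sed 's|<Connector |<Connector scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="'"$2"'" |' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
connector_tls_enabled() { grep -q 'SSLEnabled="true"' "$1" && grep -q 'keystoreFile="/etc/vcac/vcac.keystore"' "$1"; }

# Step 2: keystore must be mode 640 and owned by the given user:group (vcac:pivotal on the appliance).
keystore_mode_ok()  { [ -n "$(find "$1" -prune -perm 640)" ]; }
keystore_owner_ok() { [ -n "$(find "$1" -prune -user "$2" -group "$3")" ]; }

# Step 8: services.py must open an HTTPS connection and keep no plain-HTTP one.
vami_uses_https() { grep -q 'conn = httplib.HTTPS()' "$1" && ! grep -q 'conn = httplib.HTTP()' "$1"; }

# Constructed sample files standing in for the appliance's configuration.
make_samples() {
    printf 'backend backend-vra\n    server local 127.0.0.1:8443 check ssl verify none\nbackend backend-horizon\n    server local 127.0.0.1:8080 check\n' > "$1/haproxy.cfg"
    printf '<Connector port="8443" protocol="HTTP/1.1" />\n' > "$1/server.xml"
    printf 'conn = httplib.HTTP()\n' > "$1/services.py"
    : > "$1/vcac.keystore"; chmod 640 "$1/vcac.keystore"
}

dir=$(mktemp -d)
make_samples "$dir"
add_ssl_verify_none "$dir/haproxy.cfg"
add_connector_tls "$dir/server.xml" 'REPLACE_WITH_DECRYPTED_PASSWORD'   # placeholder, not a real value
sed 's/httplib\.HTTP()/httplib.HTTPS()/' "$dir/services.py" > "$dir/services.py.tmp" && mv "$dir/services.py.tmp" "$dir/services.py"
for check in "haproxy_local_servers_verified $dir/haproxy.cfg" "connector_tls_enabled $dir/server.xml" \
             "keystore_mode_ok $dir/vcac.keystore" "vami_uses_https $dir/services.py"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
rm -rf "$dir"
```

The owner check is run separately on the appliance as `keystore_owner_ok /etc/vcac/vcac.keystore vcac pivotal`, since the sample run cannot assume those accounts exist.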