Disable TLS 1.0 in applicable vRealize Automation components.

About this task

Lighttpd has no directive that disables TLS 1.0 outright. The exposure can be partially mitigated by restricting the OpenSSL cipher list to suites that exist only in TLS 1.2 (GCM, ChaCha20 and SHA-2 HMAC suites), so a TLS 1.0 client finds no suite it can negotiate; see step 2 below.

Procedure

  1. Disable TLS 1.0 in the HAProxy https handler on the vRealize Automation appliance.
    1. Append no-tlsv10 to the end of the following entry in the /etc/haproxy/conf.d/20-vcac.cfg file.

      bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH no-sslv3 no-tlsv10

    2. Append no-tlsv10 to the end of the following entry in the /etc/haproxy/conf.d/30-vro-config.cfg file.

      bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH no-sslv3 no-tlsv10

    Note:

    To re-enable TLS 1.0 remove no-tlsv10 from the bind directive.

  2. Verify in Lighttpd that OpenSSL does not use cipher suites of TLS 1.0.
    1. Edit the ssl.cipher-list line in the /opt/vmware/etc/lighttpd/lighttpd.conf file as follows.
      ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
    2. Restart lighttpd using the following command:

      service vami-lighttp restart

  3. Disable TLS 1.0 for the Console Proxy on the vRealize Automation appliance.
    1. Add or modify the following line in the /etc/vcac/security.properties file.

      consoleproxy.ssl.server.protocols = TLSv1.2, TLSv1.1

    2. Restart the server by running the following command:

      service vcac-server restart

    Note:

    To re-enable TLS 1.0, add TLSv1 as follows and then restart the vcac-server service:

    consoleproxy.ssl.server.protocols = TLSv1.2, TLSv1.1, TLSv1

  4. Disable TLS 1.0 for the vCO service.
    1. Locate the <Connector> tag in the /etc/vco/app/server/server.xml file and add the following attribute to it:

      sslEnabledProtocols = "TLSv1.1,TLSv1.2"

    2. Restart the vCO service by running the following command:

      service vco-server restart

  5. Disable TLS 1.0 for the vRealize Automation service.
    1. Locate the <Connector> tag in the /etc/vcac/server.xml file and add the following attribute to it:

      sslEnabledProtocols = "TLSv1.1,TLSv1.2"

    2. Restart the vRealize Automation service by running the following command:

      service vcac-server restart

    Note:

    To re-enable TLS 1.0, add TLSv1 to sslEnabledProtocols. For example, sslEnabledProtocols = "TLSv1.1,TLSv1.2,TLSv1"

  6. Disable TLS 1.0 for RabbitMQ.
    1. Open the /etc/rabbitmq/rabbitmq.config file and verify that tlsv1.2 and tlsv1.1 are listed, and tlsv1 is not, in the versions entries of both the ssl and ssl_options sections, as shown in the following example.
      [
         {ssl, [
            {versions, ['tlsv1.2', 'tlsv1.1']},
            {ciphers, ["AES256-SHA", "AES128-SHA"]}
         ]},
         {rabbit, [
            {tcp_listeners, [{"127.0.0.1", 5672}]},
            {frame_max, 262144},
            {ssl_listeners, [5671]},
            {ssl_options, [
               {cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
               {certfile, "/etc/rabbitmq/certs/server/cert.pem"},
               {keyfile, "/etc/rabbitmq/certs/server/key.pem"},
               {versions, ['tlsv1.2', 'tlsv1.1']},
               {ciphers, ["AES256-SHA", "AES128-SHA"]},
               {verify, verify_peer},
               {fail_if_no_peer_cert, false}
            ]},
            {mnesia_table_loading_timeout,600000},
            {cluster_partition_handling, autoheal},
            {heartbeat, 600}
         ]},
         {kernel, [{net_ticktime,  120}]}
      ].
    2. Restart the RabbitMQ server by running the following command:

      service rabbitmq-server restart
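As an added check (not part of the VMware procedure), the following Python audits configuration text shaped like the snippets above for residual TLS 1.0 across all five components; the sample inputs are constructed and trimmed, and the function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# AEAD (GCM/CHACHA20) and SHA-2 HMAC suites exist only in TLS 1.2, so a cipher
# list made solely of them leaves a TLS 1.0/1.1 client nothing to negotiate.
TLS12_ONLY = re.compile(r"GCM|CHACHA20|SHA256|SHA384")

def haproxy_ok(cfg):
    """Every TLS bind line must carry the exact keyword no-tlsv10 (HAProxy rejects 'no-tls10')."""
    binds = [ln.split() for ln in cfg.splitlines()
             if ln.strip().startswith("bind ") and "ssl" in ln.split()]
    return bool(binds) and all("no-tlsv10" in words for words in binds)

def lighttpd_ok(cfg):
    """ssl.cipher-list must be present and contain only TLS 1.2-only suites."""
    m = re.search(r'ssl\.cipher-list\s*=\s*"([^"]*)"', cfg)
    return bool(m) and all(TLS12_ONLY.search(s) for s in m.group(1).split(":"))

def _excludes_tlsv1(value):
    """True when a comma-separated protocol list is set and omits the TLSv1 token."""
    return value is not None and "TLSv1" not in [p.strip() for p in value.split(",")]

def properties_ok(cfg):
    """consoleproxy.ssl.server.protocols must be set and must not list TLSv1."""
    m = re.search(r"^consoleproxy\.ssl\.server\.protocols\s*=\s*(.+)$", cfg, re.M)
    return _excludes_tlsv1(m.group(1) if m else None)

def server_xml_ok(xml):
    """Every <Connector> must set sslEnabledProtocols explicitly, without TLSv1."""
    conns = list(ET.fromstring(xml).iter("Connector"))
    return bool(conns) and all(_excludes_tlsv1(c.get("sslEnabledProtocols")) for c in conns)

def rabbitmq_ok(cfg):
    """Both {versions, [...]} lists (ssl and ssl_options) must omit the atom tlsv1."""
    lists = re.findall(r"\{versions,\s*\[([^\]]*)\]", cfg)
    return len(lists) >= 2 and all("tlsv1" not in re.findall(r"'([^']*)'", l) for l in lists)

# Constructed sample inputs modelled on the page's snippets (trimmed; not real appliance files).
HAPROXY_GOOD = "bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers TLSv1+HIGH no-sslv3 no-tlsv10\n"
HAPROXY_TYPO = "bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers TLSv1+HIGH no-sslv3 no-tls10\n"
LIGHTTPD = 'ssl.cipher-list = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256"\n'
PROPS = "consoleproxy.ssl.server.protocols = TLSv1.2, TLSv1.1\n"
SERVER_XML = '<Server><Service><Connector port="8443" sslEnabledProtocols="TLSv1.1,TLSv1.2"/></Service></Server>'
RABBIT = "[{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]}, {rabbit, [{ssl_options, [{versions, ['tlsv1.2', 'tlsv1.1']}]}]}]."

def audit():
    """Per-component verdict; every value must be True before TLS 1.0 counts as disabled."""
    return {"haproxy": haproxy_ok(HAPROXY_GOOD), "lighttpd": lighttpd_ok(LIGHTTPD),
            "consoleproxy": properties_ok(PROPS), "vcac_vco": server_xml_ok(SERVER_XML),
            "rabbitmq": rabbitmq_ok(RABBIT)}
```

Feed the real file contents to these functions after editing; haproxy_ok(HAPROXY_TYPO) returns False, which is why the exact spelling of the no-tlsv10 keyword matters.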