As part of your hardening process, ensure that the deployed vRealize Automation appliance uses secure transmission channels.

Prerequisites

Complete Enable TLS on Localhost Configuration.

Procedure

  1. Verify that SSLv3 is disabled in the HAProxy HTTPS handlers on the vRealize Automation appliance. For each file listed below, ensure that the no-sslv3 keyword is present on the bind line shown. The no-tlsv10 keyword on the same line additionally disables TLS 1.0.

    File: /etc/haproxy/conf.d/20-vcac.cfg
    Required keyword: no-sslv3
    Line:

      bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH no-sslv3 no-tlsv10

    File: /etc/haproxy/conf.d/30-vro-config.cfg
    Required keyword: no-sslv3
    Line:

      bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH no-sslv3 no-tlsv10

  2. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file and verify that both of the following disable entries are present:

      ssl.use-sslv2 = "disable"
      ssl.use-sslv3 = "disable"

  3. Verify that SSLv3 is disabled for the Console Proxy on the vRealize Automation appliance.
    1. Edit the /etc/vcac/security.properties file by adding or modifying the following line:

      consoleproxy.ssl.server.protocols = TLSv1.2, TLSv1.1

    2. Restart the server by running the following command:

      service vcac-server restart

  4. Verify that SSLv3 is disabled for the vCO service.
    1. Locate the <Connector> tag in the /etc/vco/app-server/server.xml file and add the following attribute:

      sslEnabledProtocols = "TLSv1.1,TLSv1.2"

    2. Restart the vCO service by running the following command:

      service vco-server restart

  5. Verify that SSLv3 is disabled for the vRealize Automation service.
    1. Add the following attribute to the <Connector> tag in the /etc/vcac/server.xml file:

      sslEnabledProtocols = "TLSv1.1,TLSv1.2"

    2. Restart the vRealize Automation service by running the following command:

      service vcac-server restart

  6. Verify that SSLv3 is disabled for RabbitMQ.

    Open the /etc/rabbitmq/rabbitmq.config file and verify that the entry {versions, ['tlsv1.2', 'tlsv1.1']} is present in both the ssl section and the ssl_options section, as in the following example:

    [
      {ssl, [
          {versions, ['tlsv1.2', 'tlsv1.1']},
          {ciphers, ["AES256-SHA", "AES128-SHA"]}
      ]},
       {rabbit, [
          {tcp_listeners, [{"127.0.0.1", 5672}]},
          {frame_max, 262144},
          {ssl_listeners, [5671]},
          {ssl_options, [
             {cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
             {certfile, "/etc/rabbitmq/certs/server/cert.pem"},
             {keyfile, "/etc/rabbitmq/certs/server/key.pem"},
             {versions, ['tlsv1.2', 'tlsv1.1']},
             {ciphers, ["AES256-SHA", "AES128-SHA"]},
             {verify, verify_peer},
             {fail_if_no_peer_cert, false}
          ]},
          {mnesia_table_loading_timeout,600000},
          {cluster_partition_handling, autoheal},
          {heartbeat, 600}
       ]},
       {kernel, [{net_ticktime,  120}]}
    ].
    
  7. Restart the RabbitMQ server by running the following command:

    # service rabbitmq-server restart

  8. Verify that SSLv3 is disabled for the vIDM service.

    Open the /opt/vmware/horizon/workspace/config/server.xml file and, for each <Connector> element that contains SSLEnabled="true", ensure that the following attribute is present:

    sslEnabledProtocols="TLSv1.1,TLSv1.2"
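The steps above touch eight files with five different syntaxes, and a manual grep misses the cases that matter most: a second bind line that lacks no-sslv3, or a multi-line <Connector> whose sslEnabledProtocols attribute sits on a different line from SSLEnabled="true". The following shell script is an added example written for this page, not VMware tooling, that audits every file named in the procedure with the rule each step states. The script name audit-sslv3.sh and the sample configuration tree it builds are constructed for the demonstration, not captured from an appliance; every path under ROOT matches the paths in the steps, so running it with the audit argument on an appliance checks the real files.

```shell
#!/bin/sh
# Added example, not VMware's own tooling: audit the SSLv3 settings that the
# procedure above describes. Paths are resolved under ROOT, so the same checks
# run against the constructed sample tree below and, with ROOT=/, against a
# real vRealize Automation appliance. Script name audit-sslv3.sh is assumed.

# HAProxy: every "bind ... ssl ..." line must carry the no-sslv3 keyword.
haproxy_no_sslv3() {
    awk '/^[[:space:]]*bind[[:space:]]/ && / ssl / && !/ no-sslv3/ { bad++ }
         END { exit (bad > 0) }' "$1"
}

# lighttpd: SSLv2 and SSLv3 must both be explicitly disabled.
lighttpd_no_sslv3() {
    grep -Eq '^[[:space:]]*ssl\.use-sslv2[[:space:]]*=[[:space:]]*"disable"' "$1" &&
    grep -Eq '^[[:space:]]*ssl\.use-sslv3[[:space:]]*=[[:space:]]*"disable"' "$1"
}

# Console proxy: the protocol list must exist, name TLSv1.2 and name no SSL version.
consoleproxy_no_sslv3() {
    line=$(grep -E '^[[:space:]]*consoleproxy\.ssl\.server\.protocols[[:space:]]*=' "$1") || return 1
    case "$line" in
        *SSLv*)    return 1 ;;
        *TLSv1.2*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Tomcat-style server.xml (vCO, vRA, vIDM): a <Connector> may span several lines,
# so each tag is reassembled before checking that every SSLEnabled="true"
# connector carries an sslEnabledProtocols attribute that names no SSL version.
tomcat_no_sslv3() {
    awk '/<Connector/ { intag = 1; buf = "" }
         intag { buf = buf " " $0 }
         intag && />/ { intag = 0
             if (buf ~ /SSLEnabled="true"/ && (buf !~ /sslEnabledProtocols="[^"]*"/ || buf ~ /sslEnabledProtocols="[^"]*SSLv/)) bad++ }
         END { exit (bad > 0) }' "$1"
}

# RabbitMQ: the ssl and ssl_options sections each need a versions list, and
# none of those lists may include sslv3.
rabbitmq_no_sslv3() {
    n=$(grep -c '{versions,' "$1" || true)
    [ "$n" -ge 2 ] && ! grep -Eq '\{versions,[^]]*sslv3' "$1"
}

# Run every check under ROOT, print one line per file and return the number of
# files that failed, so 0 means the appliance matches the procedure.
audit_appliance() {
    root=${1%/}; fails=0
    for spec in \
        haproxy_no_sslv3:/etc/haproxy/conf.d/20-vcac.cfg \
        haproxy_no_sslv3:/etc/haproxy/conf.d/30-vro-config.cfg \
        lighttpd_no_sslv3:/opt/vmware/etc/lighttpd/lighttpd.conf \
        consoleproxy_no_sslv3:/etc/vcac/security.properties \
        tomcat_no_sslv3:/etc/vco/app-server/server.xml \
        tomcat_no_sslv3:/etc/vcac/server.xml \
        rabbitmq_no_sslv3:/etc/rabbitmq/rabbitmq.config \
        tomcat_no_sslv3:/opt/vmware/horizon/workspace/config/server.xml
    do
        check=${spec%%:*}; file=${spec#*:}
        if "$check" "$root$file"; then echo "PASS $file"
        else echo "FAIL $file"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Constructed sample tree, not captured from a real appliance. MODE "hardened"
# writes the settings the procedure requires; "weak" leaves SSLv3 enabled.
make_sample_tree() {
    d=$1
    mkdir -p "$d/etc/haproxy/conf.d" "$d/opt/vmware/etc/lighttpd" "$d/etc/vcac" \
             "$d/etc/vco/app-server" "$d/etc/rabbitmq" "$d/opt/vmware/horizon/workspace/config"
    if [ "$2" = hardened ]; then
        hap=" no-sslv3 no-tlsv10"; lt=disable; proto="TLSv1.2, TLSv1.1"
        tc=' sslEnabledProtocols="TLSv1.1,TLSv1.2"'; rb="'tlsv1.2', 'tlsv1.1'"
    else
        hap=""; lt=enable; proto="SSLv3, TLSv1"; tc=""; rb="'sslv3', 'tlsv1'"
    fi
    printf 'frontend https\n    bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers TLSv1+HIGH%s\n' \
        "$hap" > "$d/etc/haproxy/conf.d/20-vcac.cfg"
    printf 'listen vro\n    bind :8283 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers TLSv1+HIGH%s\n' \
        "$hap" > "$d/etc/haproxy/conf.d/30-vro-config.cfg"
    printf 'ssl.engine = "enable"\nssl.use-sslv2 = "%s"\nssl.use-sslv3 = "%s"\n' \
        "$lt" "$lt" > "$d/opt/vmware/etc/lighttpd/lighttpd.conf"
    printf 'consoleproxy.ssl.server.protocols = %s\n' "$proto" > "$d/etc/vcac/security.properties"
    for f in etc/vco/app-server/server.xml etc/vcac/server.xml \
             opt/vmware/horizon/workspace/config/server.xml; do
        printf '<Server>\n  <Connector port="8080" protocol="HTTP/1.1"/>\n  <Connector port="8443" SSLEnabled="true"\n             scheme="https" secure="true"%s/>\n</Server>\n' \
            "$tc" > "$d/$f"
    done
    printf '[\n  {ssl, [{versions, [%s]}]},\n  {rabbit, [{ssl_options, [{versions, [%s]}]}]}\n].\n' \
        "$rb" "$rb" > "$d/etc/rabbitmq/rabbitmq.config"
}

# "sh audit-sslv3.sh demo" audits a weak and a hardened sample tree;
# "sh audit-sslv3.sh audit /" audits the appliance the script runs on.
case "${1:-}" in
    demo)  t=$(mktemp -d); make_sample_tree "$t/weak" weak; make_sample_tree "$t/hardened" hardened
           audit_appliance "$t/weak" || echo "weak tree: $? file(s) failed"
           audit_appliance "$t/hardened" && echo "hardened tree: all files pass"; rm -rf "$t" ;;
    audit) audit_appliance "${2:-/}" ;;
esac
```

A configuration audit only proves what the files say, not what the listeners negotiate: the services must be restarted as each step requires before the settings take effect. To confirm the running state from another host, use an OpenSSL build that still supports SSLv3 (OpenSSL 1.1.0 and later omit it by default) and check that openssl s_client -connect <appliance>:443 -ssl3 fails with a handshake failure, repeating for ports 8283, 5671 and the vIDM connector port; a successful SSLv3 handshake after a restart means a bind line, connector or listener was missed.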