As part of your hardening process, ensure that the deployed vRealize Automation appliance uses secure transmission channels.

Note:

You cannot run the join cluster operation after disabling TLS 1.0/1.1 and enabling TLS 1.2.

Prerequisites

Complete Enable TLS on Localhost Configuration.

Procedure

  1. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled in the HAProxy https handlers on the vRealize Automation appliance.

    For each of the following files, ensure that the listed keywords are present in the appropriate bind line, as shown.

    File: /etc/haproxy/conf.d/20-vcac.cfg

    Ensure the following is present: no-sslv3 no-tlsv10 no-tlsv11 force-tlsv12

    In the appropriate line as shown:

    bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers !aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11

    File: /etc/haproxy/conf.d/30-vro-config.cfg

    Ensure the following is present: no-sslv3 no-tlsv10 no-tlsv11 force-tlsv12

    In the appropriate line as shown:

    bind :::8283 v4v6 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers !aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11

  2. Restart the service.
    service haproxy restart
  3. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file, and verify that the correct disable entries appear.
    Note:

    Lighttpd has no directive that disables TLS 1.0 or TLS 1.1. This can be partially mitigated by configuring OpenSSL not to use the cipher suites of TLS 1.0 and TLS 1.1.

    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  4. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the Console Proxy on the vRealize Automation appliance.
    1. Edit the /etc/vcac/security.properties file by adding or modifying the following line:

      consoleproxy.ssl.server.protocols = TLSv1.2

    2. Restart the server by running the following command:

      service vcac-server restart

  5. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vCO service.
    1. Locate the <Connector> tag in the /etc/vco/app-server/server.xml file and add the following attribute:

      sslEnabledProtocols="TLSv1.2"

    2. Restart the vCO service by running the following command.

      service vco-server restart

  6. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vRealize Automation service.
    1. Add the following attribute to the <Connector> tag in the /etc/vcac/server.xml file:

      sslEnabledProtocols="TLSv1.2"

    2. Restart the vRealize Automation service by running the following command:

      service vcac-server restart

  7. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for RabbitMQ.

    Open the /etc/rabbitmq/rabbitmq.config file and verify that {versions, ['tlsv1.2', 'tlsv1.1']} is present in both the ssl and ssl_options sections.

    [
      {ssl, [
          {versions, ['tlsv1.2', 'tlsv1.1']},
          {ciphers, ["AES256-SHA", "AES128-SHA"]}
      ]},
       {rabbit, [
          {tcp_listeners, [{"127.0.0.1", 5672}]},
          {frame_max, 262144},
          {ssl_listeners, [5671]},
          {ssl_options, [
             {cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
             {certfile, "/etc/rabbitmq/certs/server/cert.pem"},
             {keyfile, "/etc/rabbitmq/certs/server/key.pem"},
             {versions, ['tlsv1.2', 'tlsv1.1']},
             {ciphers, ["AES256-SHA", "AES128-SHA"]},
             {verify, verify_peer},
             {fail_if_no_peer_cert, false}
          ]},
          {mnesia_table_loading_timeout,600000},
          {cluster_partition_handling, autoheal},
          {heartbeat, 600}
       ]},
       {kernel, [{net_ticktime,  120}]}
    ].
    
  8. Restart the RabbitMQ server.

    service rabbitmq-server restart

  9. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vIDM service.

    Open the /opt/vmware/horizon/workspace/conf/server.xml file and, for each <Connector> element that contains SSLEnabled="true", ensure that the following attribute is present.

    sslEnabledProtocols="TLSv1.2"
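The checks in steps 1, 5, 6, 7 and 9 can be scripted instead of read by eye. The following is an added example, not VMware's code; it audits HAProxy bind lines, Tomcat-style server.xml connectors and the RabbitMQ versions tuples from constructed sample file contents (the SAMPLE_* strings), and would be run against the real file contents on the appliance. Note that the RabbitMQ versions list shown in step 7 still contains tlsv1.1, which this audit reports as a finding against the step's stated goal.

```python
# Added example, not part of the VMware procedure. Replace the constructed
# SAMPLE_* strings with the contents of the files named in the steps above.
import re
import xml.etree.ElementTree as ET

HAPROXY_REQUIRED = ("no-sslv3", "no-tlsv10", "no-tlsv11")  # step 1 keywords
RABBIT_ALLOWED = {"tlsv1.2"}                                 # step 7 goal

def audit_haproxy(cfg):
    """Return 'bind ... ssl' lines that lack any of the required no-* keywords."""
    findings = []
    for line in cfg.splitlines():
        tokens = line.split()
        if tokens[:1] == ["bind"] and "ssl" in tokens:
            if not all(k in tokens for k in HAPROXY_REQUIRED):
                findings.append(line.strip())
    return findings

def audit_tomcat(server_xml):
    """Return ports of SSLEnabled connectors whose sslEnabledProtocols is not exactly TLSv1.2."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "").lower() == "true" and c.get("sslEnabledProtocols") != "TLSv1.2":
            findings.append(c.get("port"))
    return findings

def audit_rabbitmq(cfg):
    """Return TLS versions enabled by any {versions, [...]} tuple other than tlsv1.2."""
    enabled = set()
    for m in re.finditer(r"\{versions,\s*\[([^\]]*)\]\}", cfg):
        enabled.update(v.strip().strip("'") for v in m.group(1).split(","))
    return sorted(enabled - RABBIT_ALLOWED)

# Constructed samples: the second bind line and the port 8444 connector are deliberately weak.
SAMPLE_HAPROXY = """\
frontend https
    bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers ECDH+AESGCM no-sslv3 no-tlsv10 no-tlsv11
    bind :::8283 v4v6 ssl crt /opt/vmware/etc/lighttpd/server.pem no-sslv3 no-tlsv10
"""
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>"""
SAMPLE_RABBIT = "[{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]}]."

if __name__ == "__main__":
    print("haproxy:", audit_haproxy(SAMPLE_HAPROXY))
    print("tomcat:", audit_tomcat(SAMPLE_SERVER_XML))
    print("rabbitmq:", audit_rabbitmq(SAMPLE_RABBIT))
```

An empty list from each function means the file matches what the corresponding step requires; a connector with no sslEnabledProtocols attribute at all is reported, since the steps require the attribute to be present.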