Review the vRealize Automation appliance Console Proxy Service ciphers against the list of acceptable ciphers and disable all of those considered weak.
Disable cipher suites that do not offer authentication such as NULL cipher suites, aNULL, or eNULL. Also disable anonymous Diffie-Hellman key exchange (ADH), export level ciphers (EXP, ciphers containing DES), key sizes smaller than 128 bits for encrypting payload traffic, the use of MD5 as a hashing mechanism for payload traffic, IDEA Cipher Suites, and RC4 cipher suites.
- Open the /etc/vcac/security.properties file in a text editor.
- Add a line to the file to disable the unwanted cipher suites.
Use a variation of the following line:
For example, to disable the AES 128 and AES 256 cipher suites, add the following line:
consoleproxy.ssl.ciphers.disallowed=TLS_DH_DSS_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- Restart the server using the following command.
service vcac-server restart