As part of your hardening process, ensure that the deployed vRealize Automation appliance uses secure transmission channels.

Note: You cannot run the join cluster operation after disabling TLS 1.0/1.1 and enabling TLS 1.2.

Prerequisites

Complete Enable TLS on Localhost Configuration.

Procedure

  1. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled in the HAProxy https handlers on the vRealize Automation appliance.
    For each file below, ensure that the listed keywords are present on the bind line, as shown.

    File: /etc/haproxy/conf.d/20-vcac.cfg
    Ensure the following is present: no-sslv3 no-tlsv10 no-tlsv11 force-tlsv12
    In the appropriate line, as shown:
      bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers !aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11

    File: /etc/haproxy/conf.d/30-vro-config.cfg
    Ensure the following is present: no-sslv3 no-tlsv10 no-tlsv11 force-tlsv12
    In the appropriate line, as shown:
      bind :::8283 v4v6 ssl crt /opt/vmware/etc/lighttpd/server.pem ciphers !aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11
  2. Restart the service.
    service haproxy restart
  3. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the Lighttpd service.
    1. Edit the /opt/vmware/etc/lighttpd/lighttpd.conf file to have the correct "disable" entries.
      ssl.use-sslv2 = "disable"
      ssl.use-sslv3 = "disable"
      ssl.use-tlsv10 = "disable"
      ssl.use-tlsv11 = "disable"
      ssl.use-tlsv12 = "enable"
    2. Restart the Lighttpd service by running the /opt/vmware/etc/init.d/vami-lighttp restart command.
  4. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the Console Proxy on the vRealize Automation appliance.
    1. Edit the /etc/vcac/security.properties file by adding or modifying the following line:
      consoleproxy.ssl.server.protocols = TLSv1.2
    2. Restart the server by running the following command:
      service vcac-server restart
  5. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vCO service.
    1. Locate the <Connector> tag in the /etc/vco/app-server/server.xml file and add the following attribute:
      sslEnabledProtocols = "TLSv1.2"
    2. Restart the vCO service by running the following command.
      service vco-server restart
  6. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vRealize Automation service.
    1. Add the following attribute to the <Connector> tag in the /etc/vcac/server.xml file:
      sslEnabledProtocols = "TLSv1.2"
    2. Restart the vRealize Automation service by running the following command:
      service vcac-server restart
  7. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for RabbitMQ.
    Open the /etc/rabbitmq/rabbitmq.config file and verify that only {versions, ['tlsv1.2']} is present in the ssl and ssl_options sections.
    [
      {ssl, [
          {versions, ['tlsv1.2']},
          {ciphers, ["AES256-SHA", "AES128-SHA"]}
      ]},
       {rabbit, [
          {tcp_listeners, [{"127.0.0.1", 5672}]},
          {frame_max, 262144},
          {ssl_listeners, [5671]},
          {ssl_options, [
             {cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
             {certfile, "/etc/rabbitmq/certs/server/cert.pem"},
             {keyfile, "/etc/rabbitmq/certs/server/key.pem"},
             {versions, ['tlsv1.2']},
             {ciphers, ["AES256-SHA", "AES128-SHA"]},
             {verify, verify_peer},
             {fail_if_no_peer_cert, false}
          ]},
          {mnesia_table_loading_timeout,600000},
          {cluster_partition_handling, autoheal},
          {heartbeat, 600}
       ]},
       {kernel, [{net_ticktime,  120}]}
    ].
    
  8. Restart the RabbitMQ server.
    service rabbitmq-server restart
  9. Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vIDM service.
    1. Take a backup of /opt/vmware/horizon/workspace/conf/catalina.properties.
    2. Remove TLS version 1.1 from the following flag:
      nio-ssl.ssl.protocols=TLSv1.1,TLSv1.2

      After the modification, the flag should read:

      nio-ssl.ssl.protocols=TLSv1.2
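Once the files from steps 1 through 9 have been edited, the result can be audited offline from the file contents alone. The script below is an added example for this page, not VMware tooling; the file snippets it is fed are constructed samples shaped like the files the procedure edits (a hardened set and one that still carries weak settings). On an appliance you would read the real paths named in the steps and pass their text to `audit()`; the logical file names used as keys are assumptions.

```python
"""Audit the TLS-protocol settings this procedure prescribes (added example)."""
import re
import xml.etree.ElementTree as ET

# Step 1: every HAProxy 'bind ... ssl' line must carry all three 'no-*' keywords,
# or 'force-tlsv12', which restricts the listener to TLS 1.2 only.
HAPROXY_NO_KEYWORDS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}

def haproxy_weak_binds(text):
    """Return the TLS bind lines that still allow SSLv3, TLS 1.0 or TLS 1.1."""
    weak = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["bind"] or "ssl" not in tokens:
            continue
        if "force-tlsv12" not in tokens and not HAPROXY_NO_KEYWORDS.issubset(tokens):
            weak.append(line.strip())
    return weak

# Step 3: Lighttpd must disable everything below TLS 1.2 and enable TLS 1.2.
LIGHTTPD_EXPECTED = {
    "ssl.use-sslv2": "disable", "ssl.use-sslv3": "disable",
    "ssl.use-tlsv10": "disable", "ssl.use-tlsv11": "disable",
    "ssl.use-tlsv12": "enable",
}

def lighttpd_findings(text):
    """Map each expected key that is missing or wrong to the value found (None if absent)."""
    seen = dict(re.findall(r'^\s*(ssl\.use-\w+)\s*=\s*"(\w+)"', text, re.M))
    return {k: seen.get(k) for k, v in LIGHTTPD_EXPECTED.items() if seen.get(k) != v}

# Steps 4 and 9: Java-style properties files (security.properties, catalina.properties).
def property_value(text, key):
    """Value of `key = value` in a properties file, or None when the key is absent."""
    for m in re.finditer(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$", text, re.M):
        if m.group(1) == key:
            return m.group(2)
    return None

def only_tls12(value):
    """True when a comma-separated protocol list names exactly TLSv1.2."""
    return value is not None and {p.strip() for p in value.split(",")} == {"TLSv1.2"}

# Steps 5 and 6: Tomcat server.xml; each TLS <Connector> must pin sslEnabledProtocols to TLSv1.2.
def tomcat_weak_connectors(xml_text):
    """Return the ports of TLS connectors whose sslEnabledProtocols is not exactly TLSv1.2."""
    root = ET.fromstring(xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if (c.get("SSLEnabled", "").lower() == "true" or c.get("scheme") == "https")
            and not only_tls12(c.get("sslEnabledProtocols"))]

# Step 7: RabbitMQ Erlang config; every {versions, [...]} term must be exactly ['tlsv1.2'].
def rabbitmq_version_lists(text):
    """Return the protocol set of every {versions, [...]} term, in file order."""
    lists = []
    for m in re.finditer(r"\{versions,\s*\[([^\]]*)\]\}", text):
        lists.append({v.strip().strip("'\"") for v in m.group(1).split(",") if v.strip()})
    return lists

def audit(files):
    """Run every check; `files` maps a logical file name to its text. Returns {check: passed}."""
    rabbit = rabbitmq_version_lists(files["rabbitmq.config"])
    return {
        "haproxy": not haproxy_weak_binds(files["haproxy"]),
        "lighttpd": not lighttpd_findings(files["lighttpd.conf"]),
        "console_proxy": only_tls12(property_value(files["security.properties"],
                                                   "consoleproxy.ssl.server.protocols")),
        "vco_server_xml": not tomcat_weak_connectors(files["vco/server.xml"]),
        "vcac_server_xml": not tomcat_weak_connectors(files["vcac/server.xml"]),
        # the procedure expects the term in both the ssl and the ssl_options section
        "rabbitmq": len(rabbit) >= 2 and all(v == {"tlsv1.2"} for v in rabbit),
        "vidm": only_tls12(property_value(files["catalina.properties"], "nio-ssl.ssl.protocols")),
    }

# Constructed sample inputs (not real appliance files): a hardened set and a weak one.
HARDENED = {
    "haproxy": "frontend https\n  bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem no-sslv3 no-tlsv10 no-tlsv11\n",
    "lighttpd.conf": 'ssl.use-sslv2 = "disable"\nssl.use-sslv3 = "disable"\nssl.use-tlsv10 = "disable"\n'
                     'ssl.use-tlsv11 = "disable"\nssl.use-tlsv12 = "enable"\n',
    "security.properties": "consoleproxy.ssl.server.protocols = TLSv1.2\n",
    "vco/server.xml": '<Server><Service><Connector port="8283" SSLEnabled="true" '
                      'sslEnabledProtocols="TLSv1.2"/></Service></Server>',
    "vcac/server.xml": '<Server><Service><Connector port="443" scheme="https" '
                       'sslEnabledProtocols="TLSv1.2"/></Service></Server>',
    "rabbitmq.config": "[{ssl, [{versions, ['tlsv1.2']}]}, {rabbit, [{ssl_options, [{versions, ['tlsv1.2']}]}]}].",
    "catalina.properties": "nio-ssl.ssl.protocols=TLSv1.2\n",
}
WEAK = dict(HARDENED)
WEAK.update({
    "haproxy": "frontend https\n  bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem no-sslv3\n",
    "lighttpd.conf": 'ssl.use-sslv3 = "disable"\nssl.use-tlsv11 = "enable"\nssl.use-tlsv12 = "enable"\n',
    "catalina.properties": "nio-ssl.ssl.protocols=TLSv1.1,TLSv1.2\n",
})

if __name__ == "__main__":
    for name, passed in audit(WEAK).items():
        print(f"{name:16} {'PASS' if passed else 'FAIL'}")
```

The checks are deliberately strict: a protocol list that merely contains TLSv1.2 (such as the pre-modification vIDM value) fails, because the procedure requires TLS 1.2 to be the only protocol offered. A passing audit confirms the configuration, not the running service; the restart in each step is still required for the setting to take effect.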