Configuring TLS (Secured Authentication) for vRA-vRO Appliances
Scope and Purpose of the Blog
This blog contains the use case and requirements for configuring TLS (Secured Authentication) settings on vRA and vRO appliances.
This document aims at mitigating the major risk of vRA and vRO communicating with the domain controller for LDAP queries in plain text or with weak ciphers.
This document configures the servers and devices to communicate with domain controllers using TLS (Secured Authentication).
Assumptions and Constraints
The following assumptions were made while creating this document:
For performance considerations, TLS is not enabled for localhost connections between some application services. Where defence in depth is a concern, enable TLS on all localhost communications.
Disable insecure protocols such as SSLv2, SSLv3, and TLS 1.0 on all load balancers if TLS is terminated on the load balancer.
vRealize Automation deployment uses strong TLS protocols to secure transmission channels for vRealize Automation appliance components.
vRA and vRO downtime is required for this procedure.
Configuring TLS for vRA Appliance Data in Transit
Enable TLS on Localhost Configuration -
By default, some localhost communication does not use TLS. We can enable TLS across all localhost connections to provide enhanced security.
Procedure:
Connect to the vRealize Automation appliance using SSH.
Set permissions for the vcac keystore by running the following commands:
Update the HAProxy configuration.
Open the HAProxy configuration file /etc/haproxy/conf.d/20-vcac.cfg.
Locate the lines containing the string server local 127.0.0.1… and append ssl verify none to the end of each such line. This section also contains other lines like the following:
Change the port for backend-horizon from 8080 to 8443.
Obtain the keystore password (keystorePass).
Locate the property certificate.store.password in the /etc/vcac/security.properties file.
For example, certificate.store.password=s2enc~iom0GXATG+RB8ff7Wdm4Bg==
Decrypt the value using the following command:
vcac-config prop-util -d --p VALUE
For example, vcac-config prop-util -d --p s2enc~iom0GXATG+RB8ff7Wdm4Bg==
Configure the vRealize Automation service.
Open the /etc/vcac/server.xml file.
Add the following attribute to the Connector tag, replacing certificate.store.password with the certificate store password value found in /etc/vcac/security.properties.
Configure the vRealize Orchestrator service
Open the /etc/vco/app-server.xml file.
Add the following attribute to the Connector tag, replacing certificate.store.password with the certificate store password value found in /etc/vcac/security.properties.
Restart the vRealize Orchestrator, vRealize Automation, and haproxy services.
Note: If the vco-server does not restart, reboot the host computer.
Configure the Virtual Appliance Management Interface.
We can list the status of services by running the following command on the vRealize Automation virtual appliance.
Note: If we enable SSL on the virtual appliance management interface, the Services tab cannot list the status of vRealize Automation services.
Open the /opt/vmware/share/htdocs/service/cafe-services/services.py file.
Change the line conn = httplib.HTTP() to conn = httplib.HTTPS() so that the status check itself uses TLS.
Enable Federal Information Processing Standard (FIPS) 140-2 Compliance -
The vRealize Automation appliance now uses the Federal Information Processing Standard (FIPS) 140-2 certified version of OpenSSL for data in transit over TLS on all inbound and outbound network traffic. We can enable or disable FIPS mode in the vRealize Automation appliance management interface, or configure it from the command line while logged in as root, using the following commands:
When FIPS is enabled, inbound and outbound vRealize Automation appliance network traffic on port 443 uses FIPS 140-2 compliant encryption. Regardless of the FIPS setting, vRealize Automation uses AES-256 to protect secured data stored on the vRealize Automation appliance.
Note: Currently vRealize Automation only partially enables FIPS compliance, because some internal components do not yet use certified cryptographic modules. Where certified modules have not yet been implemented, AES-256 based encryption is used in all cryptographic algorithms.
Note: The following procedure reboots the appliance when the configuration is altered.
Procedure:
Log in as root to the vRealize Automation appliance management interface at https://vrealize-automation-appliance-FQDN:5480
Select vRA > Host Settings.
Click the button under the Actions heading on the upper right to enable or disable FIPS.
Click Yes to restart the vRealize Automation appliance.
Verify that SSLv3, TLS 1.0, and TLS 1.1 are Disabled -
As part of your hardening process, ensure that the deployed vRealize Automation appliance uses secure transmission channels.
Note: The join cluster operation cannot be run after disabling TLS 1.0/1.1 and enabling TLS 1.2.
Prerequisites:
Complete the Enable TLS on Localhost Configuration procedure above (Step 3.1, already done).
Procedure :
Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled in the HAProxy https handlers on the vRealize Automation appliance:
Restart the service using service haproxy restart.
Open the /opt/vmware/etc/lighttpd/lighttpd.conf file, and verify that the correct disable entries appear.
Note: There is no directive to disable TLS 1.0 or TLS 1.1 in Lighttpd. The restriction on TLS 1.0 and TLS 1.1 can be partially mitigated by configuring OpenSSL so that it does not offer the cipher suites used by TLS 1.0 and TLS 1.1.
Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the Console Proxy on the vRealize Automation appliance.
Edit the /etc/vcac/security.properties file, adding or modifying the following line: consoleproxy.ssl.server.protocols = TLSv1.2
Restart the server by running the following command: service vcac-server restart
Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vCO service.
Locate the Connector tag in the /etc/vco/app-server/server.xml file and add the following attribute: sslEnabledProtocols = "TLSv1.2"
Restart the vCO service.
Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vRealize Automation service.
Add the following attribute to the Connector tag in the /etc/vcac/server.xml file: sslEnabledProtocols = "TLSv1.2"
Restart the vRealize Automation service.
Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for RabbitMQ.
Open the /etc/rabbitmq/rabbitmq.config file and verify that only {versions, ['tlsv1.2']} is present in the ssl and ssl_options sections.
Restart the RabbitMQ server using service rabbitmq-server restart.
Verify that SSLv3, TLS 1.0, and TLS 1.1 are disabled for the vIDM service.
Open the /opt/vmware/horizon/workspace/conf/server.xml file, and for each Connector instance that contains SSLEnabled="true", ensure that the following line is present.
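The verification steps above are spread over several files; the following added example (not part of the original post or of VMware's tooling) audits those files in one pass for the settings the procedure requires: ssl verify none on the HAProxy localhost backend from the prerequisite, consoleproxy.ssl.server.protocols, the two Tomcat sslEnabledProtocols attributes, and the RabbitMQ versions list. The ROOT argument and the sample tree it builds are assumptions so the check can run offline; the vIDM server.xml line is elided in the post and is therefore not checked.

```shell
#!/bin/sh
# Added example (not from the original post): audit the appliance files named
# in this procedure for the TLS 1.2-only settings it requires. ROOT ($1) is a
# directory prefix so the check can run on the live appliance ("") or on a
# copied tree; the sample tree below is constructed for illustration only.

check_tls12_only() {
    root="${1:-}"; fail=0
    # Prerequisite ("Enable TLS on Localhost"): every "server local 127.0.0.1"
    # line in 20-vcac.cfg must carry "ssl verify none"; a missing file also fails.
    backends=$(grep -E '^[[:space:]]*server[[:space:]]+local[[:space:]]+127\.0\.0\.1' \
        "$root/etc/haproxy/conf.d/20-vcac.cfg" 2>/dev/null || true)
    if [ -z "$backends" ] || printf '%s\n' "$backends" | grep -Evq 'ssl verify none'; then
        echo "FAIL: HAProxy localhost backend without 'ssl verify none'"; fail=1
    fi
    # Console Proxy: security.properties must pin TLSv1.2 and nothing else
    grep -Eq '^consoleproxy\.ssl\.server\.protocols[[:space:]]*=[[:space:]]*TLSv1\.2[[:space:]]*$' \
        "$root/etc/vcac/security.properties" 2>/dev/null \
        || { echo "FAIL: consoleproxy.ssl.server.protocols is not TLSv1.2"; fail=1; }
    # vCO and vRA Tomcat connectors: sslEnabledProtocols must be exactly "TLSv1.2"
    for f in /etc/vco/app-server/server.xml /etc/vcac/server.xml; do
        grep -Eq 'sslEnabledProtocols[[:space:]]*=[[:space:]]*"TLSv1\.2"' "$root$f" 2>/dev/null \
            || { echo "FAIL: sslEnabledProtocols is not TLSv1.2 in $f"; fail=1; }
    done
    # RabbitMQ: every {versions, [...]} entry must list only 'tlsv1.2'
    versions=$(grep -Eo "[{]versions,[[:space:]]*\[[^]]*\][}]" \
        "$root/etc/rabbitmq/rabbitmq.config" 2>/dev/null || true)
    if [ -z "$versions" ] || printf '%s\n' "$versions" | grep -Evq "^[{]versions,[[:space:]]*\['tlsv1\.2'\][}]$"; then
        echo "FAIL: RabbitMQ versions is not restricted to tlsv1.2"; fail=1
    fi
    return $fail
}

# Constructed sample tree with the paths the procedure edits (not copied from a
# real appliance); every setting is compliant, so the check passes on it.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/etc/haproxy/conf.d" "$d/etc/vcac" "$d/etc/vco/app-server" "$d/etc/rabbitmq"
    printf 'backend backend-horizon\n    server local 127.0.0.1:8443 check ssl verify none\n' > "$d/etc/haproxy/conf.d/20-vcac.cfg"
    printf 'consoleproxy.ssl.server.protocols = TLSv1.2\n' > "$d/etc/vcac/security.properties"
    printf '<Connector SSLEnabled="true" sslEnabledProtocols="TLSv1.2" />\n' > "$d/etc/vcac/server.xml"
    printf '<Connector SSLEnabled="true" sslEnabledProtocols="TLSv1.2" />\n' > "$d/etc/vco/app-server/server.xml"
    printf "[{rabbit, [{ssl_options, [{versions, ['tlsv1.2']}]}]}].\n" > "$d/etc/rabbitmq/rabbitmq.config"
}

tmp=$(mktemp -d) && make_sample_tree "$tmp" && check_tls12_only "$tmp" && echo "PASS: TLS 1.2-only settings present"
rm -rf "$tmp"
```

Run it on the appliance as check_tls12_only "" after the restarts; any FAIL line names the file whose setting still permits an older protocol.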
Configuring TLS Cipher Suites for vRealize Automation Components -
For maximum security, we must configure vRealize Automation components to use strong ciphers.
The encryption cipher negotiated between the server and the browser determines the encryption strength that is used in a TLS session. To ensure that only strong ciphers are selected, disable weak ciphers in vRealize Automation components.
Configure the server to support only strong ciphers and to use sufficiently large key sizes. Also, configure all ciphers in a suitable order. Disable cipher suites that do not offer authentication such as NULL cipher suites, aNULL, or eNULL. Also disable anonymous Diffie-Hellman key exchange (ADH), export level ciphers (EXP, ciphers containing DES), key sizes smaller than 128 bits for encrypting payload traffic, the use of MD5 as a hashing mechanism for payload traffic, IDEA Cipher Suites, and RC4 cipher suites. Also ensure that cipher suites using Diffie-Hellman (DHE) key exchange are disabled.
Disable Weak Ciphers in HAProxy:
Review the vRealize Automation appliance HAProxy service ciphers against the list of acceptable ciphers and disable all of those considered weak. Disable cipher suites that do not offer authentication such as NULL cipher suites, aNULL, or eNULL.
Also disable anonymous Diffie-Hellman key exchange (ADH), export level ciphers (EXP, ciphers containing DES), key sizes smaller than 128 bits for encrypting payload traffic, the use of MD5 as a hashing mechanism for payload traffic, IDEA Cipher Suites, and RC4 cipher suites.
Procedure:
Review the /etc/haproxy/conf.d/20-vcac.cfg file ciphers entry of the bind directive and disable any that are considered weak.
Review the /etc/haproxy/conf.d/30-vro-config.cfg file ciphers entry of the bind directive and disable any that are considered weak.
Disable Weak Ciphers in the vRealize Automation Appliance Console Proxy Service:
Review the vRealize Automation appliance Console Proxy Service ciphers against the list of acceptable ciphers and disable all of those considered weak. Disable cipher suites that do not offer authentication such as NULL cipher suites, aNULL, or eNULL.
Also disable anonymous Diffie-Hellman key exchange (ADH), export level ciphers (EXP, ciphers containing DES), key sizes smaller than 128 bits for encrypting payload traffic, the use of MD5 as a hashing mechanism for payload traffic, IDEA Cipher Suites, and RC4 cipher suites.
Procedure :
Open the /etc/vcac/security.properties file in a text editor.
Add a line to the file to disable the unwanted cipher suites.
Use a variation of the following line:
consoleproxy.ssl.ciphers.disallowed=cipher_suite_1, cipher_suite_2,etc
For example, to disable the AES 128 and AES 256 cipher suites, add the following line:
Restart the vCAC server.
Disable Weak Ciphers in the vRealize Automation vCO Service:
Review vRealize Automation appliance vCO Service ciphers against the list of acceptable ciphers and disable all of those considered weak. Disable cipher suites that do not offer authentication such as NULL cipher suites, aNULL, or eNULL.
Also disable anonymous Diffie-Hellman key exchange (ADH), export level ciphers (EXP, ciphers containing DES), key sizes smaller than 128 bits for encrypting payload traffic, the use of MD5 as a hashing mechanism for payload traffic, IDEA Cipher Suites, and RC4 cipher suites.
Procedure:
Locate the Connector tag in the /etc/vco/app-server/server.xml file.
Edit or add the cipher attribute to use the desired cipher suites, as in the following example:
Disable Weak Ciphers in the vRealize Automation RabbitMQ Service:
Review vRealize Automation appliance RabbitMQ Service ciphers against the list of acceptable ciphers and disable all of those that are considered weak. Disable cipher suites that do not offer authentication such as NULL cipher suites, aNULL, or eNULL.
Also disable anonymous Diffie-Hellman key exchange (ADH), export level ciphers (EXP, ciphers containing DES), key sizes smaller than 128 bits for encrypting payload traffic, the use of MD5 as a hashing mechanism for payload traffic, IDEA Cipher Suites, and RC4 cipher suites.
Procedure:
Evaluate the supported cipher suites by running the command /usr/sbin/rabbitmqctl eval 'ssl:cipher_suites().'
The ciphers returned in the following example are only the supported ciphers; the RabbitMQ server does not use or advertise them unless configured to do so in the rabbitmq.config file.
Select supported ciphers that meet the security requirements for your organization.
For example, to allow only ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384, open the /etc/rabbitmq/rabbitmq.config file and add the following line to the ssl and ssl_options sections.
Restart the RabbitMQ service.
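The same weak-cipher policy is restated for HAProxy, the Console Proxy, vCO and RabbitMQ above. The following added example (not part of the original post) encodes that policy once as a name filter over OpenSSL-style cipher suite names, the naming used by the HAProxy bind ciphers entry and by the RabbitMQ example above, and emits the survivors as a colon-separated HAProxy ciphers string. The sample list is constructed; the filter works on suite names only, so sub-128-bit suites are caught through their EXP and DES markers, and ECDHE is deliberately kept while DHE is dropped, as the post requires.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's weak-cipher
# policy to a list of OpenSSL-style cipher suite names (one per line) and
# build the HAProxy bind "ciphers" value from the suites that survive.

# Rejected by the policy: NULL/aNULL/eNULL, anonymous DH (ADH, AECDH), export
# grades (EXP), DES and 3DES, MD5, IDEA, RC4, and DHE/EDH key exchange.
# "^(DHE|EDH)-" matches only a leading DHE, so ECDHE-* suites are kept.
WEAK_CIPHER_RE='NULL|^A(EC)?DH-|^EXP|DES|MD5|IDEA|RC4|^(DHE|EDH)-'

# Exit 0 when the single suite name given as $1 violates the policy.
is_weak_cipher() {
    printf '%s\n' "$1" | grep -Eq "$WEAK_CIPHER_RE"
}

# Read suite names from stdin, print only the acceptable ones.
filter_strong_ciphers() {
    grep -Ev "$WEAK_CIPHER_RE" | grep -E '.'
}

# Read suite names from stdin, print one colon-separated HAProxy ciphers list.
haproxy_cipher_list() {
    filter_strong_ciphers | tr '\n' ':' | sed 's/:$//'
}

# Constructed sample mixing acceptable and rejected suites (not real output
# from an appliance); only the first three and AES256-SHA should survive.
SAMPLE_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
RC4-SHA
ECDHE-RSA-NULL-SHA
AECDH-AES128-SHA
EXP-RC2-CBC-MD5
IDEA-CBC-SHA'

echo "Suites kept by the policy:"
printf '%s\n' "$SAMPLE_CIPHERS" | filter_strong_ciphers
echo "HAProxy bind ciphers value:"
printf '%s\n' "$SAMPLE_CIPHERS" | haproxy_cipher_list
```

Feed it the suites your OpenSSL build actually offers (for example the output of openssl ciphers -v ALL, one name per line) to derive the list to place in the HAProxy bind ciphers entry; the RabbitMQ and Tomcat settings take the same names in their own syntax.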