My peers and I were assisting a project where vRealize Automation 7.x was to be deployed and hardened.
We found that the hardening document contains a number of issues and misconfigurations in certain sections, which have to be called out.
The document in question is the hardening guide, version 7.6.
I will call out the sections where issues were seen after implementing them. Not all sections are discussed here, as most of them are straightforward.
The problematic sections are:
"Enable TLS on Localhost Configuration", page 22
"Verify that SSLv3, TLS 1.0, and TLS 1.1 are Disabled", page 24
Let's start with the section "Enable TLS on Localhost Configuration".
Step 1
SSH to the vRA appliance.
Step 2
Set permissions on the vcac keystore by running the following commands:
usermod -A vco,coredump,pivotal vco
chown vcac.pivotal /etc/vcac/vcac.keystore
chmod 640 /etc/vcac/vcac.keystore
Execute this exactly as shown in the document; there are no changes to this step.
Step 3
The documentation states that you should perform the following steps:
Update the HAProxy configuration.
Open the HAProxy configuration directory /etc/haproxy/conf.d and choose the 20-vcac.cfg service file.
Locate the lines containing the following string:
server local 127.0.0.1…
and add the following to the end of such lines:
ssl verify none
It states that the change has to be performed under the following sections of the 20-vcac.cfg file:
backend backend-vrhb
backend backend-horizon
backend backend-vro
backend backend-vra
backend backend-artifactory
backend backend-vra-health
But when you take a look at the file, there is no backend-artifactory section in it, so that is a mistake in the guide.
The only backends available in the file are:
backend backend-vrhb
backend backend-horizon
backend backend-vra
backend backend-vra-health
backend backend-vro
backend backend-vco-health
Another important change missing from the documentation is that the backend-vro server port has to be changed from 8280 to 8281.
NOTE: TAKE A BACKUP OF THE ORIGINAL FILES BEFORE MAKING CHANGES
The /etc/haproxy/conf.d/20-vcac.cfg file after the changes:
backend backend-horizon
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_HZN=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_HZN=\1
    http-request replace-value Cookie (.*?)JSESSIONID_HZN=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_HZN=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    timeout check 10s
    server local 127.0.0.1:8443 maxconn 500 ssl verify none

backend backend-vra
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none

backend backend-vra-health
    mode http
    balance leastconn
    option http-server-close
    option log-health-checks
    option httplog
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 cookie A check ssl verify none

backend backend-vro
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    option httpchk GET /vcac/services/api/health
    server local 127.0.0.1:8281 cookie A check ssl verify none
    # server node2 REMOTE-IP:443 cookie A check ssl verify none

backend backend-vco-health
    mode http
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8280 cookie A check
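To catch the two mistakes described above before restarting HAProxy, here is an added shell check that is not part of the post or of VMware's guide. It audits a 20-vcac.cfg for server local 127.0.0.1 lines that lack ssl verify none in the backends you name, and flags a backend-vro that still points at 8280 instead of 8281. It assumes the file layout shown above (one backend header per section, one server local line per backend); the sample configuration embedded in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the vRA hardening guide or the post): audit a
# 20-vcac.cfg for the two points raised in Step 3.
# Assumed: the layout shown in the post, i.e. "backend NAME" headers at
# column 0 and one "server local 127.0.0.1:PORT ..." line per backend.

# Constructed sample config: backend-vra is already correct, backend-vro is
# still on 8280 and lacks "ssl verify none", backend-vco-health is left on
# plain 8280 on purpose (the post does not change it).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
backend backend-vra
    mode http
    server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none
backend backend-vro
    mode http
    server local 127.0.0.1:8280 cookie A check
backend backend-vco-health
    mode http
    server local 127.0.0.1:8280 cookie A check
EOF

# audit_vcac_cfg FILE BACKEND...
# Prints one finding per line as "<backend> <problem>". Only the backends
# listed on the command line are expected to use TLS to localhost;
# backend-vro must additionally point at port 8281.
audit_vcac_cfg() {
    cfg=$1; shift
    expected=" $* "
    awk -v expected="$expected" '
        /^backend / { backend = $2; next }
        /^[[:space:]]*server local 127\.0\.0\.1:/ {
            # skip backends the caller did not ask about
            if (index(expected, " " backend " ") == 0) next
            split($3, hp, ":"); port = hp[2]
            if ($0 !~ /ssl verify none$/)
                print backend " missing-ssl-verify-none"
            if (backend == "backend-vro" && port != "8281")
                print backend " wrong-port-" port
        }
    ' "$cfg"
}

# Number of findings; 0 means the named backends are hardened as described.
audit_finding_count() {
    audit_vcac_cfg "$@" | wc -l | tr -d ' '
}

# Run against the constructed sample with the backends the post changes.
audit_vcac_cfg "$SAMPLE_CFG" backend-vrhb backend-horizon backend-vra backend-vra-health backend-vro
```

On an appliance, run audit_vcac_cfg /etc/haproxy/conf.d/20-vcac.cfg backend-vrhb backend-horizon backend-vra backend-vra-health backend-vro after editing; an empty result means every named backend talks TLS to localhost and vRO is on 8281. backend-vco-health is deliberately not passed, since the post leaves it on plain 8280.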
Step 4
Get the keystore password (keystorePass).
Locate the property certificate.store.password in the /etc/vcac/security.properties file.
Example:
certificate.store.password=s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=
The guide then asks you to decrypt that value with the following command, passing the value taken from security.properties:
vcac-config prop-util -d --p VALUE
The output looks like this (the decrypted value is printed without a trailing newline, so the next prompt follows it on the same line):
[master] sbivra:~ # vcac-config prop-util -d --p s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=
password[master] asbvra:~ #
So the decrypted value is a plain-text password, in this case literally password.
Step 5
This step asks you to "Configure the vRealize Automation service".
The document states:
Open the /etc/vcac/server.xml file and add the attributes below to the Connector tag, replacing certificate.store.password with the certificate store password value found in /etc/vcac/security.properties.
scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="certificate.store.password"
If you follow this literally, you will end up with the following:
scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="s2enc~00k52MwbaLOWSpiLLl9d2Q\=\="
But this is wrong: Tomcat expects the plain-text keystore password in keystorePass, not the s2enc~ encrypted value from security.properties.
You have to use the decrypted password, which in this case is simply password.
The correct Connector element is as below:
<Connector URIEncoding="UTF-8" acceptCount="100" acceptorThreadCount="4" address="localhost" connectionTimeout="10000" executor="tomcatThreadPool" maxConnections="1500" maxKeepAliveRequests="120" port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" sslEnabledProtocols = "TLSv1.2" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="password"/>
Step 6
Here too you have to use the decrypted password in the attribute, not the encrypted one.
The correct Connector element for vRO is as below:
<Connector port="8281" address="127.0.0.1" protocol="com.vmware.o11n.coyote.http11.O11nHttp11Protocol" URIEncoding="UTF-8" connectionTimeout="20000" server=" " scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/var/lib/vco/app-server/conf/security/jssecacerts" keyAlias="dunes" truststorePass="password" truststoreFile="/var/lib/vco/app-server/conf/security/tctruststore" sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" redirectPort="443" maxHttpHeaderSize="163840"/>
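As an added check (not from the post or the guide), the shell snippet below inspects a Tomcat Connector line the way Step 5 and Step 6 warn about: it flags a keystorePass or truststorePass that still carries the s2enc~ encrypted value copied from security.properties, and reports whether sslEnabledProtocols restricts the connector to TLSv1.2 as the corrected elements above do. The two connector strings are constructed for the example; the encrypted value in the first one is a placeholder, not a real s2enc~ blob.

```shell
#!/bin/sh
# Added example (not part of the post or of VMware's guide): check a Tomcat
# <Connector .../> line for the mistakes described in Step 5 and Step 6.
# Assumed: the attribute names used in the post's server.xml excerpts and a
# connector element that sits on a single line.

# Constructed examples. The first follows the guide literally (encrypted
# value pasted into keystorePass, no protocol restriction); the second uses
# the decrypted value and TLSv1.2 only. The s2enc~ value is a placeholder.
WRONG_CONNECTOR='<Connector port="8082" address="localhost" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="s2enc~PLACEHOLDERENCRYPTEDVALUE=="/>'
RIGHT_CONNECTOR='<Connector port="8082" address="localhost" sslEnabledProtocols = "TLSv1.2" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="password"/>'

# attr NAME LINE: print the value of attribute NAME (empty if absent).
# Tolerates spaces around "=" as in the post's sslEnabledProtocols = "TLSv1.2".
attr() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# check_connector LINE: print one finding per line; nothing means it is sane.
check_connector() {
    line=$1
    # An s2enc~ prefix means the encrypted property value was pasted in
    # instead of the output of "vcac-config prop-util -d".
    for name in keystorePass truststorePass; do
        val=$(attr "$name" "$line")
        case $val in
            s2enc~*) echo "$name still-encrypted" ;;
        esac
    done
    [ "$(attr SSLEnabled "$line")" = "true" ] || echo "SSLEnabled not-true"
    # Without sslEnabledProtocols="TLSv1.2" the connector may still offer
    # TLS 1.0/1.1, which the guide's page 24 section requires to be disabled.
    case $(attr sslEnabledProtocols "$line") in
        TLSv1.2) ;;
        "")      echo "sslEnabledProtocols missing" ;;
        *)       echo "sslEnabledProtocols not-restricted-to-TLSv1.2" ;;
    esac
}

# connector_finding_count LINE: number of findings for one connector line.
connector_finding_count() {
    check_connector "$1" | wc -l | tr -d ' '
}

echo "guide-literal connector:"; check_connector "$WRONG_CONNECTOR"
echo "corrected connector:";     check_connector "$RIGHT_CONNECTOR"
```

To run it against a live appliance, pass one extracted line, for example check_connector "$(grep -m1 'keystoreFile=' /etc/vcac/server.xml)"; the attribute extraction only works when the Connector element is on a single line, as it is in the excerpts above.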
Content being updated.