top of page

Experienced Technology Product Manager adept at steering success throughout the entire product lifecycle, from conceptualization to market delivery. Proficient in market analysis, strategic planning, and effective team leadership, utilizing data-driven approaches for ongoing enhancements.

  • Twitter
  • LinkedIn
White Background

Enable TLS on Localhost Configuration as part of vRealize Automation Hardening 7.x

I and my peers were assisting a project where vRealize Automation 7.x was supposed to be deployed and hardened.


Found out that there are lots of issues/misconfigurations inside the document for certain sections which has to be called out.


Click here for the hardening guide version 7.6


I would call out certain sections where issues were seen after implementing it. Not all sections will be discussed here as most of them are straight forward.


Problematic sections are

  • "Enable TLS on Localhost Configuration", Page 22

  • "Verify that SSLv3, TLS 1.0, and TLS 1.1" are Disabled, Page 24


Let's start with the section "Enable TLS on Localhost Configuration"


Step 1

Take SSH to vRA appliance


Step 2

Set permissions for the vcac keystore by running the following commands


usermod -A vco,coredump,pivotal vco 
chown vcac.pivotal /etc/vcac/vcac.keystore 
chmod 640 /etc/vcac/vcac.keystore

Execute this as shown in the document, there are no changes to this step


Step 3

According to documentation, it states to perform following steps


Update the HAProxy configuration


Open the HAProxy configuration file located at /etc/haproxy/conf.d and choose the 20- vcac.cfg service


Locate the lines containing the following string:

server local 127.0.0.1… 

and add the following to the end of such lines:

 ssl verify none 

It states that the change has to be performed under the following sections of 20-vcac.cfg file


 backend backend-vrhb
 backend-horizon 
 backend-vro 
 backend-vra 
 backend-artifactory 
 backend-vra-health

But when you take a look at the file , there is no backend-artifactory section in it. So that's a mistake


The only backend's which are available are


backend backend-vrhb
backend backend-horizon
backend backend-vra
backend backend-vra-health
backend backend-vro
backend backend-vco-health

Another important change in the documentation which is missing is that backend-vro port has to be changed from 8280 to 8281


NOTE : TAKE A BACKUP OF ORIGINAL FILES BEFORE CHANGES


/etc/haproxy/20-vcac.cfg file after changes


backend backend-horizon
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_HZN=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_HZN=\1
    http-request replace-value Cookie (.*?)JSESSIONID_HZN=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_HZN=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    timeout check 10s
    server local 127.0.0.1:8443 maxconn 500 ssl verify none

backend backend-vra
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none

backend backend-vra-health
    mode http
    balance leastconn
    option http-server-close
    option log-health-checks
    option httplog
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 cookie A check ssl verify none

backend backend-vro
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    option httpchk GET /vcac/services/api/health
    server local 127.0.0.1:8281 cookie A check ssl verify none
#    server node2 REMOTE-IP:443 cookie A check ssl verify none

backend backend-vco-health
    mode http
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8280 cookie A check


Step 4

Get the password of keystorePass.

Locate the property certificate.store.password in the /etc/vcac/security.properties file.


Example

certificate.store.password=s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=

Then it asks to decrypt the value using the command the password from the security.properties file

vcac-config prop-util -d --p VALUE

The output would be as below

[master] sbivra:~ # vcac-config prop-util -d --p s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=
password[master] asbvra:~ #

So the decrypted password is actually a plain text password


Step 5

This step asks you to "Configure the vRealize Automation service"


document states

Open the /etc/vcac/server.xml file and it asks to add the below attribute to the Connector tag, replacing certificate.store.password with the certificate store password value found in /etc/vcac/security.properties.


scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/ vcac.keystore" keyAlias="apache" keystorePass="certificate.store.password"

But if you follow this as it is you will end up doing as follows


scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/ vcac.keystore" keyAlias="apache" keystorePass="s2enc~00k52MwbaLOWSpiLLl9d2Q\=\="

But this is wrong.

You have to use the decrypted password which is nothing but password

The correct attribute is as below

 <Connector URIEncoding="UTF-8" acceptCount="100" acceptorThreadCount="4" address="localhost" connectionTimeout="10000" executor="tomcatThreadPool" maxConnections="1500" maxKeepAliveRequests="120" port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" sslEnabledProtocols = "TLSv1.2" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="password"/>

Step 6

Even here you ave to use just the decrypted password in the attribute. Not the encrypted one


The correct attribute is as below



<Connector port="8281" address="127.0.0.1" protocol="com.vmware.o11n.coyote.http11.O11nHttp11Protocol" URIEncoding="UTF-8" connectionTimeout="20000" server=" " scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/var/lib/vco/app-server/conf/security/jssecacerts" keyAlias="dunes" truststorePass="password" truststoreFile="/var/lib/vco/app-server/conf/security/tctruststore" sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" redirectPort="443" maxHttpHeaderSize="163840"/>




content being updated............


599 views0 comments

댓글

별점 5점 중 0점을 주었습니다.
등록된 평점 없음

평점 추가
bottom of page