
Enable TLS on Localhost Configuration as part of vRealize Automation Hardening 7.x

My peers and I were assisting a project in which vRealize Automation 7.x was to be deployed and hardened.


We found that the hardening guide contains a number of issues and misconfigurations in certain sections, which need to be called out.


The document referenced throughout is the vRealize Automation hardening guide, version 7.6.


This post calls out the sections where issues showed up after implementing them. Not every section is discussed here; most of them are straightforward.


The problematic sections are:

  • "Enable TLS on Localhost Configuration", page 22

  • "Verify that SSLv3, TLS 1.0, and TLS 1.1 are Disabled", page 24


Let's start with the section "Enable TLS on Localhost Configuration"


Step 1

Take SSH to vRA appliance


Step 2

Set permissions for the vcac keystore by running the following commands


usermod -A vco,coredump,pivotal vco 
chown vcac.pivotal /etc/vcac/vcac.keystore 
chmod 640 /etc/vcac/vcac.keystore

Execute these exactly as shown in the document; there are no changes to this step.


Step 3

The documentation states that the following steps are to be performed:


Update the HAProxy configuration


Open the HAProxy configuration directory /etc/haproxy/conf.d and edit the 20-vcac.cfg service file.


Locate the lines containing the following string:

server local 127.0.0.1 

and add the following to the end of such lines:

 ssl verify none 

It states that the change has to be performed under the following backend sections of the 20-vcac.cfg file:


backend backend-vrhb
backend backend-horizon
backend backend-vro
backend backend-vra
backend backend-artifactory
backend backend-vra-health

But when you look at the file, there is no backend-artifactory section in it, so that entry in the guide is a mistake.


The only backends actually present in the file are:


backend backend-vrhb
backend backend-horizon
backend backend-vra
backend backend-vra-health
backend backend-vro
backend backend-vco-health

Another change the documentation omits: in backend-vro the server port has to be changed from 8280 to 8281. The vRO connector that carries SSLEnabled="true" (see Step 6) listens on 8281, so an HAProxy server line with ssl pointed at 8280 would be speaking TLS to a plain-HTTP port. backend-vco-health is left on 8280 without ssl.


NOTE : TAKE A BACKUP OF ORIGINAL FILES BEFORE CHANGES


/etc/haproxy/conf.d/20-vcac.cfg after the changes


backend backend-horizon
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_HZN=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_HZN=\1
    http-request replace-value Cookie (.*?)JSESSIONID_HZN=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_HZN=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    timeout check 10s
    server local 127.0.0.1:8443 maxconn 500 ssl verify none

backend backend-vra
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none

backend backend-vra-health
    mode http
    balance leastconn
    option http-server-close
    option log-health-checks
    option httplog
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 cookie A check ssl verify none

backend backend-vro
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    option httpchk GET /vcac/services/api/health
    server local 127.0.0.1:8281 cookie A check ssl verify none
#    server node2 REMOTE-IP:443 cookie A check ssl verify none

backend backend-vco-health
    mode http
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8280 cookie A check
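The edit described in Step 3 is easy to get wrong by hand (missing one backend, touching the commented node2 line, forgetting the backend-vro port, or appending ssl verify none twice on a second pass). The following POSIX shell script is an added example, not the hardening guide's or the original post's code: it applies exactly that edit, restricted to the backends listed above, keeps a backup as the NOTE asks, and is safe to run more than once. The config embedded in it is a constructed, much shorter stand-in for the real 20-vcac.cfg; the haproxy -c syntax check over the conf.d directory is an assumption about how the appliance loads its config, and the script rolls back if that check fails. Keep in mind that ssl verify none makes HAProxy encrypt the loopback hop but not authenticate the backend certificate; that is the trade-off the guide accepts for 127.0.0.1.

```shell
#!/bin/sh
# Added example: applies the Step 3 edit to a 20-vcac.cfg-style file.
# Not the hardening guide's script. The file path is the one named above;
# the sample config below is constructed and far shorter than the real one.

# Backends whose "server local 127.0.0.1" line gets "ssl verify none".
# backend-vco-health is deliberately absent: it stays plain HTTP on 8280.
TLS_BACKENDS="backend-vrhb backend-horizon backend-vra backend-vra-health backend-vro"

# Constructed stand-in for /etc/haproxy/conf.d/20-vcac.cfg.
SAMPLE_CFG='backend backend-vra
    mode http
    server local 127.0.0.1:8082 maxconn 1500 cookie A check

backend backend-vro
    mode http
    option httpchk GET /vcac/services/api/health
    server local 127.0.0.1:8280 cookie A check
#    server node2 REMOTE-IP:443 cookie A check ssl verify none

backend backend-vco-health
    mode http
    server local 127.0.0.1:8280 cookie A check
'

# harden_haproxy: read a config on stdin, write the edited config on stdout.
# Only loopback server lines inside the listed backends are touched, the
# backend-vro port moves from 8280 to 8281, commented lines are skipped, and
# a line that already carries "ssl verify none" is left alone, so running the
# function twice does not double the option.
harden_haproxy() {
    awk -v tls="$TLS_BACKENDS" '
    BEGIN { n = split(tls, names, " "); for (i = 1; i <= n; i++) want[names[i]] = 1 }
    /^backend[[:space:]]+/ { cur = $2 }
    /^[[:space:]]*server[[:space:]]+local[[:space:]]+127\.0\.0\.1/ && (cur in want) {
        if (cur == "backend-vro") sub(/127\.0\.0\.1:8280/, "127.0.0.1:8281")
        if ($0 !~ /ssl verify none/) $0 = $0 " ssl verify none"
    }
    { print }'
}

# apply_to_file PATH: keep a timestamped backup (the NOTE above), swap in the
# edited copy and, where the haproxy binary exists, syntax-check the conf.d
# directory (assumed invocation; older haproxy builds may not accept a
# directory, in which case the rollback below simply restores the backup).
apply_to_file() {
    cfg="$1"
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak" || return 1
    harden_haproxy < "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg" || return 1
    if command -v haproxy >/dev/null 2>&1 && ! haproxy -c -f "$(dirname "$cfg")"; then
        cp -p "$bak" "$cfg"          # roll back: the edited config did not parse
        echo "haproxy rejected the edited config; restored $bak" >&2
        return 1
    fi
}

# With a path argument the real file is edited; with none, the constructed
# sample is transformed and printed so the result can be inspected.
if [ "$#" -gt 0 ]; then
    apply_to_file "$1"
else
    printf '%s' "$SAMPLE_CFG" | harden_haproxy
fi
```

Run it as sh harden-vcac-haproxy.sh /etc/haproxy/conf.d/20-vcac.cfg on the appliance, then restart HAProxy as the guide requires; the diff against the .bak file should show nothing but the appended option and the one port change in backend-vro.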



Step 4

Get the keystore password (the value that will go into keystorePass).

Locate the property certificate.store.password in the /etc/vcac/security.properties file.


Example

certificate.store.password=s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=

The guide then asks you to decrypt that value with vcac-config, passing the encrypted string from security.properties:

vcac-config prop-util -d --p VALUE

The output would be as below

[master] sbivra:~ # vcac-config prop-util -d --p s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=
password[master] sbivra:~ #

Two things to notice here. The shell strips the backslashes, so the tool receives the value ending in == (in the properties file, \= is only Java .properties escaping of =). And the decrypted value is printed without a trailing newline, which is why the next prompt lands on the same line. The decrypted value is the plain-text keystore password; in this example it is literally password.


Step 5

This step asks you to "Configure the vRealize Automation service"


document states

The document says to open /etc/vcac/server.xml and add the attributes below to the Connector tag, replacing certificate.store.password with the certificate store password value found in /etc/vcac/security.properties.


scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="certificate.store.password"

If you follow this literally, you end up with:


scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="s2enc~00k52MwbaLOWSpiLLl9d2Q\=\="

This is wrong. Tomcat passes the keystorePass value to the keystore as-is and knows nothing about the s2enc~ format, so the connector cannot open the keystore. keystorePass must be the decrypted value from Step 4, which in this example is simply password.

The correct attribute is as below

 <Connector URIEncoding="UTF-8" acceptCount="100" acceptorThreadCount="4" address="localhost" connectionTimeout="10000" executor="tomcatThreadPool" maxConnections="1500" maxKeepAliveRequests="120" port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" sslEnabledProtocols="TLSv1.2" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="password"/>

Step 6

This step configures the vRealize Orchestrator service (the connector on port 8281 that HAProxy now targets). Here too, the password attribute (truststorePass in the Connector below) takes the decrypted password, not the encrypted s2enc~ value.


The correct attribute is as below



<Connector port="8281" address="127.0.0.1" protocol="com.vmware.o11n.coyote.http11.O11nHttp11Protocol" URIEncoding="UTF-8" connectionTimeout="20000" server=" " scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/var/lib/vco/app-server/conf/security/jssecacerts" keyAlias="dunes" truststorePass="password" truststoreFile="/var/lib/vco/app-server/conf/security/tctruststore" sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" redirectPort="443" maxHttpHeaderSize="163840"/>
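Steps 4 to 6 all turn on the same detail: the value in security.properties is an escaped, encrypted string, and only its decrypted form belongs in server.xml. The following POSIX shell script is an added example, not code from the hardening guide or the original post. It reads the property, drops the Java .properties backslash escaping (so the tool receives a value ending in ==, exactly as the unquoted paste on the page did), calls vcac-config where that tool exists, and then checks Connector lines so that an s2enc~ ciphertext pasted into keystorePass or truststorePass is caught before Tomcat is restarted. The property line and the two Connector lines embedded in it are constructed for the demonstration; the file paths are the ones the page names.

```shell
#!/bin/sh
# Added example for Steps 4 to 6: recover the plain keystore password from
# security.properties and verify a Connector line afterwards. Not from the
# hardening guide; file paths are the ones named on the page, sample inputs
# are constructed.

# Constructed stand-in for the relevant lines of /etc/vcac/security.properties.
SAMPLE_PROPS='certificate.store.password=s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=
some.other.key=value'

# Constructed Connector lines: the mistake (ciphertext pasted as-is) and the fix.
BAD_CONNECTOR='<Connector port="8082" SSLEnabled="true" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="s2enc~00k52MwbaLOWSpiLLl9d2Q\=\="/>'
GOOD_CONNECTOR='<Connector port="8082" SSLEnabled="true" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="password"/>'

# encrypted_store_password: print the certificate.store.password value from a
# security.properties stream on stdin. The file is a Java .properties file, so
# "\=\=" is escaping for "=="; the backslashes are removed here, which is what
# the unquoted shell argument after --p did on the page.
encrypted_store_password() {
    sed -n 's/^certificate\.store\.password=//p' | sed 's/\\\(.\)/\1/g'
}

# decrypt_store_password ENC: run the appliance tool. vcac-config prints the
# plain password without a trailing newline (the next prompt lands on the same
# line on the page), so a newline is appended for readability.
decrypt_store_password() {
    command -v vcac-config >/dev/null 2>&1 || { echo "vcac-config not on PATH" >&2; return 1; }
    vcac-config prop-util -d --p "$1" && echo
}

# secret_attrs_are_plain: read Connector XML on stdin; succeed only if at least
# one keystorePass/truststorePass attribute is present and every one of them
# is non-empty and not an s2enc~ ciphertext. Tomcat uses the literal attribute
# value to open the store, so the encrypted string can never work there.
secret_attrs_are_plain() {
    awk '{
        s = $0
        while (match(s, /[A-Za-z]*storePass="[^"]*"/)) {
            v = substr(s, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
            if (v == "" || v ~ /^s2enc~/) bad = 1
            seen = 1
            s = substr(s, RSTART + RLENGTH)
        }
    } END { exit (seen && !bad) ? 0 : 1 }'
}

# Demonstration on the constructed data. On the appliance, feed the real files:
#   enc=$(encrypted_store_password < /etc/vcac/security.properties)
#   decrypt_store_password "$enc"
#   secret_attrs_are_plain < /etc/vcac/server.xml
enc=$(printf '%s\n' "$SAMPLE_PROPS" | encrypted_store_password)
echo "value handed to vcac-config: $enc"
printf '%s\n' "$GOOD_CONNECTOR" | secret_attrs_are_plain && echo "good connector: plain password present"
printf '%s\n' "$BAD_CONNECTOR" | secret_attrs_are_plain || echo "bad connector: s2enc~ ciphertext in keystorePass"
```

The decrypted value is what goes into keystorePass in /etc/vcac/server.xml (Step 5) and into the vRO connector (Step 6); running the check over each server.xml before restarting the services catches the copy-paste mistake that the guide's wording invites.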




content being updated............

