{Edited Oct 19 2015 to reflect updated information in VMKB 2131619}
Recent versions of Google Chrome and Mozilla Firefox have begun rejecting connections using SSLv3 ciphers. Chrome complains of a weak ephemeral Diffie-Hellman public key, calling it a “disastrous misconfiguration”. Firefox’s message also complains of a weak ephemeral Diffie-Hellman key in Server Key Exchange, but doesn’t foreshadow impending doom.
Interestingly (I guess), Internet Explorer 11 still happily connects…


Let’s fix Orchestrator so that we can use FF and Chrome…
Procedure
Confirmed this works on the vCO Appliance v5.5.2.1 through v6.0.2.1 and on the vRealize Automation Appliance v6.2.x
- SSH into the appliance
- Enter this to change to the directory that holds the configuration for the configuration page
cd /etc/vco/configuration
- Enter this to back up the server.xml file
cp ./server.xml ./serverxml.backup
- Use vi, or whatever you’re familiar with, to edit server.xml and replace the line that reads (as one line)
ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"
with (again, as one line)
ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
- Save the file
- Repeat the steps above for /etc/vco/app-server/server.xml
- Restart the vco-server and vco-configurator services
service vco-server restart
service vco-configurator restart
That’s it, you should be good to go. There are probably other VMware applications that will need the same treatment, though.
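To confirm that no DHE suites were left behind in either file, a check like the one below can be run after the edit. It is an added example, not part of the original post or any VMware tooling; the function names and the sample Connector snippets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a server.xml for DHE suites left in ciphers="...".

# Print each suite named in a ciphers="..." attribute, one per line.
# Newlines are flattened first, so a value wrapped over several lines still parses.
list_ciphers() {
    tr '\n' ' ' < "$1" | grep -o 'ciphers="[^"]*"' |
        sed -e 's/^ciphers="//' -e 's/"$//' | tr ',' '\n' | tr -d ' \t\r' | grep -v '^$'
}

# Print only finite-field ephemeral DH suites (TLS_DHE_*); TLS_ECDHE_* does not match.
list_dhe_ciphers() {
    list_ciphers "$1" | grep '^TLS_DHE_'
}

# Return 0 if the file has a parseable ciphers attribute with no DHE suites, else 1.
check_server_xml() {
    if [ -z "$(list_ciphers "$1")" ]; then
        # Also reached when the value was pasted with curly quotes instead of ".
        echo "$1: no ciphers=\"...\" attribute found" >&2
        return 1
    fi
    remaining=$(list_dhe_ciphers "$1") || true
    if [ -n "$remaining" ]; then
        echo "$1: DHE suites still enabled: $(echo "$remaining" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "$1: OK, no DHE suites"
}

# Constructed sample files (not copied from a real appliance) for an offline run.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.xml" <<'EOF'
<Connector SSLEnabled="true" scheme="https"
  ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
           TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA" />
EOF
cat > "$SAMPLE_DIR/after.xml" <<'EOF'
<Connector SSLEnabled="true" scheme="https"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" />
EOF

# With arguments, check those files; with none, check the constructed samples.
[ "$#" -gt 0 ] || set -- "$SAMPLE_DIR/before.xml" "$SAMPLE_DIR/after.xml"
for f in "$@"; do check_server_xml "$f" || true; done
```

On the appliance, pass /etc/vco/configuration/server.xml and /etc/vco/app-server/server.xml as arguments once both have been edited.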
