Enable TLS on Localhost Configuration as part of vRealize Automation Hardening 7.x
Jul 2, 2020
I and my peers were assisting a project where vRealize Automation 7.x was to be deployed and hardened.
We found that there are lots of issues/misconfigurations in certain sections of the hardening document, which have to be called out.
Click here for the hardening guide version 7.6
I would call out certain sections where issues were seen after implementing them. Not all sections will be discussed here, as most of them are straightforward.
The problematic sections are:
- “Enable TLS on Localhost Configuration”, Page 22
- “Verify that SSLv3, TLS 1.0, and TLS 1.1 are Disabled”, Page 24
Let’s start with the section “Enable TLS on Localhost Configuration”
Step 1
SSH to the vRA appliance.
Step 2
Set permissions for the vcac keystore by running the following commands:
usermod -A vco,coredump,pivotal vco
chown vcac.pivotal /etc/vcac/vcac.keystore
chmod 640 /etc/vcac/vcac.keystore
Execute this as shown in the document; there are no changes to this step.
Step 3
According to the documentation, the following steps are to be performed:
Update the HAProxy configuration
Open the HAProxy configuration directory located at /etc/haproxy/conf.d and choose the 20-vcac.cfg file.
Locate the lines containing the following string:
server local 127.0.0.1…
and add the following to the end of such lines:
ssl verify none
It states that the change has to be performed under the following sections of the 20-vcac.cfg file:
backend backend-vrhb
backend-horizon
backend-vro
backend-vra
backend-artifactory
backend-vra-health
But when you take a look at the file, there is no backend-artifactory section in it. So that is a mistake.
The only backends which are actually available are:
backend backend-vrhb
backend backend-horizon
backend backend-vra
backend backend-vra-health
backend backend-vro
backend backend-vco-health
Another important change that is missing from the documentation: the backend-vro port has to be changed from 8280 to 8281.
NOTE : TAKE A BACKUP OF ORIGINAL FILES BEFORE CHANGES
The /etc/haproxy/20-vcac.cfg file after the changes:
backend backend-horizon
mode http
balance leastconn
option http-server-close
option forwardfor
option redispatch
http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_HZN=\1
http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_HZN=\1
http-request replace-value Cookie (.*?)JSESSIONID_HZN=([^;]+)(.*?) \1JSESSIONID=\2\3
http-request replace-value Cookie (.*?)XSRF-TOKEN_HZN=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
cookie JSESSIONID prefix
timeout check 10s
server local 127.0.0.1:8443 maxconn 500 ssl verify none
backend backend-vra
mode http
balance leastconn
option http-server-close
option forwardfor
option redispatch
http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
cookie JSESSIONID prefix
server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none
backend backend-vra-health
mode http
balance leastconn
option http-server-close
option log-health-checks
option httplog
option forwardfor
option redispatch
http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
cookie JSESSIONID prefix
server local 127.0.0.1:8082 cookie A check ssl verify none
backend backend-vro
mode http
balance leastconn
option http-server-close
option forwardfor
option redispatch
http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
cookie JSESSIONID prefix
option httpchk GET /vcac/services/api/health
server local 127.0.0.1:8281 cookie A check ssl verify none
# server node2 REMOTE-IP:443 cookie A check ssl verify none
backend backend-vco-health
mode http
option http-server-close
option forwardfor
option redispatch
http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
cookie JSESSIONID prefix
server local 127.0.0.1:8280 cookie A check
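A small checker, written for this post as an added example and not part of the hardening guide or the appliance, that parses a 20-vcac.cfg and confirms that every backend named above has its server local 127.0.0.1 line ending in ssl verify none and pointing at the expected port, including the 8280 to 8281 change for backend-vro. The embedded configuration is a constructed, abbreviated version of the file shown above, with backend-vra-health deliberately left unhardened so the check has something to find.

```python
import re
# Constructed sample: an abbreviated 20-vcac.cfg after the hardening changes,
# with the backend-vra-health server line deliberately left unhardened.
SAMPLE_CFG = """\
backend backend-horizon
    server local 127.0.0.1:8443 maxconn 500 ssl verify none
backend backend-vra
    server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none
backend backend-vra-health
    server local 127.0.0.1:8082 cookie A check
backend backend-vro
    server local 127.0.0.1:8281 cookie A check ssl verify none
    # server node2 REMOTE-IP:443 cookie A check ssl verify none
backend backend-vco-health
    server local 127.0.0.1:8280 cookie A check
"""
# Backends whose localhost server line must end with "ssl verify none", and the
# port each one must point at (backend-vro moves from 8280 to 8281).
TLS_BACKENDS = {"backend-horizon": 8443, "backend-vra": 8082,
                "backend-vra-health": 8082, "backend-vro": 8281}
SERVER_RE = re.compile(r"^\s*server\s+local\s+127\.0\.0\.1:(\d+)\b(.*)$")

def parse_local_servers(cfg_text):
    """Map backend name -> (port, rest of its 'server local 127.0.0.1' line)."""
    servers, current = {}, None
    for line in cfg_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # commented-out server lines are not active
        if stripped.startswith("backend "):
            current = stripped.split()[1]
            continue
        m = SERVER_RE.match(line)
        if m and current:
            servers[current] = (int(m.group(1)), m.group(2))
    return servers

def find_issues(cfg_text):
    """Return findings as strings; an empty list means the file is as expected."""
    servers, issues = parse_local_servers(cfg_text), []
    for name, port in TLS_BACKENDS.items():
        if name not in servers:
            issues.append(f"{name}: no 'server local 127.0.0.1' line")
            continue
        got_port, rest = servers[name]
        if got_port != port:
            issues.append(f"{name}: port {got_port}, expected {port}")
        if "ssl verify none" not in rest:
            issues.append(f"{name}: missing 'ssl verify none'")
    return issues
```

To run it against the appliance, read the real file into find_issues instead of SAMPLE_CFG; backend-vco-health is parsed but not checked, since it stays on plain HTTP at 8280 in the file above.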
Step 4
Get the password for keystorePass.
Locate the property certificate.store.password in the /etc/vcac/security.properties file.
Example
certificate.store.password=s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=
It then asks you to decrypt this value, passing the value from the security.properties file as VALUE in the following command:
vcac-config prop-util -d --p VALUE
The output is as below:
[master] sbivra:~ # vcac-config prop-util -d --p s2enc~00k52MwbaLOWSpiLLl9d2Q\=\=
password[master] asbvra:~ #
So the decrypted value is the plain-text keystore password; in this example it is literally password.
Step 5
This step asks you to “Configure the vRealize Automation service”.
The document states:
Open the /etc/vcac/server.xml file and add the attributes below to the Connector tag, replacing certificate.store.password with the certificate store password value found in /etc/vcac/security.properties.
scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="certificate.store.password"
But if you follow this literally, you will end up with the following:
scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="s2enc~00k52MwbaLOWSpiLLl9d2Q\=\="
But this is wrong.
You have to use the decrypted password, which in this example is nothing but password.
The correct attribute is as below:
<Connector URIEncoding="UTF-8" acceptCount="100" acceptorThreadCount="4" address="localhost" connectionTimeout="10000" executor="tomcatThreadPool" maxConnections="1500" maxKeepAliveRequests="120" port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="443" sslEnabledProtocols = "TLSv1.2" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache" keystorePass="password"/>
Step 6
Here too you have to use the decrypted password in the attribute, not the encrypted one.
The correct attribute is as below:
<Connector port="8281" address="127.0.0.1" protocol="com.vmware.o11n.coyote.http11.O11nHttp11Protocol" URIEncoding="UTF-8" connectionTimeout="20000" server=" " scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS" keystoreFile="/var/lib/vco/app-server/conf/security/jssecacerts" keyAlias="dunes" truststorePass="password" truststoreFile="/var/lib/vco/app-server/conf/security/tctruststore" sslEnabledProtocols="TLSv1.2" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" redirectPort="443" maxHttpHeaderSize="163840"/>
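A check for Step 5 and Step 6 together, added here as an example and not taken from the hardening guide or from VMware: it parses a server.xml, finds every Connector with SSLEnabled="true", and reports when keystorePass still carries the encrypted s2enc~ value from security.properties instead of the decrypted password, and when sslEnabledProtocols is not restricted to TLSv1.2. The embedded server.xml is a constructed, trimmed fragment; the assumption that an encrypted value always starts with s2enc~ comes from the example value shown in Step 4.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the 8082 Connector has the encrypted s2enc~ value
# pasted verbatim (the mistake the post describes); the 8281 one is done correctly.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="8082" address="localhost" scheme="https" secure="true"
             SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
             keystoreFile="/etc/vcac/vcac.keystore" keyAlias="apache"
             keystorePass="s2enc~00k52MwbaLOWSpiLLl9d2Q\=\="/>
  <Connector port="8281" address="127.0.0.1" scheme="https" secure="true"
             SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
             keystoreFile="/var/lib/vco/app-server/conf/security/jssecacerts"
             keyAlias="dunes" keystorePass="password"/>
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
</Service></Server>
"""

def check_tls_connectors(xml_text):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector, nothing to check here
        findings = []
        pw = conn.get("keystorePass", "")
        if not pw:
            findings.append("keystorePass is missing")
        elif pw.startswith("s2enc~"):
            # Assumption: encrypted property values carry the s2enc~ prefix, so this
            # is the security.properties value pasted as-is instead of the decrypted one.
            findings.append("keystorePass is still the encrypted s2enc~ value")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append('scheme="https" and secure="true" expected')
        if conn.get("sslEnabledProtocols") != "TLSv1.2":
            findings.append("sslEnabledProtocols should restrict to TLSv1.2")
        report[conn.get("port")] = findings
    return report
```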
content being updated…