'insufficient security(71)' error when trying to establish a connection between FIPS-enabled VMware Aria Automation Orchestrator and external server via content like workflows or actions

Article ID: 314803


Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

  • 'insufficient security(71)' error when trying to establish a connection between FIPS-enabled VMware Aria Automation Orchestrator server and external server through the application via content like workflows or actions.
  • The /var/log/services-logs/prelude/vco-app/file-logs/vco-server-app.log contains a stack trace similar to:
    com.vmware.o11n.plugin.rest.Request - Cannot execute the request
    org.bouncycastle.tls.TlsFatalAlert: insufficient_security(71)
        at org.bouncycastle.tls.TlsDHUtils.receiveDHConfig(TlsDHUtils.java:139) ~[bctls-fips-1.0.13.jar:1.0.13]
        at org.bouncycastle.tls.TlsDHEKeyExchange.processServerKeyExchange(TlsDHEKeyExchange.java:95) ~[bctls-fips-1.0.13.jar:1.0.13]

 

Environment

VMware vRealize Automation 8.x

Cause

The issue arises because the external server that the Orchestrator is trying to connect to does not support ciphers that are secure enough for the FIPS-enabled Orchestrator.

Resolution

To resolve the issue, either use the Orchestrator in non-FIPS mode or configure your server to support FIPS-compliant ciphers.

The Orchestrator appliance uses Bouncy Castle, and the ciphers it supports with FIPS enabled are listed on page 26 of the following document.
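
The stack trace above fails while the client processes the server's DHE key exchange, so a useful check is which key exchange the external server negotiates. The script below is an added example, not VMware or Bouncy Castle code: it classifies `openssl s_client` output. The 2048-bit threshold, the function names, the verdict labels and the sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the key exchange seen in `openssl s_client` output.
# Capture from the external server (HOST:PORT is a placeholder):
#   openssl s_client -connect HOST:PORT -tls1_2 -cipher DHE </dev/null 2>&1 | classify_kex

# ASSUMPTION: 2048-bit minimum DH prime; confirm in the attached user guide.
MIN_DH_BITS="${MIN_DH_BITS:-2048}"

classify_kex() {
    awk -v min="$MIN_DH_BITS" '
        # The key-exchange line reads "Server Temp Key:" or "Peer Temp Key:".
        /^(Server|Peer) Temp Key:/ {
            sub(/^[^:]*: */, "")              # leaves e.g. "DH, 1024 bits"
            n = split($0, f, ", ")
            kind = f[1]
            bits = f[n]; sub(/ bits.*/, "", bits)
            next
        }
        / Cipher is / { cipher = $NF }
        END {
            if (cipher == "") cipher = "none"
            if (kind == "")              print "NO_TEMP_KEY cipher=" cipher
            else if (kind != "DH")       print "NOT_DHE kex=" kind " cipher=" cipher
            else if (bits + 0 < min + 0) print "DH_TOO_SMALL bits=" bits " cipher=" cipher
            else                         print "DH_SIZE_OK bits=" bits " cipher=" cipher
        }'
}

# Constructed sample outputs (not captured from a real server).
sample_dhe_1024() { cat <<'EOF'
CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-SHA
EOF
}

sample_ecdhe() { cat <<'EOF'
CONNECTED(00000003)
---
Peer Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
EOF
}

sample_dhe_1024 | classify_kex
sample_ecdhe | classify_kex
```

`DH_SIZE_OK` only means the prime meets the size threshold; whether the negotiated suite is accepted is still decided by the list in the attached guide.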

Attachments

BC-FJA-(D)TLSUserGuide-1.0.13