Note: This requires a service restart. Ensure the environment has a backup before proceeding.
On all vRealize Automation VAs:
Change #1
- For Port 443 (vRA core services), edit the file /etc/haproxy/conf.d/20-vcac.cfg.
- Change:
frontend https-in
log 127.0.0.1 local0 debug
bind 0.0.0.0:80
bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers !aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11
To:
frontend https-in
log 127.0.0.1 local0 debug
bind 0.0.0.0:80
bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers !aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:kECDH+AES:ECDH+AES:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11
- Save the file.
- Run the command service haproxy restart.
Change #2
- For port 5480 (VAMI), edit the file /opt/vmware/etc/lighttpd/lighttpd.conf.
- Set the "ssl.cipher-list" parameter at the bottom of the file as:
ssl.cipher-list = "!aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:kECDH+AES:ECDH+AES:@STRENGTH no-sslv3 no-tlsv10 no-tlsv11"
- Save the file.
- Run the command vami-lighttp restart.
Change #3
- For port 8443 (vIDM Management), edit the file /opt/vmware/horizon/workspace/conf/catalina.properties.
- Set the "nio-ssl.cipher.list" line towards the bottom of the file as follows:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- Save the file.
- Run the command service horizon-workspace restart.
- Run the command service elasticsearch restart.
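To see concretely what Change #1 removes, here is an added Python example (it is not part of the KB article or of the vRA appliance) that feeds both haproxy cipher strings to the local OpenSSL through Python's ssl module and lists the suites that disappear. It assumes a Python build linked against OpenSSL 1.1.0 or newer, where SSLContext.get_ciphers() reports each suite's key-exchange algorithm ("kea"); the function names are the example's own.

```python
import ssl

# Cipher portion of the two "bind 0.0.0.0:443 ssl ..." lines from Change #1.
# "no-sslv3 no-tlsv10 no-tlsv11" are haproxy bind options rather than OpenSSL
# cipher rules; their effect is reproduced below with minimum_version.
BEFORE = ("!aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:"
          "kECDH+AES:ECDH+AES:RSA+AES:@STRENGTH")
AFTER = ("!aNULL:!eNULL:kECDH+AESGCM:ECDH+AESGCM:"
         "kECDH+AES:ECDH+AES:@STRENGTH")


def expand(cipher_string):
    """Suites OpenSSL selects for a cipher string, as (name, key-exchange) pairs.

    TLS 1.3 suites are configured by OpenSSL independently of the cipher
    string, so they are left out to show only what the string controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # mirrors no-tlsv10 no-tlsv11
    ctx.set_ciphers(cipher_string)                 # raises SSLError if nothing matches
    return [(c["name"], c.get("kea"))
            for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def key_exchanges(cipher_string):
    """Distinct key-exchange algorithms the cipher string still permits."""
    return {kea for _, kea in expand(cipher_string)}


def removed_suites(before=BEFORE, after=AFTER):
    """Suites enabled by the old string that the new string no longer selects."""
    kept = {name for name, _ in expand(after)}
    return [(name, kea) for name, kea in expand(before) if name not in kept]


if __name__ == "__main__":
    for name, kea in removed_suites():
        print(f"removed  {name:32s} {kea}")
    print("key exchange still allowed:",
          sorted(k for k in key_exchanges(AFTER) if k))
```

Run it on the appliance's own Python (or any host with a comparable OpenSSL) and the "removed" rows are the static-RSA key-exchange suites (kx-rsa) that the two RSA+ aliases admitted. Because OpenSSL's RSA alias matches RSA key exchange or RSA authentication, builds that ship DHE-RSA suites will also show those (kx-dhe) in the removed list; what remains is ECDHE only.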
On all vRealize Automation IaaS-Web Nodes:
Set the cipher list to:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Follow these steps:
- Open the Group Policy Editor (gpedit.msc).
- On the left hand side, navigate to Computer Configuration > Administrative Templates > Network.
- Click on SSL Configuration Settings.
- On the right hand side, select/open SSL Cipher Suite Order.
Note: By default, the Not Configured option is set, but this may be different.
- Click on the Enabled button to edit your server’s Cipher Suites:
The SSL Cipher Suites field will fill with text once you click the button. If you want to see what Cipher Suites your server is currently offering, copy the text from the SSL Cipher Suites field and paste it into a text editor to review.
The text is one long, unbroken string, with the cipher suites separated by commas. The list cannot be longer than 1,023 characters.
- Copy the provided cipher list for vRA IaaS machines and paste it into the SSL Cipher Suites field.
- Click OK.
- Reboot the machine.
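Before pasting a list into the SSL Cipher Suites field, it is worth checking it against the constraints the steps above describe. The following Python example is added here and is not from the KB article: it rebuilds the IaaS list as the single comma-separated string the policy expects, checks the 1,023-character limit and the absence of whitespace, and reports two defender-side findings per suite, a key exchange without forward secrecy and the use of 3DES. The suite-name pattern it parses is the standard Schannel form TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac>[_P<curve>]; the function names are the example's own.

```python
import re

MAX_LEN = 1023   # size limit of the "SSL Cipher Suites" field stated in the procedure

# The list given above for vRA IaaS nodes, one suite per line here for
# readability; the policy field needs it as a single comma-separated string.
IAAS_SUITES = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
""".split()
IAAS_CIPHER_STRING = ",".join(IAAS_SUITES)

# Schannel suite names: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<mac>[_P<curve>]
SUITE_RE = re.compile(r"TLS_([A-Z_]+?)_WITH_([A-Z0-9_]+?)(?:_P(256|384|521))?")


def parse_suite(name):
    """Split a suite name into (key exchange/auth, cipher and MAC, curve or None)."""
    m = SUITE_RE.fullmatch(name)
    return m.groups() if m else None


def check_cipher_string(s, max_len=MAX_LEN):
    """Return findings for a cipher suite order string; an empty list means it passes."""
    findings = []
    if len(s) > max_len:
        findings.append(f"string is {len(s)} characters, the field accepts at most {max_len}")
    if re.search(r"\s", s):
        findings.append("string contains whitespace; the field expects one unbroken line")
    suites = s.split(",")
    if len(set(suites)) != len(suites):
        findings.append("duplicate suite names in the list")
    for name in suites:
        parsed = parse_suite(name)
        if parsed is None:
            findings.append(f"{name}: not a TLS_..._WITH_... suite name")
            continue
        kx_auth, cipher, _curve = parsed
        kx = kx_auth.split("_")[0]          # ECDHE, DHE, RSA, PSK, ...
        if kx not in ("ECDHE", "DHE"):
            findings.append(f"{name}: {kx} key exchange has no forward secrecy")
        if "3DES" in cipher:
            findings.append(f"{name}: 3DES is a legacy 64-bit block cipher")
    return findings


if __name__ == "__main__":
    print(f"{len(IAAS_SUITES)} suites, {len(IAAS_CIPHER_STRING)} characters")
    for finding in check_cipher_string(IAAS_CIPHER_STRING) or ["no findings"]:
        print(finding)
```

Run against the list above, the only finding is the trailing TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA entry; every other suite uses an ephemeral key exchange, and the whole string fits within the field's limit.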
Validation
Verify, with a scanner or by other means, that the changes are in effect on the VAs and IaaS nodes for the ports listed above.
Note: The set of supported ciphers should be similar to, but may not exactly match, the following lists:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Result of sslscan against the VA machine on port 443:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
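For the validation step, here is an added Python example (not from the KB article) that parses sslscan's cipher rows and reports anything outside the intended end state for the VA: the legacy protocol versions the haproxy bind options disable (no-sslv3 no-tlsv10 no-tlsv11), any suite whose key exchange is not ECDHE, and any non-AES suite. The sample output is constructed for the example and modelled on the listings above; its last two rows are there to show what findings look like and are not from the article's scans. The row layout assumed is the one shown above ("Preferred/Accepted <protocol> <bits> bits <suite> ...").

```python
import re

# One sslscan result row: "<Preferred|Accepted> <protocol> <bits> bits <suite> ..."
ROW_RE = re.compile(r"^\s*(Preferred|Accepted)\s+(SSLv[23]|TLSv1\.[0-3])\s+(\d+)\s+bits\s+(\S+)")

# Protocol versions the haproxy bind options (no-sslv3 no-tlsv10 no-tlsv11) disable.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample modelled on the listings above.  The last two rows are
# deliberately outside the policy so that the audit has something to report.
SAMPLE = """\
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
"""


def parse_sslscan(text):
    """Return (status, protocol, bits, suite) for every cipher row in sslscan output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            status, proto, bits, suite = m.groups()
            rows.append((status, proto, int(bits), suite))
    return rows


def audit(text):
    """Findings against the intended policy: TLS 1.2, ECDHE key exchange, AES only."""
    findings = []
    for status, proto, bits, suite in parse_sslscan(text):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"{proto} still {status.lower()} ({suite})")
        # TLS 1.3 suite names (TLS_AES_...) carry no key-exchange prefix; the
        # protocol itself only offers ephemeral key exchange, so skip that check.
        if proto != "TLSv1.3" and not suite.startswith("ECDHE-"):
            findings.append(f"{suite}: key exchange is not ECDHE ({proto})")
        if "AES" not in suite:
            findings.append(f"{suite}: not an AES suite")
    return findings


if __name__ == "__main__":
    for row in parse_sslscan(SAMPLE):
        print(row)
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

To use it on a real result, pass the saved text of an sslscan run against each VA on port 443, 5480 and 8443 to audit(); an empty list means every offered suite is a TLS 1.2 ECDHE AES suite, which is the end state the three changes above aim for.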