Connecting to TLS1.0 or TLS1.1 services fails in vRealize Orchestrator


Article ID: 325987


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
In VMware vRealize Orchestrator 8.4.1 and later versions, you experience these symptoms:
  • Connecting to TLS1.0 or TLS1.1 services fails.
  • When you try to establish the connection, the /services-logs/prelude/vco-app/file-logs/vco-server-app.log file contains entries similar to:
    The server selected protocol version TLS10 is not accepted by client preferences [TLS12]


Environment

VMware vRealize Orchestrator 8.6.x
VMware vRealize Orchestrator 8.7.x
VMware vRealize Automation 8.10.x
VMware vRealize Orchestrator 8.9.x
VMware vRealize Automation 8.7.x
VMware vRealize Automation 8.9.x
VMware vRealize Automation 8.3.x
VMware vRealize Orchestrator 8.10.x
VMware vRealize Automation 8.6.x
VMware vRealize Automation 8.5.x
VMware vRealize Orchestrator 8.5.x
VMware vRealize Automation 8.4.x
VMware vRealize Automation 8.8.x
VMware vRealize Orchestrator 8.8.x
VMware vRealize Orchestrator 8.4.x

Cause

vRA/vRO supports only TLS 1.2 out of the box, for strengthened security.

Resolution

This is a known issue affecting VMware vRealize Orchestrator 8.4.1 and later versions.

Currently, there is no resolution.

Workaround:

Prerequisites

  • Take simultaneous non-memory snapshots of each virtual appliance in the cluster.
  • You have the root user password.
  • You have SSH or console access to each virtual appliance.

Procedure

  1. SSH (for example, with PuTTY) into one vRO virtual appliance in the cluster.
  2. Run the following command:
    vracli cluster exec -- bash -c 'base64 -d <<< IyBDcmVhdGUgY3VzdG9tIHByb2ZpbGUgZGlyZWN0b3J5Cm1rZGlyIC1wIC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlLwoKIyBDcmVhdGUgdGhlIHJlcXVpcmVkIGRpcmVjdG9yeSB0cmVlIHRoYXQgd2lsbCBiZSB1c2VkIHdoZW4gdGhlIHByb2ZpbGUgaXMgYWN0aXZlCm1rZGlyIC1wIC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlL2hlbG0vcHJlbHVkZV92Y28vCgojIENyZWF0ZSAiY2hlY2siIGZpbGUgdGhhdCBpcyBhbiBleGVjdXRhYmxlIGZpbGUgcnVuIGJ5IGRlcGxveSBzY3JpcHQuCmNhdCA8PEVPRiA+IC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlL2NoZWNrCiMhL2Jpbi9iYXNoCmV4aXQgMApFT0YKY2htb2QgNzU1IC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlL2NoZWNrCgojIENvcHkgdlJPIHJlc291cmNlIG1ldHJpY3MgZmlsZSB0byB5b3VyIGN1c3RvbSBwcm9maWxlCmNhdCA8PEVPRiA+IC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlL2hlbG0vcHJlbHVkZV92Y28vODAtcmVzb3VyY2VzLnlhbWwKc2VydmVySmF2YU9wdHM6CiAgImphdmEuc2VjdXJpdHkucHJvcGVydGllcyI6ICcvdXNyL2xpYi92Y28vanZtLnNlY3VyaXR5JwpFT0YKY2htb2QgNjQ0IC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlL2hlbG0vcHJlbHVkZV92Y28vODAtcmVzb3VyY2VzLnlhbWwKCiMgQ29weSB2Uk8ganZtLnNlY3VyaXR5IGZpbGUgdGhhdCBpcyBnb2luZyB0byBvdmVycmlkZSB0aGUgZGVmYXVsdCBqYXZhLnNlY3VyaXR5CmNhdCA8PEVPRiA+IC9kYXRhL3Zjby91c3IvbGliL3Zjby9qdm0uc2VjdXJpdHkKamRrLnRscy5kaXNhYmxlZEFsZ29yaXRobXM9U1NMdjMsIFJDNCwgREVTLCBNRDV3aXRoUlNBLApFT0YKY2htb2QgNjQ0IC9kYXRhL3Zjby91c3IvbGliL3Zjby9qdm0uc2VjdXJpdHkK | bash'
Note: This command decodes and runs a script that creates a custom profile configuring vRO to allow connections over the TLS1.0 and TLS1.1 protocols.
  3. Start the vRA services by running the following command:
    /opt/scripts/deploy.sh
IMPORTANT NOTE: If a single-node environment is later scaled out to a clustered environment, these steps must be executed on each new node before it is joined to the master node.
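To audit what the workaround actually changes on a node, here is an added Python helper (not VMware's code) that parses a java.security-style override such as the jvm.security file written in step 2, reports which legacy protocol versions it re-enables, lists the entries it drops relative to a baseline list, and matches the symptom line quoted above. The baseline below is an illustrative assumption: copy the real jdk.tls.disabledAlgorithms value from the appliance JVM's java.security, because the override replaces that whole value rather than editing it.

```python
# Audit helper for the vRO legacy-TLS workaround (added example, not VMware code).
import re

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")
# Symptom quoted in the KB; the protocol token (TLS10, TLS11, ...) is captured.
SYMPTOM_RE = re.compile(
    r"server selected protocol version (?P<proto>TLS\d+) is not accepted by client preferences"
)

def disabled_algorithms(java_security_text):
    """Entries of jdk.tls.disabledAlgorithms as a set (last assignment wins)."""
    value = ""
    for line in java_security_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "jdk.tls.disabledAlgorithms":
            value = val
    return {e.strip() for e in value.split(",") if e.strip()}

def reenabled_protocols(override_text):
    """Legacy protocol versions the JVM may negotiate once the override is active."""
    disabled = disabled_algorithms(override_text)
    return [p for p in LEGACY_PROTOCOLS if p not in disabled]

def dropped_entries(override_text, baseline):
    """Baseline entries the override removes: the property replaces the whole list."""
    return sorted(set(baseline) - disabled_algorithms(override_text))

def symptom_hits(log_lines):
    """Protocol versions named by the symptom line in vco-server-app.log."""
    return [m.group("proto") for m in map(SYMPTOM_RE.search, log_lines) if m]

# Constructed sample input: the value the workaround script writes to jvm.security,
# an illustrative baseline (assumption: copy the real jdk.tls.disabledAlgorithms
# from the appliance JVM's java.security), and one log line from the KB symptom.
OVERRIDE = "jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA,\n"
BASELINE = ["SSLv3", "TLSv1", "TLSv1.1", "RC4", "DES", "MD5withRSA",
            "DH keySize < 1024", "EC keySize < 224", "3DES_EDE_CBC", "anon", "NULL"]
LOG = ["2023-01-01T00:00:00Z WARN ... The server selected protocol version TLS10 "
       "is not accepted by client preferences [TLS12]"]

if __name__ == "__main__":
    print("re-enabled:", reenabled_protocols(OVERRIDE))
    print("dropped from baseline:", dropped_entries(OVERRIDE, BASELINE))
    print("symptom protocols seen:", symptom_hits(LOG))
```

Run it with the override and baseline from your own appliance; anything in the dropped list beyond TLSv1 and TLSv1.1 is a weakening the workaround introduces that the article does not mention.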

Procedure to remove TLS 1.0 and TLS 1.1 configurations

Follow these steps to delete the custom profile and disable the use of the TLS1.0 and TLS1.1 protocols for connections.
  1. Run the following command:
    vracli cluster exec -- bash -c 'base64 -d <<< IyBEZWxldGUgcHJvZmlsZSBkaXJlY3RvcnkgYW5kIHRoZSBvdmVycmlkaW5nIGZpbGUKcm0gLXJmIC9ldGMvdm13YXJlLXByZWx1ZGUvcHJvZmlsZXMvc2VjdXJpdHktY29ubmVjdGlvbi1wcm9maWxlCnJtIC1yZiAvZGF0YS92Y28vdXNyL2xpYi92Y28vanZtLnNlY3VyaXR5Cg== | bash'
  2. Start the vRA services by running the following command:
    /opt/scripts/deploy.sh


Additional Information

Impact/Risks:
This may be a blocker for customers who need to contact external HTTP/web systems that use weaker security protocols such as TLS 1.0 and TLS 1.1.