SSH plug-in in VMware Aria Automation Orchestrator 8.14.1 and higher fails with Automation Orchestrator is running in FIPS mode with a security provider version that does not allow non-compliant algorithms.
book
Article ID: 326020
calendar_today
Updated On:
Products
VMware Aria Suite
Issue/Introduction
This article provides steps to make compliant the cipher of the key pairs created before VMware Aria Automation Orchestrator 8.14 with Bouncy Castle FIPS Java library bc-fips-1.0.2.4.
Symptoms: SSH plug-in in VMware Aria Automation Orchestrator 8.14.1 and higher produces the following error message:
com.jcraft.jsch.JSchException: Automation Orchestrator is running in FIPS mode with a security provider version that does not allow non-compliant algorithms. Your private key is encrypted with a non-compliant cipher. To encrypt it with a compliant one, please follow the steps in https://kb.vmware.com/s/article/95579.
Environment
VMware Aria Automation Orchestrator 8.14.x
Cause
In VMware Aria Automation Orchestrator 8.14.1 and higher, a new version of Bouncy Castle FIPS Java library is used (bc-fips-1.0.2.4) that does not allow the use of non-compliant algorithms.
All previously generated key pairs that are password protected (private key is encrypted) with the SSH plug-in are encrypted with TripleDES/3DES cipher. That is considered non-compliant in the updated bc-fips-1.0.2.4 library when the Orchestrator is running in FIPS mode. This means that the old key pairs, but only those that are password protected, will no longer work with the new version of the SSH plug-in that is shipped with Automation Orchestrator 8.14.1 when it is running in FIPS mode.
Resolution
Prerequisites
You have access to Control Center root username and password.
You have SSH or console access to the virtual appliance(s).
Procedure
In order to continue using the previously generated key pairs (under FIPS mode), which are password protected, you must re-encrypt the private key with a new FIPS compliant cipher. To do that follow the steps below:
Using root credentials, log in to VMware Aria Automation Orchestrator Control Center https://Orchestrator_FQDN/vco-controlcenter/
In Monitor and Control, select System Properties.
Add the following two properties.
Property 1
key:org.bouncycastle.tripledes.allow_enc
value:true
Description (optional):KB95579
Property 2
key: org.bouncycastle.jsse.enable_md5
value:true
Description (optional):KB95579
Example:
Save the changes and wait for VMware Aria Automation Orchestrator to restart.
Monitor the service restart by navigating to Manage > ValidateConfiguration. If there is a restart in progress you will see something similar to the following:
Log into Automation Orchestrator client https://Orchestrator_FQDN/orchestration-ui and remove password using the Change key pair passphraseworkflow to decrypt the private key file into a plain text one.
Navigate back to Control Center and delete both system properties.
Click Save and wait for services to restart.
Set a password (or use the same one as before) using the Change key pair passphrase workflow that will encrypt the private key file once again with the new FIPS allowed algorithms AES256/SHA256.
Additional Information
To address 3DES and MD5 as deprecated algorithms, new ones have been implemented: AES256 and SHA256. When using the SSH plug-in in Automation Orchestrator, while in FIPS mode, these new algorithms will be used.