This article provides steps to make compliant the cipher of the key pairs created before VMware Aria Automation Orchestrator 8.14 with Bouncy Castle FIPS Java library bc-fips-1.0.2.4.

Symptoms:
SSH plug-in in VMware Aria Automation Orchestrator 8.14.1 and higher produces the following error message:

com.jcraft.jsch.JSchException: Automation Orchestrator is running in FIPS mode with a security provider version that does not allow non-compliant algorithms. Your private key is encrypted with a non-compliant cipher. To encrypt it with a compliant one, please follow the steps in https://kb.vmware.com/s/article/95579.

VMware Aria Automation Orchestrator 8.14.x

In VMware Aria Automation Orchestrator 8.14.1 and higher, a new version of Bouncy Castle FIPS Java library is used (bc-fips-1.0.2.4) that does not allow the use of non-compliant algorithms.

All previously generated key pairs that are password protected (private key is encrypted) with the SSH plug-in are encrypted with TripleDES/3DES cipher. That is considered non-compliant in the updated bc-fips-1.0.2.4 library when the Orchestrator is running in FIPS mode. This means that the old key pairs, but only those that are password protected, will no longer work with the new version of the SSH plug-in that is shipped with Automation Orchestrator 8.14.1 when it is running in FIPS mode.

Prerequisites

• You have access to Control Center root username and password.
• You have SSH or console access to the virtual appliance(s).

Procedure

In order to continue using the previously generated key pairs (under FIPS mode), which are password protected, you must re-encrypt the private key with a new FIPS compliant cipher. To do that follow the steps below:

1. Using root credentials, log in to VMware Aria Automation Orchestrator Control Center https://Orchestrator_FQDN/vco-controlcenter/
2. In Monitor and Control, select System Properties.
3. Add the following two properties.
   • Property 1
     • key: org.bouncycastle.tripledes.allow_enc
     • value: true
     • Description (optional): KB95579
   • Property 2
     • key: org.bouncycastle.jsse.enable_md5
     • value: true
     • Description (optional): KB95579
   • Example:
4. Save the changes and wait for VMware Aria Automation Orchestrator to restart.
   1. Monitor the service restart by navigating to Manage > Validate Configuration. If there is a restart in progress you will see something similar to the following:
5. Log into Automation Orchestrator client https://Orchestrator_FQDN/orchestration-ui and remove password using the Change key pair passphrase workflow to decrypt the private key file into a plain text one.
6. Navigate back to Control Center and delete both system properties.
   1. Click Save and wait for services to restart.
7. Set a password (or use the same one as before) using the Change key pair passphrase workflow that will encrypt the private key file once again with the new FIPS allowed algorithms AES256/SHA256.

To address 3DES and MD5 as deprecated algorithms, new ones have been implemented: AES256 and SHA256. When using the SSH plug-in in Automation Orchestrator, while in FIPS mode, these new algorithms will be used.