Validating in use Cipher Suites used by VMware Aria Automation & Automation Orchestrator 8.x

Article ID: 326112


Products

VMware Aria Suite

Issue/Introduction

This article provides a means to validate which cipher suites are configured in the TLS configuration used by VMware Aria Automation & Automation Orchestrator 8.x.

Environment

VMware Aria Automation 8.x
VMware Aria Automation Orchestrator 8.x

Resolution

Prerequisites

  • You have SSH access to the appliances running in the cluster.
  • You have the root username and password for each node in the cluster.

Procedure

Process for viewing the ciphers for Aria Automation/Orchestrator below 8.18.1

  1. SSH into each node in the cluster.
  2. Run the following command to view the contents of the values.yaml file for the ingress controller:
    cat /opt/charts/ingress-ctl/values.yaml

  3. Isolate the values located under ssl > cipherSuites.

Example:
Note: These values were pulled from an 8.12.1 environment. Be sure to validate the values for each version, and separately if this is a FIPS-enabled cluster.

ssl:
  enforced: false
  # https://docs.traefik.io/configuration/entrypoints/#specify-minimum-tls-version
  tlsMinVersion: VersionTLS12
  cipherSuites: [
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      ]


Process for viewing the ciphers for Aria Automation/Orchestrator for 8.18.1 and above

Starting with 8.18.1, the Traefik ingress controller has been replaced by Contour with Envoy.

  1. SSH into each node in the cluster.
  2. Run the following command to view the cipher configuration of the new ingress controller:
    nmap -sV --script ssl-enum-ciphers -p 443 <hostname>

    Output should look similar to this:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
    |   TLSv1.3:
    |     ciphers:
    |       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
  3. With the new ingress controller in 8.18.1, only the TLS 1.2 ciphers can be adjusted manually. To change them, edit the tls: section of the /opt/charts/contour/values.yaml file on each of the nodes, for example:

       tls:
         cipher-suites: ['ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384']
         fallback-certificate:
  4. Once the changes have been made on all 3 nodes, run the deploy.sh script on only 1 node to redeploy the pods with the new configuration:
    /opt/scripts/deploy.sh
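To compare the nmap output against the cipher set an appliance is supposed to offer without reading it by hand, here is an added Python example (not part of this article or the product): it parses ssl-enum-ciphers output in the shape shown above and flags unexpected protocol versions, ciphers outside an allow-list, and anything nmap grades below A. The sample output and the allow-list are constructed; the allow-list is written in the IANA names nmap reports (the Contour values.yaml uses OpenSSL-style names) and omits the CHACHA20 suites that Cumulative Patch 2 removes.

```python
import re
# Constructed sample in the shape of the ssl-enum-ciphers output shown above.
SAMPLE_NMAP = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
"""
VERSION_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

def parse_ssl_enum_ciphers(text):
    # Returns {protocol: [(cipher, key-exchange group, nmap grade), ...]}.
    result, current = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2), m.group(3)))
    return result

def find_deviations(parsed, expected):
    # A protocol version missing from `expected` is itself a finding; inside an
    # expected version, flag ciphers outside its allow-list or graded below A.
    findings = []
    for version, ciphers in parsed.items():
        if version not in expected:
            findings.append((version, None, "protocol version not expected"))
            continue
        for name, _group, grade in ciphers:
            if name not in expected[version]:
                findings.append((version, name, "cipher not in allow-list"))
            elif grade != "A":
                findings.append((version, name, "nmap grade " + grade))
    return findings

# Constructed allow-list (IANA names): the article's 8.18.1 Contour pair for TLS 1.2
# and the TLS 1.3 suites nmap shows, both without CHACHA20.
EXPECTED = {
    "TLSv1.2": {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
    "TLSv1.3": {"TLS_AKE_WITH_AES_128_GCM_SHA256", "TLS_AKE_WITH_AES_256_GCM_SHA384"},
}
```

Run find_deviations(parse_ssl_enum_ciphers(output), EXPECTED) on the real nmap output for each node; an empty result means every offered suite is on the allow-list.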


Additional Information

Any changes made to the values.yaml files will need to be re-checked after patches and upgrades, as these will likely revert those configurations.

The Aria Automation Cumulative Patch 2 for 8.18.1 release will include the removal of the CHACHA20 ciphers from TLS 1.2 and TLS 1.3.