When using FIPS, after upgrading to version 8.16.2 you receive an error when trying to add a PowerShell host with Kerberos authentication
Article ID: 326125
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
- You are using either VMware Aria Automation Orchestrator appliances or embedded Automation Orchestrator instances.
- You have recently upgraded to version 8.16.2.
- This issue presents itself in 8.14 with any stricter custom TLS security provider modifications.
Note: Greenfield deployments of 8.16.2 are not impacted.
Environment
VMware Aria Automation 8.14.0 - 8.16.x
VMware Aria Automation Orchestrator 8.14.0 - 8.16.x
Cause
A security file with a list of security providers was retained during the upgrade and does not contain the SunJGSS security provider added in 8.16.2.
Resolution
This issue is resolved in versions 8.17.0 and above.
Workaround:
Delete the security file on all nodes in the cluster:
- SSH / PuTTY into each appliance in the cluster.
- Run the following command to remove the file:
rm /data/vco/usr/lib/vco/app-server/conf/security/vmware-override-java.security
- Run the following command once on one node to restart all vco services in the cluster:
kubectl rollout restart deployment vco-app -n prelude
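A pre-check for the workaround, as an added example that is not part of the original article: it reports whether a java.security-style file registers SunJGSS at a position the JVM will actually load. It assumes the override file uses the standard security.provider.N=<name> syntax; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes standard java.security syntax in the override file:
# "security.provider.N=<name> [args]" lines, with '#' starting a comment.

# Print "N name" for each active provider entry, ordered by N.
list_providers() {
    sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*[=:][[:space:]]*\(.*\)$/\1 \2/p' "$1" |
        sort -n
}

# 0 = SunJGSS registered and reachable, 1 = absent or unreachable, 2 = no file.
has_sunjgss() {
    [ -f "$1" ] || return 2
    list_providers "$1" | awk '
        $1 != NR { exit }   # the JVM stops reading providers at the first numbering gap
        $2 == "SunJGSS" || $2 == "sun.security.jgss.SunProvider" { found = 1; exit }
        END { exit !found }'
}

# Constructed sample files (not copied from an appliance).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/retained.security" <<'EOF'
# retained from before the upgrade: no SunJGSS entry
security.provider.1=BCFIPS
security.provider.2=BCJSSE fips:BCFIPS
security.provider.3=SUN
EOF
cat > "$SAMPLES/complete.security" <<'EOF'
security.provider.1=BCFIPS
security.provider.2=BCJSSE fips:BCFIPS
security.provider.3=SUN
security.provider.4=SunJGSS
EOF
cat > "$SAMPLES/gap.security" <<'EOF'
security.provider.1=BCFIPS
security.provider.2=BCJSSE fips:BCFIPS
#security.provider.3=SUN
security.provider.4=SunJGSS
EOF

for f in retained complete gap; do
    if has_sunjgss "$SAMPLES/$f.security"; then
        echo "$f: SunJGSS available"
    else
        echo "$f: SunJGSS missing or unreachable"
    fi
done
```

On a node, point has_sunjgss at /data/vco/usr/lib/vco/app-server/conf/security/vmware-override-java.security before deleting it; a return code of 1 matches the cause described above, and 2 means the file is not present on that node.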
Additional Information
Impact/Risks:
Users are unable to use Kerberos authentication for the PowerShell plugin in FIPS mode.