When using FIPS, after upgrading to version 8.16.2 you receive an error when trying to add a PowerShell host with Kerberos authentication

Article ID: 326125

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

  • You are using either VMware Aria Automation Orchestrator appliances or embedded Automation Orchestrator instances.
  • You have recently upgraded to version 8.16.2.
    • This issue presents itself in 8.14 with any stricter custom TLS security provider modifications.

Note: Greenfield deployments of 8.16.2 are not impacted.

  • You are using FIPS.
  • You receive an error similar to the following when trying to add a PowerShell host with Kerberos authentication:
    Unsupported mechanism requested: 1.2.840.113554.1.2.2

Environment

VMware Aria Automation 8.14.0 - 8.16.x
VMware Aria Automation Orchestrator 8.14.0 - 8.16.x

Cause

A security file with a list of security providers was retained during the upgrade and does not contain the SunJGSS security provider added in 8.16.2.

Resolution

This issue is resolved in versions 8.17.0 and above.

Workaround:

Delete the security file on all nodes in the cluster:

  1. SSH / PuTTY into each appliance in the cluster.
  2. Run the following command to remove the file:
    rm /data/vco/usr/lib/vco/app-server/conf/security/vmware-override-java.security
  3. Run the following command once on one node to restart all vco services in the cluster:
    kubectl rollout restart deployment vco-app -n prelude
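
To confirm that a node still carries the retained provider list before deleting the file in step 2, the check below lists the active `security.provider.<n>` entries and reports whether SunJGSS, the provider behind the Kerberos v5 GSS-API mechanism OID 1.2.840.113554.1.2.2 named in the error, is among them. This is an added example, not VMware's code; it assumes the file follows standard java.security syntax, and the function names and sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware tooling. Assumption: the override file uses the
# standard java.security syntax "security.provider.<n>=<name> [args]".

# Path taken from the workaround above; pass another path as $1 to test.
OVERRIDE=/data/vco/usr/lib/vco/app-server/conf/security/vmware-override-java.security

# list_providers FILE: print "<n> <provider>" for every active entry,
# ignoring commented-out lines, sorted by provider preference order.
list_providers() {
    sed -n 's/^[[:space:]]*security\.provider\.\([0-9][0-9]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1 \2/p' "$1" | sort -n
}

# check_jgss [FILE]: 0 = SunJGSS listed, 1 = provider list lacks SunJGSS
# (the condition in Cause), 2 = no override file, 3 = file has no list.
check_jgss() {
    file=${1:-$OVERRIDE}
    [ -f "$file" ] || { echo "absent: $file"; return 2; }
    providers=$(list_providers "$file")
    [ -n "$providers" ] || { echo "no provider list: $file"; return 3; }
    # Java 9+ registers the provider by name (SunJGSS); older runtimes use
    # the class name sun.security.jgss.SunProvider.
    if printf '%s\n' "$providers" |
        grep -Eq '^[0-9]+ (SunJGSS|sun\.security\.jgss\.SunProvider)( |$)'; then
        echo "ok: SunJGSS listed in $file"
        return 0
    fi
    echo "missing: SunJGSS not listed in $file"
    printf '%s\n' "$providers"
    return 1
}

# write_sample FILE: constructed sample of a retained list without SunJGSS
# (provider names are illustrative, not copied from an appliance).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
security.provider.2=SunJSSE
security.provider.1=ExampleFipsProvider
#security.provider.3=SunJGSS
EOF
}
```

Run `check_jgss` with no argument on each node; exit status 1 matches the condition described under Cause, and status 2 means no retained override file is present.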



Additional Information

Impact/Risks:
Users are unable to use Kerberos authentication for the PowerShell plugin in FIPS mode.