Steps for removing weak SHA1 algorithms and ciphers from VMware Aria Products
search cancel

Steps for removing weak SHA1 algorithms and ciphers from VMware Aria Products

book

Article ID: 326133

calendar_today

Updated On:

Products

VMware VMware Aria Suite VMware Aria Operations 8.x VMware Aria Operations for Networks

Issue/Introduction

Symptoms:
Qualys scans have determined that a weak cipher is in used on port 22.

Environment

Identity Manager 3.3.7
Aria Suite Lifecyle Manager 8.x
Aria Automation 8.x
Aria Automation Config 8.x
Aria Operations 8.x
Aria Operations for Logs 8.12.x
Aria Operations for Logs 8.14.x
Aria Operations for Networks 6.x

Cause

  • Qualys scans have determined that a weak cipher is in used on port 22.
  • The cipher(s) in questions for this product are:
    • key exchange diffie-hellman-group14-sha1
    • host key ssh-rsa
    • MAC [email protected]
    • MAC hmac-sha1

Resolution

  Note: If FIPS enabled on Aria Life Cycle Manager workaround not required. 
Product  Workaround
VMware Aria Suite Lifecycle 8.x

The resolution is already included in the VMware Aria Suite Lifecycle 8.14 Patch 1.

Note: Later 8.14 PSPACKS 4 & 5 can remove ciphers which can break communication with SDDC Manager. To resolve:

  1. Log in to the Aria Suite Lifecycle Manager appliance and create a backup of the /etc/ssh/sshd_config file.
  2. Change the following settings in /etc/ssh/sshd_config file:

    Change the MACs line from:

    MACs [email protected],[email protected]

    To:
    MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256

  3. Save the changes to /etc/ssh/sshd_config and restart the SSH service using the command “systemctl restart sshd
VMware Aria Automation Config

Note: It is advisable to take a snapshot before implementing these changes and monitor the environment for a few days post-modification.

File to be modified: /etc/ssh/sshd_config

  1. Log in to the Aria Config appliance and create a backup of the /etc/ssh/sshd_config file.
  2. Change the following settings in /etc/ssh/sshd_config file:

    From:

    Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
    MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1

    To:

    Ciphers [email protected],[email protected]
    MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

  3. Save the changes to /etc/ssh/sshd_config and restart the SSH service using the command “systemctl restart sshd
VMware Aria Operations for Logs

Remove the deprecated SSH cryptographic settings from Aria Operations for Logs Appliance Remove SHA1 from SSH service in VMware Aria Operations for Logs 8.12.x and 8.14.x

VMware Operations for Networks

Note: It is advisable to take a snapshot before implementing these changes and monitor the environment for a few days post-modification.

File to be modified: /etc/ssh/sshd_config

  1. Login with support credentials
  2. Elevate to ubuntu user with command : ub
  3. Take a backup of the existing sshd_config file : sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  4. Run : sudo vi /etc/ssh/sshd_config and add/replace the following:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
    MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512

  5. Save the changes. Then execute the command "sudo systemctl restart sshd.service", without this the changes won't take effect.
  6. Repeat this for every node including the collectors.
VMware Aria Automation & Automation Orchestrator

Note: It is advisable to take a snapshot before implementing these changes and monitor the environment for a few days post-modification.

  1. Log in to each Aria Automation appliance and take a backup of the /etc/ssh/sshd_config_effective file
  2. Add or replace the following settings in /etc/ssh/sshd_config_effective file (for versions bellow 8.11.2 modify the /etc/ssh/sshd_config file):

    MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
    KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

    Note that the MACs modification removes HMAC-SHA2-512 and HMAC-SHA2-256 algorithms, keeping only the ETM versions.

  3. Save the changes to /etc/ssh/sshd_config_effective and restart the SSH service using the command "systemctl restart sshd".
VMware Identity Manager 3.3.7 Remove the deprecated SSH cryptographic settings from VIDM Appliance Remove the deprecated SSH cryptographic settings from VIDM Appliance
VMware Aria Operations

 
 Remove the deprecated SSH cryptographic settings from Aria Operations Appliance Remove SHA1 from SSH service in VMware Aria Operations 8.12 and later


If you face any issue or need help, please open a case with our Technical Support.

Creating and managing Broadcom support cases