HCX - Configuring Encryption Protocols for all services

Article ID: 328951

Products

VMware HCX

Issue/Introduction

This document describes the process to configure (enable/disable) encryption protocols across the HCX service infrastructure.

Starting with HCX version 4.0.0 (Feb 2021), TLS1.2 will be the ONLY protocol enabled per FIPS compliance requirements.

Customers with legacy environments that require support for older encryption protocols must enable them manually by following these instructions. The changes are overwritten by any appliance redeployment or upgrade, and this configuration is supported ONLY for temporary Datacenter evacuation projects.

Resolution

The following changes must be made at the source and target sites, on all the appliances deployed for every Service Mesh. There must be no active migration or configuration workflows. Network Extension services are not affected by these changes.
  • Log in to the HCX Connector or Cloud Manager as the "admin" user
  • Change user to "root"
This section modifies the HCX Connector or Cloud Manager HTTP (web-engine) configuration
  • Edit the SSL configuration file to enable (+) or disable (-) protocols for the HTTP server as required
[admin@hcx-connector /opt/vmware/config/apache-httpd]$ vim hcx-ssl.conf

# CipherSuite spec taken from https://wiki.mozilla.org/Security/Server_Side_TLS for modern compatibility
SSLProtocol  -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder     on
TraceEnable off
  • Restart the web-engine service
systemctl restart web-engine

This section modifies the IX appliance hbrsrv and Mobility Agent (MA) configuration
  • Switch to the CCLI prompt and select the IX appliance
[admin@hcx-connector]$ ccli

Welcome to HCX Central CLI
[admin@hcx-connector] list
|------------------------------------------------------------------------|
| Id | Node                  | Address            | State     | Selected |
|------------------------------------------------------------------------|
| 0  | SM-IX-I1              | 10.145.208.72:9443 | Connected |          |
|------------------------------------------------------------------------|

[admin@hcx-connector] go 0
Switched to node 0.

[admin@hcx-connector:SM-IX-I1]
  • Open the SSH prompt on the appliance
[admin@hcx-connector:SM-IX-I1] ssh
Welcome to HCX Central CLI
Last login: Fri Jan  8 21:25:17 2021 from 127.0.0.1

[root@OnPrem-to-Site1-IX-I1 ~]# 
  • Edit the hbrsrv configuration file to add or remove the entire <ssl> section. When the section is present, only TLSv1.2 is used; removing it re-enables the legacy protocols. Legacy protocols cannot be enabled or disabled individually here, only as the entire set.
[root@SM-IX-I1 /etc/vmware]# vim hbrsrv.xml 

<config>
    ....
    <vmacore>
        ....
        <ssl>
            <!--
             The value 385875968 (i.e. 0x17000000) translates to
             "SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1"
             when invoking SSL_CTX_set_options().
            -->
            <sslOptions>385875968</sslOptions>
        </ssl>
    </vmacore>
    ....
</config>
  • Restart the hbrsrv service
systemctl restart hbrsrv
  • Edit the appliance configuration to add or remove the tls.protocols entry naming the protocol to be used. If no protocol is specified, all protocols are enabled.
[root@SM-IX-I1 /etc/vmware]# vim config

vix.libdir = "/usr/lib/vmware-vix/lib"
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/usr/lib/vmware/bin/vmware-authd"
tls.protocols = "tls1.2"
  • Restart the mobility agent service
systemctl restart mobilityagent
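After editing the three files on every appliance, it is easy to lose track of which component still negotiates a legacy protocol. The following Python script is an added example, not part of the VMware article or the HCX product: it parses the three configuration formats shown above (the SSLProtocol directive in hcx-ssl.conf, the <sslOptions> bitmask in hbrsrv.xml, and the tls.protocols key in /etc/vmware/config) and reports, per component, which protocol versions remain enabled. It also decodes the sslOptions value using OpenSSL's SSL_OP_NO_* flag values, which confirms that 385875968 (0x17000000) is exactly SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 as the file's comment states. Assumptions (not stated on the page): hbrsrv passes the value unchanged to SSL_CTX_set_options(), and tls.protocols accepts a comma-separated list of versions. The sample file contents are constructed inline from the article's snippets.

```python
"""Audit the HCX TLS protocol settings edited in the steps above.

Added example, not VMware's code. Parses hcx-ssl.conf, hbrsrv.xml and
/etc/vmware/config and reports which protocol versions each component
still negotiates. Sample contents are constructed from the article.
"""
import re
import xml.etree.ElementTree as ET

ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL SSL_OP_NO_* flag values (1.0.x/1.1.x layout). Assumption: hbrsrv
# hands <sslOptions> straight to SSL_CTX_set_options(), as its comment says.
SSL_OP_NO = {
    "SSLv2": 0x01000000,
    "SSLv3": 0x02000000,
    "TLSv1": 0x04000000,
    "TLSv1.2": 0x08000000,
    "TLSv1.1": 0x10000000,
}

def _order(p):
    return ALL_PROTOCOLS.index(p) if p in ALL_PROTOCOLS else len(ALL_PROTOCOLS)

def parse_apache_sslprotocol(conf_text):
    """Protocols enabled by the SSLProtocol directive (+/- token form).
    A token without a sign enables that protocol; a missing directive is
    treated as unconstrained so the audit errs toward flagging."""
    m = re.search(r"^\s*SSLProtocol\s+(.+)$", conf_text, re.MULTILINE)
    if not m:
        return set(ALL_PROTOCOLS)
    enabled = set()
    for tok in m.group(1).split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        enabled.add(name) if sign == "+" else enabled.discard(name)
    return enabled

def decode_ssl_options(value):
    """Protocols still permitted by an SSL_CTX_set_options() bitmask."""
    return {p for p in ALL_PROTOCOLS if not value & SSL_OP_NO[p]}

def parse_hbrsrv_xml(xml_text):
    """Protocols permitted by hbrsrv.xml. Per the article, removing the
    <ssl> section re-enables the legacy set, so with no SSL_OP_NO_* bits
    every version is reported as negotiable."""
    node = ET.fromstring(xml_text).find("./vmacore/ssl/sslOptions")
    if node is None or not node.text or not node.text.strip():
        return set(ALL_PROTOCOLS)
    return decode_ssl_options(int(node.text.strip()))

def parse_vmware_config(text):
    """Protocols from tls.protocols in /etc/vmware/config. Assumption: a
    comma-separated list such as "tls1.2"; an absent key enables all."""
    m = re.search(r'^\s*tls\.protocols\s*=\s*"([^"]*)"', text, re.MULTILINE)
    if not m:
        return set(ALL_PROTOCOLS)
    names = {"sslv3": "SSLv3", "tls1": "TLSv1", "tls1.0": "TLSv1",
             "tls1.1": "TLSv1.1", "tls1.2": "TLSv1.2"}
    return {names.get(t.strip().lower(), t.strip())
            for t in m.group(1).split(",") if t.strip()}

def audit(component, enabled):
    """One audit row: enabled versions and any legacy ones among them."""
    return {"component": component,
            "enabled": sorted(enabled, key=_order),
            "legacy": sorted(enabled & LEGACY, key=_order)}

# Constructed samples mirroring the article's hardened (TLSv1.2-only) state.
HCX_SSL_CONF = """
SSLProtocol  -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLHonorCipherOrder     on
TraceEnable off
"""
HBRSRV_XML = """<config>
  <vmacore>
    <ssl>
      <sslOptions>385875968</sslOptions>
    </ssl>
  </vmacore>
</config>"""
VMWARE_CONFIG = 'libdir = "/usr/lib/vmware"\ntls.protocols = "tls1.2"\n'

# Constructed samples for the legacy state (section removed / key absent).
HBRSRV_XML_LEGACY = "<config><vmacore></vmacore></config>"
VMWARE_CONFIG_LEGACY = 'libdir = "/usr/lib/vmware"\n'

def run_audit(ssl_conf=HCX_SSL_CONF, hbr_xml=HBRSRV_XML, vm_conf=VMWARE_CONFIG):
    """Audit all three components; returns a list of audit rows."""
    return [
        audit("web-engine (hcx-ssl.conf)", parse_apache_sslprotocol(ssl_conf)),
        audit("hbrsrv (hbrsrv.xml)", parse_hbrsrv_xml(hbr_xml)),
        audit("mobilityagent (/etc/vmware/config)", parse_vmware_config(vm_conf)),
    ]

if __name__ == "__main__":
    for row in run_audit(hbr_xml=HBRSRV_XML_LEGACY, vm_conf=VMWARE_CONFIG_LEGACY):
        status = "LEGACY ENABLED: " + ",".join(row["legacy"]) if row["legacy"] else "ok"
        print(f"{row['component']:38} {','.join(row['enabled']):32} {status}")
```

On a real appliance, replace the constructed strings with the contents of the three files and run the script from the root shell; a row whose "legacy" list is non-empty is a component that has been opened up for the evacuation project and should be returned to TLSv1.2-only (or simply redeployed, since the article notes redeployment overwrites the change) once the migration is finished.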