Disabling NULL ciphers for Postgres on vRA 7.2.0
Article ID: 340881

Products

VMware Aria Suite

Issue/Introduction

By default, the postgres database on vRealize Automation 7.2.0 is configured to accept some NULL SSL cipher suites on port 5432 (suites that provide no encryption or no authentication). This article provides steps to disable NULL ciphers.

Environment

VMware vRealize Automation 7.1.x
VMware vRealize Automation 6.2
VMware vRealize Automation 7.0.x
VMware vRealize Automation Desktop 6.2.x
VMware vRealize Automation 6.2.x
VMware vRealize Automation 7.2.x
VMware vRealize Automation 7.3.x
VMware vRealize Automation 6.x
VMware vRealize Automation 7.x
VMware vRealize Automation Desktop 6.2

Resolution

To disable the use of NULL ciphers for postgres:

  1. Schedule a change window to implement the change to prevent database updates during the outage.
  2. Take a backup of the vRealize Automation environment.
  3. Adjust the ssl_ciphers on all vRealize Automation appliance nodes in the cluster.

    1. Connect to the appliance through console or SSH.
    2. Navigate to /storage/db/pgdata/

      cd /storage/db/pgdata/

    3. Edit postgresql.conf with a text editor.
    4. Adjust the ssl_ciphers to the following:

      ssl_ciphers = 'TLSv1.2:!aNULL:!eNULL'


  4. If the database is not in use, run the below command to restart the service on all appliances:

    service vpostgres restart


    Note: You can also restart the appliance to prevent local vRealize Automation and vRealize Orchestrator services from attempting to interact with the database while it is unavailable.


Additional Information

Note: By default, the option ssl_ciphers appears twice in the postgresql.conf on vRealize Automation 7.2: once in the comments and once in the CUSTOMIZED OPTIONS section. If multiple occurrences are enabled in the file, the last occurrence takes precedence and you might not notice any change in behavior. For best results, confirm that only a single occurrence is enabled and that it is configured correctly.
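The following script is an added example and is not part of the VMware article: it audits a postgresql.conf before step 4 (the vpostgres restart) by counting the enabled ssl_ciphers lines, extracting the last one, which is the value PostgreSQL applies when the option is set more than once, and checking that it excludes aNULL and eNULL suites. The two sample configuration files it writes are constructed for illustration; on an appliance you would point check_ssl_ciphers at /storage/db/pgdata/postgresql.conf instead.

```shell
#!/bin/sh
# Added example (not from the KB article): audit ssl_ciphers in a
# postgresql.conf before restarting vpostgres. Sample files below are
# constructed for illustration; they are not the appliance's real file.

# count_enabled_ssl_ciphers FILE -> number of uncommented ssl_ciphers lines
count_enabled_ssl_ciphers() {
    grep -cE '^[[:space:]]*ssl_ciphers[[:space:]]*=' "$1" || true
}

# effective_ssl_ciphers FILE -> the value PostgreSQL actually applies.
# When the option is set more than once the last enabled line wins, so only
# that line is kept; the trailing comment and surrounding quotes are stripped.
effective_ssl_ciphers() {
    grep -E '^[[:space:]]*ssl_ciphers[[:space:]]*=' "$1" | tail -n 1 \
        | sed -e 's/^[[:space:]]*ssl_ciphers[[:space:]]*=[[:space:]]*//' \
              -e 's/[[:space:]]*#.*$//' \
              -e 's/[[:space:]]*$//' \
              -e "s/^'//" -e "s/'\$//"
}

# null_ciphers_excluded VALUE -> success when both anonymous (aNULL) and
# no-encryption (eNULL) suites are explicitly excluded from the list
null_ciphers_excluded() {
    case "$1" in
        *'!aNULL'*'!eNULL'* | *'!eNULL'*'!aNULL'*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssl_ciphers FILE -> 0 only when exactly one ssl_ciphers line is
# enabled and it excludes NULL ciphers; prints a short report either way
check_ssl_ciphers() {
    count=$(count_enabled_ssl_ciphers "$1")
    value=$(effective_ssl_ciphers "$1")
    status=0
    echo "$1: enabled ssl_ciphers lines = $count, effective = '$value'"
    if [ "$count" -ne 1 ]; then
        echo "  WARN: expected exactly one enabled ssl_ciphers line (last one wins)"
        status=1
    fi
    if null_ciphers_excluded "$value"; then
        echo "  OK: aNULL and eNULL suites are excluded"
    else
        echo "  WARN: effective value does not exclude aNULL/eNULL"
        status=1
    fi
    return $status
}

# Constructed sample: a commented line plus two enabled lines in the
# CUSTOMIZED OPTIONS section; the stale last line silently undoes the fix.
write_stale_conf() {
    cat > "$1" <<'EOF'
#ssl_ciphers = 'ALL:!aNULL:!eNULL'   # commented line, ignored by PostgreSQL
ssl = on
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
ssl_ciphers = 'TLSv1.2:!aNULL:!eNULL'
ssl_ciphers = 'ALL'   # stale second occurrence: this one takes effect
EOF
}

# Constructed sample: the state the KB procedure is meant to leave behind
write_fixed_conf() {
    cat > "$1" <<'EOF'
#ssl_ciphers = 'ALL:!aNULL:!eNULL'
ssl = on
# CUSTOMIZED OPTIONS
ssl_ciphers = 'TLSv1.2:!aNULL:!eNULL'
EOF
}

stale=$(mktemp); fixed=$(mktemp)
write_stale_conf "$stale"; write_fixed_conf "$fixed"
check_ssl_ciphers "$stale" || echo "  -> fix postgresql.conf before 'service vpostgres restart'"
check_ssl_ciphers "$fixed" && echo "  -> safe to run 'service vpostgres restart'"
rm -f "$stale" "$fixed"
```

Run it on each appliance node in the cluster before the restart in step 4; a non-zero exit from check_ssl_ciphers means either a second enabled occurrence is overriding your edit or the effective value still admits NULL suites.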