Disabling NULL ciphers for Postgres on vRA 7.2.0
search cancel

Disabling NULL ciphers for Postgres on vRA 7.2.0


Article ID: 340881


Updated On:


VMware Aria Suite


By default, the postgres database on vRealize Automation 7.2.0 is configured to accept some NULL SSL ciphers on port 5432. This article provides steps to disable NULL ciphers.


VMware vRealize Automation 7.1.x
VMware vRealize Automation 6.2
VMware vRealize Automation 7.0.x
VMware vRealize Automation Desktop 6.2.x
VMware vRealize Automation 6.2.x
VMware vRealize Automation 7.2.x
VMware vRealize Automation 7.3.x
VMware vRealize Automation 6.x
VMware vRealize Automation 7.x
VMware vRealize Automation Desktop 6.2


To disable the use of NULL ciphers for postgres:

  1. Schedule a change window to implement the change to prevent database updates during the outage.
  2. Take a backup of the vRealize Automation environment.
  3. Adjust the ssl_ciphers on all vRealize Automation appliance nodes in the cluster.

    1. Connect to the appliance through console or SSH.
    2. Navigate to /storage/db/pgdata/

      cd /storage/db/pgdata/

    3. Edit postgresql.conf with a text editor.
    4. Adjust the ssl_ciphers to the following:

      ssl_ciphers = 'TLSv1.2:!aNULL:!eNULL'

  4. If the database is not in use, run the below command to restart the service on all appliances:

    service vpostgres restart

    Note: You can also restart the appliance to prevent local vRealize Automation and vRealize Orchestrator services from attempting to interact with the database while it is unavailable.

Additional Information

Note: By default, the option ssl_ciphers appears twice in the postgresql.conf on vRealize Automation 7.2: once in the comments and once in the CUSTOMIZED OPTIONS options section. If multiple occurrences are enabled in the file, the last occurrence will take precedence and you might not notice any changes to the behavior. For best results, confirm that there is only a single occurrence is enabled and that it is configured correctly.