How to configure Inter Node Communication Cipher Suites in vRealize Operations 8.3

Article ID: 342030

Products

VMware Aria Suite

Issue/Introduction

Starting in vRealize Operations 8.3, the SSL/TLS protocols and cipher suites used for inter-node communication can be configured to tighten or relax the default configuration to suit your environment. Restricting the lists (for example TLSv1.2 only, with ECDHE AEAD suites only) is the hardening direction; re-enabling TLSv1.1 or TLSv1 lowers security and should only be done for a specific, documented compatibility requirement.

Note: TLSv1.3 is not yet supported in vRealize Operations and cannot be used.

Environment

VMware vRealize Operations 8.3.x
VMware vRealize Operations 8.x

Resolution

To change the SSL protocols and cipher suites of vRealize Operations and its underlying components (Apache, Cassandra and Postgres), the cluster must be taken offline first.
  1. Log into the vRealize Operations Manager Admin UI as the local admin user.
  2. Click Take Offline under Cluster Status.
Note: Wait for Cluster Status to show as Offline.

The sections below walk through editing each configuration file with the sed command. After making the desired configuration changes, bring the cluster back online; see the end of this Resolution section for the steps.


vRealize Operations

Ensure the cluster is taken offline before proceeding.
  1. Log in to the Primary node as root via SSH or the console (at the console, press ALT+F1 to get a login prompt).
  2. Back up the default configuration file:
cp /storage/vcops/user/conf/ssl/secure-communications.properties /storage/vcops/user/conf/ssl/secure-communications.bak
  3. Check the currently configured SSL protocols and cipher suites using the following commands:
  • grep inter_cluster.supported_protocols /storage/vcops/user/conf/ssl/secure-communications.properties
  • grep inter_cluster.supported_cipher_suites /storage/vcops/user/conf/ssl/secure-communications.properties

    Note: If the inter_cluster grep commands return nothing, the inter_cluster protocols and cipher suites are not set explicitly and the default values are in use. Find those with the following commands:
  • grep default.supported_protocols /storage/vcops/user/conf/ssl/secure-communications.properties
  • grep default.supported_cipher_suites /storage/vcops/user/conf/ssl/secure-communications.properties
  4. Use one of the following options to replace the SSL protocols and cipher suites, depending on your results from step 3:
    1. If the inter_cluster grep commands returned a result, use these commands to replace the SSL protocols and cipher suites:
  • sed -i "/^[^#]*inter_cluster.supported_protocols/ c\inter_cluster.supported_protocols = NEW_VALUE" /storage/vcops/user/conf/ssl/secure-communications.properties
  • sed -i "/^[^#]*inter_cluster.supported_cipher_suites/ c\inter_cluster.supported_cipher_suites = NEW_VALUE" /storage/vcops/user/conf/ssl/secure-communications.properties
Note: Replace NEW_VALUE with the new SSL protocols or cipher suites. Protocols are space separated and cipher suites comma separated, using the TLS_... names shown in the examples. The sed c\ command replaces the whole uncommented line, so give the complete list you want in effect, not just the entries being added.

Examples:
  • sed -i "/^[^#]*inter_cluster.supported_protocols/ c\inter_cluster.supported_protocols = TLSv1.2 TLSv1.1 TLSv1" /storage/vcops/user/conf/ssl/secure-communications.properties
  • sed -i "/^[^#]*inter_cluster.supported_cipher_suites/ c\inter_cluster.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" /storage/vcops/user/conf/ssl/secure-communications.properties
    2. If the inter_cluster grep commands returned nothing, use these commands to replace the SSL protocols and cipher suites:
  • sed -i "/^[^#]*default.supported_protocols/ c\default.supported_protocols = NEW_VALUE" /storage/vcops/user/conf/ssl/secure-communications.properties
  • sed -i "/^[^#]*default.supported_cipher_suites/ c\default.supported_cipher_suites = NEW_VALUE" /storage/vcops/user/conf/ssl/secure-communications.properties
Note: Replace NEW_VALUE with the new SSL protocols or cipher suites, in the same format as described above.

Examples:
  • sed -i "/^[^#]*default.supported_protocols/ c\default.supported_protocols = TLSv1.2 TLSv1.1 TLSv1" /storage/vcops/user/conf/ssl/secure-communications.properties
  • sed -i "/^[^#]*default.supported_cipher_suites/ c\default.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" /storage/vcops/user/conf/ssl/secure-communications.properties
Note: The protocol examples above relax the configuration by re-enabling TLSv1.1 and TLSv1, both deprecated by RFC 8996. To harden instead, set TLSv1.2 alone, as the Apache example below does.
  5. Repeat steps 1 - 4 on all nodes in the cluster, including Remote Collectors.
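The check-then-replace decision of steps 3 and 4 above, collapsed into one reusable shell function. This is an added example and not VMware's code or anything shipped with vRealize Operations; it works on a constructed sample file rather than the real secure-communications.properties, uses awk plus a temporary file instead of sed -i so it behaves the same on GNU and BSD sed, and applies the same rule as the page's /^[^#]*key/ sed address (a key is live when it appears on a line with no # before it). The function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not VMware's code: the step 3/4 decision for
# secure-communications.properties as one function. The sample file content
# below is constructed for the demo and is not a real appliance file.

# Which key is live for a suffix: an uncommented inter_cluster.<suffix>
# line wins; otherwise the default.<suffix> value is what the nodes use.
resolve_key() {
  if grep -q "^[^#]*inter_cluster\.$2" "$1"; then
    echo "inter_cluster.$2"
  else
    echo "default.$2"
  fi
}

# Rewrite the live line as "<key> = <value>" and print which key changed.
# Same rule as the /^[^#]*key/ sed address on the page: the key must appear
# with no # before it, so commented-out lines are left alone. awk plus a
# temp file is used instead of sed -i, which differs between GNU and BSD sed.
set_secure_comm() {
  sc_file=$1
  sc_key=$(resolve_key "$1" "$2")
  sc_value=$3
  sc_tmp=$(mktemp) || return 1
  awk -v key="$sc_key" -v value="$sc_value" '
    {
      pos = index($0, key); hash = index($0, "#")
      if (pos > 0 && (hash == 0 || hash > pos)) { print key " = " value; next }
      print
    }' "$sc_file" > "$sc_tmp" || { rm -f "$sc_tmp"; return 1; }
  cat "$sc_tmp" > "$sc_file"     # keeps the original inode and permissions
  rm -f "$sc_tmp"
  echo "$sc_key"
}

# Print the value currently in effect for a suffix (what the nodes will use).
effective_value() {
  ev_key=$(resolve_key "$1" "$2")
  awk -v key="$ev_key" '
    {
      pos = index($0, key); hash = index($0, "#")
      if (pos > 0 && (hash == 0 || hash > pos)) {
        sub(/^[^=]*= */, ""); print; exit
      }
    }' "$1"
}

# Constructed sample: protocols only set through default.*, cipher suites
# overridden for inter-node traffic, plus a commented-out override that must
# survive untouched.
write_sample_file() {
  cat > "$1" <<'EOF'
# constructed sample of secure-communications.properties (not the real file)
default.supported_protocols = TLSv1.2 TLSv1.1 TLSv1
default.supported_cipher_suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# inter_cluster.supported_protocols = TLSv1
inter_cluster.supported_cipher_suites = TLS_RSA_WITH_AES_128_CBC_SHA
EOF
}

demo() {
  d_file=$(mktemp)
  write_sample_file "$d_file"
  cp "$d_file" "$d_file.bak"      # keep the backup the page asks for
  echo "rewrote: $(set_secure_comm "$d_file" supported_protocols 'TLSv1.2')"
  echo "rewrote: $(set_secure_comm "$d_file" supported_cipher_suites \
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384')"
  echo "protocols in effect:     $(effective_value "$d_file" supported_protocols)"
  echo "cipher suites in effect: $(effective_value "$d_file" supported_cipher_suites)"
  rm -f "$d_file" "$d_file.bak"
}
demo
```

On the sample, the protocol change lands on default.supported_protocols (the inter_cluster line is commented out, so it is not live), while the cipher suite change lands on the uncommented inter_cluster.supported_cipher_suites line; the commented line and the untouched default.supported_cipher_suites line stay as they were.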


Apache

Ensure the cluster is taken offline before proceeding.
  1. Log in to the Primary node as root via SSH or the console (at the console, press ALT+F1 to get a login prompt).
  2. Back up the default configuration file:
cp /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.bak
  3. Check the currently configured SSL protocols and cipher suites using the following commands:
  • grep SSLProtocol /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf | grep -v '#'
  • grep SSLCipherSuite /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf | grep -v '#'
  4. Use the following commands to replace the SSL protocols and cipher suites:
  • sed -i -E "s/^[^#]*(SSLProtocol).*/\1 NEW_VALUE/" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf
  • sed -i -E "s/^[^#]*(SSLCipherSuite).*/\1 NEW_VALUE/" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf
Note: Replace NEW_VALUE with the new SSL protocols (Apache SSLProtocol syntax) or cipher suites (an OpenSSL cipher string). Inside double quotes, an interactive bash shell treats ! as a history-expansion character, so put \ before every ! as in the example. The \! reaches sed unchanged and sed writes it out as a plain !, so the escaping is also harmless in scripts, where history expansion is off.

Examples:
  • sed -i -E "s/^[^#]*(SSLProtocol).*/\1 TLSv1.2/" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf
  • sed -i -E "s/^[^#]*(SSLCipherSuite).*/\1 HIGH:\!aNULL:\!ADH:\!EXP:\!MD5:\!3DES:\!CAMELLIA:\!PSK:\!SRP:\!DH:@STRENGTH/" /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf
Note: Listing TLSv1.2 alone, as in the first example, enables only that protocol version. After the change, confirm with the grep commands from step 3 that exactly one uncommented SSLProtocol and one uncommented SSLCipherSuite line remain.
  5. Restart the httpd service by running this command:
service httpd restart
  6. Repeat steps 1 - 5 on all nodes in the cluster, including Remote Collectors.


Cassandra

Ensure the cluster is taken offline before proceeding.
  1. Log in to the Primary node as root via SSH or the console (at the console, press ALT+F1 to get a login prompt).
  2. Back up the default configuration file:
cp /usr/lib/vmware-vcops/user/conf/cassandra/cassandra.template.yaml /usr/lib/vmware-vcops/user/conf/cassandra/cassandra.template.bak
  3. Check the currently configured cipher suites using the following command:
  • grep cipher_suites: /usr/lib/vmware-vcops/user/conf/cassandra/cassandra.template.yaml | grep -v '#'
  4. Use the following command to replace the cipher suites:
  • sed -i -E "s/(^[^#]*cipher_suites:).*/\1 [NEW_VALUE]/" /usr/lib/vmware-vcops/user/conf/cassandra/cassandra.template.yaml
Note: Replace NEW_VALUE with the new cipher suites, comma separated and using the TLS_... names shown in the example. Cassandra runs on the JVM, which does not accept the OpenSSL-style names used by Apache and Postgres. The square brackets around NEW_VALUE are the YAML list syntax and must stay.

Example:
  • sed -i -E "s/(^[^#]*cipher_suites:).*/\1 [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]/" /usr/lib/vmware-vcops/user/conf/cassandra/cassandra.template.yaml
  5. Repeat steps 1 - 4 on all nodes in the cluster, including Remote Collectors.


Postgres

Ensure the cluster is taken offline before proceeding.
  1. Log in to the Primary node as root via SSH or the console (at the console, press ALT+F1 to get a login prompt).
  2. Back up the default configuration file:
cp /storage/db/vcops/vpostgres/repl/postgresql.conf /storage/db/vcops/vpostgres/repl/postgresql.bak
  3. Check the currently configured cipher suites using the following command:
  • grep ssl_ciphers /storage/db/vcops/vpostgres/repl/postgresql.conf | grep -v '#'
  4. Use the following command to replace the cipher suites:
  • sed -i -E "s/^[^#]*(ssl_ciphers).*/\1 = 'NEW_VALUE'/" /storage/db/vcops/vpostgres/repl/postgresql.conf
Note: Replace NEW_VALUE with the new cipher suites as an OpenSSL cipher string. As with Apache, put \ before every ! so that an interactive bash shell does not treat it as history expansion. The single quotes inside the replacement are part of the postgresql.conf syntax and must stay.

Example:
  • sed -i -E "s/^[^#]*(ssl_ciphers).*/\1 = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!RC4:\!3DES:\!MD5:\!PSK'/" /storage/db/vcops/vpostgres/repl/postgresql.conf
  5. Repeat steps 1 - 4 on the Replica node if High Availability (HA) or Continuous Availability (CA) is enabled.

After the configuration changes are made, the cluster can be brought back online.
  1. Log into the vRealize Operations Manager Admin UI as the local admin user.
  2. Click Bring Online under Cluster Status.
Note: Wait for Cluster Status to show as Online.

Additional Information

As a quick reference, the configuration file for each technology is listed below.

Technology             Configuration File
vRealize Operations    /storage/vcops/user/conf/ssl/secure-communications.properties
Apache                 /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf
Cassandra              /usr/lib/vmware-vcops/user/conf/cassandra/cassandra.template.yaml
Postgres               /storage/db/vcops/vpostgres/repl/postgresql.conf

List of available cipher suites per service

Apache and Postgres (OpenSSL names, as used by SSLCipherSuite and ssl_ciphers; run openssl ciphers -v 'STRING' on the node to see exactly which suites a cipher string such as the examples above expands to)

  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES256-SHA256
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • DHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-SHA
  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA

Cassandra (the same suites, listed here with their OpenSSL names; the cipher_suites value in cassandra.template.yaml takes JSSE names of the TLS_... form shown in the Cassandra example, for instance TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for ECDHE-RSA-AES256-GCM-SHA384, so translate the names before using them there)

  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • DHE-RSA-AES256-SHA256
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • DHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • DHE-RSA-AES128-SHA
  • AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA
  • AES128-SHA
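The lists above use OpenSSL names, while the Cassandra example earlier on this page uses JSSE names. The following is an added example, not VMware's code, that converts the OpenSSL names in the list into that JSSE form with a handful of sed rules, so a Cassandra cipher_suites value can be derived from the same list used for Apache and Postgres. It covers only the RSA-authenticated AES suite families that appear in the list (ECDHE-RSA, DHE-RSA and plain RSA key exchange) and refuses anything else rather than guessing; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not VMware's code: derive JSSE cipher suite names (the form
# the Cassandra cipher_suites example on this page uses) from the OpenSSL
# names listed above. Scope is the RSA-authenticated AES families in that
# list only: ECDHE-RSA-*, DHE-RSA-* and plain RSA (bare AES*) key exchange.

# Convert one OpenSSL name, e.g. ECDHE-RSA-AES256-GCM-SHA384
# -> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Refuses other families (ECDSA,
# ChaCha20, ...) instead of guessing a name that the JVM would reject.
openssl_to_jsse() {
  case "$1" in
    ECDHE-RSA-AES*|DHE-RSA-AES*|AES*) ;;
    *) echo "unsupported cipher name: $1" >&2; return 1 ;;
  esac
  # Rules, in order: insert WITH after the key exchange (a bare AES name
  # means RSA key exchange); split the key size out of AES128/AES256;
  # OpenSSL leaves CBC implicit while JSSE spells it out, but GCM suites
  # have no CBC; finally swap - for _ and add the TLS_ prefix.
  printf '%s\n' "$1" | sed -E \
    -e 's/^(ECDHE-RSA|DHE-RSA)-AES/\1-WITH-AES/' \
    -e 's/^AES/RSA-WITH-AES/' \
    -e 's/AES(128|256)-/AES-\1-/' \
    -e 's/-(SHA384|SHA256|SHA)$/-CBC-\1/' \
    -e 's/GCM-CBC-/GCM-/' \
    -e 's/-/_/g' \
    -e 's/^/TLS_/'
}

# Build the bracketed, comma-separated value for cassandra.template.yaml
# from a list of OpenSSL names; fails on the first name it cannot convert.
to_cassandra_list() {
  cl_out=""
  for cl_name in "$@"; do
    cl_jsse=$(openssl_to_jsse "$cl_name") || return 1
    cl_out="${cl_out:+$cl_out, }$cl_jsse"
  done
  printf '[%s]\n' "$cl_out"
}

# Demo over the AEAD entries of the list above, two CBC entries, and one
# name outside the supported scope.
to_cassandra_list ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 \
                  ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
to_cassandra_list ECDHE-RSA-AES256-SHA384 AES128-SHA
to_cassandra_list ECDHE-ECDSA-AES256-GCM-SHA384 || echo "conversion refused, as intended"
```

The output of the first call is the value to place inside the square brackets of the cipher_suites sed command in the Cassandra section. The refusal on an unsupported family is deliberate: a name the JVM does not recognise in cipher_suites is a configuration error, and it is better to notice it before the cluster is brought back online.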
 

Restoring default configuration files

To restore any of the default configuration files, take the cluster offline first, then copy the backup over the modified file:
cp backup_file config_file

Note: Replace backup_file with the backup you took before editing, and config_file with the configuration file it was taken from. For the Apache file, restart httpd afterwards as in the Apache section. Bring the cluster back online when done.

Example: cp /storage/vcops/user/conf/ssl/secure-communications.bak /storage/vcops/user/conf/ssl/secure-communications.properties


Backing up configuration files

During an upgrade, modified configuration files are reset to their default state. Back up any modified configuration files before upgrading.
To back up any of the configuration files, run the following command:
cp config_file backup_file

Note: Replace config_file with the name of the configuration file, and backup_file with a backup file name of your choosing.

Example: cp /storage/vcops/user/conf/ssl/secure-communications.properties /storage/vcops/user/conf/ssl/secure-communications.backup

To restore the configuration after the upgrade, do not copy the old files back; re-apply the changes manually by following the KB article for the version of vRealize Operations you upgraded to, so that the files conform to the new version's configuration standards. Use the backed-up files only to look up the cipher suites and protocols you previously used.