"Server has a weak ephemeral Diffie-Hellman public key" error while accessing vRO

Article ID: 342263

Products

VMware Aria Suite

Issue/Introduction

This article provides a procedure for removing the Diffie-Hellman ciphers from the vRealize Orchestrator Web configuration files.

Symptoms:
  • When accessing VMware vRealize Orchestrator with a Web browser, you see the error:

    Server has a weak ephemeral Diffie-Hellman public key

  • The Web browser is a recent version of Firefox or Chrome.
  • In Internet Explorer, you see the error:

    Page Cannot be Displayed error


Environment

VMware vCenter Orchestrator 5.5.x
VMware vRealize Orchestrator 6.0.x

Cause

This issue occurs because Firefox 39, Chrome 45 and later versions consider Diffie-Hellman ciphers insecure and block them. Internet Explorer allows the page to load, but the login attempt fails, even after resetting the password to the default.

Resolution

To resolve this issue, remove the Diffie-Hellman ciphers from vRealize Orchestrator:

Note: VMware recommends that you back up the vRealize Orchestrator Appliance or Windows virtual machine installation before making any changes.

  1. Run these commands to create a backup of the vRealize Orchestrator Appliance configuration files:

    cp /etc/vco/app-server/server.xml /etc/vco/app-server/server.bak
    cp /etc/vco/configuration/server.xml /etc/vco/configuration/server.bak

    In a Windows vRealize Orchestrator installation, you can create a backup copy of the files using Windows Explorer. The equivalent Windows paths to the server.xml files are:

    Program files\Vmware\Orchestrator\app-server\conf\server.xml
    Program files\Vmware\Orchestrator\configuration\conf\server.xml


  2. In a vRealize Orchestrator Appliance installation, open these two files using a text editor:

    /etc/vco/app-server/server.xml
    /etc/vco/configuration/server.xml

    In a Windows vRealize Orchestrator installation, open these two files using a text editor:

    Program files\Vmware\Orchestrator\app-server\conf\server.xml
    Program files\Vmware\Orchestrator\configuration\conf\server.xml

  3. In each file, locate this line:

    ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />


  4. Modify the line to read:

    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />

  5. Run these commands to restart the vRealize Automation Appliance configurator and server services:

    /etc/init.d/vco-configurator restart
    /etc/init.d/vco-server restart

    In a Windows installation, use the Windows Service manager to restart the relevant services.

  6. Clear the browser cache and retry accessing the VMware vRealize Orchestrator Interface.
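The following script is an added example for the appliance procedure above; it is not VMware's own tooling. It backs up each server.xml it is given, rewrites the ciphers="..." attribute so that every TLS_DHE_* suite is dropped (which yields exactly the two TLS_RSA suites shown in step 4 for the list in step 3), and offers a check that reports whether a file still advertises a DHE suite. It assumes a POSIX shell with awk, sed, grep and mktemp, and that the ciphers attribute sits on a single line of the file; the built-in demo uses a constructed connector fragment rather than a real vRO file.

```shell
#!/bin/sh
# Added example (not VMware's code): remove TLS_DHE_* suites from the
# ciphers="..." attribute of a Tomcat-style server.xml, keeping a .bak copy.
# Assumption: the ciphers attribute is on one line, as in the vRO files.

# Drop every TLS_DHE_* entry from a comma-separated cipher list.
strip_dhe() {
    printf '%s\n' "$1" | awk -F, '{
        out = ""
        for (i = 1; i <= NF; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", $i)   # trim whitespace around each suite
            if ($i == "") continue
            if ($i ~ /^TLS_DHE_/) continue     # ephemeral DH suite: leave it out
            out = (out == "") ? $i : (out "," $i)
        }
        print out
    }'
}

# Return 0 if the file still offers any TLS_DHE_* suite, 1 otherwise.
has_dhe() {
    grep -q 'ciphers="[^"]*TLS_DHE_' "$1"
}

# Back up the file, then rewrite its ciphers attribute without DHE suites.
fix_server_xml() {
    file=$1
    cp "$file" "$file.bak" || return 1
    old=$(sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$file" | head -n 1)
    if [ -z "$old" ]; then
        echo "no ciphers attribute found in $file" >&2
        return 1
    fi
    new=$(strip_dhe "$old")
    # Suite names contain only [A-Z0-9_,], so no sed escaping is needed.
    sed "s/ciphers=\"$old\"/ciphers=\"$new\"/" "$file" > "$file.new" \
        && mv "$file.new" "$file"
}

# Demo on a constructed fragment (not a real vRO server.xml).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<Connector port="8281" ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
EOF
    echo "before:"; cat "$tmp"
    fix_server_xml "$tmp"
    echo "after:"; cat "$tmp"
    has_dhe "$tmp" && echo "DHE still present" || echo "DHE removed"
    rm -f "$tmp" "$tmp.bak"
}

# With file arguments, fix each file; with none, run the demo.
if [ $# -gt 0 ]; then
    for f in "$@"; do fix_server_xml "$f"; done
else
    demo
fi
```

Run it against the two appliance paths (`sh fix-ciphers.sh /etc/vco/app-server/server.xml /etc/vco/configuration/server.xml`) and restart the services as in step 5. To confirm from another host that the server no longer negotiates DHE, a client that offers only DHE suites (for example `openssl s_client -connect <host>:<port> -cipher DHE`) should fail the handshake, while a normal browser connection succeeds.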