The PowerShell Host plugin does not work with VMware Aria Automation 8.14 environments and displays an error when authenticating Kerberos by user.

Article ID: 345951

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

In VMware Aria Automation Orchestrator 8.13 and above, attempting to use Kerberos authentication displays the following error:

"Unsupported mechanism requested: 1.2.840.113554.1.2.2"

Environment

VMware Aria Automation 8.14.x

Cause

The PowerShell plugin relies on the SunJGSS security provider, which is not FIPS compatible and, therefore, is not used in FIPS mode.

Starting with Java 17, the SunJGSS provider cannot be used at runtime unless it is explicitly exposed using a JVM parameter.

Resolution

Workaround for PowerShell Host Plugin Authentication Issue in VMware Aria Automation 8.14

Currently, there is no official resolution for this issue. However, you can follow the workaround below based on your FIPS compliance requirements.

Possible Workarounds:

  1. Use the appliance without FIPS mode (for new installations).

  2. Use an alternative authentication method instead of Kerberos.

  3. Utilize Polyglot PowerShell scripts as an alternative approach.

  4. If FIPS compliance is not strictly required, you can modify the environment by adding the following JVM parameter:

    --add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED

    Note: This setting will not persist after an upgrade.

Steps to apply the JVM parameter workaround:

1. Run the following command.

kubectl -n prelude edit deployment vco-app

2. In the deployment YAML, find the JVM_OPTS environment variable for the vco-server:

name: JVM_OPTS
value: -DCONSOLE_LOG_PATTERN= -DLOG_FILE=/var/log/collected-logs/vco-server-app.log

Append the following to the JVM_OPTS value:

--add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED

3. Save the file.

Saving the file triggers a rollout of the deployment. Applying this workaround allows the vCO server to load the SunJGSS provider, which is not included in the list of FIPS-approved providers.
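The three steps above, scripted as an added example (this is not code from the KB or from VMware): it reads the vco-app deployment as JSON, appends the --add-exports flag to the JVM_OPTS value of the vco-server container only if it is not already present, and can be re-run after an upgrade to detect that the non-persistent setting was lost. The container name vco-server, and the "kubectl get ... -o json | script | kubectl replace -f -" workflow in place of kubectl edit, are assumptions.

```python
"""Idempotently add the SunJGSS --add-exports flag to the vco-server JVM_OPTS.

Assumed workflow (not from the KB):
  kubectl -n prelude get deployment vco-app -o json | python3 patch_jvm_opts.py | kubectl -n prelude replace -f -
"""
import json
import sys

ADD_EXPORTS_FLAG = "--add-exports java.security.jgss/sun.security.jgss=ALL-UNNAMED"
CONTAINER_NAME = "vco-server"  # assumption: the container is named as the KB refers to it


def find_jvm_opts(deployment, container_name=CONTAINER_NAME):
    """Return the JVM_OPTS env entry (a dict) of the named container, or None."""
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        if container.get("name") != container_name:
            continue
        for env in container.get("env", []):
            if env.get("name") == "JVM_OPTS":
                return env
    return None


def _contains_flag(value, flag):
    """True if the whitespace-separated tokens of `flag` appear consecutively in `value`."""
    tokens, want = value.split(), flag.split()
    return any(tokens[i:i + len(want)] == want for i in range(len(tokens) - len(want) + 1))


def has_add_exports(deployment, container_name=CONTAINER_NAME, flag=ADD_EXPORTS_FLAG):
    """Check whether the workaround is present; useful after an upgrade, which drops it."""
    env = find_jvm_opts(deployment, container_name)
    return env is not None and _contains_flag(env.get("value", ""), flag)


def ensure_add_exports(deployment, container_name=CONTAINER_NAME, flag=ADD_EXPORTS_FLAG):
    """Append the flag to JVM_OPTS in place; return True if the deployment was changed."""
    env = find_jvm_opts(deployment, container_name)
    if env is None:
        raise KeyError(f"JVM_OPTS not found in container {container_name!r}")
    if _contains_flag(env.get("value", ""), flag):
        return False  # already applied: safe to run repeatedly
    env["value"] = (env.get("value", "").rstrip() + " " + flag).strip()
    return True


# Constructed sample modelled on the KB's JVM_OPTS snippet; not a real deployment dump.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "vco-app", "namespace": "prelude"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "vco-server", "env": [
            {"name": "JVM_OPTS",
             "value": "-DCONSOLE_LOG_PATTERN= -DLOG_FILE=/var/log/collected-logs/vco-server-app.log"},
        ]},
    ]}}},
}


def main():
    # Read a deployment from stdin when piped; otherwise patch the constructed sample.
    if sys.stdin.isatty():
        deployment = json.loads(json.dumps(SAMPLE_DEPLOYMENT))
    else:
        deployment = json.load(sys.stdin)
    changed = ensure_add_exports(deployment)
    print(json.dumps(deployment, indent=2))
    print(f"# JVM_OPTS changed: {changed}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Running it with no stdin prints the patched sample; running has_add_exports against a fresh deployment dump is a quick way to confirm that an upgrade has not silently removed the flag.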

Additional Information

In any case, when Kerberos authentication is used in FIPS mode, make sure that the algorithms supplied in krb5.conf are FIPS-compliant for the desired FIPS level.

See here for examples: https://www.ibm.com/docs/en/zos/2.5.0?topic=service-configuration-encryption-types-fips-level
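As an added example (not part of the KB), a small checker that reads the enctype lists from the [libdefaults] section of a krb5.conf and reports entries outside an approved set. The approved set (the AES-family enctypes) and the MIT krb5 alias names are assumptions; take the list for your FIPS level from the IBM reference above.

```python
"""Report krb5.conf enctype entries that are not in an assumed FIPS-approved set."""
import re

# Assumption: the AES-family enctypes are the FIPS-approved ones; DES, 3DES,
# RC4/arcfour and Camellia are not. Adjust to the FIPS level you require.
FIPS_ENCTYPES = {
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
}
# Assumption: MIT krb5 short aliases for the same enctypes.
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192", "aes128-sha2": "aes128-cts-hmac-sha256-128",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_libdefaults_enctypes(text):
    """Return {key: [entry, ...]} for the enctype keys found in [libdefaults]."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ENCTYPE_KEYS:
            # Entries may be separated by spaces or commas.
            result[key] = [v for v in re.split(r"[\s,]+", value.strip()) if v]
    return result


def non_fips_enctypes(enctypes):
    """Entries that are not approved. '-x' removes x from the list, so it is ignored;
    '+x' adds x and is checked; DEFAULT expands to the library's built-in list, which
    is not guaranteed to be FIPS-only, so it is reported."""
    bad = []
    for entry in enctypes:
        if entry.startswith("-"):
            continue
        name = entry.lstrip("+").lower()
        if name == "default":
            bad.append(entry)
            continue
        if ALIASES.get(name, name) not in FIPS_ENCTYPES:
            bad.append(entry)
    return bad


def check_krb5_conf(text):
    """Return {key: [offending entries]} for the keys that have a finding."""
    findings = {}
    for key, enctypes in parse_libdefaults_enctypes(text).items():
        bad = non_fips_enctypes(enctypes)
        if bad:
            findings[key] = bad
    return findings


# Constructed sample, not a real configuration.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts aes128-cts   # aliases, still AES

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    for key, bad in check_krb5_conf(SAMPLE_KRB5_CONF).items():
        print(f"{key}: non-FIPS entries {bad}")
```

On the sample, the two rc4-hmac entries are reported while the permitted_enctypes aliases pass; a key left unset is not reported, because the checker only sees what is explicitly configured.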

Impact/Risks:
  • FIPS mode environments that use PowerShell plugin with Kerberos authentication.