vRSLCM root account remediation shows disconnected on SDDC Manager

Article ID: 372523


Products

VMware Aria Suite

Issue/Introduction

The vRSLCM root password is in a disconnected state under Password Management in the SDDC UI.

Environment

The VCF version in use is 4.x or 5.0.x.

The vRSLCM version is 8.14.x.

Cause

Weak SHA1 algorithms and ciphers exist on Aria Suite Lifecycle.

Log snippets from /var/log/vmware/vcf/operationsmanager/operationsmanager.log on the SDDC Manager show entries similar to:

 

2024-07-18T01:03:16.222+0000 DEBUG [vcf_om,5e71b200ff4be7ef,f4d5] [c.v.v.s.c.s.SecurityConfigurationServiceImpl,om-exec-26] Security config retrieved {"certificateValidationEnabled":true,"fipsMode":false}
2024-07-18T01:03:16.227+0000 DEBUG [vcf_om,fc41d5dff03039ce,e060] [c.v.v.s.t.DynamicTrustManager,om-exec-3] Checking validity of certificate chain EMAILADDRESS=null, CN=VRSLCM01.ACME.COM, OU=VMware Engineering, O=VMware, L=Palo Alto, ST=California, C=US,OU=VMware Engineering, O=VRSLCM01.ACME.COM, ST=California, C=US, DC=local, DC=vsphere, CN=CA
2024-07-18T01:03:16.227+0000 DEBUG [vcf_om,fc41d5dff03039ce,e060] [c.v.v.s.t.DynamicTrustManager,om-exec-3] Certificate chain EMAILADDRESS=null, CN=VRSLCM01.ACME.COM, OU=VMware Engineering, O=VMware, L=Palo Alto, ST=California, C=US,OU=VMware Engineering, O=VRSLCM01.ACME.COM, ST=California, C=US, DC=local, DC=vsphere, CN=CA is valid
2024-07-18T01:03:16.258+0000 ERROR [vcf_om,5e71b200ff4be7ef,f4d5] [c.v.evo.sddc.common.util.SshUtil,om-exec-26] Unable to create jsch CLI session:

com.jcraft.jsch.JSchException: Algorithm negotiation fail

        at com.jcraft.jsch.Session.receive_kexinit(Session.java:590)
        at com.jcraft.jsch.Session.connect(Session.java:320)
        at com.vmware.evo.sddc.common.util.SshUtil.getSession(SshUtil.java:678)
        at com.vmware.evo.sddc.common.util.SshUtil.getSession(SshUtil.java:626)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuter.<init>(SshCommandExecuter.java:46)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory.createSshCommandExecuter(SshCommandExecuterFactory.java:71)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory.createSshCommandExecuter(SshCommandExecuterFactory.java:42)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory$$FastClassBySpringCGLIB$$8ecab67d.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.j

Resolution

1. Take a snapshot of the vRSLCM appliance
2. SSH to the vRSLCM appliance as the root user
3. Back up sshd_config
           cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
4. Edit the sshd_config file on the vRSLCM appliance
           vi /etc/ssh/sshd_config
5. Add the following keyed-hash (MAC) algorithms to the 'MACs' line:
           hmac-sha2-512,hmac-sha2-256
For example:
     # Example of overriding settings on a per-user basis
     #Match User anoncvs
     #       X11Forwarding no
     #       AllowTcpForwarding no
     Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
     MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
     AllowGroups wheel
     #       PermitTTY no
     #       ForceCommand cvs server
     UsePrivilegeSeparation yes
     RhostsRSAAuthentication no
     DenyGroups cap_vami_users


6. Restart the sshd service
           systemctl restart sshd.service
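
A check to run between steps 5 and 6, as an added example that is not part of the original article: it reports which of the two MACs from step 5 are still absent from an sshd_config file. The function names and the sample configuration values are constructed for illustration; `sshd -t` and `sshd -T` are the standard OpenSSH test modes.

```shell
#!/bin/sh
# Added example, not from the KB article: report which of the two MACs from
# step 5 are absent from an sshd_config file.
REQUIRED_MACS="hmac-sha2-512 hmac-sha2-256"

# Value of the first active MACs directive; sshd keeps the first value it
# reads for a keyword, and commented-out lines are skipped.
first_macs_value() {
    awk 'tolower($1) == "macs" { print $2; exit }' "$1"
}

# Print each required MAC missing from the file, one per line (no output = OK).
# Matching is on whole comma-separated entries, so an -etm@openssh.com variant
# does not count as the plain algorithm. With no MACs line at all, both are
# reported: the file does not pin them and sshd falls back to its defaults.
missing_macs() {
    macs=$(first_macs_value "$1")
    for want in $REQUIRED_MACS; do
        case ",$macs," in
            *",$want,"*) ;;
            *) echo "$want" ;;
        esac
    done
}

# Constructed sample configs (assumed values, not taken from an appliance).
write_sample() {    # $1 = path, $2 = "before" or "after"
    macs="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
    if [ "$2" = "after" ]; then macs="$macs,hmac-sha2-512,hmac-sha2-256"; fi
    printf '%s\n' '#MACs hmac-sha1' "MACs $macs" 'AllowGroups wheel' > "$1"
}

demo() {
    dir=$(mktemp -d)
    write_sample "$dir/before" before
    write_sample "$dir/after" after
    echo "before: missing $(missing_macs "$dir/before" | tr '\n' ' ')"
    echo "after:  missing $(missing_macs "$dir/after" | tr '\n' ' ')"
    rm -rf "$dir"
}

# On the appliance (as root), after editing and before step 6:
#   missing_macs /etc/ssh/sshd_config   # expect no output
#   sshd -t                             # syntax check; non-zero exit = do not restart
#   sshd -T | grep -i '^macs'           # effective MAC list sshd will offer
demo
```

If `sshd -t` reports an error, restore /etc/ssh/sshd_config.bak from step 3 before restarting the service, since a restart with a broken configuration can leave the appliance unreachable over SSH.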