vRSLCM root account remediation shows disconnected on SDDC Manager

Article ID: 372523

Products

  • VCF Operations/Automation (formerly VMware Aria Suite)
  • VMware SDDC Manager

Issue/Introduction

The vRSLCM root account shows as Disconnected under Password Management in the SDDC Manager UI.

Environment

  • VCF 4.x / 5.0.x
  • vRSLCM 8.14.x
  • VMware SDDC Manager

Cause

  • Weak SHA1-based MAC algorithms and ciphers in the SSH configuration on Aria Suite Lifecycle (vRSLCM), which causes SSH algorithm negotiation between SDDC Manager and the appliance to fail.
  • Log snippets from /var/log/vmware/vcf/operationsmanager/operationsmanager.log on the SDDC Manager show entries similar to:
[yyyy-mm-dd]T[hh:mm:ss] DEBUG [vcf_om,5e71b200ff4be7ef,f4d5] [c.v.v.s.c.s.SecurityConfigurationServiceImpl,om-exec-26] Security config retrieved {"certificateValidationEnabled":true,"fipsMode":false}
[yyyy-mm-dd]T[hh:mm:ss] DEBUG [vcf_om,fc41d5dff03039ce,e060] [c.v.v.s.t.DynamicTrustManager,om-exec-3] Checking validity of certificate chain EMAILADDRESS=null, CN=VRSLCM01.DOMAIN.COM, OU=VMware Engineering, O=VMware, L=Palo Alto, ST=California, C=US,OU=VMware Engineering, O=VRSLCM01.DOMAIN.COM, ST=California, C=US, DC=local, DC=vsphere, CN=CA
[yyyy-mm-dd]T[hh:mm:ss] DEBUG [vcf_om,fc41d5dff03039ce,e060] [c.v.v.s.t.DynamicTrustManager,om-exec-3] Certificate chain EMAILADDRESS=null, CN=VRSLCM01.ACME.COM, OU=VMware Engineering, O=VMware, L=Palo Alto, ST=California, C=US,OU=VMware Engineering, O=VRSLCM01.DOMAIN.COM, ST=California, C=US, DC=local, DC=vsphere, CN=CA is valid
[yyyy-mm-dd]T[hh:mm:ss] ERROR [vcf_om,5e71b200ff4be7ef,f4d5] [c.v.evo.sddc.common.util.SshUtil,om-exec-26] Unable to create jsch CLI session:
com.jcraft.jsch.JSchException: Algorithm negotiation fail
        at com.jcraft.jsch.Session.receive_kexinit(Session.java:590)
        at com.jcraft.jsch.Session.connect(Session.java:320)
        at com.vmware.evo.sddc.common.util.SshUtil.getSession(SshUtil.java:678)
        at com.vmware.evo.sddc.common.util.SshUtil.getSession(SshUtil.java:626)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuter.<init>(SshCommandExecuter.java:46)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory.createSshCommandExecuter(SshCommandExecuterFactory.java:71)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory.createSshCommandExecuter(SshCommandExecuterFactory.java:42)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory$$FastClassBySpringCGLIB$$8ecab67d.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.j)

Resolution

1. Snapshot the vRSLCM appliance.
2. SSH to the vRSLCM appliance as the root user.
3. Back up sshd_config:
           cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
4. Edit the sshd_config file on the vRSLCM appliance:
           vi /etc/ssh/sshd_config
5. Add the following MAC (message authentication code) algorithms to the 'MACs' line:
           hmac-sha2-512,hmac-sha2-256
e.g. the resulting section of sshd_config:
     # Example of overriding settings on a per-user basis
     #Match User anoncvs
     #       X11Forwarding no
     #       AllowTcpForwarding no
     Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
     MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
     AllowGroups wheel
     #       PermitTTY no
     #       ForceCommand cvs server
     UsePrivilegeSeparation yes
     RhostsRSAAuthentication no
     DenyGroups cap_vami_users

6. Restart the sshd service:
           systemctl restart sshd.service
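As an added example that is not part of this KB article, the following POSIX shell script performs steps 3 to 5 idempotently: it backs up sshd_config, appends only the MACs from step 5 that are missing from the existing MACs line, and leaves the stronger entries already present in place. It assumes a POSIX sh with sed and cp (as on the Photon-based appliance); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the KB article: idempotent version of steps 3-5.
# Assumes POSIX sh with sed and cp; REQUIRED_MACS is the list from step 5.
REQUIRED_MACS="hmac-sha2-512,hmac-sha2-256"

# current_macs <sshd_config>: print the value of the first MACs line ("" if none).
current_macs() {
    sed -n 's/^[[:space:]]*MACs[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# macs_compliant <sshd_config>: return 0 when every required MAC is listed.
macs_compliant() {
    have=$(current_macs "$1")
    old_ifs=$IFS; IFS=,
    for mac in $REQUIRED_MACS; do
        case ",$have," in
            *",$mac,"*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# ensure_macs <sshd_config>: back up the file, then append only the MACs that
# are missing, keeping the existing entries and their order. Re-running it
# changes nothing. Returns 0 when the file is compliant afterwards.
ensure_macs() {
    cfg="$1"
    cp "$cfg" "$cfg.bak"
    existing=$(current_macs "$cfg")
    if [ -z "$existing" ]; then
        # No MACs line: add an explicit one so negotiation does not rely on defaults.
        printf 'MACs %s\n' "$REQUIRED_MACS" >> "$cfg"
        return 0
    fi
    new="$existing"
    old_ifs=$IFS; IFS=,
    for mac in $REQUIRED_MACS; do
        case ",$new," in *",$mac,"*) ;; *) new="$new,$mac" ;; esac
    done
    IFS=$old_ifs
    if [ "$new" != "$existing" ]; then
        # Rewrite in place via cat so the file keeps its owner and mode.
        tmp="$cfg.tmp.$$"
        sed "s|^\([[:space:]]*MACs[[:space:]]\{1,\}\).*|\1$new|" "$cfg" > "$tmp" \
            && cat "$tmp" > "$cfg" && rm -f "$tmp"
    fi
    macs_compliant "$cfg"
}
```

On the appliance, run `ensure_macs /etc/ssh/sshd_config && sshd -t && systemctl restart sshd.service` so the syntax check passes before step 6 restarts the service.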