During a penetration test performed as part of an audit of the Aria Automation environment, it was identified that outdated elliptic curves (secp521r1 and X25519) are in use on port 443. This does not comply with information security requirement CRYPTO.A29 "Recommended elliptic curves".
VMware Aria Automation 8.x
The use of non-approved elliptic curves (secp521r1 and X25519) was identified on port 443 during a penetration test, indicating a potential security risk and non-compliance with current security standards and recommendations.
To ensure the system meets current security standards and recommendations, follow these steps to disable the outdated elliptic curves:
Perform the following on all nodes (in the case of an HA deployment):

1. Edit the ingress controller configuration:
   Locate and edit the file /opt/charts/ingress-ctl/values.yaml on each node.
   Remove the cipher suite TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 that was flagged by the security scan.

2. Deploy the changes:
   On one of the nodes, execute the deploy script to apply the changes. Note that this operation requires downtime:
   /opt/scripts/deploy.sh
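Because the deploy script incurs downtime, it is worth confirming on every node that the flagged suite is actually gone before running it, and confirming from outside afterwards which curves port 443 still negotiates. The POSIX shell helpers below are an added example and are not part of this article or of the Aria Automation product. They assume the flagged suite appears on its own line in values.yaml (the real layout of /opt/charts/ingress-ctl/values.yaml may differ), and the live probe assumes the openssl command-line tool is installed on the machine running it.

```shell
#!/bin/sh
# Added helper functions (not from the KB article or the product).
# Assumption: the flagged suite appears on a line of its own in values.yaml,
# e.g. as a YAML list item; adjust remove_flagged_suite if the real file differs.

FLAGGED_SUITE="TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
# Path from the article; override with VALUES_FILE=... when testing elsewhere.
VALUES_FILE="${VALUES_FILE:-/opt/charts/ingress-ctl/values.yaml}"

# Exit status 0 if the file still lists the flagged suite, 1 once it is gone.
# Run on every node before deploying.
config_still_has_suite() {
    grep -q -- "$FLAGGED_SUITE" "$1"
}

# Remove every line naming the flagged suite, keeping a .bak copy of the
# original so the change can be reverted. Safe to run more than once.
remove_flagged_suite() {
    f=$1
    cp -- "$f" "$f.bak"
    # grep -v exits 1 only when no lines remain, so tolerate that status.
    grep -v -- "$FLAGGED_SUITE" "$f.bak" > "$f" || true
}

# After deployment: report which named groups the endpoint still accepts by
# offering the server exactly one group per handshake. The audit objected to
# secp521r1 and X25519, so those are listed first. Needs network access and
# the openssl CLI; this function is not exercised offline.
probe_curves() {
    host=$1; port=${2:-443}
    for curve in secp521r1 X25519 prime256v1 secp384r1; do
        if openssl s_client -connect "$host:$port" -servername "$host" \
               -curves "$curve" </dev/null 2>/dev/null | grep -q "Server Temp Key"; then
            echo "$curve: accepted"
        else
            echo "$curve: rejected"
        fi
    done
}

# Stand-alone demonstration on a constructed sample (not a real values.yaml).
demo() {
    sample=$(mktemp)
    printf 'cipherSuites:\n  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\n  - %s\n' \
        "$FLAGGED_SUITE" > "$sample"
    config_still_has_suite "$sample" && echo "before: flagged suite present"
    remove_flagged_suite "$sample"
    config_still_has_suite "$sample" || echo "after: flagged suite removed"
    rm -f -- "$sample" "$sample.bak"
}

demo
# On a node: remove_flagged_suite "$VALUES_FILE"; after deploy.sh: probe_curves aria.example.com
```

The probe relies on `openssl s_client -curves` restricting the client's offered groups to a single curve, so a printed "Server Temp Key" line means the server agreed to that curve; a handshake that fails for every non-approved curve while succeeding for an approved one is the evidence the auditor will ask for.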