Weak ciphers reported on vIDM port 6443 & 8443
Article ID: 401440
Updated On:
Products
VCF Operations/Automation (formerly VMware Aria Suite)
Issue/Introduction
The following weak ciphers were discovered on ports 6443 and 8443 of the VMware Identity Manager appliance.
| Name | Code | KEX | Auth | Encryption | MAC |
|---|---|---|---|---|---|
| ECDHE-RSA-AES128-SHA256 | 0xC0, 0x27 | ECDH | RSA | AES-CBC(128) | SHA256 |
| ECDHE-RSA-AES256-SHA384 | 0xC0, 0x28 | ECDH | RSA | AES-CBC(256) | SHA384 |
| RSA-AES128-SHA256 | 0x00, 0x3C | RSA | RSA | AES-CBC(128) | SHA256 |
| RSA-AES256-SHA256 | 0x00, 0x3D | RSA | RSA | AES-CBC(256) | SHA256 |
Environment
VMware Identity Manager 3.3.7
Resolution
The following steps remediate the weak cipher suites.
Pre-Change Checklist:
- Take snapshots: before making any changes, take a snapshot of every node in the vIDM cluster via vCenter.
- Single-node deployment: apply the changes and restart the node.
- Three-node cluster: apply the changes to the primary node first, restart it, then apply them to the remaining two nodes.
- Important: do not delete the snapshots until all post-patch validations are complete.
Java Version Verification:
- Run the following command to check your Java version:
- You should see Java 11 or higher.
Patch Deployment Steps:
- Copy the script file: ensure the script updateWeakCiphersJava11.sh is available on the target node.
- Make the script executable:
  chmod +x updateWeakCiphersJava11.sh
- Run the script with the server IP:
  ./updateWeakCiphersJava11.sh <server-ip>
  Replace <server-ip> with the actual IP address of the node you are patching.
- Perform Remediation and Inventory Sync from the LCM.
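The checklist says to keep the snapshots until post-patch validation is complete, but the article does not include a validation step. The script below is an added example, not part of this KB and not the vendor's updateWeakCiphersJava11.sh: it offers each of the four suites from the table to the appliance one at a time over TLS 1.2 using openssl s_client and reports any the server still negotiates on 6443 and 8443. It assumes openssl is installed on the machine it runs from and that this machine can reach the appliance. The OpenSSL suite names AES128-SHA256 and AES256-SHA256 are the table's RSA-AES128-SHA256 (0x00, 0x3C) and RSA-AES256-SHA256 (0x00, 0x3D); the ECDHE names match the table as written.

```shell
#!/bin/sh
# Added post-change check (constructed example; not the KB's or the vendor's script).
# Offers each weak suite from the KB table to the appliance, one at a time,
# over TLS 1.2 and reports any that the server still accepts.

# OpenSSL names of the four suites in the table:
#   ECDHE-RSA-AES128-SHA256 (0xC0,0x27), ECDHE-RSA-AES256-SHA384 (0xC0,0x28),
#   AES128-SHA256 (0x00,0x3C, listed as RSA-AES128-SHA256),
#   AES256-SHA256 (0x00,0x3D, listed as RSA-AES256-SHA256).
WEAK_CIPHERS="ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 AES128-SHA256 AES256-SHA256"
VIDM_PORTS="6443 8443"

# negotiated_cipher: read openssl s_client output on stdin and print the
# suite named in its "New, <proto>, Cipher is <suite>" line.
# Prints "(NONE)" when the handshake did not complete, nothing if no such line.
negotiated_cipher() {
    sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# probe_cipher HOST PORT SUITE: exit 0 if the server accepts SUITE.
probe_cipher() {
    _host=$1; _port=$2; _suite=$3
    # Empty stdin makes s_client close right after the handshake.
    _out=$(printf '' | openssl s_client -connect "$_host:$_port" \
              -tls1_2 -cipher "$_suite" 2>/dev/null) || true
    [ "$(printf '%s\n' "$_out" | negotiated_cipher)" = "$_suite" ]
}

# check_port HOST PORT: print one line per suite; exit 1 if any weak suite
# is still accepted, 0 if all four are rejected.
check_port() {
    _h=$1; _p=$2; _bad=0
    for _c in $WEAK_CIPHERS; do
        if probe_cipher "$_h" "$_p" "$_c"; then
            echo "STILL ACCEPTED  $_h:$_p  $_c"
            _bad=1
        else
            echo "rejected        $_h:$_p  $_c"
        fi
    done
    return $_bad
}

# Usage: ./check_vidm_ciphers.sh <server-ip>
# Checks both KB ports; exits non-zero if either still offers a weak suite.
if [ $# -eq 1 ]; then
    rc=0
    for p in $VIDM_PORTS; do
        check_port "$1" "$p" || rc=1
    done
    exit $rc
fi
```

Run it against each node after the script and restart, and again after the LCM remediation; a clean run prints "rejected" for all eight host/port/suite combinations and exits 0. A suite reported as STILL ACCEPTED means the node's TLS configuration was not updated and the snapshot should be retained until that is resolved.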