A security penetration test identified weak TLS/SSL ciphers in use within the /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf (Apache server configuration) for the VMware Aria Operations environment.
The target ciphers to be disabled are:
TLS_CHACHA20_POLY1305_SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384
VMware Aria Operations 8.18.2
The default SSLCipherSuite directive within the Apache server configuration file permits several legacy or weak ciphers to ensure backward compatibility. To align with hardening benchmarks, these ciphers must be explicitly disabled by prefixing each one with the negation operator (!) inside the cipher suite string.
Before executing any configuration modifications or service restarts, ensure a valid backup or offline snapshot of the Aria Operations nodes has been taken.
If you are modifying a cluster environment, these steps must be executed on all relevant nodes (including Primary, Replica, and Data nodes).
Log in to the Aria Operations node as root via SSH.
Update the Apache configuration file to explicitly block (!) the weak ciphers by running the following sed command:
sed -i '/^[^#]*SSLCipherSuite[[:space:]]/c\SSLCipherSuite HIGH:!aNULL!ADH:!EXP:!MD5:!3DES:!CAMELLIA:!PSK:!SRP:!DH:!AES256-GCM-SHA384:!AES256-SHA256:!AES256-SHA:!AES128-GCM-SHA256:!AES128-SHA256:!AES128-SHA:!TLS_CHACHA20_POLY1305_SHA256:!ECDHE-RSA-CHACHA20-POLY1305:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES256-SHA384:@STRENGTH' /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf
Restart the Apache HTTPD service to apply the remediation changes:
service httpd restart
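To confirm the change on each node, the following added example (not part of the original article or of VMware tooling) checks that every cipher listed above is negated as a whole token in the active SSLCipherSuite directive, and provides a handshake probe for use after the restart. The function names are hypothetical, the sample directive is constructed, and an OpenSSL 1.1.1 or later client is assumed.

```shell
#!/bin/sh
# Added example: verify the SSLCipherSuite remediation. Cipher names are the
# six listed in the article; function names are hypothetical.
TARGETS="TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384"

# Print the cipher string of the last uncommented SSLCipherSuite line.
active_cipher_string() {
    sed -n 's/^[^#]*SSLCipherSuite[[:space:]][[:space:]]*//p' "$1" | tail -n 1
}

# Print every target cipher that is NOT negated (!name) in the directive.
# Matching is on whole tokens, so "!ECDHE-RSA-AES128-SHA256" does not count
# as excluding "ECDHE-RSA-AES128-SHA".
missing_exclusions() {
    # Split on ':', ',' and space; also split runs such as "!aNULL!ADH".
    tokens=$(active_cipher_string "$1" | sed 's/!/ !/g' | tr ':, ' '\n\n\n')
    for c in $TARGETS; do
        printf '%s\n' "$tokens" | grep -Fxq -- "!$c" || printf '%s\n' "$c"
    done
}

# Return 0 if the server at host:port completes a handshake with the cipher.
# TLS 1.3 suite names (TLS_*) are offered with -ciphersuites, others with -cipher.
server_accepts() {
    case "$2" in
        TLS_*) set -- "$1" -tls1_3 -ciphersuites "$2" ;;
        *)     set -- "$1" -tls1_2 -cipher "$2" ;;
    esac
    host=$1; shift
    openssl s_client -connect "$host" "$@" </dev/null >/dev/null 2>&1
}

# Constructed sample: a directive that negates only one of the six targets.
demo=$(mktemp)
printf 'SSLCipherSuite HIGH:!aNULL!ADH:!ECDHE-RSA-AES128-SHA256:@STRENGTH\n' > "$demo"
missing_exclusions "$demo"   # lists the five targets still not excluded
rm -f "$demo"
```

Run missing_exclusions against /usr/lib/vmware-vcopssuite/utilities/conf/vcops-photon-apache.conf after the sed command (empty output means all six are negated), then server_accepts <node>:443 <cipher> after the restart to see whether the node still negotiates a given cipher.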