HCX - Configuring Encryption Protocols for all services
Article ID: 328951
Updated On:
Products
VMware HCX
Issue/Introduction
This document describes the process to configure (enable/disable) encryption protocols across the HCX service infrastructure.
Starting with HCX version 4.0.0 (Feb 2021), TLS1.2 will be the ONLY protocol enabled per FIPS compliance requirements.
Customers having legacy environments that may require support for older encryption protocol will have to manually enable those following these instructions. The changes will get overwritten after appliance redeployment or upgrade, and support for this condition will be available ONLY for temporary Datacenter evacuation projects.
Starting with HCX version 4.0.0 (Feb 2021), TLS1.2 will be the ONLY protocol enabled per FIPS compliance requirements.
Customers having legacy environments that may require support for older encryption protocol will have to manually enable those following these instructions. The changes will get overwritten after appliance redeployment or upgrade, and support for this condition will be available ONLY for temporary Datacenter evacuation projects.
Resolution
The following changes will have to be done at source and target sites, on all the appliances deployed for every Service Mesh. There should be no active migration or configuration workflows. There is no impact to Network Extension services when performing these changes.
- Login into the HCX Connector or Cloud Manager as "admin" user
- Change user to "root"
This section will modify the HCX Connector or Cloud Manager HTTP configuration
- Edit the SSL configuration file to enable(+)/disable(-) protocols for the HTTP server as required
[admin@hcx-connector /opt/vmware/config/apache-httpd]$ vim hcx-ssl.conf
# CipherSuite spec taken from https://wiki.mozilla.org/Security/Server_Side_TLS for modern compatibility
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-
SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES1
28-SHA256:ECDHE-RSA-AES256-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES256-G
CM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
TraceEnable off
- Restart web-engine service
systemctl restart web-engine
This section will modify the IX appliance HBRSVR and MA configuration
- Switch to CCLI prompt and access the IX appliance
[admin@hcx-connector]$ ccli Welcome to HCX Central CLI [admin@hcx-connector] list |------------------------------------------------------------------------| | Id | Node | Address | State | Selected | |------------------------------------------------------------------------| | 0 | NODE1 | 10.145.208.72:9443 | Connected | | |------------------------------------------------------------------------| [admin@hcx-connector] go 0 Switched to node 0. [admin@hcx-connector:NODE1]
-
Get into the SSH prompt for the appliance
[admin@hcx-connector:NODE1] ssh Welcome to HCX Central CLI Last login: Fri Jan 8 21:25:17 2021 from 127.0.0.1 [root@OnPrem-to-Site1-IX-I1 ~]#
- Edit the HBRSVR configuration file to add/remove the entire SSL section. If the section is present, only TLSv1.2 will be used. Legacy protocols cannot be selectively enabled/disabled, just the entire set.
[root@NODE1 /etc/vmware]# vim hbrsrv.xml
<config>
....
<vmacore>
....
<ssl>
<!--
The value 385875968 (i.e. 0x17000000) translates to
"SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1"
when invoking SSL_CTX_set_options().
-->
<sslOptions>385875968</sslOptions>
</ssl>
</vmacore>
....
</config>
- Restart hbrsvr service
systemctl restart hbrsrv
- Edit the appliance configuration to add/remove the specific protocol to be used. If no protocol is specified, all will be enabled.
[root@NODE1 /etc/vmware]# vim config
vix.libdir = "/usr/lib/vmware-vix/lib"
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/usr/lib/vmware/bin/vmware-authd"
tls.protocols = "tls1.2"
- Restart mobility agent service
systemctl restart mobilityagent
Feedback
Yes
No
Powered by
