| |
Note: If FIPS enabled on Aria Life Cycle Manager workaround not required. |
| Product |
Workaround |
| VMware Aria Suite Lifecycle 8.x |
The resolution is already included in the VMware Aria Suite Lifecycle 8.14 Patch 1.
Note: Later 8.14 PSPACKS 4 & 5 can remove ciphers which can break communication with SDDC Manager. To resolve:
- Log in to the Aria Suite Lifecycle Manager appliance and create a backup of the /etc/ssh/sshd_config file.
- Change the following settings in /etc/ssh/sshd_config file:
Change the MACs line from:
MACs [email protected],[email protected]
To:
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
- Save the changes to /etc/ssh/sshd_config and restart the SSH service using the command “systemctl restart sshd”
|
| VMware Aria Automation Config |
Note: It is advisable to take a snapshot before implementing these changes and monitor the environment for a few days post-modification.
File to be modified: /etc/ssh/sshd_config
- Log in to the Aria Config appliance and create a backup of the /etc/ssh/sshd_config file.
- Change the following settings in /etc/ssh/sshd_config file:
From:
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-sha1
To:
Ciphers [email protected],[email protected]
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
- Save the changes to /etc/ssh/sshd_config and restart the SSH service using the command “systemctl restart sshd”
|
| VMware Aria Operations for Logs |
Remove the deprecated SSH cryptographic settings from Aria Operations for Logs Appliance Remove SHA1 from SSH service in VMware Aria Operations for Logs 8.12.x and 8.14.x
|
| VMware Operations for Networks |
Note: It is advisable to take a snapshot before implementing these changes and monitor the environment for a few days post-modification.
File to be modified: /etc/ssh/sshd_config
- Login with support credentials
- Elevate to ubuntu user with command : ub
- Take a backup of the existing sshd_config file : sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
- Run : sudo vi /etc/ssh/sshd_config and add/replace the following:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512
- Save the changes. Then execute the command "sudo systemctl restart sshd.service", without this the changes won't take effect.
- Repeat this for every node including the collectors.
|
| VMware Aria Automation & Automation Orchestrator |
Note: It is advisable to take a snapshot before implementing these changes and monitor the environment for a few days post-modification.
- Log in to each Aria Automation appliance and take a backup of the /etc/ssh/sshd_config_effective file
- Add or replace the following settings in /etc/ssh/sshd_config_effective file (for versions bellow 8.11.2 modify the /etc/ssh/sshd_config file):
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Note that the MACs modification removes HMAC-SHA2-512 and HMAC-SHA2-256 algorithms, keeping only the ETM versions.
- Save the changes to /etc/ssh/sshd_config_effective and restart the SSH service using the command "systemctl restart sshd".
|
| VMware Identity Manager 3.3.7 |
Remove the deprecated SSH cryptographic settings from VIDM Appliance Remove the deprecated SSH cryptographic settings from VIDM Appliance |
| VMware Aria Operations |
Remove the deprecated SSH cryptographic settings from Aria Operations Appliance Remove SHA1 from SSH service in VMware Aria Operations 8.12 and later
|
