How to fix vRealize Orchestrator 6 appliance, weak ephemeral Diffie-Hellman key

I’ve recently deployed the vRealize Orchestrator appliance (6.0.2) and noticed right away that my default browser, Firefox, would not load the Orchestrator appliance web panel. Firefox always complained about a weak Diffie-Hellman key.

An error occurred during a connection to ip-address:8281. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

At the time I simply ignored it and just tried Google Chrome, which worked fine. That was until the latest release also broke with the same type of error message:

“Server has a weak ephemeral Diffie-Hellman public key”.

I now had a problem and contacted VMware support. Below is the very easy fix to make vCO 6 work in both the latest version of Firefox and Chrome!

VMware vRealize Orchestrator weak ephemeral Diffie-Hellman key fix

  • SSH into your vCO appliance
  • Make a copy of the server.xml file in both the /etc/vco/app-server and /etc/vco/configuration folders by typing the following commands:
    cp /etc/vco/app-server/server.xml /etc/vco/app-server/server.xml.bak
    cp /etc/vco/configuration/server.xml /etc/vco/configuration/server.xml.bak

  • Now use vi to edit the /etc/vco/app-server/server.xml file. Using the up and down arrow keys, move the cursor to the “ciphers” line and press dd to delete it. Then press i to enter insert mode, paste the line below, press ESC to exit insert mode, and press ZZ (case sensitive) to save and exit.
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />

  • Repeat the same step for the /etc/vco/configuration/server.xml file.
  • Finally reboot the vCO appliance by typing “reboot”.
  • After the reboot vRealize Orchestrator should work just fine on both Firefox and Chrome now!
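
The backup and edit steps above can also be scripted. The following is an added example, not part of the original post or VMware's instructions: it copies each file to .bak, rewrites only the ciphers value to the list given above, and reports whether any DHE suite remains. It assumes the ciphers attribute sits on one line (as the dd step implies); the function names and the sample Connector fragment are constructed for illustration.

```shell
#!/bin/sh
# Cipher list from the article; replaces whatever the Connector listed before.
NEW_CIPHERS="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"

# Print the ciphers="..." value (assumed to sit on a single line, as in the post).
current_ciphers() {
    sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$1"
}

# Exit 0 if a finite-field DH/DHE suite is still listed (ECDHE is not matched).
has_dh_suites() {
    current_ciphers "$1" | tr -d ' ' | tr ',' '\n' | grep -Eq '^(TLS|SSL)_DHE?_'
}

# Copy FILE to FILE.bak (kept if it already exists), then rewrite only the
# ciphers value, leaving the rest of the line (e.g. the closing />) untouched.
set_ciphers() {
    file=$1
    grep -q 'ciphers="' "$file" || { echo "no ciphers attribute in $file" >&2; return 1; }
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    if sed "s/ciphers=\"[^\"]*\"/ciphers=\"$NEW_CIPHERS\"/" "$file" > "$tmp"; then
        cat "$tmp" > "$file"; rc=$?      # cat keeps the file's owner and mode
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample Connector fragment (not copied from a real appliance).
make_sample() {
    cat > "$1" <<'EOF'
<Connector port="8281" SSLEnabled="true" scheme="https" secure="true"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA" />
EOF
}

if [ "$#" -gt 0 ]; then
    # On the appliance, pass both server.xml paths from the steps above as arguments.
    for f in "$@"; do set_ciphers "$f" && echo "$f: $(current_ciphers "$f")"; done
else
    d=$(mktemp -d); make_sample "$d/server.xml"
    has_dh_suites "$d/server.xml" && echo "before: DH suites present"
    set_ciphers "$d/server.xml"
    has_dh_suites "$d/server.xml" || echo "after:  $(current_ciphers "$d/server.xml")"
    rm -rf "$d"
fi
```

The two TLS_RSA suites use static RSA key exchange, so the appliance no longer sends a Diffie-Hellman key at all, which also means these connections have no forward secrecy. A reboot is still required afterwards, as in the manual steps.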

In short, the vRO appliance is configured to use SSLv3 and some of the cipher suites (Diffie-Hellman) are now considered unsafe (POODLE vulnerability) and browsers have started blocking said ciphers.

The above steps resolve the issue by removing the Diffie-Hellman cipher suites from the vCO appliance, which in turn makes Chrome and Firefox both happy.
