How to fix vRealize Orchestrator 6 appliance, weak ephemeral Diffie-Hellman key

Written by VMware

I’ve recently deployed the vRealize Orchestrator appliance (6.0.2) and noticed right away that my default browser, Firefox, would not load the Orchestrator appliance web panel. Firefox always complained about a weak Diffie-Hellman key.

An error occurred during a connection to ip-address:8281. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

At the time I simply ignored it and just tried Google Chrome, which worked fine. That was until the latest release also broke with the same type of error message:

“Server has a weak ephemeral Diffie-Hellman public key”.

I now had a problem and contacted VMware support. Below is the very easy fix to make vCO 6 work in both the latest version of Firefox and Chrome!

VMware vRealize Orchestrator weak ephemeral Diffie-Hellman key fix

  • SSH into your vCO appliance
  • Make a copy of your server.xml files in both the /etc/vco/app-server and /etc/vco/configuration folders by typing the following commands:
    cp /etc/vco/app-server/server.xml /etc/vco/app-server/server.xml.bak
    cp /etc/vco/configuration/server.xml /etc/vco/configuration/server.xml.bak

  • Now use vi to edit the /etc/vco/app-server/server.xml file: use the up and down arrows to move the cursor to the “ciphers” line and press dd to delete the line, then press i to enter insert mode, copy in the line below, press ESC to exit insert mode, and press ZZ (case sensitive) to save and exit.

    Before: [screenshot: vRO server old ciphers]
    After: [screenshot: vRO server ciphers]

  • Repeat the exact step above for the /etc/vco/configuration/server.xml file.
  • Finally reboot the vCO appliance by typing “reboot”.
  • After the reboot vRealize Orchestrator should work just fine on both Firefox and Chrome now!

In short, the vRO appliance is configured to use SSLv3 and some of the cipher suites (Diffie-Hellman) are now considered unsafe (POODLE vulnerability) and browsers have started blocking said ciphers.

The above steps resolve the issue by removing the Diffie-Hellman cipher suites from the vCO appliance, which in turn makes Chrome and Firefox both happy.
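
To confirm the edit took effect, the following added script (not part of the original post or of VMware's instructions) lists any finite-field DH/DHE suites still named in a Tomcat-style `ciphers` attribute and prints the list with them removed. The function names are hypothetical, and the sample connector with its suite names is constructed for illustration; it is not the appliance's actual cipher line.

```shell
#!/bin/sh
# Added example: audit a Tomcat-style server.xml for finite-field DH suites.
# Function names are hypothetical; the sample connector below is constructed.

DH_RE='^(TLS|SSL)_DHE?_'   # matches DHE_/DH_ suites, never ECDHE_/ECDH_

# Print every suite in a ciphers="..." attribute (may span lines), one per line.
list_ciphers() {
    tr '\n' ' ' < "$1" |
        grep -o 'ciphers="[^"]*"' |
        sed 's/^ciphers="//; s/"$//' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Print only the DH/DHE suites that are still enabled.
weak_dh_ciphers() {
    list_ciphers "$1" | grep -E "$DH_RE" || true
}

# Print the remaining suites as a comma-separated list for review.
filtered_cipher_list() {
    list_ciphers "$1" | grep -Ev "$DH_RE" | paste -sd, -
}

# Return 0 when no DH/DHE suite is configured, 1 otherwise.
audit_server_xml() {
    weak=$(weak_dh_ciphers "$1")
    if [ -n "$weak" ]; then
        printf '%s: DH suites still enabled:\n%s\n' "$1" "$weak"
        return 1
    fi
    printf '%s: no DH/DHE suites in ciphers attribute\n' "$1"
}

# Constructed sample, NOT the appliance's real connector or cipher line.
write_sample() {
    cat > "$1" <<'EOF'
<Connector port="8281" SSLEnabled="true"
  ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_server_xml "$sample" || true
echo "Without DH: $(filtered_cipher_list "$sample")"
rm -f "$sample"
```

Pointing `audit_server_xml` at /etc/vco/app-server/server.xml and /etc/vco/configuration/server.xml after the edit confirms that no DH suite remains in either file.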