How to fix vRealize Orchestrator 6 appliance, weak ephemeral Diffie-Hellman key

I’ve recently deployed the vRealize Orchestrator appliance (6.0.2) and noticed right away that my default browser, Firefox, would not load the Orchestrator appliance web panel. Firefox always complained about a weak Diffie-Hellman key.

An error occurred during a connection to ip-address:8281. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

At the time I simply ignored it and just tried Google Chrome, which worked fine. That was until the latest release also broke with the same type of error message:

“Server has a weak ephemeral Diffie-Hellman public key”.

I now had a problem and contacted VMware support. Below is the very easy fix to make vCO 6 work in both the latest version of Firefox and Chrome!

VMware vRealize Orchestrator weak ephemeral Diffie-Hellman key fix

  • SSH into your vCO appliance
  • Make a copy of your server.xml files in both the /etc/vco/app-server and /etc/vco/configuration folders by typing the following commands:
    cp /etc/vco/app-server/server.xml /etc/vco/app-server/server.xml.bak
    cp /etc/vco/configuration/server.xml /etc/vco/configuration/server.xml.bak


  • Now use vi to edit the /etc/vco/app-server/server.xml file. Using the up and down arrows, move the cursor down to the “ciphers” line and press dd on your keyboard to delete the line. Then press i to enter insert mode, copy in the line below, press ESC to exit insert mode, and press ZZ (case sensitive) to save and exit.
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />


  • Do the exact step above for the /etc/vco/configuration/server.xml file.
  • Finally reboot the vCO appliance by typing “reboot”.
  • After the reboot vRealize Orchestrator should work just fine on both Firefox and Chrome now!

In short, the vRO appliance is configured to use SSLv3 and some of the cipher suites (Diffie-Hellman) are now considered unsafe (POODLE vulnerability) and browsers have started blocking said ciphers.

The above steps resolve the issue by removing the Diffie-Hellman cipher suites from the vCO appliance, which in turn makes Chrome and Firefox both happy.
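The backup-and-replace steps above can be scripted so that both server.xml files get the identical edit and the result is checked before the reboot. This is an added example, not part of the original post or VMware's tooling; the function names and the sample connector (including its starting cipher list) are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted version of the manual vi edit described above.
NEW_CIPHERS='TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA'  # from the post

# count_dhe FILE: how many finite-field DHE suites the ciphers="..." attribute names.
# ECDHE suites are deliberately not matched; the browser error concerns DHE.
count_dhe() {
    grep -o 'ciphers="[^"]*"' "$1" | tr '",' '\n\n' |
        grep -c -E '^ *(TLS|SSL)_DHE_' || true
}

# fix_ciphers FILE: keep FILE.bak, then replace only the ciphers value in place.
fix_ciphers() {
    f=$1
    if ! grep -q 'ciphers="[^"]*"' "$f"; then
        echo "no single-line ciphers attribute in $f; edit by hand" >&2
        return 1
    fi
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak"    # never clobber the first backup
    sed "s/ciphers=\"[^\"]*\"/ciphers=\"$NEW_CIPHERS\"/" "$f" > "$f.tmp" &&
        cat "$f.tmp" > "$f" && rm -f "$f.tmp" # cat keeps owner and mode of FILE
}

# make_sample FILE: constructed connector, NOT the appliance's real server.xml.
make_sample() {
    cat > "$1" <<'EOF'
<Connector port="8281" SSLEnabled="true" scheme="https" secure="true"
           ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
EOF
}

# Dry run against the constructed sample in a scratch directory.
tmp=$(mktemp -d) && make_sample "$tmp/server.xml"
echo "DHE suites before: $(count_dhe "$tmp/server.xml")"
fix_ciphers "$tmp/server.xml"
echo "DHE suites after:  $(count_dhe "$tmp/server.xml")"
rm -rf "$tmp"

# On the appliance, the same functions would be applied to the two files
# named in the post, followed by the reboot:
#   for f in /etc/vco/app-server/server.xml /etc/vco/configuration/server.xml; do
#       fix_ciphers "$f" && count_dhe "$f"
#   done
```

A count of 0 from count_dhe on both files confirms that no DHE suite is left in the connector configuration.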
