Summary

Because a number of ciphers have been deprecated for security reasons, we have to edit the allowed ciphers for the VMware Cloud Director Appliance Management UI Interface (VAMI), the main portal interface, and SSH. This document describes how to alter the allowed ciphers for each of the three.

VAMI

  1. SSH into the VMware Cloud Director (vCD) appliance.
  2. Edit the nginx config file:
    vi /etc/nginx/sites-available/vcd_ova_ui.conf
    
  3. Locate the line that has ssl_ciphers in it.
  4. Remove the existing ciphers within the quotes and add the following. NOTE: The set of allowed ciphers changes over time; update yours accordingly so that only the latest allowed ciphers are configured.
    !aNULL:ECDH-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    
  5. Save the file.
  6. Restart services.
    systemctl restart nginx.service && systemctl restart vcd_ova_ui.service
    systemctl restart vpostgres.service
    

Main Portal Interface

  1. SSH into the VMware Cloud Director (vCD) appliance.
  2. Determine which ciphers are currently allowed by running the following command. Examine the output and confirm whether any inappropriate ciphers are listed.
    cd /opt/vmware/vcloud-director/bin
    ./cell-management-tool ciphers -a
    
  3. Now we need to tell vCD which ciphers we want it to use for the main UI. NOTE: The set of allowed ciphers changes over time; update yours accordingly so that only the latest allowed ciphers are configured.
    ./cell-management-tool ciphers -d TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384
    
  4. This should take effect immediately and the cell should start running with the appropriate ciphers; if it does not, simply restart the vCD service.
    systemctl restart vmware-vcd.service
    

SSH

  1. SSH into the VMware Cloud Director (vCD) appliance.
  2. Determine which ciphers and MACs are currently allowed by running the following command. Examine the output and confirm whether any inappropriate algorithms are listed.
    grep 'Ciphers\|MACs' /etc/ssh/sshd_config
    
  3. Examine the listed ciphers and MACs and determine which of them need to change, then open the file for editing.
    vi /etc/ssh/sshd_config
    
  4. You will be updating the two lines for 'Ciphers' and 'MACs'. NOTE: The set of allowed ciphers changes over time; update yours accordingly so that only the latest allowed ciphers are configured.
    #Match User anoncvs
    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
    
  5. Restart the sshd service.
    systemctl restart sshd.service
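As an added example that is not part of the original KB article, the following POSIX shell script audits an sshd_config against the Ciphers and MACs allow-lists given in step 4 above, so that a weak algorithm left behind (or reintroduced by a later edit) is reported before sshd is restarted; the file paths and sample config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original KB): audit an sshd_config against the
# Ciphers/MACs allow-lists from the SSH section, so drift from the hardened
# values (a CBC cipher or SHA-1 MAC creeping back in) is caught before the
# service is restarted. File paths and sample config contents are constructed.

ALLOWED_CIPHERS="aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-256"

# audit_sshd_line FILE KEYWORD ALLOWED
# sshd honours the first uncommented occurrence of a keyword, so only that
# line is inspected. Prints every algorithm on it that is outside ALLOWED.
# Returns 0 if the line exists and is clean, 1 if it is missing (sshd's
# built-in default list would apply) or carries a disallowed entry.
audit_sshd_line() {
    file=$1; key=$2; allowed=$3
    line=$(grep -i "^[[:space:]]*${key}[[:space:]]" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$key: not set, sshd defaults apply"
        return 1
    fi
    bad=0
    for algo in $(printf '%s\n' "$line" | awk '{print $2}' | tr ',' ' '); do
        case " $allowed " in
            *" $algo "*) ;;                                  # on the allow-list
            *) echo "$key: disallowed algorithm $algo"; bad=1 ;;
        esac
    done
    return $bad
}

# audit_sshd_config FILE: returns 0 only if both Ciphers and MACs pass.
audit_sshd_config() {
    rc=0
    audit_sshd_line "$1" Ciphers "$ALLOWED_CIPHERS" || rc=1
    audit_sshd_line "$1" MACs "$ALLOWED_MACS" || rc=1
    return $rc
}

# Demo on a constructed sshd_config that still carries a CBC cipher and a
# SHA-1 MAC; the commented-out line is correctly ignored.
demo=$(mktemp)
printf '%s\n' 'Port 22' '#Ciphers aes128-cbc' \
    'Ciphers aes256-gcm@openssh.com,aes128-cbc,aes256-ctr' \
    'MACs hmac-sha2-256,hmac-sha1' > "$demo"
audit_sshd_config "$demo" && echo "sshd_config OK" || echo "sshd_config needs fixing"
rm -f "$demo"
```

Run it as root against /etc/ssh/sshd_config after editing and before the restart in step 5; a non-zero exit means at least one line still differs from the allow-list.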