
Enable TLS on Localhost Configuration as part of vRealize Automation Hardening 7.x

My peers and I were assisting a project where vRealize Automation 7.x was supposed to be deployed and hardened.


We found that there are lots of issues/misconfigurations in certain sections of the document which have to be called out.


Click here for the hardening guide version 7.6


I will call out certain sections where issues were seen after implementing them. Not all sections will be discussed here, as most of them are straightforward.


The problematic sections are:

  • "Enable TLS on Localhost Configuration", Page 22

  • "Verify that SSLv3, TLS 1.0, and TLS 1.1 are Disabled", Page 24


Let's start with the section "Enable TLS on Localhost Configuration"


Step 1

SSH to the vRA appliance.


Step 2

Set the permissions for the vcac keystore by running the following commands:


usermod -A vco,coredump,pivotal vco
chown vcac.pivotal /etc/vcac/vcac.keystore
chmod 640 /etc/vcac/vcac.keystore

Execute this as shown in the document; there are no changes to this step.


Step 3

According to the documentation, the following steps have to be performed:


Update the HAProxy configuration


Open the HAProxy configuration directory /etc/haproxy/conf.d and edit the 20-vcac.cfg file.


Locate the lines containing the following string:

server local 127.0.0.1

and add the following to the end of each such line:

ssl verify none

It states that the change has to be performed under the following sections of the 20-vcac.cfg file:


backend-vrhb
backend-horizon
backend-vro
backend-vra
backend-artifactory
backend-vra-health

But when you take a look at the file, there is no backend-artifactory section in it, so that is a mistake in the guide.


The only backends that are available in the file are:


backend backend-vrhb
backend backend-horizon
backend backend-vra
backend backend-vra-health
backend backend-vro
backend backend-vco-health

Another important change that is missing from the documentation is that the port on the backend-vro server line has to be changed from 8280 to 8281.


NOTE: TAKE A BACKUP OF THE ORIGINAL FILES BEFORE MAKING CHANGES
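The edit described in Step 3 is easy to get wrong by hand across six backends, so here is an added example (my own script, not part of the hardening guide or of the vRA appliance) that takes a backup, appends "ssl verify none" to every "server local 127.0.0.1:..." line that does not already have it, changes the backend-vro port from 8280 to 8281, and then audits the file so you can see which backends are still non-compliant. It assumes only awk, cp and cat; the file name, function names and the sample config it builds are my own constructs in the shape of 20-vcac.cfg, not the real file.

```shell
#!/bin/sh
# Added example, not from the hardening guide: apply and audit the
# "ssl verify none" change to the local server lines of 20-vcac.cfg
# and correct the backend-vro port (8280 -> 8281). Assumes awk/cp/cat.

# Print one line per "server local 127.0.0.1:<port>" entry:
#   <backend> <port> <status>     where status is "ok" or the problems found.
# Commented-out lines (such as a "#    server node2 ..." entry) are ignored.
audit_vcac_haproxy() {
    awk '
        /^backend[[:space:]]/ { backend = $2; next }
        /^[[:space:]]*server[[:space:]]+local[[:space:]]+127\.0\.0\.1:/ {
            port = $3; sub(/^127\.0\.0\.1:/, "", port)
            status = ""
            if ($0 !~ /ssl verify none/) status = "missing-ssl-verify-none"
            if (backend == "backend-vro" && port != "8281")
                status = (status == "" ? "" : status ",") "wrong-port-" port
            if (status == "") status = "ok"
            print backend, port, status
        }
    ' "$1"
}

# Back the file up, then rewrite it in place. Idempotent: running it twice
# does not append "ssl verify none" a second time. The file is rewritten
# through cat so the original inode and permissions are preserved.
harden_vcac_haproxy() {
    cfg="$1"
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    awk '
        /^backend[[:space:]]/ { backend = $2 }
        /^[[:space:]]*server[[:space:]]+local[[:space:]]+127\.0\.0\.1:/ {
            match($0, /^[[:space:]]*/); indent = substr($0, 1, RLENGTH)
            line = $0
            if (backend == "backend-vro" && $3 == "127.0.0.1:8280") {
                $3 = "127.0.0.1:8281"      # rebuilds $0 without indentation
                line = indent $0
            }
            sub(/[[:space:]]+$/, "", line)
            if (line !~ /ssl verify none/) line = line " ssl verify none"
            print line; next
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Constructed sample in the shape of the page's 20-vcac.cfg (not the real
# appliance file): three backends, none yet hardened, vro still on 8280.
make_sample_cfg() {
    f="${TMPDIR:-/tmp}/vcac-sample.$$.cfg"
    cat > "$f" <<'EOF'
backend backend-horizon
    mode http
    server local 127.0.0.1:8443 maxconn 500

backend backend-vra
    mode http
    server local 127.0.0.1:8082 maxconn 1500 cookie A check

backend backend-vro
    mode http
    option httpchk GET /vcac/services/api/health
    server local 127.0.0.1:8280 cookie A check
#    server node2 REMOTE-IP:443 cookie A check ssl verify none
EOF
    echo "$f"
}

# Usage on the appliance (after taking your own backup as the NOTE says):
#   harden_vcac_haproxy /etc/haproxy/conf.d/20-vcac.cfg
#   audit_vcac_haproxy  /etc/haproxy/conf.d/20-vcac.cfg
```

Run the audit before and after the change; every line should read "ok" afterwards, and the backend-vro line should show port 8281. Note that "ssl verify none" tells HAProxy to encrypt the hop but not to validate the backend certificate, which is acceptable here only because these server lines point at 127.0.0.1; the script deliberately leaves the commented REMOTE-IP line untouched.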


The 20-vcac.cfg file after the changes:


backend backend-horizon
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_HZN=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_HZN=\1
    http-request replace-value Cookie (.*?)JSESSIONID_HZN=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_HZN=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    timeout check 10s
    server local 127.0.0.1:8443 maxconn 500 ssl verify none

backend backend-vra
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 maxconn 1500 cookie A check ssl verify none

backend backend-vra-health
    mode http
    balance leastconn
    option http-server-close
    option log-health-checks
    option httplog
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRA=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRA=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRA=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRA=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    server local 127.0.0.1:8082 cookie A check ssl verify none

backend backend-vro
    mode http
    balance leastconn
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO=([^;]+)(.*?) \1JSESSIONID=\2\3
    http-request replace-value Cookie (.*?)XSRF-TOKEN_VRO=([^;]+)(.*?) \1XSRF-TOKEN=\2\3
    cookie JSESSIONID prefix
    option httpchk GET /vcac/services/api/health
    server local 127.0.0.1:8281 cookie A check ssl verify none
#    server node2 REMOTE-IP:443 cookie A check ssl verify none

backend backend-vco-health
    mode http
    option http-server-close
    option forwardfor
    option redispatch
    http-response replace-value Set-Cookie JSESSIONID=(.*) JSESSIONID_VRO=\1
    http-response replace-value Set-Cookie XSRF-TOKEN=(.*) XSRF-TOKEN_VRO=\1
    http-request replace-value Cookie (.*?)JSESSIONID_VRO