Thursday 24 September 2015

Unlock vRealize Orchestrator default VMware account and fix vRealize Orchestrator 6 appliance, weak ephemeral Diffie-Hellman key

It can happen: you type a wrong password too many times and end up with a locked account. Well, it happened to me while working with vRealize Orchestrator.
Curiously, the procedure is documented in the Orchestrator Installation Guide, even though it took me a considerable amount of time to find it, so why not emphasize the procedure here and help others find the solution quicker?!
When the default account (user=vmware) is locked out you will receive the error:
Login failed: User/password mismatch or account temporarily blocked after too many unsuccessful attempts

It's not clear yet how many failed attempts lock the account, or after how many minutes it unlocks automatically. Let's see how to unlock it.

You can reset/unlock the account by tweaking the passwd.properties file. Depending on where vRO is running, you will find this file at:

- Running on vCenter: install_directory\VMware\Infrastructure\Orchestrator\configuration\conf\
- Running standalone on Windows: install_directory\VMware\Orchestrator\configuration\conf\
- Running on the appliance: /etc/vco/configuration/
I'll show you the appliance steps, because I believe it is the most common deployment out there.
1. Log in through SSH on the Orchestrator Appliance
- cd /etc/vco/configuration/
2. Take a copy of the file, just in case you want to restore it later
- cp passwd.properties passwd.properties.bkp
3. Now edit the file with your preferred editor.
Look for the line starting with vmware= (followed by a string of numbers and letters: that is the actual password, but encrypted)
Get rid of this line and replace it with:
vmware=92963abd36c896b93a36b8e296ff3387


Save the file and restart vRO services.

Give the appliance a few minutes for the change to take effect.

Login back with:
User: vmware
Password: vmware

If you did it right you will be able to login and change the default password ; )
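The same edit, scripted, as an added example that is not part of the original post: it performs steps 2 and 3 above (copy the file to passwd.properties.bkp, swap the vmware= line for the reset line quoted in the post) while leaving every other entry untouched, and it refuses to write anything when no vmware= entry exists, so a mistyped path cannot silently produce a new file containing a default credential. The sample file contents and the account name "otheruser" are constructed for the demonstration.

```python
"""Reset the locked default 'vmware' account in passwd.properties.

Added example, not from the original post or from VMware. Automates
steps 2-3 of the post: back up the file, then replace the vmware= line.
"""
import shutil
from pathlib import Path

# Replacement line quoted in the post; it restores the password 'vmware'.
DEFAULT_VMWARE_LINE = "vmware=92963abd36c896b93a36b8e296ff3387"

# Location on the Orchestrator appliance (the post also lists Windows paths).
PASSWD_FILE = Path("/etc/vco/configuration/passwd.properties")


def reset_vmware_entry(lines, replacement=DEFAULT_VMWARE_LINE):
    """Return (new_lines, replaced_count) with every 'vmware=' line replaced.

    Comments and other accounts are kept as they are. Raises ValueError
    when no entry was found, so a caller never appends a default credential
    to a file that was not a passwd.properties in the first place.
    """
    new_lines = []
    replaced = 0
    for line in lines:
        if line.strip().startswith("vmware="):
            new_lines.append(replacement)
            replaced += 1
        else:
            new_lines.append(line)
    if replaced == 0:
        raise ValueError("no 'vmware=' entry found; is this the right file?")
    return new_lines, replaced


def reset_passwd_file(path=PASSWD_FILE, backup_suffix=".bkp"):
    """Steps 2 and 3 of the post: copy to passwd.properties.bkp, then rewrite."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + backup_suffix))
    original = path.read_text().splitlines()
    new_lines, count = reset_vmware_entry(original)
    path.write_text("\n".join(new_lines) + "\n")
    return count


if __name__ == "__main__":
    # Constructed sample content, not a real appliance file.
    sample = [
        "# constructed example passwd.properties",
        "vmware=0123456789abcdef0123456789abcdef",
        "otheruser=fedcba9876543210fedcba9876543210",
    ]
    out, n = reset_vmware_entry(sample)
    print(n, "entry replaced")
    print("\n".join(out))
    # On the appliance itself you would call reset_passwd_file() and then
    # restart the vRO services as the post describes.
```

After running reset_passwd_file() on the appliance, restart the vRO services and log in with vmware/vmware exactly as described above; the backup lets you put the previous line back if needed.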


One more issue I faced: even after changing this, login was still not working. In Internet Explorer the error was the same "Login failed: User/password mismatch or account temporarily blocked after too many unsuccessful attempts", but that turned out to be a browser issue, because in Google Chrome and Mozilla Firefox I was getting this error instead:
Firefox always complained about a weak Diffie-Hellman key.

"An error occurred during a connection to ip-address:8281. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)"
At the time I simply ignored it and just used Google Chrome, which worked fine. That was until the latest release also broke with the same type of error message:

"Server has a weak ephemeral Diffie-Hellman public key".

I now had a problem and contacted VMware support; below is the very easy fix to make vCO 6 work in both the latest version of Firefox and Chrome!


VMware vRealize Orchestrator weak ephemeral Diffie-Hellman key fix:-


1. SSH into your vCO appliance
2. Make a copy of your server.xml files in both the /etc/vco/app-server and /etc/vco/configuration folders by typing the following command:
cp /etc/vco/app-server/server.xml /etc/vco/app-server/server.xml.bak
cp /etc/vco/configuration/server.xml /etc/vco/configuration/server.xml.bak

3. Now use vi to edit the /etc/vco/app-server/server.xml file: using the up/down arrows move the cursor to the "ciphers" line and press dd to delete the line, then press i to enter insert mode, paste the line below, press ESC to exit insert mode and press YY (case sensitive)
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />

Before:- (screenshot omitted)

After:- (screenshot omitted)

4. Do the exact same step above for the /etc/vco/configuration/server.xml file.
5. Finally, reboot the vCO appliance by typing "reboot".
6. After the reboot vRealize Orchestrator should work just fine on both Firefox and Chrome!

In short, the vRO appliance is configured to use SSLv3, and some of the cipher suites (Diffie-Hellman) are now considered unsafe (POODLE vulnerability), so browsers have started blocking said ciphers.
The above steps resolve the issue by removing the Diffie-Hellman cipher suites from the vCO appliance, which in turn makes both Chrome and Firefox happy :).
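To check which server.xml still offers Diffie-Hellman suites, and to apply the cipher list from steps 3 and 4 without hand-editing in vi, here is an added example that is not part of the original post or of VMware's appliance. It parses the Tomcat-style Connector elements, lists every DH/DHE suite on an SSL-enabled connector, and rewrites the ciphers attribute with a regex so the rest of the file stays byte-for-byte identical and the .bak diff is easy to review. The sample XML is constructed and much shorter than the real file; only the cipher list and the two file paths come from the post.

```python
"""Audit and rewrite the TLS cipher list in a Tomcat-style server.xml.

Added example, not from the original post or from VMware. Implements
steps 2-4 of the post for the two appliance files and adds a check that
reports any Diffie-Hellman suites left behind.
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# RSA-only cipher list used in steps 3 and 4 of the post.
POST_CIPHERS = "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"

# The two files the post edits on the appliance.
APPLIANCE_FILES = (
    "/etc/vco/app-server/server.xml",
    "/etc/vco/configuration/server.xml",
)

# Java names DH suites TLS_DH_*, TLS_DHE_* or SSL_DHE_*; ECDHE suites do not match.
DH_SUITE = re.compile(r"^(TLS|SSL)_DHE?_")

# Constructed sample, not a real appliance file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8281" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
  </Service>
</Server>
"""


def dh_suites(xml_text):
    """Return the DH/DHE suites offered by every SSL-enabled Connector."""
    root = ET.fromstring(xml_text)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for suite in conn.get("ciphers", "").split(","):
            suite = suite.strip()
            if DH_SUITE.match(suite):
                found.append(suite)
    return found


def harden_ciphers(xml_text, allowed=POST_CIPHERS):
    """Replace every ciphers="..." attribute with the allowed list.

    A regex rather than re-serialising the parsed tree keeps comments,
    attribute order and indentation unchanged, so the .bak diff shows
    exactly one changed attribute.
    """
    return re.sub(r'ciphers="[^"]*"', lambda m: 'ciphers="%s"' % allowed, xml_text)


def harden_file(path, allowed=POST_CIPHERS):
    """Steps 2-4 of the post for one file: back up to .bak, rewrite, re-check."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(harden_ciphers(path.read_text(), allowed))
    return dh_suites(path.read_text())  # empty list when nothing DH is left


if __name__ == "__main__":
    print("before:", dh_suites(SAMPLE_SERVER_XML))
    print("after: ", dh_suites(harden_ciphers(SAMPLE_SERVER_XML)))
    # On the appliance: for f in APPLIANCE_FILES: print(f, harden_file(f))
    # then reboot as in step 5.
```

The two browser messages quoted above are how Firefox and Chrome report a server whose ephemeral Diffie-Hellman key they consider too short. Removing the DHE suites, as the post does, makes the error go away, but the remaining TLS_RSA suites provide no forward secrecy, so treat this list as the workaround it is and revisit it when the appliance can be upgraded.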

Source:-
https://miketabor.com/how-to-fix-vrealize-orchestrator-6-appliance-weak-ephemeral-diffie-hellman-key/
