Introduction

Chrome was recently updated to version 45 and now refuses connections to HTTPS sites that use DH (Diffie-Hellman) keys of less than 1024 bits.

This caused me an issue when attempting to connect to a local test vRA instance to in turn access the vRO console. Fortunately, there is a way round it.

Objective

  • To be able to get to the vRealize Orchestrator home/configuration pages from Chrome 45+

Infrastructure setup in this example

  • vRealize Orchestrator is embedded within the vRealize Automation appliance
  • Accessing with Chrome 45+

Assumptions

  • You have root SSH access to your vRO (in this case the vRA Appliance)

Steps to success

  1. Log into the vRealize Appliance as root
  2. Make backup copies of the following files

/etc/vco/app-server/server.xml (vRO server)
/etc/vco/configuration/server.xml (vRO configurator)

Example:

cp /etc/vco/app-server/server.xml /etc/vco/app-server/server.xml.old
cp /etc/vco/configuration/server.xml /etc/vco/configuration/server.xml.old

  3. Edit both files and remove the four “DHE” entries from the “ciphers” section

scheme="https" secure="true" sslProtocol="TLS" strategy="ms" ciphers="TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>

The resultant ciphers section should look like this:

scheme="https" secure="true" sslProtocol="TLS" strategy="ms" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>

After removal of the insecure ciphers, you may need to restart vRO. Now you should be able to connect to vRO appliance using Chrome 45+.

NOTE: Once the editing has been completed, remember to save the file

(ESC KEY):wq

  4. Restart the vRO service

service vco-server restart

NOTE: The service restarts fairly quickly, but takes a few minutes to be available via the URL

  5. You can now access the vCO URL as normal

https://VRAPP-URL:8281/vco/
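The backup and cipher edit from steps 2 and 3 can also be scripted. The following is an added example, not part of the original post; the function names and the script name are hypothetical, and it assumes the ciphers="..." attribute sits on a single line with straight quotes, as in the excerpt above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): remove TLS_DHE_* suites from the
# ciphers="..." attribute of a server.xml, keeping a .old backup as in step 2.

remove_dhe_ciphers() {
    local file=$1 tmp
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk '
    match($0, /ciphers="[^"]*"/) {
        list = substr($0, RSTART + 9, RLENGTH - 10)   # text between the quotes
        n = split(list, suites, ",")
        kept = ""
        for (i = 1; i <= n; i++) {
            s = suites[i]
            gsub(/^[ \t]+|[ \t]+$/, "", s)            # tolerate spaces after commas
            if (s == "" || s ~ /^TLS_DHE_/) continue
            kept = kept (kept == "" ? "" : ",") s
        }
        if (kept == "") exit 2                        # never write an empty cipher list
        $0 = substr($0, 1, RSTART - 1) "ciphers=\"" kept "\"" substr($0, RSTART + RLENGTH)
    }
    { print }' "$file" > "$tmp" || {
        rm -f "$tmp"
        echo "$file: edit failed or no non-DHE suite would remain; file left unchanged" >&2
        return 1
    }
    [ -e "$file.old" ] || cp -p "$file" "$file.old"   # keep the first backup on re-runs
    cmp -s "$file" "$tmp" || cat "$tmp" > "$file"     # write in place: owner and mode kept
    rm -f "$tmp"
}

# Number of DHE suites still referenced in a file (0 after a successful edit).
count_dhe() {
    grep -o 'TLS_DHE_[A-Z0-9_]*' "$1" | wc -l | tr -d ' '
}

# Usage: ./strip-dhe.sh /etc/vco/app-server/server.xml /etc/vco/configuration/server.xml
for f in "$@"; do
    remove_dhe_ciphers "$f" && echo "$f: $(count_dhe "$f") DHE suites remain"
done
```

The service restart in step 4 is still required after running it. The two suites that remain use RSA key exchange, so the connection works in Chrome 45+ but has no forward secrecy.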

Links

Chrome Help - Fix connection errors
Server has a weak ephemeral Diffie-Hellman public