19 Oct 2015

Removing Obsolete Cipher Suites from vRealize Hyperic

So, you've done all the hard work to change your Hyperic Server certificate (or not). Now you browse to your Hyperic server's management page via HTTPS on port 7443 and you're presented with this uninspiring message from your browser:

[Screenshot: the browser's error page shown when connecting to the Hyperic server on port 7443]

Although this looks rather serious, it isn't. It's simply because Firefox and Chrome have now removed support for cipher suites that use the Diffie-Hellman (DHE) key exchange mechanism, as the mechanism is considered obsolete and insecure.

Note: If you're an administrator that hates SSL certificates and everything about them, you might want to consider doing what I did. I hated them too once upon a time. Then I realised that the reason I hated SSL was because I knew very little about SSL/TLS. Because I knew very little about SSL/TLS, I always got tripped up with issues like these, issues that just got in my way of getting the job done. So to address that problem, I decided to study SSL/TLS (they're the same thing really) and in particular OpenSSL. Do yourself and your career a favour and get a book called "Bulletproof SSL/TLS" by Ivan Ristić. Buy the book and study it thoroughly. You'll probably find that the subject is far more interesting than what you currently think it is and all will suddenly look much less complicated.

Before making any changes in a production environment, always test the process in a development or pre-production environment to ensure that the changes do not affect your deployed Hyperic agent configuration. Changing cipher suites in a sensible manner (don't remove everything, and certainly don't add any new ones manually unless told to do so by VMware support) should not affect the agents, but it's better to be safe than sorry. I do not accept any responsibility for anything that goes wrong in your environment as a result of changes made.

So, back to fixing our issue. To fix this, we need to remove the unsupported cipher suites from the Hyperic server configuration. This is done by changing the "ciphers" line in /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml (in the default server.xml, the line is around line 33). Before making changes to the configuration file, always make a backup copy of the original.

1. Make a backup copy of /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml 

cd /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/
cp ./server.xml ./server.xml.original.backup

2. Edit the file /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml

vi /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml

Find the Ciphers line:

ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

We need to remove any suites that contain DHE. RC4 is also obsolete, so remove those as well, and drop the 3DES suite while you're at it. That leaves us with two suites remaining:

ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

3. Save the file and exit the editor

 <ESC> :wq

4. Restart the Hyperic server

/opt/hyperic/server-5.8.4-EE/bin/hq-server.sh restart
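The four steps above as one script, so the edit is repeatable and checked rather than done by hand in vi. This is an added example and is not code from the original post, from Hyperic or from VMware. It assumes the ciphers="..." attribute sits on a single line of the real server.xml (the listing above wraps it only for display) and refuses to touch the file otherwise; the connector line used in demo is constructed for illustration, and HYPERIC_HOST is a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the original post, Hyperic or VMware): strip the DHE,
# RC4 and 3DES suites from the ciphers="..." attribute of server.xml, keeping a
# backup, then confirm after the restart that a client offering only DHE suites
# is refused. Expects the attribute on one line of the file.
set -eu

# filter_ciphers LIST: drop every suite whose name contains DHE, RC4 or 3DES
# from a comma-separated JSSE suite list; whitespace and newlines are ignored.
filter_ciphers() {
    printf '%s' "$1" | tr -d ' \t\n' | tr ',' '\n' \
        | grep -v -e 'DHE' -e 'RC4' -e '3DES' | paste -sd, -
}

# update_server_xml FILE: back FILE up as FILE.original.backup and rewrite its
# ciphers attribute with the filtered list. Never writes an empty list.
update_server_xml() {
    file="$1"
    current=$(sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$file" | head -n 1)
    if [ -z "$current" ]; then
        echo "no single-line ciphers=\"...\" attribute found in $file" >&2
        return 1
    fi
    new=$(filter_ciphers "$current")
    if [ -z "$new" ]; then
        echo "refusing to write an empty cipher list to $file" >&2
        return 1
    fi
    cp "$file" "$file.original.backup"
    # write to a temp file and move it into place so a failure cannot leave
    # a half-written server.xml behind
    sed "s|ciphers=\"$current\"|ciphers=\"$new\"|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
    echo "before: $current"
    echo "after:  $new"
}

# demo: run the rewrite on a constructed copy of the default connector line
# (not a real server.xml) and print the resulting attribute value.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<Connector port="7443" SSLEnabled="true" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
EOF
    update_server_xml "$tmp" >/dev/null
    sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$tmp"
    rm -f "$tmp" "$tmp.original.backup"
}

# check_no_dhe HOST: after the restart, offer the server only DHE suites and
# expect the handshake to fail (s_client exits non-zero on a failed handshake).
# On OpenSSL 1.1.1 or later add -no_tls1_3, because TLS 1.3 ignores -cipher.
check_no_dhe() {
    if openssl s_client -connect "$1:7443" -cipher 'DHE' </dev/null >/dev/null 2>&1; then
        echo "$1 still negotiates a DHE suite" >&2
        return 1
    fi
    echo "$1 refuses clients that only offer DHE suites"
}

# Usage, with the post's install path and a placeholder host name:
#   update_server_xml /opt/hyperic/server-5.8.4-EE/hq-engine/hq-server/conf/server.xml
#   /opt/hyperic/server-5.8.4-EE/bin/hq-server.sh restart
#   check_no_dhe HYPERIC_HOST
```

The script only ever removes suites and never adds any, in line with the advice above not to introduce new suites without VMware support telling you to; the empty-list guard exists because a server.xml with ciphers="" would stop the connector from negotiating anything at all.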

Last modified on Monday, 19 October 2015 17:08

Comments (5)

  1. Abhishek

This is really useful. Also, can you help me fix the Diffie-Hellman issue for HQ 4.4?
  1. Abhishek

This is really helpful. Can you also help me with fixing this on HQ 4.4?
  1. Rynardt Spies (in reply to Abhishek)

Hi,

Sorry. I've not used HQ 4.4 before. Do the same configuration files not exist on HQ 4.4?
  1. Abhishek

It does have the same configuration file, but there is no 'ciphers' property. Even if I add the property manually and restart HQ, the settings vanish. Not sure if this has anything to do with the Hyperic server-side code?