VMware Cloud Community
StuartB20111014
Enthusiast

Problems getting vCAC 6.2 to work correctly. Security related.

Hi Everyone,

I am setting up a quick 'n' dirty vCAC 6.2 test lab and am hitting a problem that has been annoying me for a good few days, and I hope someone can help. To give a bit of background, I did the following to set up the infrastructure (above and beyond having a working vCenter 6 installation):

Installed a SQL 2014 standalone box and an IaaS box using Windows 2012 R2

Installed the authentication appliance.

Installed the VRA appliance from OVF

Installed the Orchestrator appliance

All were installed from the latest available on VMware's website. I then ran the prerequisite script to configure the IaaS prerequisites. The installation went through OK (although it took a while :) ). The problem is that when I come to log in I keep getting errors about connection broken/resets.

Looking in the IaaS event viewer I get the following error:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

I understand that the issue is more or less related to the fact that the encryption type is not supported. So my question is: what is the easy and straightforward way to fix this? Crypto functions are not my forte!

Regards

Stuart

admin
Immortal

Hi Stuart,

I also found the same issue when IaaS is installed on a Windows 2012 R2 machine with a self-signed cert (with "sha512RSA" signature algorithm and "sha512" signature hash algorithm). In this case the IaaS machine rejects the TLS 1.2 connection from vRA, and the iaas-service registration with the component registry fails. Hence the vRA-IaaS integration won't be functional (and a 502 error will be thrown in the Infrastructure tab).

1. To resolve this issue you can enable this from the registry, if it is needed in your environment:


Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003

Type: REG_MULTI_SZ

Add Data: RSA/SHA512

Restart the machine if required. After this the connection resets should be resolved.

2. You can also resolve the issue by creating certificates based on SHA-384 or SHA-256.

The issue and the workaround are explained at http://blogs.technet.com/b/silvana/archive/2014/03/14/schannel-errors-on-scom-agent.aspx


Here is the iaas-service status with exception details, which can be resolved by applying the workaround:
-------------------------------------------------------------------------------------------------------
<serviceStatus serviceId="4100246b-fef7-4d64-bd24-9f8b386931c5" serviceName="iaas-service" serviceTypeId="com.vmware.csp.iaas.blueprint.service" notAvailable="true">
<lastUpdated>2015-06-09T12:12:05.253+05:30</lastUpdated>
<statusEndPointUrl>
https://s1-vra-iaas.vra.local/WAPI/api/status</statusEndPointUrl>
<serviceStatus>
<errorMessage>
Exception during remote status retrieval for url:
https://s1-vra-iaas.vra.local/WAPI/api/status. Error Message I/O error on GET request for "https://s1-vra-iaas.vra.local/WAPI/api/status":Connection reset; nested exception is java.net.SocketException: Connection reset.
</errorMessage>
<initialized>false</initialized>
</serviceStatus>
</serviceStatus>


Thanks,

Muzibur

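The reply above gives two ways out: add RSA/SHA512 to the Schannel signature-algorithm list, or reissue the IaaS certificate with SHA-256/SHA-384. The following PowerShell script is an added example (not from this thread, nor VMware's or Microsoft's code) that ties the two together on the IaaS host: it reads the signature algorithm of the certificate in the machine store, derives the Schannel entry it requires, reports whether that entry is in the configured list, and only appends it when run with -Fix. It assumes the REG_MULTI_SZ value under the 00010003 key is named Functions (the reply gives only the key and the data), that the certificate lives in Cert:\LocalMachine\My, and uses the hostname from the quoted status output as a default subject.

```powershell
# Added example: audit (and optionally apply) the Schannel signature-algorithm workaround
# for an IaaS certificate signed with sha512RSA. Run in an elevated PowerShell session.
# Assumptions: the multi-string value in the 00010003 key is named 'Functions';
# the IaaS certificate is in Cert:\LocalMachine\My and is selected by subject.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CertSubject = 'CN=s1-vra-iaas.vra.local',   # hostname from the thread; adjust for your lab
    [switch]$Fix                                        # without -Fix the script only reports
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$ValueName = 'Functions'   # assumed name of the REG_MULTI_SZ value (the reply gives only the data)

# 1. Locate the certificate and work out which Schannel "RSA/SHAnnn" entry it needs.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$CertSubject' in LocalMachine\My" }

$sigAlg = $cert.SignatureAlgorithm.FriendlyName            # e.g. 'sha512RSA'
if (-not ($sigAlg -match '^(sha\d+)(RSA|ECDSA)$')) { throw "Unexpected signature algorithm '$sigAlg'" }
$needed = "$($Matches[2])/$($Matches[1].ToUpper())"        # 'sha512RSA' -> 'RSA/SHA512'

# 2. Read the currently configured Schannel signature-algorithm list.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
Write-Host "Certificate '$($cert.Subject)' is signed with $sigAlg (requires Schannel entry $needed)"
Write-Host ("Configured Schannel signature algorithms: " +
    $(if ($current) { $current -join ', ' } else { '<value absent>' }))

if ($current -contains $needed) {
    Write-Host "OK: $needed is already enabled; the connection resets are caused by something else."
    return
}

Write-Warning "$needed is not in the configured list; TLS 1.2 handshakes with this certificate will be reset."
Write-Host "Preferred fix: reissue the certificate with SHA-256 or SHA-384 (option 2 in the reply)."

# 3. Optionally apply the registry workaround (option 1). Append to the existing list; never
#    replace it, and refuse to write if the value is absent, because a one-entry list would
#    disable every other signature algorithm on the host.
if ($Fix) {
    if (-not $current) {
        Write-Warning "The '$ValueName' value is absent; populate the full list before appending $needed."
        return
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "append $needed")) {
        $newList = @($current) + $needed | Select-Object -Unique
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString -Value $newList -Force | Out-Null
        Write-Host "Added $needed. Reboot the machine so Schannel reloads the list, then re-check the iaas-service status."
    }
}
```

Running the script with no switches is safe on a production host: it only reads the certificate store and the registry. Use -Fix -WhatIf to see the registry write it would make before committing to it, and re-run the audit after the reboot to confirm the entry is present.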