September 04, 2015

vCenter Server Appliance (vCSA) 5.5 SSL certificate replacement and root password reset the hard and/or easy way. (or The vCSA is Dead, Long Live the vCSA)

It all started because my SSL certificate had expired, and with recent updates to Chrome and Firefox we could not log in. I found this perfect article (http://www.virtuallyghetto.com/2013/04/automating-ssl-certificate-regeneration.html) to regenerate the certificate from the command line, but I was locked out of the root account. I thought, as many do, that I had forgotten the root password, but it turns out that with v5.5 root passwords expire in 90 days, and if you don't set an SMTP server and email address you will never be notified. Furthermore, after some time the account will be locked.

On the vCSA console you have an option to Login. I don't really know why, but somehow, after failing some logins or semi-resetting the account, I found that if I mistyped the password 3 times I would actually get the root prompt. Now, if you cannot get the root prompt, luckily you can use this excellent method (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html) to get to the files as well. If you do use the linked method, please note that you will need to mount (or remount) with read-write access, which it does not mention. Hint: mount -o remount,rw /mnt

So in the following commands you will see [/mnt]. What I mean by this is that if you use the linked method, you need /mnt/path; however, if you were able to get the vCSA's root prompt, simply use /path (excluding /mnt).

Of course you should back up any files you plan to change!

We will use vi because it's the editor built into the vCSA. Remember that in vi you press i or a to insert or append, which puts you in typing mode. Afterward, <esc>:wq! forces a save and quits, and <esc>:q! aborts and quits.

Firstly, I found that the password policy required a new, previously unused password that had to meet complexity requirements. This sucked tremendously, considering I really, really wanted to re-use the password. If you wish to do the same, try this; if not, skip it.

Change the root password policy with vi [/mnt]/etc/pam.d/common-password

change
password        requisite       pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=4 retry=3
password        required        pam_pwhistory.so enforce_for_root remember=4 retry=3
to
password        requisite       pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=0 retry=0
password        required        pam_pwhistory.so enforce_for_root remember=0 retry=3
The above removes the requirement that the new password differ significantly from prior passwords (difok=0, remember=0) and stops the prompt from repeatedly asking for retries.

An alternative might be to purge the password history file with rm [/mnt]/etc/security/opasswd, which of course I did.

If you can get to the vCSA's root prompt, you can change the root password with passwd.

However, if you cannot, you can potentially reuse your old password by reinstating the password hash from a backup shadow.* file. Revisit the article mentioned above (http://www.virtuallyghetto.com/2013/09/how-to-recover-vcsa-55-from-expired.html), as it explains the shadow file.

Thus I succeeded in restoring the default password of vmware by finding that [/mnt]/etc/shadow.UPDATE contained its hash. I copied the hash (installation-specific, I'm sure) into the root line of the existing [/mnt]/etc/shadow and made sure the 5th field was empty (::). It looked like this:
root:$2y$10$Gye6636Oxy/2yK01.7MW0ud8pSE90cEYr92kLSwDvJmULjmTPnu0O:16581:0:90:7:::

Once I had accomplished all this, I rebooted and was able to log in with vmware. I reset my password with passwd at the root prompt. It complained that the password was too simple, but accepted it nonetheless.

Note: Through all this, I found that the actual client login Administrator@vSphere.local had never changed, so don't expect it to be the new password you just set.

Furthermore, I followed this very fitting article (http://www.virtuallyghetto.com/2013/09/administrator-password-expiration-in.html) to completely disable root password expiration with chage -M -1 -E -1 root.
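As an added example (not from the original post), here is a small POSIX shell helper that reads a root line from /etc/shadow in the format shown above (lastchg and max in days since 1970-01-01, exactly the fields that chage edits) and reports whether the 90-day expiry has already hit or the account is locked, so the lockout can be caught before it happens. The sample shadow lines and the hash in them are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check a vCSA-style /etc/shadow root
# line for password expiry and lockout before it locks you out.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and max are in days since 1970-01-01, the unit chage uses internally.

# shadow_days_left LINE TODAY -> prints days left (negative = already expired),
# or "never" when max is empty (after chage -M -1), 99999 or -1.
shadow_days_left() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        lastchg = $3; max = $5
        if (max == "" || max == 99999 || max == -1) { print "never"; exit }
        print (lastchg + max) - today
    }'
}

# shadow_is_locked LINE -> exit 0 if the hash field starts with "!" or is "*"
shadow_is_locked() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines (the hash is a placeholder, not a real credential).
SAMPLE_ROOT='root:$2y$10$PLACEHOLDERHASH:16581:0:90:7:::'
SAMPLE_LOCKED='root:!$2y$10$PLACEHOLDERHASH:16581:0:90:7:::'
SAMPLE_NOEXPIRE='root:$2y$10$PLACEHOLDERHASH:16581:0:::::'   # after chage -M -1 -E -1

today_days() { echo $(( $(date +%s) / 86400 )); }

# On the appliance: main_report "$(grep '^root:' /etc/shadow)"
main_report() {
    line=$1
    if shadow_is_locked "$line"; then echo "root: account LOCKED"; fi
    echo "root: days until password expiry: $(shadow_days_left "$line" "$(today_days)")"
}
```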

If you use VMware Update Manager (VUM), you may need to remediate its connection with http://kb.vmware.com/kb/2048210.

In addition to the resources linked above, the following were referenced during my adventure-less adventure.
My other recent posts also relate to this issue, due to the weak-SSL deprecation policies of Mozilla, Google and Microsoft.

---
As Always, Good Luck!
Please comment or tip me or use any/all of my affiliate links; Thank YOU!
You can thank me with bitcoin.


September 02, 2015

VMWare vCenter vSphere Web Client Chrome 45 ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY


VMWare vCenter vSphere Web Client + Chrome 45
Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY
a.k.a Forward Secrecy

I patched this together rather quickly, but I think it's all here! Today we had an issue with Chrome 45 failing to connect to the VMware 5.1 vCenter vSphere Web Server (vSphere Web Client). This is how I fixed it. (It also seems to work in Firefox.)

Create a new self-signed certificate (on Linux):
openssl genrsa 2048 > rui.key
openssl req -new -key rui.key > rui.csr
#openssl x509 -in rui.cer -out rui.crt
openssl x509 -req -days 1825 -in rui.csr -signkey rui.key -out rui.crt
openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
You must use testpassword if you retain the default Tomcat keystorePass setting in the XML mentioned below.

Back up and replace the files in C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl\ with the files just created. *** My other vCenter did not have this folder; it was C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\ instead (upgrade vs. fresh install?).

Edit C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
was
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
changed to (removed RC4 and DHE-only ciphers)
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="500" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" keystoreFile="C:\ProgramData\vmware\vSphere Web Client\ssl\rui.pfx" keystorePass="testpassword" keystoreType="PKCS12"></Connector>
Restart both the vspherewebclientsvc and vctomcat services. Be patient; it will take a few minutes for the services to be ready to serve the web pages correctly.
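Chrome's error means it refused the Diffie-Hellman group the server offered as too small, and the edit above sidesteps that by no longer offering finite-field DHE suites at all. As an added example (not from the original post or from VMware), the POSIX shell helpers below prune a Connector's ciphers attribute by the same rule the post applied by hand (drop RC4 and _DHE_ suites, keep ECDHE) and then check from a client that the server really stops negotiating DHE; the sample Connector line is a shortened, constructed version of the original one.

```shell
#!/bin/sh
# Added example, not from the original post: prune the Connector's `ciphers`
# attribute the way the post does (drop RC4 and finite-field DHE suites;
# ECDHE suites survive because their names contain _ECDHE_, not _DHE_) and
# verify from a client that the server no longer negotiates DHE.

# prune_ciphers "LIST" -> the list with RC4 and DHE suites removed, ", " separated
prune_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v -e '_RC4_' -e '_DHE_' \
        | awk 'NR > 1 { printf ", " } { printf "%s", $0 }'
}

# ciphers_from_connector "LINE" -> value of the ciphers="..." attribute
ciphers_from_connector() {
    printf '%s\n' "$1" | sed -n 's/.*ciphers="\([^"]*\)".*/\1/p'
}

# rewrite_connector "LINE" "NEWLIST" -> LINE with its ciphers attribute replaced
rewrite_connector() {
    printf '%s\n' "$1" | awk -v new="$2" '{ sub(/ciphers="[^"]*"/, "ciphers=\"" new "\"") } 1'
}

# Live check (needs network; not part of the offline test): with -cipher DHE the
# client offers only finite-field DHE suites, so a successful handshake means
# the weak-DH path is still open.  Usage: check_no_dhe vcenter.example.com 9443
check_no_dhe() {
    if printf 'Q\n' | openssl s_client -connect "$1:$2" -cipher 'DHE' >/dev/null 2>&1; then
        echo "WARNING: $1:$2 still negotiates a DHE suite"; return 1
    fi
    echo "OK: $1:$2 refuses DHE suites"
}

# Constructed sample: a shortened version of the post's original Connector line.
SAMPLE_CONNECTOR='<Connector port="9443" sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" keystoreType="PKCS12"></Connector>'
```

Run prune_ciphers over the attribute extracted with ciphers_from_connector, feed the result to rewrite_connector, and only then restart the services; check_no_dhe afterwards confirms the change took effect.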

