vRealize Orchestrator and SQL Force Encryption

I’m currently working on an engagement where the customer’s security team has mandated the use of “Force Encryption” on all SQL connections within their SQL 2012 environment. This posed a few challenges when setting up vRO, and since I haven’t found a post that deals with that, I thought it worth writing up.

The first step with any SSL connection for Orchestrator is to import the certificate.

The next step is to define the SQL details. Clicking Apply Changes resulted in me staring at a blank screen with a spinning wheel for roughly 15 minutes. The failure takes a long time to come back. If you’re following this as a guide, apply the fix below before you complete this step.

After some internet trawling, I found this thread that gave me some idea of what was going on.

The next step was to update the two setenv files with the appropriate values:

/var/lib/vco/configuration/bin/setenv.sh

/var/lib/vco/app-server/bin/setenv.sh

My first attempt was to put -Djsse.enableCBCProtection=false into the CATALINA_OPTS, but that didn’t work. After reading this post I was inclined to think that this setting needed to extend outside of Tomcat, but I need someone a bit smarter than me to confirm exactly how/where this is the case.

I added JAVA_OPTS per the below screenshot to both files, and decided to try again.

The good news? It’s all now working as expected. I’m hoping we can get this verified by engineering and get an official KB out.
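
Because -Djsse.enableCBCProtection=false switches off the JSSE countermeasure for the CBC weakness in SSL 3.0/TLS 1.0, it is worth recording which variable in each setenv.sh actually carries it. The following is an added example, not part of the original post or of vRO: the function name find_cbc_flag and the sample files are constructed for illustration, and it makes no claim about what the JAVA_OPTS line in the screenshot contained.

```shell
#!/bin/sh
# Added example: report where the CBC-protection flag is set in setenv files.
CBC_FLAG='-Djsse.enableCBCProtection=false'

# find_cbc_flag FILE...   (hypothetical helper name)
# Prints one line per file: "<file>:<VAR>[,<VAR>...]" naming each variable
# whose assignment line carries the flag, "<file>:none" when no active line
# has it, or "<file>:unreadable". A flag sitting on a continuation line of a
# multi-line assignment is reported as "unknown".
find_cbc_flag() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "$f:unreadable"
            continue
        fi
        hits=$(awk -v flag="$CBC_FLAG" '
            /^[ \t]*#/ { next }            # skip commented-out lines
            index($0, flag) {
                line = $0
                sub(/^[ \t]*(export[ \t]+)?/, "", line)
                if (match(line, /^[A-Za-z_][A-Za-z0-9_]*=/))
                    print substr(line, 1, RLENGTH - 1)
                else
                    print "unknown"
            }' "$f" | sort -u | paste -sd, -)
        echo "$f:${hits:-none}"
    done
}

# Constructed sample files (stand-ins, not the real appliance files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/a-setenv.sh" <<'EOF'
CATALINA_OPTS="$CATALINA_OPTS -Djsse.enableCBCProtection=false"
EOF
cat > "$demo_dir/b-setenv.sh" <<'EOF'
# JAVA_OPTS="-Djsse.enableCBCProtection=false"
export JAVA_OPTS="$JAVA_OPTS -Djsse.enableCBCProtection=false"
EOF
cat > "$demo_dir/c-setenv.sh" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -Xmx512m"
EOF
find_cbc_flag "$demo_dir"/*-setenv.sh
```

On the appliance, pass it the two files named above: /var/lib/vco/configuration/bin/setenv.sh and /var/lib/vco/app-server/bin/setenv.sh.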