Change of Direction

Sometimes at work priorities change.

Right now for me that means that my vRA studying is going to need to go on the back burner while I step into some Kubernetes-sized shoes. This is both exciting and frustrating at the same time. On the one hand, learning Kubernetes is very exciting and full of a lot of diverse technologies. On the other, I’ve spent a great deal of time working with an old version of vRA just for the purposes of the VCAP-CMA exam.

With any luck by the time I come back to it (if I do) the exam version will have been uplifted to something more recent!

So expect some Kubernetes content in the near future. Very probably a CKA study guide!

VCAP-CMA Deploy – Objective 8.2

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for this objective is the security of vRealize Automation.

Objective 8.2 – Secure a vRealize Automation deployment in accordance with the VMware hardening guide


This is very much around the appliance itself, so familiarity with Linux hardening, particularly around SSH, will be beneficial. Almost all of these changes are made on individual hosts, so they will need to be repeated on each host.

Very roughly, this can be split into:

  • Client Access
  • Data at rest
  • Data in transit
  • Misc

I’m just going to run through a brief overview of each section. For further detail have a read of the very comprehensive documentation.

Client Access

To secure access to the appliance you need to think along the lines of creating a separate user to log in to the appliance (VAMI, console & SSH) and disabling direct root access. Once logged in to a CLI you can su to root. Definitely only enable SSH when required. Also consider password policies and matching the local user’s password to the corporate policy.

You may also want to consider changing the default timeouts for vRA. The default is set to 30 minutes.

Data at Rest

This is about securing access to the data that is held on local disk: the database and the application files. If you need access to the database for anything outside of the application, create another user account for this purpose rather than using the default postgres user. The hardening guide also lists commands for checking that the application files are secure; they are by default, but running the checks should give you an idea if something has been tampered with.

Data in Transit

Securing the data while it is stored on disk is no good unless access to that data is also secure. You’ll want to disable SSL v3.0, TLS v1.0 & v1.1 and configure the accepted cipher suites as per your corporate policies on all of the below services:

  • haproxy
  • lighttpd
  • vcac
  • vco
  • rabbitmq
  • IaaS Servers
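As an added post-hardening check (my own script, not from the VMware hardening guide or the vRA appliance), the following probes a service with each legacy protocol version via openssl s_client and reports whether the handshake is still accepted. It assumes openssl(1) is installed; the hostnames and ports in the trailing comments are assumptions, so adjust them to your deployment.

```shell
#!/bin/sh
# Added check: probe one TLS endpoint with SSLv3, TLS 1.0 and TLS 1.1 and
# report which of them the service still negotiates after hardening.
# Assumes openssl(1) is on the PATH.

# classify_handshake OUTPUT -> accepted | rejected | untestable
# Reads the text openssl s_client prints: a completed handshake names a
# cipher ("Cipher is AES256-SHA"); a refused one prints "Cipher is (NONE)".
classify_handshake() {
  case "$1" in
    *"nknown option"*)    echo untestable ;;  # this openssl build lacks the flag (e.g. -ssl3)
    *"Cipher is (NONE)"*) echo rejected ;;
    *"Cipher is "*)       echo accepted ;;
    *)                    echo rejected ;;    # connection refused, timeout, etc.
  esac
}

# probe_version HOST PORT VERSION   (VERSION is ssl3, tls1 or tls1_1)
probe_version() {
  out=$(echo | openssl s_client -connect "$1:$2" "-$3" 2>&1 || true)
  classify_handshake "$out"
}

# audit_endpoint HOST PORT -> one line per legacy version;
# returns 1 if any legacy version is still accepted, 0 otherwise.
audit_endpoint() {
  rc=0
  for v in ssl3 tls1 tls1_1; do
    result=$(probe_version "$1" "$2" "$v")
    printf '%s:%s %-7s %s\n' "$1" "$2" "$v" "$result"
    if [ "$result" = accepted ]; then rc=1; fi
  done
  return $rc
}

# Example run over the services the hardening guide covers.
# Hostname and ports are assumptions for illustration only:
# audit_endpoint vra.example.local 443    # haproxy
# audit_endpoint vra.example.local 5480   # lighttpd (VAMI)
```

Any line reporting "accepted" for ssl3, tls1 or tls1_1 means that service still needs its protocol configuration tightened.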

You may also want to review the response headers for these services to ensure that additional information isn’t given away in this manner either.


VCAP-CMA Deploy – Objective 8.1

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for this objective is the security of vRealize Automation.

Objective 8.1 – Renew, and/or replace security certificates on distributed vRealize Automation components


This is about replacing the certificates on these components:

  • vRA appliance
  • IaaS Manager Service Server
  • Web Server

Other certificates that are in use manage themselves, using self-signed certificates to communicate. An external vRO must be done separately, but if you’re using the embedded one it will update automatically.

All of these can be updated from the VAMI page of the vRA appliance. The different certificates can be managed from two pages:

  • Host Settings page – vRealize Automation certificate
  • Certificates page – IaaS certificates

Both of these pages provide different options to complete the certificate replacement.

  • Generate – generate a self-signed certificate to replace the existing certificate in situ
  • Import – use an existing certificate
  • Provide thumbprint – use a certificate that is already imported into the IaaS server certificate store. This just acts as a pointer; no certificate is physically transmitted

When you update a certificate, trust is re-initiated with other components.

Side note – If you use certificate chains, specify the certificates in the following order:

  1. Client/server certificate signed by the intermediate CA certificate
  2. One or more intermediate certificates
  3. A root CA certificate

If you offload SSL on your load balancer, you will need to SSH to the appliance to export the certificate to upload to your load balancer.

While updating the certificate, a list of recent actions and their success/failure is shown near the bottom of the page.

That’s all for this one, fairly straightforward. Although it’s always worth remembering that exam questions are going to be scenario based so you’ll be asked to achieve an objective that may well touch multiple parts of vRA.