Authentication broker is not accessible. Please check server logs for details.
During the patch installation the SSLCipherSuite setting for the VxAT Broker service was changed to 'Forward Secrecy Ciphers' only:
"RootBrokerName"="SFM_BROKER"<<<< note
"UseClusterNameAsDomainName"=dword:00000000
"UseClusterNameAsBrokerName"=dword:00000001
"DefaultAuthSequence"="pam unixpwd nis nisplus"
"SSLCipherSuite"="ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
This change was made as part of ongoing efforts to improve security. However, if the LDAP/AD server does not use these ciphers (e.g. LDAP/AD with SSL), the VIOM MS and LDAP/AD will fail to communicate.
The following steps can be used to fix this on the VIOM MS:
1. cd /var/opt/.VRTSsfmcs/sec/root/.VRTSat/profile/
2. cp VRTSatlocal.conf VRTSatlocal.conf.orig
3. /opt/VRTSsfmcs/bin/vomsc --stop ALL
4. There are two SSLCipherSuite entries in the VRTSatlocal.conf. The setting for the broker needs to be changed.
From "SSLCipherSuite"="ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384" to "SSLCipherSuite"="HIGH:MEDIUM:!eNULL:!aNULL:!SSLv2"
5. /opt/VRTSsfmcs/bin/vomsc --start ALL
LDAP users should now be able to log in again, though it may be necessary to refresh the VIOM GUI first.
Veritas will be reverting this change to avoid this issue in future VIOM patches.
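
Step 4 can be scripted so that only the entry carrying the forward-secrecy-only value is changed. This is an added example, not Veritas-supplied code: it assumes the broker entry is the only line with that value and writes nothing otherwise, and the section names and second value in its sample file are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Veritas code). Run it between step 3 and step 5.
OLD='"SSLCipherSuite"="ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384"'
NEW='"SSLCipherSuite"="HIGH:MEDIUM:!eNULL:!aNULL:!SSLv2"'

# relax_broker_ciphers FILE
# Replaces the one SSLCipherSuite line that carries the forward-secrecy-only
# value. Returns 0 on success, 1 if FILE is missing, 2 if zero or several
# lines carry that value (assumption: only the broker entry was changed by the
# patch), in which case nothing is written and the entries are listed.
relax_broker_ciphers() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    hits=$(awk -v old="$OLD" '{ t = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", t) }
        t == old { n++ } END { print n + 0 }' "$conf")
    if [ "$hits" -ne 1 ]; then
        echo "found $hits matching entries, expected 1; edit by hand:" >&2
        grep -n -F '"SSLCipherSuite"' "$conf" >&2 || true
        return 2
    fi
    # Same backup as step 2; an existing .orig is never overwritten.
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Plain string comparison in awk, so '!' and ':' need no regex escaping.
    if awk -v old="$OLD" -v new="$NEW" '{ t = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", t) }
        t == old { print new; next } { print }' "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"    # rewrite in place: keeps owner and mode
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample file: section names and the second value are placeholders.
make_sample() {
    cat > "$1" <<'EOF'
[constructed-section-broker]
"RootBrokerName"="SFM_BROKER"
"SSLCipherSuite"="ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
[constructed-section-other]
"SSLCipherSuite"="CONSTRUCTED-PLACEHOLDER-VALUE"
EOF
}

if [ "$#" -gt 0 ]; then relax_broker_ciphers "$1"; fi
```

A return code of 2 means the broker entry could not be identified unambiguously; the listed line numbers show where to make the edit by hand.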