Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5 (2076692)

Symptoms

This article provides the resolution procedure for vCenter Server 5.5 in response to the OpenSSL Heartbleed vulnerability.

Note: The Heartbleed issue affects the Windows version of vCenter Server and the VMware Client Integration Plug-in (a.k.a. the VMRC Plug-in). While the vCenter Server Appliance (vCSA) is not directly affected, it does ship with a vulnerable version of the VMware Client Integration Plug-in. Therefore, it must be upgraded so it does not distribute vulnerable plug-ins. For details on client remediation, see the Update the Client Integration Plug-in section.

Note: If you are using vCenter Single Sign-On 5.5 or the vSphere Web Client 5.5 in a vCenter Server 5.1 environment, this article also applies.

The vCenter Single Sign-On VMware Directory Service is the only Windows vCenter Server component affected by the OpenSSL Heartbleed vulnerability.

The VMware Client Integration Plug-in is a client-side component that is installed when users connect to the vSphere Web Client, for example to upload OVF files. Version 5.5 of this component, which ships with vSphere 5.5, is affected by the OpenSSL Heartbleed vulnerability.

The patch must be applied immediately to fix the critical security vulnerability reported in CVE-2014-0160. Details on this vulnerability can be found in VMware Security Advisory VMSA-2014-0004.

For details on the impact of the OpenSSL security issue, also known as Heartbleed, on VMware products and portals, see:

Purpose

Note: There are two vCenter Server 5.5 releases issued to remediate this issue:
  • If you are currently running vCenter Server 5.5 GA build 1312298, 1378903, or 1476327, upgrade to vCenter Server 5.5.0c build 1750597.

    Note: vCenter Server 5.5.0c must not be updated to vCenter Server 5.5 Update 1 (build 1623101), because that release still contains the vulnerable OpenSSL library. You can upgrade vCenter Server 5.5.0c to vCenter Server 5.5 Update 1a build 1750787.

  • If you are currently running vCenter Server 5.5 Update 1 build 1623101, upgrade to vCenter Server 5.5 Update 1a build 1750787.

Note: These releases upgrade the OpenSSL libraries. The openssl.exe file remains unchanged and displays the same version number as it did previously, so its output cannot be used to confirm the fix; check the vCenter Server build number instead.
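
The following PowerShell snippet is an added example and is not part of the VMware article. It encodes the build-to-release mapping above as a function and then asks a live vCenter Server for its build number, which is the check the note above calls for since openssl.exe -version is not meaningful after the fix. It assumes VMware PowerCLI is installed (6.x or later loads as a module; PowerCLI 5.5 used Add-PSSnapin VMware.VimAutomation.Core instead) and uses a placeholder vCenter name.

```powershell
# Added example, not from KB 2076692. Maps a vCenter Server 5.5 build number
# to the remediation action the KB prescribes, then checks a live server.
function Get-HeartbleedUpgradeTarget([int]$Build) {
    switch ($Build) {
        { $_ -in 1312298, 1378903, 1476327 } { return 'Vulnerable GA build: upgrade to vCenter Server 5.5.0c (build 1750597)' }
        1623101                              { return 'Vulnerable Update 1 build: upgrade to vCenter Server 5.5 Update 1a (build 1750787)' }
        { $_ -in 1750597, 1750787 }          { return 'Patched build: re-issue the vmdir certificate and change vsphere.local passwords if not already done' }
        default                              { return "Build $Build is not listed in KB 2076692; check VMSA-2014-0004" }
    }
}

# Live check. The build is read from the vCenter API (VIServer.Build), not from
# openssl.exe, whose reported version does not change with the fix.
# Assumption: PowerCLI 6.x or later installed as a module.
Import-Module VMware.VimAutomation.Core
$vc = Connect-VIServer -Server 'vcenter.domain.com' -ErrorAction Stop   # placeholder hostname
try {
    '{0} build {1}: {2}' -f $vc.Name, $vc.Build, (Get-HeartbleedUpgradeTarget ([int]$vc.Build))
} finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```

Run this before and after the upgrade; a patched build that still reports the old OpenSSL version from openssl.exe is expected and is not a sign that the upgrade failed.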

After the vCenter Server environment is upgraded, the Single Sign-On component requires the SSL certificate for the VMware Directory Service to be re-issued and the administrator@vsphere.local password to be changed. Heartbleed allows an unauthenticated remote attacker to read process memory, so the VMware Directory Service private key and any credentials the service handled while the vulnerable library was in use must be treated as exposed; upgrading the library alone does not invalidate them. Any other vsphere.local users that have been defined will also require their passwords to be changed.

Failure to carry out these actions continues to expose the system to compromise from the OpenSSL Heartbleed vulnerability.

For more information on upgrading, see:

Resolution

This issue is resolved in vCenter Server 5.5.0c build 1750597 and vCenter Server 5.5 Update 1a build 1750787, both available on the download page. For more information, see the appropriate Release Notes:

The remediation steps are provided below.

Caution: VMware strongly advises that you take a backup of your Single Sign-On and vCenter Server machines before performing the steps in this article.

Note: If you encounter an issue during the remediation steps in this article, file a support request with VMware Technical Support and note this Knowledge Base article ID (2076692) in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).

Remediation steps for machines where Single Sign-On is installed

Perform these steps on machines where Single Sign-On is installed:

Note: These steps must be performed on all Single Sign-On Servers.

  1. Back up the vmdircert.pem and vmdirkey.pem files (located at C:\ProgramData\VMware\CIS\cfg\vmdird).

  2. Copy the current vmdircert.pem file and save it as vmdircert.crt.

  3. Double-click the vmdircert.crt file to open it and click the Details tab. Scroll down to Subject Alternative Name and record the IPv4 and DNS name.

  4. Open a Windows command prompt as Administrator and create a temporary directory using this command:

    This example uses C:\temp:

    mkdir C:\temp

  5. Navigate into the directory using this command:

    cd C:\temp

    Note: The new Key and Certificate generated in this procedure will be initially stored in the temp directory.

  6. To generate a new Private Key, run this command:

    "C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genkey --priv=priv.key --pub=pub.key

  7. To generate a new Certificate, run this command:

    Note: Replace FQDN_DNS_NAME and IP_address with the DNS and IPv4 values respectively as recorded in step 3:

    "C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address --cert=cert.crt --port=11711

    Note: For environments in which multiple hostnames or IP addresses are used, use the following command structure similar to the command listed above:

    "C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN="FQDN_DNS_NAME1,DNS:FQDN_DNSNAME_2,DNS:FQDN_DNSNAME_3" --IP="IP_address1,IP:IP_address2,IP:IP_address3" --cert=cert.crt --port=11711

  8. Copy the new Private Key to the Single Sign-On VMDir configuration location using this command:

    copy priv.key C:\ProgramData\VMware\CIS\cfg\vmdird\vmdirkey.pem

    Note: If asked to overwrite the existing file, answer Yes.

  9. Copy the new Certificate to the Single Sign-On VMDir configuration location using this command:

    copy cert.crt C:\ProgramData\VMware\CIS\cfg\vmdird\vmdircert.pem

    Note: If asked to overwrite the existing file, answer Yes.

  10. Restart the VMware Directory Service on all Single Sign-On servers:

    1. Click Start > Run, type services.msc, then press Enter.
    2. Locate the VMware Directory Service and click Restart.

      Note: You must restart the service on every Single Sign-On server, not only the one on which the certificate was regenerated.

  11. Verify that you can continue to log into vCenter Server.
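
The script below is an added example, not part of the VMware article, and automates steps 1 through 10 above on a single Single Sign-On server from an elevated PowerShell prompt. Instead of transcribing the Subject Alternative Name from the certificate viewer (step 3), it parses the existing vmdircert.pem and feeds the same DNS and IP values to certool.exe using the multi-value syntax shown in step 7, then confirms the new certificate differs from the old one and still carries every name before installing it. It assumes the default install paths and the certool.exe flags given in the steps above; the backup directory name and the C:\temp work directory are the script's own choices.

```powershell
# Added example, not from KB 2076692. Re-issues the VMware Directory Service
# key and certificate on one Single Sign-On node. Run as Administrator.
$VmdirCfg = 'C:\ProgramData\VMware\CIS\cfg\vmdird'                                   # path from the KB
$Certool  = 'C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe'    # path from the KB
$Work     = 'C:\temp'                                                                 # our choice
$Backup   = Join-Path $VmdirCfg ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))    # our choice

# Step 1: back up the current key and certificate before touching anything.
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
Copy-Item (Join-Path $VmdirCfg 'vmdircert.pem'), (Join-Path $VmdirCfg 'vmdirkey.pem') -Destination $Backup

# Steps 2-3: read the Subject Alternative Name (OID 2.5.29.17) from the old certificate.
# X509Certificate2 accepts a PEM-encoded certificate file directly.
$old    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $VmdirCfg 'vmdircert.pem')
$sanExt = $old.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Existing vmdircert.pem has no Subject Alternative Name; record the names manually.' }
$sanText  = $sanExt.Format($true)   # one "DNS Name=..." / "IP Address=..." entry per line
$dnsNames = @([regex]::Matches($sanText, 'DNS Name=(\S+)')   | ForEach-Object { $_.Groups[1].Value })
$ipAddrs  = @([regex]::Matches($sanText, 'IP Address=(\S+)') | ForEach-Object { $_.Groups[1].Value })
if ($dnsNames.Count -eq 0 -or $ipAddrs.Count -eq 0) { throw "Could not parse SAN entries from:`n$sanText" }

# certool multi-value syntax from step 7: first value bare, later ones prefixed DNS: / IP:
$fqdnArg = $dnsNames[0] + (($dnsNames | Select-Object -Skip 1 | ForEach-Object { ",DNS:$_" }) -join '')
$ipArg   = $ipAddrs[0]  + (($ipAddrs  | Select-Object -Skip 1 | ForEach-Object { ",IP:$_" })  -join '')

# Steps 4-7: generate a fresh key pair and certificate in the work directory.
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Location $Work
& $Certool --genkey --priv=priv.key --pub=pub.key
if ($LASTEXITCODE -ne 0) { throw "certool --genkey failed with exit code $LASTEXITCODE" }
& $Certool --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN="$fqdnArg" --IP="$ipArg" --cert=cert.crt --port=11711
if ($LASTEXITCODE -ne 0) { throw "certool --genCIScert failed with exit code $LASTEXITCODE" }

# Sanity check before installing: a new key pair must yield a new certificate,
# and it must still name every host and address the old one did.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $Work 'cert.crt')
if ($new.Thumbprint -eq $old.Thumbprint) { throw 'New certificate is identical to the old one; nothing was rotated.' }
$newSan = ($new.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
foreach ($name in ($dnsNames + $ipAddrs)) {
    if ($newSan -notmatch [regex]::Escape($name)) { throw "New certificate lacks SAN entry $name" }
}

# Steps 8-9: install the new key and certificate over the exposed ones.
Copy-Item (Join-Path $Work 'priv.key') (Join-Path $VmdirCfg 'vmdirkey.pem')  -Force
Copy-Item (Join-Path $Work 'cert.crt') (Join-Path $VmdirCfg 'vmdircert.pem') -Force

# Step 10: restart the VMware Directory Service (matched by display name) and wait for it.
$svc = Get-Service -DisplayName 'VMware Directory Service'
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
"vmdir certificate replaced: old thumbprint $($old.Thumbprint), new thumbprint $($new.Thumbprint)"
```

Keep the printed thumbprints: the old one identifies the certificate that must no longer be trusted anywhere, and the new one is what partner nodes should see after the replication steps that follow. Step 11 (confirming you can still log in) remains a manual check.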

Remediation steps for multiple Single Sign-On servers that are participating in replication

If you have multiple Single Sign-On servers that are participating in replication, you must perform these steps in addition to the procedure above.

  1. On your first Single Sign-On server:

    1. Create a copy of the vmdircert.pem file (located in C:\ProgramData\VMware\CIS\cfg\vmdird) and name the copy using this format:

      sso_node1.domain.com.pem

      Where sso_node1.domain.com is the Fully Qualified Domain Name of the first Single Sign-On server.

    2. Copy this file to a temporary location on the Partner Single Sign-On server(s).

  2. On the Partner Single Sign-On server(s):

    1. Back up the existing file sso_node1.domain.com.pem file (located in C:\ProgramData\VMware\CIS\cfg\vmdird).

    2. Replace this file with the copy you made from the first server in step 1.

    3. Create a copy of the vmdircert.pem file (located in C:\ProgramData\VMware\CIS\cfg\vmdird) and name the copy using this format:

      sso_node2.domain.com.pem

      Note: Where sso_node2.domain.com is the Fully Qualified Domain Name of the Partner Single Sign-On server.

    4. Copy this file to a temporary location on the first Single Sign-On server.

  3. On your first Single Sign-On server:

    1. Back up the existing file sso_node2.domain.com.pem (located in C:\ProgramData\VMware\CIS\cfg\vmdird).

    2. Replace this file with the copy you made from the Partner server in step 2.

    3. Restart the VMware Directory Service on all Single Sign-On servers. To restart the service:

      1. Click Start > Run, type services.msc, then press Enter.
      2. Locate the VMware Directory Service and click Restart.

    4. Verify that replication is working:

      Create a test Single Sign-On user from one Single Sign-On node and verify that the user appears on other Single Sign-On nodes. For more information on adding users, see Add vCenter Single Sign-On Users in the vSphere 5.5 Documentation.
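
The check below is an added example and is not part of the VMware article. Before restarting the directory service in step 3c, it confirms that the partner certificate exchange was completed consistently: on every node, each <partner FQDN>.pem file must be present and must have the same thumbprint as the vmdircert.pem currently installed on that partner. A stale or missing partner file is exactly the state that breaks replication after the certificates are re-issued. It assumes the administrative C$ share of each node is reachable from the machine running it, and the node names are placeholders.

```powershell
# Added example, not from KB 2076692. Verifies the partner certificate exchange
# across all Single Sign-On replication nodes. Run from an account that is a
# local administrator on every node.
$Nodes  = @('sso_node1.domain.com', 'sso_node2.domain.com')   # placeholder FQDNs; list all nodes
$RelCfg = 'ProgramData\VMware\CIS\cfg\vmdird'                  # path from the KB, relative to C:\

function Get-PemThumbprint([string]$Path) {
    # Returns $null when the file is absent so the caller can distinguish
    # "missing" from "stale".
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path).Thumbprint
}

# The certificate each node is actually serving right now.
$live = @{}
foreach ($node in $Nodes) {
    $live[$node] = Get-PemThumbprint "\\$node\C`$\$RelCfg\vmdircert.pem"
    if (-not $live[$node]) { throw "Cannot read vmdircert.pem on $node" }
}

# Every node must hold every partner's live certificate as <partner>.pem.
$problems = @()
foreach ($holder in $Nodes) {
    foreach ($partner in ($Nodes | Where-Object { $_ -ne $holder })) {
        $copy = Get-PemThumbprint "\\$holder\C`$\$RelCfg\$partner.pem"
        if ($null -eq $copy) {
            $problems += "$holder is missing $partner.pem"
        } elseif ($copy -ne $live[$partner]) {
            $problems += "$holder holds a stale $partner.pem ($copy); $partner is serving $($live[$partner])"
        }
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Partner certificate exchange is incomplete; fix the files above before restarting the VMware Directory Service.'
}
"All $($Nodes.Count) Single Sign-On nodes hold current partner certificates."
```

A thumbprint that matches the pre-remediation backup rather than the live certificate means a node was skipped in step 1 or 2 and is still trusting a key that must be considered compromised.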

Changing your vCenter Single Sign-On password

Perform these steps to change the administrator@vsphere.local password.

Note: If you have more than one Single Sign-On server, you must perform this procedure on each Single Sign-On server.

  1. Log in to the vSphere Web Client using your vCenter Single Sign-On credentials.

  2. In the upper navigation pane to the left of the Help menu, click your user name to view the menu.

    To change the password of any other vsphere.local user, select Administration > Single Sign-On > Users and Groups, then right-click the user and select Edit User.

  3. Select Change Password and type your current password.

  4. Type a new password and confirm it.

    Note: The password must conform to the password policy.

  5. Click OK.

  6. Verify that you can log into vCenter Server(s).

Updating the Client Integration Plug-in

After upgrading the vSphere Web Client, you must also update the Client Integration Plug-in by performing these steps:

  1. Open a web browser and enter the URL for the vSphere Web Client:

    https://client-hostname:port/vsphere-client

  2. At the bottom of the vSphere Web Client login page, click Upgrade the Client Integration Plug-in.

  3. Download and install the Client Integration Plug-in.

Update History

04/21/2014 - Updated text in Symptoms section; clarified steps in Resolution section
04/24/2014 - Various clarifications