Resolving OpenSSL Heartbleed for VMware vCenter Server 5.5

Article ID: 302307

Products: VMware
Issue/Introduction

Note: There are two vCenter Server 5.5 releases issued to remediate this issue:
  • If you are currently running vCenter Server 5.5 GA build 1312298, 1378903, or 1476327, upgrade to vCenter Server 5.5.0c build 1750597.

    Note: vCenter Server 5.5.0c should not be updated to vCenter Server 5.5 Update 1. You can upgrade vCenter Server 5.5.0c to vCenter Server 5.5 Update 1a build 1750787.

  • If you are currently running vCenter Server 5.5 Update 1 build 1623101, upgrade to vCenter Server 5.5 Update 1a build 1750787.
Note: These releases upgrade the OpenSSL libraries. The openssl.exe file remains unchanged and will display the same version number as it did previously.

After the vCenter Server environment is upgraded, the Single Sign-On component requires the SSL certificate for the VMware Directory Service to be re-issued and the administrator@vsphere.local password to be changed. Any other vsphere.local users that have been defined will also require their passwords to be changed.

Failure to carry out these actions continues to expose the system to compromise from the OpenSSL Heartbleed vulnerability.

For more information on upgrading, see:


Symptoms:
This article provides the resolution procedure for vCenter Server 5.5 in response to the OpenSSL Heartbleed vulnerability.

Note: The Heartbleed issue affects the Windows version of vCenter Server and the VMware Client Integration Plug-in (a.k.a. the VMRC Plug-in). While the vCenter Server Appliance (vCSA) is not directly affected, it does ship with a vulnerable version of the VMware Client Integration Plug-in. Therefore, it must be upgraded so it does not distribute vulnerable plug-ins. For details on client remediation, see the Update the Client Integration Plug-in section.

Note: If you are using vCenter Single Sign-On 5.5 or the vSphere Web Client 5.5 in a vCenter Server 5.1 environment this article also applies.

The vCenter Single Sign-On VMware Directory Service is the only Windows vCenter Server component affected by the OpenSSL Heartbleed vulnerability.

The VMware Client Integration Plug-in is a client-side component that is present when users connect to the vSphere Web Client, for example to upload OVF files. Version 5.5 of this component is affected by the OpenSSL Heartbleed vulnerability. This version is part of vSphere 5.5.

The patch must be applied immediately to fix the critical security vulnerability reported in CVE-2014-0160. Details on this vulnerability can be found in VMware Security Advisory VMSA-2014-0004.

For details on the impact of the OpenSSL security issue, also known as Heartbleed, on VMware products and portals, see:


Resolution

This issue is resolved in vCenter Server 5.5.0c build 1750597 and vCenter Server 5.5 Update 1a build 1750787, available on the download page. For more information, see the appropriate Release Notes:

The remediation steps are provided below:

Caution: VMware strongly advises that you take a backup of your Single Sign-On and vCenter Server machines before performing the steps in this article.

Note: If you encounter an issue during the remediation steps in this article, file a support request with VMware Technical Support and note this Knowledge Base article ID (2076692) in the problem description. For more information on filing a Support Request, see Filing a Support Request in Customer Connect (2006985).

Remediation steps for machines where Single Sign-On is installed

Perform these steps on machines where Single Sign-On is installed:

Note: These steps must be performed on all Single Sign-On Servers.

  1. Back up the vmdircert.pem and vmdirkey.pem files (located at C:\ProgramData\VMware\CIS\cfg\vmdird).

  2. Copy the current vmdircert.pem file and save it as vmdircert.crt.

  3. Double-click the vmdircert.crt file to open it and click the Details tab. Scroll down to Subject Alternative Name and record the IPv4 and DNS name.

  4. Open a Windows command prompt as Administrator and create a temporary directory using this command:

    This example uses C:\temp:

    mkdir C:\temp

  5. Navigate into the directory using this command:

    cd C:\temp

    Note: The new Key and Certificate generated in this procedure will be initially stored in the temp directory.

  6. To generate a new Private Key, run this command:

    "C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genkey --priv=priv.key --pub=pub.key

  7. To generate a new Certificate, run this command:

    Note: Replace FQDN_DNS_NAME and IP_address with the DNS and IPv4 values respectively as recorded in step 3:

    "C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN=FQDN_DNS_NAME --IP=IP_address --cert=cert.crt --port=11711

    Note: For environments in which multiple hostnames or IP addresses are used, use this command structure instead of the single-name command listed above:

    "C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe" --genCIScert --priv=priv.key --Name=VMWareDirectoryService --FQDN="FQDN_DNS_NAME1,DNS:FQDN_DNSNAME_2,DNS:FQDN_DNSNAME_3" --IP="IP_address1,IP:IP_address2,IP:IP_address3" --cert=cert.crt --port=11711

  8. Copy the new Private Key to the Single Sign-On VMDir configuration location using this command:

    copy priv.key C:\ProgramData\VMware\CIS\cfg\vmdird\vmdirkey.pem

    Note: If asked to overwrite the existing file, answer Yes.

  9. Copy the new Certificate to the Single Sign-On VMDir configuration location using this command:

    copy cert.crt C:\ProgramData\VMware\CIS\cfg\vmdird\vmdircert.pem

    Note: If asked to overwrite the existing file, answer Yes.

  10. Restart the VMware Directory Service on all Single Sign-On servers:

    1. Click Start > Run, type services.msc, then press Enter.
    2. Locate the VMware Directory Service and click Restart.

      Note: You must restart the service on both Single Sign-On servers.

  11. Verify that you can continue to log into vCenter Server.
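The Single Sign-On steps above, automated as an added PowerShell example (not VMware's own script). It assumes the paths and certool.exe options quoted in this article, and reads the Subject Alternative Name from the existing certificate so the values recorded in step 3 cannot be mistyped; run it from an elevated PowerShell prompt on each Single Sign-On server.

```powershell
# Added example, not VMware's own script: automates steps 1 to 10 of the procedure above
# on one Single Sign-On server. Assumed (labelled): the paths and certool.exe options are
# exactly those quoted in the article, and vmdircert.pem holds a single PEM certificate.
$CfgDir   = 'C:\ProgramData\VMware\CIS\cfg\vmdird'
$CertTool = 'C:\Program Files\VMware\Infrastructure\VMware\CIS\vmcad\certool.exe'
$Work     = 'C:\temp'
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# Step 1: back up the current certificate and key before anything is overwritten.
foreach ($f in 'vmdircert.pem', 'vmdirkey.pem') {
    Copy-Item (Join-Path $CfgDir $f) (Join-Path $CfgDir "$f.$Stamp.bak")
}

# Step 3: read the Subject Alternative Name entries (extension 2.5.29.17) from the old
# certificate instead of copying them by hand from the Details tab.
$old = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $CfgDir 'vmdircert.pem')
$san = ($old.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$dns = @([regex]::Matches($san, 'DNS Name=([^,]+)')  | ForEach-Object { $_.Groups[1].Value.Trim() })
$ips = @([regex]::Matches($san, 'IP Address=([^,]+)') | ForEach-Object { $_.Groups[1].Value.Trim() })
if ($dns.Count -eq 0 -or $ips.Count -eq 0) { throw "Could not read DNS/IP SAN entries from vmdircert.pem: $san" }

# Build the --FQDN/--IP values in the article's multi-name form: "name1,DNS:name2" and "ip1,IP:ip2".
$fqdnArg = $dns[0] + (($dns | Select-Object -Skip 1 | ForEach-Object { ",DNS:$_" }) -join '')
$ipArg   = $ips[0] + (($ips | Select-Object -Skip 1 | ForEach-Object { ",IP:$_" }) -join '')

# Steps 4 to 7: work in C:\temp and generate a fresh key pair and certificate.
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Location $Work
& $CertTool --genkey --priv=priv.key --pub=pub.key
if ($LASTEXITCODE -ne 0) { throw 'certool --genkey failed' }
& $CertTool --genCIScert --priv=priv.key --Name=VMWareDirectoryService "--FQDN=$fqdnArg" "--IP=$ipArg" --cert=cert.crt --port=11711
if ($LASTEXITCODE -ne 0) { throw 'certool --genCIScert failed' }

# Steps 8 and 9: install the new key and certificate (overwrite without prompting).
Copy-Item (Join-Path $Work 'priv.key') (Join-Path $CfgDir 'vmdirkey.pem') -Force
Copy-Item (Join-Path $Work 'cert.crt') (Join-Path $CfgDir 'vmdircert.pem') -Force

# Check before restarting: the installed certificate must be a new one carrying the same SANs.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (Join-Path $CfgDir 'vmdircert.pem')
if ($new.Thumbprint -eq $old.Thumbprint) { throw 'vmdircert.pem still holds the old certificate' }
$newSan = ($new.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($newSan -ne $san) { Write-Warning "SAN differs from the old certificate. Old: [$san] New: [$newSan]" }

# Step 10: restart the VMware Directory Service; repeat this script on every Single Sign-On server.
Restart-Service -DisplayName 'VMware Directory Service'
Write-Host "Old thumbprint $($old.Thumbprint) replaced by $($new.Thumbprint); step 11 (test login) is still manual."
```

Step 11 (logging in to vCenter Server) and, for replicating Single Sign-On servers, the partner-certificate exchange in the next section remain manual.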

Remediation steps for multiple Single Sign-On servers that are participating in replication

If you have multiple Single Sign-On servers that are participating in replication, you must perform these steps in addition to the procedure above.

  1. On your first Single Sign-On server:

    1. Create a copy of the vmdircert.pem file (located in C:\ProgramData\VMware\CIS\cfg\vmdird) and name the copy using this format:

      sso_node1.domain.com.pem

      Where sso_node1.domain.com is the Fully Qualified Domain Name of the first Single Sign-On server.

    2. Copy this file to a temporary location on the Partner Single Sign-On server(s).

  2. On the Partner Single Sign-On server(s):

    1. Back up the existing file sso_node1.domain.com.pem file (located in C:\ProgramData\VMware\CIS\cfg\vmdird).

    2. Replace this file with the version you copied in step 1a.

    3. Create a copy of the vmdircert.pem file (located in C:\ProgramData\VMware\CIS\cfg\vmdird) and name the copy using this format:

      sso_node2.domain.com.pem

      Note: Where sso_node2.domain.com is the Fully Qualified Domain Name of the Partner Single Sign-On server.

    4. Copy this file to a temporary location on the first Single Sign-On server.

  3. On your first Single Sign-On server:

    1. Back up the existing file sso_node2.domain.com.pem (located in C:\ProgramData\VMware\CIS\cfg\vmdird).

    2. Replace this file with the version you copied in step 2c.

    3. Restart the VMware Directory Service on all Single Sign-On servers. To restart the service:

      1. Click Start > Run, type services.msc, then press Enter.
      2. Locate the VMware Directory Service and click Restart.

    4. Verify that replication is working:

      Create a test Single Sign-On user from one Single Sign-On node and verify that the user appears on other Single Sign-On nodes. For more information on adding users, see Add vCenter Single Sign-On Users in the vSphere 5.5 Documentation.

Changing your vCenter Single Sign-On password

Perform these steps to change the administrator@vsphere.local password.

Note: If you have more than one Single Sign-On server, you must perform this procedure on each Single Sign-On server.

  1. Log in to the vSphere Web Client using your vCenter Single Sign-On credentials.

  2. In the upper navigation pane to the left of the Help menu, click your user name to view the menu.

    Alternatively, select Administration > Single Sign-On > Users and Groups, then right-click the user and select Edit User.

  3. Select Change Password and type your current password.

  4. Type a new password and confirm it.

    Note: The password must conform to the password policy.

  5. Click OK.

  6. Verify that you can log into vCenter Server(s).

Updating the Client Integration Plug-in

After upgrading the vSphere Web Client, you must also update the Client Integration Plug-in by performing these steps:

  1. Open a web browser and enter the URL for the vSphere Web Client:

    https://client-hostname:port/vsphere-client

  2. At the bottom of the vSphere Web Client login page, click Upgrade the Client Integration Plug-in.

  3. Download and install the Client Integration Plug-in.


Additional Information

Update sequence for vSphere 5.5 and its compatible VMware products
Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed"
Impact of OpenSSL security issue CVE-2014-0160/CVE-2014-0346 a.k.a: "Heartbleed" on VMware Customer Portals and web sites
Resolving the OpenSSL Heartbleed issue for VMware vCenter Server 5.5 (Japanese-language version of this article)
Resolving the OpenSSL Heartbleed issue for VMware vCenter Server 5.5 (Chinese-language version of this article)