Managing TLS protocol configuration for vSphere 6.5/6.7

Article ID: 313841

Products

VMware vSphere ESXi

Issue/Introduction

Starting with vSphere 6.5, the TLS protocol versions 1.0, 1.1, and 1.2 are enabled by default. The TLS protocols can be toggled and configured using the TLS Reconfiguration Utility. This article provides steps for modifying the supported TLS protocols using this utility, and disabling TLSv1.0 within the vSphere environment. The utility will allow for an end-to-end disablement of TLSv1.0 across a vSphere environment. However, the vCenter Server, Platform Services Controller, vSphere Update Manager and ESXi hosts within the environment must be running the compatible software versions that allow for disablement. Additionally, ensure that other VMware products as well as third-party products are compatible with the use of only TLSv1.1 and TLSv1.2. For a list of VMware products supported for TLSv1.0 disablement and the use of TLSv1.1/1.2, consult Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796).

Versions prior to vSphere 6.5 and 6.0 U3 do not currently support disabling TLSv1.0 or manipulating the other TLS communication protocols. However, by design, all versions of vSphere attempt to communicate using the highest version of the TLS protocol available between products. Consult the Status Knowledge Base article above for the availability of other versions of vSphere.

By using the TLS Reconfiguration Utility in the vSphere environment, you will be disabling TLSv1.0 across the following ports on the vCenter Server, Platform Services Controller and ESXi hosts. If a port is not included, it will not be handled through the utility.

vCenter Server and Platform Services Controller:

Service                                      | Service Name (Windows)    | Service Name (Appliance) | Port
---------------------------------------------|---------------------------|--------------------------|------
VMware HTTP Reverse Proxy                    | rhttpproxy                | vmware-rhttpproxy        | 443
VMware Directory Service                     | VMWareDirectoryService    | vmdird                   | 636
VMware Syslog Collector (†)                  | vmsyslogcollector †       | rsyslogd                 | 1514
VMware Appliance Management Interface (†)    | --                        | applmgmt †               | 5480
VMware vSphere Auto Deploy Waiter            | vmware-autodeploy-waiter  | vmware-rbd-watchdog      | 6501
VMware vSphere Auto Deploy Waiter            | vmware-autodeploy-waiter  | vmware-rbd-watchdog      | 6502
VMware Secure Token Service                  | VMwareSTS                 | vmware-stsd              | 7444
VMware vSphere Authentication Proxy          | VMWareCAMService          | vmcam                    | 7476
VMware vSphere Update Manager Service (‡)    | vmware-ufad-vci ‡         | vmware-updatemgr         | 8084
VMware vSphere Update Manager Service (‡)    | vmware-ufad-vci ‡         | vmware-updatemgr         | 9087
VMware vSphere Web Client                    | vspherewebclientsvc       | vsphere-client           | 9443
VMware vSphere H5 Web Client                 | vsphere-ui                | vsphere-ui               | 5443
VMware Directory Service                     | VMWareDirectoryService    | vmdird                   | 11712

ESXi:

Service                                      | Service Name     | Port
---------------------------------------------|------------------|------
VMware HTTP Reverse Proxy and Host Daemon    | Hostd            | 443
VMware vSAN VASA Vendor Provider             | vSANVP           | 8080
VMware Fault Domain Manager                  | FDM              | 8182
VMware vSphere API for IO Filters            | ioFilterVPServer | 9080

Notes and Caveats:

  • † TLS is controlled by the cipher list for these services. Only TLSv1.2 or all TLSv1.x versions are supported; granular management is not possible.
  • ‡ Disablement of TLS protocols for vSphere Update Manager (Ports 8084, 9078) through the TLS Reconfiguration Utility is only supported on the vCenter Server Appliance. For more information on disabling TLS protocols on vSphere Update Manager on Windows, consult Managing the TLS protocol configuration for Update Manager 6.0 Update 3 and Update Manager 6.5 (2149136).
  • Ensure that the legacy ESXi 6.0 and 5.x hosts managed by the vCenter Server support TLSv1.1 and TLSv1.2. Upon disabling TLSv1.0 on vCenter Server 6.5, legacy ESXi 5.x and 6.0 hosts that have not been upgraded to compatible versions that support TLSv1.1 and/or TLSv1.2 will no longer be able to be managed by vCenter Server.
  • Using a TLSv1.2-only connection to an external Microsoft SQL Server is supported in vSphere 6.5 Update 2 and vSphere 6.7. For more information, see Enforce an encrypted connection to a Microsoft SQL Server database.
  • Using a TLSv1.2-only connection to an external Oracle database is not currently supported.
  • Disablement of TLSv1.0 on vCenter Server and/or Platform Services Controller is not possible when Windows Server 2008 is the host OS, because Windows Server 2008 supports only TLSv1.0. Newer versions of Windows Server support disablement of TLSv1.0. For more information, consult the Microsoft TechNet article TLS/SSL Settings in the Server Roles and Technologies Guide.
  • After applying TLS configuration changes to a host directly or through cluster configuration via Host Profiles, the host services need to be restarted for the changes to take effect.
  • If the vSphere Web Client port was modified from the default 9443 in vSphere 6.0 Update 3 and then upgraded to vSphere 6.5 Update 1 or later, TLSv1.1 and TLSv1.2 will be enabled on the custom port.
  • When using vCenter High Availability, destroy/disable the current configuration before running the TLS Configuration utility.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.


Environment

VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.7

Resolution

For vSphere 6.7 see the Managing TLS Protocol Configuration with the TLS Configurator Utility section of the vSphere Security guide.

Disabling TLSv1.0 and enabling TLSv1.1 and/or TLSv1.2 will be a multi-phase process in a vSphere environment:

  1. Install the TLS Reconfiguration Utility on the vCenter Server and Platform Services Controller; if the Platform Services Controller is embedded in the vCenter Server, the utility only needs to be installed on the vCenter Server.
  2. Disable vCenter Server's and vSphere Update Manager's use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2.
  3. The ESXi hosts managed by the vCenter Server are then updated to disable the use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2, on a per-host or per-cluster basis.
  4. The Platform Services Controller is updated to disable the use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2.
Note: A PSC embedded with vCenter Server is also covered by step 1 above.
 

The TLS Reconfiguration Utility is delivered as two components: VcTlsReconfigurator manages the TLS protocols for vCenter Server, vSphere Update Manager and the Platform Services Controller, and EsxTlsReconfigurator manages ESXi hosts and clusters. These components are located in these directories:

For vCenter Server for Windows:
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\VcTlsReconfigurator
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\EsxTlsReconfigurator
For vCenter Server Appliance:
  • /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
  • /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

Installing the TLS Reconfiguration Utility:

The TLS Reconfiguration Utility is not provided with the vCenter Server and vCenter Server Appliance and must be downloaded separately. Follow these steps to install the TLS Reconfiguration Utility:
  1. Go to customerconnect.vmware.com for vSphere.
  2. Using the Select Version drop-down menu, select your version of vSphere.
  3. Download the following depending on the use of Windows or Appliance in the environment.

    vSphere 6.5 and later

    For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.msi
    For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm

    For vSphere 6.5 Update 1 and later

    For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.msi
    For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm

  4. Upload the file to vCenter Server and/or Platform Services Controller:

    For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
    For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file.

  • For vCenter Server for Windows:
    1. On the Windows Server running vCenter Server, log in as an administrative user.
    2. Install the MSI file.
    3. Locate the MSI file, substituting the xxxxxxx for the appropriate build: VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.msi

  • For vCenter Server Appliance:
    1. Connect to the vCenter Server Appliance with an SSH session and root credentials.
    2. Run this command to enable the Bash shell:

      shell

    3. In the Bash shell, locate the directory where the VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.rpm was uploaded.
    4. Run the below rpm command, substituting the xxxxxxx for the appropriate build:

      rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.rpm

Updating the TLS Reconfiguration Utility:

After upgrading from vSphere 6.5 to vSphere 6.5 Update 1 or later, you must update the TLS Reconfiguration Utility binaries on your vCenter Server. Follow the below steps to update.

  1. Go to customerconnect.vmware.com for vSphere.
  2. Using the Select Version drop-down menu, select your version of vSphere.
  3. Download the following depending on the use of Windows or Appliance in the environment.
    For vSphere 6.5

    For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.msi
    For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm

    For vSphere 6.5 Update 1 and later

    For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.msi
    For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm

  4. Upload the file to vCenter Server and/or Platform Services Controller:

    For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
    For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file.

  • For vCenter Server for Windows:
    1. On the Windows Server running vCenter Server, log in as an administrative user.
    2. Locate the MSI file containing the latest TLS Reconfiguration Utility.
    3. Install the MSI file.

  • For vCenter Server Appliance:
    1. Connect to the vCenter Server Appliance with an SSH session and root credentials.
    2. Run this command to enable the Bash shell:

      shell

    3. In the Bash shell, locate the directory where the latest version of the TLS Reconfiguration Utility RPM was uploaded.
    4. Run the below rpm command, substituting the build number for the version you downloaded:

      rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm

You should observe the following output:

root@vcenter [ /tmp ]# rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
Preparing...
Updating / installing...
1:VMware-vSphereTlsReconfigurator-6################################# [ 50%]
Cleaning up / removing...
2:VMware-vSphereTlsReconfigurator-6################################# [100%]

Disabling TLSv1.0 using the TLS Reconfiguration Utility:

This section covers disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1.0 and TLSv1.1 and enabling only TLSv1.2, across vCenter Server, vSphere Update Manager, Platform Services Controller, and ESXi hosts. Disabling protocols must be done in this order:
  1. vSphere Update Manager
  2. vCenter Server
  3. ESXi hosts
  4. Platform Services Controller
Warning: Before proceeding, ensure all of these elements are running versions compatible with TLSv1.0 disablement.

Note:
  • KB 57308 may be needed for step 6 to work; check it before proceeding. If that change is needed, you can skip the reboot described in the KB, because step 5 below also reboots the vCenter Server.
  • If using 6.5 U1 or earlier, update to 6.5 U2 or later before changing the TLS configuration.
  • TLS configuration steps on 6.5 U1 or earlier might hit the issue described in KB 76555.
For vCenter Server and Platform Services Controller for Windows
  1. Connect to the Windows Server.
  2. Open an administrative command prompt.
  3. Change directory to the vSphereTlsReconfigurator using this command:

    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\
     
  4. Manually back up all of the configurations for all supported services on vCenter Server and Platform Services Controller:

    Note: The TLS Reconfiguration Utility will perform a backup operation each time a modification against the vCenter Server, Platform Services Controller or vSphere Update Manager has been executed. Use this process only if you need to create a backup in a specific user directory.
     
    1. Change directory to the VcTlsReconfigurator using this command:

      cd VcTlsReconfigurator
       
    2. Execute this command to perform a backup:

      directory_path\VcTlsReconfigurator> reconfigureVc backup

      By default, this will output to this directory:

      c:\users\<current user>\appdata\local\temp\<year><month><day>T<time>

      To output to a specific directory, run this command

      directory_path\VcTlsReconfigurator> reconfigureVc backup -d <backup directory path>
       
    3. A successful backup will look like this:

      vCenter Transport Layer Security reconfigurator, version=6.5.0, build=4635484
      For more information refer to the following article: https://kb.vmware.com/kb/2147469
      Log file: "C:\ProgramData\VMware\vCenterServer\logs\vSphere-TlsReconfigurator\VcTlsReconfigurator.log".
      ================= Backing up vCenter Server TLS configuration ==================
      Using backup directory: c:\users\<username>\appdata\local\temp\20161108T161539
      Backing up: vspherewebclientsvc
      Backing up: vmware-autodeploy-waiter
      Backing up: rhttpproxy
      Backing up: VMwareSTS
      Backing up: vsphere-ui
      Backing up: VMWareDirectoryService
      Backing up: VMWareCAMService

       
  5. Update all of the configuration for all supported services on the vCenter Server. Once the chosen command has been run, the vCenter Server will require a reboot.

    Note: For products communicating to the vCenter Server which still require TLSv1.0 to be enabled, this will cease connectivity.
     
    1. Disable TLSv1.0 on the vCenter Server, and enable higher versions of TLSv1.x.
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2
         
    2. Repeat this on the remaining vCenter Servers.
       
  6. Update the configuration for all supported services on the ESXi hosts managed by each of the vCenter Servers:
     
    1. Change directory to the EsxTlsReconfigurator using this command:

      cd ..\EsxTlsReconfigurator
       
    2. Disable TLSv1.0 on the ESXi hosts, and enable higher versions of TLSv1.x. This can be done on a per-host or per-cluster basis, either disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1.0 and enabling only TLSv1.2.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an individual ESXi host inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
         
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a vCenter Server host cluster, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a vCenter Server host cluster, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
         
    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.
       
    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.
      • Available in vSphere 6.5 Update 1: To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a standalone ESXi host not in the vCenter Server inventory, execute this command to perform a reconfiguration:

        Note: You must execute this from a vCenter Server.

        directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.1 TLSv1.2

      • Available in vSphere 6.5 Update 1: To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a standalone ESXi host not in the vCenter Server inventory, execute this command to perform a reconfiguration:

        Note: You must execute this from a vCenter Server.

        directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.2

  7. Update all of the configuration for all supported services on the Platform Services Controller:

    Note: If you have older 6.0.x or 5.5.x vCenter Servers still connected to the Platform Services Controller, this step will cause the vCenter Servers to stop communicating to the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.
     
    1. Change directory to the VcTlsReconfigurator using this command:

      cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
       
    2. Disable TLSv1.0 on the Platform Services Controller, and enable higher versions of TLSv1.x.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2
         
    3. Repeat this operation on the remaining Platform Services Controller in the vSphere domain.
Once completed, all vCenter Servers, the managed ESXi hosts and the associated Platform Services Controllers will no longer be using TLSv1.0.
 
 
For vCenter Server Appliance and Platform Services Controller Appliance:
  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell:

    shell
     
  3. In the Bash shell, change directories to this directory:

    cd /usr/lib/vmware-vSphereTlsReconfigurator/
     
  4. Manually backup all of the configurations for all supported services on the vCenter Server and Platform Services Controller:

    Note: The TLS Reconfigurator Utility will perform a backup operation each time it is executed. Use this process only if you need to create a backup to a specific user directory.
     
    1. Change the directory to VcTlsReconfigurator with this command:

      cd VcTlsReconfigurator
       
    2. Execute this command to perform a backup:

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup

      By default, this will output to this directory:

      /tmp/<year><month><day>T<time>

      In order to output to a specific directory, use this command

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup -d <backup directory path>
       
  5. Update all of the configuration for all supported services on the vCenter Server and vSphere Update Manager. Once the chosen command has been run, the vCenter Server will require a reboot.

    Note: If you have products communicating to the vCenter Server which still require TLSv1.0 to be enabled, this will cease connectivity.
     
    1. Disable TLSv1.0 on the vCenter Server, and enable higher versions of TLSv1.x.
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
         
    2. Repeat this on the next vCenter Server as appropriate.
       
  6. Update all of the configuration for all supported services on the ESXi hosts. This can be done on a per-host or per-cluster basis, either disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1.0 and enabling only TLSv1.2.
     
    1. Change directory to the EsxTlsReconfigurator using this command:

      cd ../EsxTlsReconfigurator
       
    2. Disable TLSv1.0 on the ESXi hosts, and enable higher versions of TLSv1.x. This can be done on a per-host or per-cluster basis, either disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1.0 and enabling only TLSv1.2.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an individual ESXi host inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
         
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
         
    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.
    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.
       
  7. Update all of the configuration for all supported services on the Platform Services Controller:

    Note: If you have older vCenter Servers 6.0.x or 5.5.x still connected to the Platform Services Controller, this step will cause the vCenter Servers to stop communicating to the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.
     
    1. Change directory to the VcTlsReconfigurator using this command:

      cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
       
    2. Disable TLSv1.0 on the Platform Services Controller, and enable higher versions of TLSv1.x.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
         
    3. Repeat this operation on the remaining Platform Services Controller in the vSphere domain.
Once completed, all vCenter Server Appliances, the managed ESXi hosts and the associated Platform Services Controller Appliances will no longer be using TLSv1.0.
 
 


Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ

Performing a Recovery using the TLS Reconfiguration Utility:

This section covers recovering from a previous settings change made with the TLS Reconfiguration Utility, that is, re-enabling previously used TLS protocols across vCenter Server, vSphere Update Manager, Platform Services Controller, and ESXi hosts. The restore must be done in this order:
  1. vSphere Update Manager
  2. vCenter Server
  3. Platform Services Controller
 
For vCenter Server and Platform Services Controller for Windows
  1. Connect to the Windows Server.
  2. Open an administrative command prompt.
  3. Change directory to the vSphereTlsReconfigurator using this command:

    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
     
  4. Review the previous backups taken by checking this log file:

    C:\ProgramData\VMware\vCenterServer\logs\vSphere-TlsReconfigurator\VcTlsReconfigurator.log

    Use the below output as an example:

    c:\users\<username>\appdata\local\temp\20161108T161539
    c:\users\<username>\appdata\local\temp\20161108T171539

     
  5. Manually run the below command to perform a restore:

    directory_path\VcTlsReconfigurator> reconfigureVc restore -d <Directory Path from Step 4>

    Use the below output as an example:

    directory_path\VcTlsReconfigurator> reconfigureVc restore -d c:\users\<username>\appdata\local\temp\20161108T171539

     
  6. Repeat this operation accordingly on the remaining vCenter Servers
  7. Repeat this operation accordingly on all Platform Services Controllers
 
For vCenter Server Appliance and Platform Services Controller Appliance:
  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell:

    shell
     
  3. In the Bash shell, change directories to this directory:

    cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
     
  4. Review the previous backups taken using the below command:

    grep "backup directory" /var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log

    Use the below output as an example:

    2016-11-17T17:29:20.950Z INFO Using backup directory: /tmp/20161117T172920
    2016-11-17T17:32:59.019Z INFO Using backup directory: /tmp/20161117T173259

     
  5. Manually run the below command to perform a restore:

    directory_path/VcTlsReconfigurator> ./reconfigureVc restore -d <Directory Path from Step 4>

    Use the below output as an example:

    directory_path/VcTlsReconfigurator> ./reconfigureVc restore -d /tmp/20161117T172920
     
  6. Repeat this operation accordingly on the remaining vCenter Server Appliances
  7. Repeat this operation accordingly on all Platform Services Controller Appliances
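As an added example (not part of this KB article and not code from the VMware utility), the following POSIX shell script automates the two appliance steps above: it reads the "Using backup directory" lines out of VcTlsReconfigurator.log, picks the newest backup and passes it to ./reconfigureVc restore, refusing to run when the directory is no longer present. The log path and the sample log lines embedded in it are constructed to match the article; the script file name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): restore the most recent
# TLS configuration backup recorded in VcTlsReconfigurator.log.
# Run from /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator on the
# appliance:   sh restore_latest_tls_backup.sh --restore
# Without --restore it only demonstrates the log parsing on sample lines.

LOG=${LOG:-/var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log}

# Print the path from the last "Using backup directory:" line read on stdin
# (the log is chronological, so the last line is the newest backup).
latest_backup_dir() {
    sed -n 's/.*Using backup directory: *//p' | tail -n 1
}

# Restore from the newest backup, refusing to run if the directory is gone
# (backups default to /tmp, which may have been cleaned since they were taken).
restore_latest() {
    dir=$(latest_backup_dir < "$LOG")
    if [ -z "$dir" ]; then
        echo "no backup directory recorded in $LOG" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "backup directory $dir no longer exists" >&2
        return 1
    fi
    ./reconfigureVc restore -d "$dir"
}

# Constructed log lines shaped like the example output in the article
SAMPLE_LOG='2016-11-17T17:29:20.950Z INFO Using backup directory: /tmp/20161117T172920
2016-11-17T17:32:59.019Z INFO Using backup directory: /tmp/20161117T173259'

if [ "${1:-}" = "--restore" ]; then
    restore_latest
else
    printf '%s\n' "$SAMPLE_LOG" | latest_backup_dir   # prints /tmp/20161117T173259
fi
```

The existence check matters because the utility backs up to /tmp by default; if the directory is gone, restore with -d pointing at a backup you created with ./reconfigureVc backup -d <directory> instead.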

Scanning vCenter for enabled TLS protocols

For vCenter Server and Platform Services Controller for Windows
  1. Connect to the Windows Server.
  2. Open an administrative command prompt.
  3. Change directory to the vSphereTlsReconfigurator using this command:

    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
     
  4. Run this command to output the TLS protocols on the endpoints:

    reconfigureVc scan

    For Example:

    reconfigureVc scan

    vCenter Transport Layer Security reconfigurator, version=6.5.0, build=4635484
    For more information refer to the following article: https://kb.vmware.com/kb/2147469
    Log file: "/var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log".
    ==================== Scanning vCenter Server TLS endpoints =====================
    +---------------------+-------------------+-------------------------+
    | Service Name | TLS Endpoint Port | TLS Version(s) |
    +---------------------+-------------------+-------------------------+
    | vmware-stsd | | NOT RUNNING |
    | vmcam | | NOT RUNNING |
    | vmware-rhttpproxy | 443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | rsyslog | 1514 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 636 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 11712 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-rbd-watchdog | | NOT RUNNING |
    | vmware-updatemgr | 8084 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-updatemgr | 9087 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-client | 9443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-ui | 5443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vami-lighttp | 5480 | TLSv1.0 TLSv1.1 TLSv1.2 |
    +---------------------+-------------------+-------------------------+
For vCenter Server Appliance and Platform Services Controller Appliance:
  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell:

    shell
     
  3. In the Bash shell, change directories to this directory:

    cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
     
  4. Run this command to output the TLS protocols on the endpoints:

    ./reconfigureVc scan

    For Example:

    ./reconfigureVc scan

    vCenter Transport Layer Security reconfigurator, version=6.5.0, build=4635484
    For more information refer to the following article: https://kb.vmware.com/kb/2147469
    Log file: "/var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log".
    ==================== Scanning vCenter Server TLS endpoints =====================
    +---------------------+-------------------+-------------------------+
    | Service Name | TLS Endpoint Port | TLS Version(s) |
    +---------------------+-------------------+-------------------------+
    | vmware-stsd | | NOT RUNNING |
    | vmcam | | NOT RUNNING |
    | vmware-rhttpproxy | 443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | rsyslog | 1514 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 636 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 11712 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-rbd-watchdog | | NOT RUNNING |
    | vmware-updatemgr | 8084 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-updatemgr | 9087 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-client | 9443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-ui | 5443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vami-lighttp | 5480 | TLSv1.0 TLSv1.1 TLSv1.2 |
    +---------------------+-------------------+-------------------------+
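As an added example (not part of this KB article and not code from the VMware utility), the following POSIX shell script turns the scan output above into a pass/fail check: it parses the ASCII table printed by reconfigureVc scan and lists every running endpoint that still offers TLSv1.0 or TLSv1.1, so the result of the update can be verified without reading the table by eye. The sample table embedded in it is constructed to resemble the scan output; the script file name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): flag endpoints in a
# `reconfigureVc scan` report that still accept TLSv1.0 or TLSv1.1.
# Usage on the appliance:
#   ./reconfigureVc scan > scan.txt && sh check_tls_scan.sh scan.txt
# Exit status is 1 if any running endpoint still offers a version below TLSv1.2.

# Read the scan table on stdin and print "service port versions" for every
# running endpoint whose version list contains TLSv1.0 or TLSv1.1.
find_legacy_tls() {
    awk -F'|' '
        # Data rows start with "|"; the "+----+" rule lines and banner do not.
        /^[ \t]*[|]/ {
            svc = $2; port = $3; vers = $4
            gsub(/^[ \t]+|[ \t]+$/, "", svc)
            gsub(/^[ \t]+|[ \t]+$/, "", port)
            gsub(/^[ \t]+|[ \t]+$/, "", vers)
            # Skip the header row and services that were not listening
            if (svc == "Service Name" || vers == "NOT RUNNING") next
            if (vers ~ /TLSv1\.0/ || vers ~ /TLSv1\.1/)
                printf "%s %s %s\n", svc, port, vers
        }'
}

# Print the offending endpoints (if any); return 0 when clean, 1 otherwise.
check_tls_scan() {
    out=$(find_legacy_tls)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Constructed sample shaped like the scan output quoted in the article:
# one endpoint already TLSv1.2-only, two that still need attention.
SAMPLE_SCAN='
| Service Name        | TLS Endpoint Port | TLS Version(s)          |
+---------------------+-------------------+-------------------------+
| vmware-stsd         |                   | NOT RUNNING             |
| vmware-rhttpproxy   | 443               | TLSv1.2                 |
| vmdird              | 636               | TLSv1.0 TLSv1.1 TLSv1.2 |
| vsphere-ui          | 5443              | TLSv1.1 TLSv1.2         |
'

if [ $# -ge 1 ]; then
    check_tls_scan < "$1"
else
    printf '%s\n' "$SAMPLE_SCAN" | check_tls_scan || echo "legacy TLS versions still enabled"
fi
```

Endpoints reported as NOT RUNNING are skipped on purpose: the scan cannot tell what they would offer, so re-run the check once those services are up.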
For ESXi hosts:

From the vCenter Server/vCenter Server Appliance, execute the following from the command line.

Note: For Windows-installed vCenter Servers, the openssl utility is located at C:\ProgramData\VMware\VMware Virtualcenter\SSL

To test TLSv1.0 Availability:

openssl s_client -connect ESXi_host.local:443 -tls1

To Test TLSv1.1 Availability:

openssl s_client -connect ESXi_host.local:443 -tls1_1

To test TLSv1.2 Availability:

openssl s_client -connect ESXi_host.local:443 -tls1_2

Depending on which protocols were disabled on the ESXi hosts, you will see one of two responses:

A response from the ESXi host indicating that the protocol is disabled:

openssl s_client -connect ESXi_host.local:443 -tls1

CONNECTED(00000003)
140482545034904:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531202233
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

A response from the ESXi host indicating that the protocol is active:

openssl s_client -connect ESXi_host.local:443 -tls1_2

CONNECTED(00000003)
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = ESXi_host.local, OU = VMware
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware, CN = ESXi_host.local, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=VMware/OU=VMware/CN=ESXi_host.local/[email protected]
   i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=ESXi_host.local/OU=VMware
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Palo Alto/O=VMware/OU=VMware/CN=ESXi_host.local/[email protected]
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=ESXi_host.local/OU=VMware
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1617 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: BDD2E34F930B785CD60EEAE67D7DFC06FE2FD30DB9D87CDFE6BF6778345D031FBF2BC4B33986DB79E328B1728B59B095
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531202247
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
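As an added example (not part of this KB article and not code from VMware), the following POSIX shell script repeats the openssl s_client check above for every ESXi port listed in the table at the top of this article (443, 8080, 8182, 9080) and for each TLS version, then classifies each response from the s_client output the same way the two transcripts above are read: no negotiated cipher means the version is disabled, an established session means it is active. The host name in the usage line is a placeholder, and the two response excerpts embedded in the script are constructed from the transcripts above.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): probe an ESXi host's TLS
# listeners with openssl s_client and classify each response.
# Usage from the vCenter Server Appliance shell (host name is a placeholder):
#   sh check_esxi_tls.sh esxi01.example.com
# Exit status is 1 if TLSv1.0 or TLSv1.1 is still accepted on any port.

# Ports from the article's ESXi table: hostd, vSAN VASA provider, FDM, IO filters
ESXI_TLS_PORTS="443 8080 8182 9080"

# Classify captured `openssl s_client` output read from stdin:
#   "disabled"          no cipher negotiated, the server refused that version
#   "active <protocol>" a session was established with that protocol
#   "unknown"           anything else (connection refused, timeout, ...)
tls_status_from_output() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*) echo "disabled" ;;
        *"New, "*"Cipher is "*)
            proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
            echo "active ${proto:-?}" ;;
        *) echo "unknown" ;;
    esac
}

# Probe one host:port with one version flag (-tls1, -tls1_1 or -tls1_2).
# stdin is closed so s_client exits as soon as the handshake finishes.
probe_tls() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | tls_status_from_output
}

# Probe every port with every version; print one line per probe.
check_esxi_tls() {
    host=$1; legacy=0
    for port in $ESXI_TLS_PORTS; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            status=$(probe_tls "$host" "$port" "$flag")
            printf '%s:%s %-7s %s\n' "$host" "$port" "$flag" "$status"
            case "$flag $status" in
                "-tls1 active"*|"-tls1_1 active"*) legacy=1 ;;
            esac
        done
    done
    return $legacy
}

# Constructed excerpts of the two s_client responses shown in the article
SAMPLE_DISABLED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_ACTIVE='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

if [ $# -ge 1 ]; then
    check_esxi_tls "$1"
else
    printf '%s\n' "$SAMPLE_DISABLED" | tls_status_from_output   # disabled
    printf '%s\n' "$SAMPLE_ACTIVE"   | tls_status_from_output   # active TLSv1.2
fi
```

The classification keys on the "New, ..., Cipher is ..." line rather than on the error text, because the exact error string for a refused version differs between openssl releases while that summary line does not. An "unknown" result for a port usually means the service was not listening (for example FDM on a host that is not in an HA cluster), which is a different condition from a disabled protocol.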
Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products
Managing the TLS protocol configuration for Update Manager 6.0 Update 3 and Update Manager 6.5
Managing the TLS protocol configuration for vSphere 6.5 (Simplified Chinese)
Managing the TLS protocol configuration for vSphere 6.5 (Japanese)
How to manage SSL and TLS Protocols for ESXi SFCB Daemon

Impact/Risks:
Some steps will require reboots of systems and disabling service versions. Please review the entire procedure before beginning.