Managing TLS protocol configuration for vSphere 6.0 Update 3
Article ID: 323623

Products: VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

The TLS protocol versions 1.0, 1.1, and 1.2 are enabled by default. Disablement of TLSv1.2 is not supported. The TLS protocols can be toggled and configured using the TLS Reconfiguration Utility.

This article provides steps for modifying the supported TLS protocols using this utility, and disabling TLSv1.0 within the vSphere environment. The utility will allow for an end-to-end disablement of TLSv1.0 across a vSphere environment. However, the vCenter Server, Platform Services Controller, and ESXi hosts within the environment must be running the compatible software versions that allow for disablement. Additionally, ensure that other VMware products as well as third-party products are compatible with the use of only TLSv1.1 and TLSv1.2. For a list of VMware products supported for TLSv1.0 disablement and the use of TLSv1.1/1.2, consult Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796).

Versions prior to vSphere 6.0 Update 3 do not support disabling TLSv1.0 or otherwise changing the enabled TLS protocols. However, by design, all versions of vSphere negotiate the highest TLS protocol version available to both communicating products. Consult the Status Knowledge Base article above for the availability of this capability in other versions of vSphere.

Using the TLS Reconfiguration Utility in the vSphere environment disables TLSv1.0 on the following ports on the vCenter Server, Platform Services Controller and ESXi hosts. Ports or services not listed here are not handled by the utility.

vCenter Server and Platform Services Controller

| Service                           | Service Name (Windows)   | Service Name (Appliance) | Port  |
| VMware HTTP Reverse Proxy         | rhttpproxy               | vmware-rhttpproxy        | 443   |
| VMware vSphere Web Client         | vspherewebclientsvc      | vsphere-client           | 9443  |
| VMware Syslog Collector (†)       | vmsyslogcollector †      | --                       | 1514  |
| VMware vSphere Auto Deploy Waiter | vmware-autodeploy-waiter | vmware-rbd-watchdog      | 6501  |
| VMware vSphere Auto Deploy Waiter | vmware-autodeploy-waiter | vmware-rbd-watchdog      | 6502  |
| VMware Secure Token Service       | VMwareSTS                | vmware-stsd              | 7444  |
| VMware Directory Service          | VMWareDirectoryService   | vmdird                   | 636   |
| VMware Directory Service          | VMWareDirectoryService   | vmdird                   | 11712 |
 

 

ESXi

| Service                                   | Service Name     | Port |
| VMware HTTP Reverse Proxy and Host Daemon | Hostd            | 443  |
| VMware vSAN VASA Vendor Provider          | vSANVP           | 8080 |
| VMware Fault Domain Manager               | FDM              | 8182 |
| VMware vSphere API for IO Filters         | ioFilterVPServer | 9080 |
| VMware Authorization Daemon               | vmware-authd     | 902  |
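To confirm what the ports in the two tables above actually negotiate before and after running the utility, the following Python script (an added example for this article, not part of it and not part of the VMware TLS Reconfiguration Utility) attempts a handshake pinned to each of TLSv1.0, TLSv1.1 and TLSv1.2 against every listed port and reports the endpoints that still accept a version you intended to disable. The port inventories are copied from the tables; the host names, the `tls_probe.py` file name and the command-line convention are assumptions. The probe must run from a machine whose own OpenSSL can still speak TLSv1.0/1.1, otherwise those versions are reported as unverifiable rather than rejected.

```python
"""Probe which TLS protocol versions the vSphere endpoints listed above accept.

Added example for this article; not part of the VMware TLS Reconfiguration
Utility. Run it against a vCenter Server / PSC before and after
`reconfigureVc update`, and against ESXi hosts before and after
`reconfigureEsx`, to confirm that TLSv1.0 is really gone.
"""
import socket
import ssl
import sys

# Port inventories copied from the article's tables (port -> service name as listed).
VCENTER_PSC_PORTS = {
    443: "rhttpproxy",
    9443: "vspherewebclientsvc",
    1514: "vmsyslogcollector",
    6501: "vmware-autodeploy-waiter",
    6502: "vmware-autodeploy-waiter",
    7444: "VMwareSTS",
    636: "VMWareDirectoryService",
    11712: "VMWareDirectoryService",
}
ESXI_PORTS = {
    443: "Hostd",
    8080: "vSANVP",
    8182: "FDM",
    9080: "ioFilterVPServer",
    902: "vmware-authd",
}

# Protocol versions the utility manages, mapped to the ssl module's enum.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, version, timeout=5.0):
    """Try a handshake pinned to exactly `version`.

    Returns True if the server completed it, False if the server rejected that
    version, and None if nothing could be concluded (port closed, or the local
    OpenSSL refuses to speak that version at all).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only protocol negotiation is tested, not trust
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL hides TLS 1.0/1.1 behind its security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False
    except OSError:
        return None


def scan(host, ports, probe=probe_version):
    """Return {(port, service): set of accepted version names} for one host.

    `probe` is injectable so the logic can be exercised without a live server.
    """
    results = {}
    for port, service in ports.items():
        accepted = {name for name, ver in VERSIONS.items() if probe(host, port, ver) is True}
        results[(port, service)] = accepted
    return results


def violations(results, allowed):
    """Endpoints that still accept a version outside `allowed`.

    After `reconfigureVc update -p TLSv1.2`, `allowed` would be {"TLSv1.2"}; the
    syslog collector on the appliance (TLSv1.0 only, see the notes below) is
    expected to show up here, which is why port 1514 stays in the inventory.
    """
    allowed = set(allowed)
    return {ep: acc - allowed for ep, acc in results.items() if acc - allowed}


if __name__ == "__main__":
    # usage: python tls_probe.py <host> [vc|esx] [allowed versions...]   (assumed convention)
    target = sys.argv[1]
    inventory = ESXI_PORTS if len(sys.argv) > 2 and sys.argv[2] == "esx" else VCENTER_PSC_PORTS
    allowed = sys.argv[3:] or ["TLSv1.1", "TLSv1.2"]
    found = scan(target, inventory)
    for (port, service), acc in sorted(found.items()):
        print(f"{service:<26} {port:<6} {', '.join(sorted(acc)) or 'no TLS handshake'}")
    sys.exit(1 if violations(found, allowed) else 0)
```

Run it once before the change to record the baseline and once after each phase; a non-zero exit means at least one listed port still negotiated a version outside the allowed set, and the per-port listing tells you which service to look at.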
 

 

Notes and Caveats:

  • Only TLSv1.2 or all TLSv1.x versions are supported; granular management is not possible. On vCenter Server with external Platform Services Controllers, ensure that all PSCs and the vCenter Server are enabled with the same TLS protocols.
  • Disabling TLS protocols for vSphere Update Manager (ports 8084, 9087) through the TLS reconfiguration utility is not supported. For more information, see Managing the TLS protocol configuration for Update Manager 6.0 Update 3 and Update Manager 6.5 (2149136).
  • Disabling TLS protocols for VMware vSAN Observer (port 8010) through the TLS reconfiguration utility is not supported. For more information, see Configuring the TLS protocol for VMware vSAN Observer 6.0 Update 3 (2144800).
  • † VMware Syslog Collector on vCenter Server Appliance supports TLSv1.0 only; TLSv1.1 or TLSv1.2 cannot be enabled for it with the TLS reconfigurator script.
  • TLSv1.2 is enabled on the vSphere Appliance Management Interface port 5480 by default. Disabling TLSv1.0 on this port is not supported by configuration.
  • Ensure that the legacy ESXi 6.0 and 5.x hosts managed by the vCenter Server support TLSv1.1 and TLSv1.2. Once TLSv1.0 is disabled on vCenter Server 6.0 Update 3 and later, legacy ESXi 5.x and 6.0 hosts that have not been upgraded to versions supporting TLSv1.1 and/or TLSv1.2 can no longer be managed by that vCenter Server.
  • Using a TLSv1.2-only connection to an external Microsoft SQL Server or external Oracle database is not currently supported.
  • Disabling TLSv1.0 on vCenter Server and/or Platform Services Controller installed on Windows Server 2008 is not possible, because Windows Server 2008 as the host OS supports only TLSv1.0. Newer versions of Windows Server support disabling TLSv1.0. For more information, consult the Microsoft TechNet article TLS/SSL Settings in the Server Roles and Technologies Guide.
  • After applying TLS configuration changes to a host directly or through cluster configuration via Host Profiles, the host services need to be restarted for the changes to take effect.
  • Authentication Proxy port 51915 supports TLSv1.2 enablement from 6.0 Update 3. For more information, see Disabling SSLv3 protocol for VMware Authentication Proxy - Port 51915 (2136184).

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.


Environment

VMware vSphere ESXi 5.5
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vSphere ESXi 6.0

Resolution

Disabling TLSv1.0 and enabling TLSv1.1 and/or TLSv1.2 is a multi-phase process in a vSphere environment:
  1. Install the TLS Reconfigurator Utility on the vCenter Server and Platform Services Controller; if the Platform Services Controller is embedded in the vCenter Server, the utility only needs to be installed on the vCenter Server.
  2. Disable vCenter Server's use of TLSv1.0 and enable TLSv1.1 and TLSv1.2, or TLSv1.2 exclusively.
  3. Update the ESXi hosts managed by the vCenter Server to disable TLSv1.0 and enable TLSv1.1 and TLSv1.2, or TLSv1.2 exclusively. This can be done at the per-host or per-cluster level.
  4. Update the Platform Services Controller to disable TLSv1.0 and enable TLSv1.1 and/or TLSv1.2. vCenter Server 6.0 Update 1 or earlier does not support a Platform Services Controller with only TLSv1.2 enabled. Before disabling TLSv1.0 on the PSC, upgrade the vCenter Server to the same version as the PSC, or keep TLSv1.0 enabled on the PSC machine.
The TLS Reconfiguration Utility is delivered with two components to cover managing the TLS protocols for vCenter Server and the Platform Services Controller with the VcTlsReconfigurator component and ESXi hosts and clusters with the EsxTlsReconfigurator component. These components are located in these directories:

For vCenter Server for Windows:
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\VcTlsReconfigurator
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\EsxTlsReconfigurator
For vCenter Server Appliance:
  • /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
  • /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

Installing the TLS Reconfiguration Utility

The TLS Reconfiguration Utility is an independent downloadable utility. Users must install the utility to disable TLSv1.0 within their vSphere environment. Follow these steps on installing the TLS Reconfiguration Utility:
  1. Go to customerconnect.vmware.com for vSphere.
  2. Download the following, depending on the use of Windows or the Appliance in the environment:
     For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.msi
     For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm
  3. Upload the file to vCenter Server and/or Platform Services Controller:
     For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
     For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file.
  4. Install the utility:
     • For vCenter Server for Windows:
       1. On the Windows Server running vCenter Server, log in as an administrative user.
       2. Locate the VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.msi file.
       3. Install the MSI file.
     • For vCenter Server Appliance:
       1. Connect to the vCenter Server Appliance with an SSH session and root credentials.
       2. Run this command to enable the Bash shell:
          shell.set --enabled true
       3. Run this command to access the Bash shell:
          shell
       4. In the Bash shell, locate the directory where the VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm was uploaded.
       5. Run this command:
          rpm -Uvh VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

Disabling TLSv1.0 using the TLS Reconfiguration Utility

This section covers disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling both TLSv1.0 and TLSv1.1 and enabling only TLSv1.2, across vCenter Server, Platform Services Controller, and ESXi hosts. Protocols must be disabled in this order:
  1. vCenter Server
  2. ESXi hosts
  3. Platform Services Controller
Warning: Before proceeding, ensure all of these elements are running versions compatible with TLSv1.0 disablement.
 
For vCenter Server and Platform Services Controller for Windows
  1. Connect to the Windows Server.
  2. Open an administrative command prompt.
  3. Change directory to the vSphereTlsReconfigurator using this command:
    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\
  4. Manually back up all of the configurations for all supported services on vCenter Server and Platform Services Controller:

    Note: The TLS Reconfigurator Utility will perform a backup operation each time a modification against the vCenter Server or Platform Services Controller has been executed. Use this process only if you need to create a backup in a specific user directory.
    1. Change directory to the VcTlsReconfigurator using this command:
      cd VcTlsReconfigurator

    2. Execute this command to perform a backup:
      directory_path\VcTlsReconfigurator> reconfigureVc backup
      By default, this will output to this directory:
      c:\users\<current user>\appdata\local\temp\<year><month><day>T<time>

      To output to a specific directory, run this command:

      directory_path\VcTlsReconfigurator> reconfigureVc backup -d <backup directory path>

    3. A successful backup will look like this:
vCenter Transport Layer Security reconfigurator, version=6.0.0, build=8482376
For more information, refer to the following article:
Log file: "C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\VcTlsReconfigurator.log".
================= Backing up vCenter Server TLS configuration ==================
Using backup directory: c:\users\admini~1\appdata\local\temp\1\20170202T054311
Backing up: vmsyslogcollector
Backing up: vspherewebclientsvc
Backing up: vmware-autodeploy-waiter
Backing up: rhttpproxy
Backing up: VMwareSTS
Backing up: VMWareDirectoryService
  To restore a configuration from a backup:
  1. Execute this command to perform the restore:
    reconfigureVc restore -d <tmp directory / custom backup directory path>

  2. An output similar to the following is displayed:
vCenter Transport Layer Security reconfigurator, version=6.0.0, build=5051284
For more information refer to the following article: https://kb.vmware.com/s/article/2148819
Log file: "C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\VcTlsReconfigurator.log".
vCenter Server is going to be restarted. Do you want to continue (Y/N)? Y
==================== Scanning vCenter Server TLS endpoints =====================
+--------------------------+-------------------+----------------+
| Service Name             | TLS Endpoint Port | TLS Version(s) |
+--------------------------+-------------------+----------------+
| vmsyslogcollector        | 1514              | TLSv1.2        |
| vspherewebclientsvc      | 9443              | TLSv1.2        |
| vmware-autodeploy-waiter |                   | NOT RUNNING    |
| rhttpproxy               | 443               | TLSv1.2        |
| VMwareSTS                | 7444              | TLSv1.2        |
| VMWareDirectoryService   | 636               | TLSv1.2        |
| VMWareDirectoryService   | 11712             | TLSv1.2        |
+--------------------------+-------------------+----------------+
================== Restoring vCenter Server TLS configuration ==================
Using backup directory: c:\users\lab1ad~1\appdata\local\temp\20170224T150604
Restoring: vmsyslogcollector
Restoring: vspherewebclientsvc
Restoring: vmware-autodeploy-waiter
Restoring: rhttpproxy
Restoring: VMwareSTS
Restoring: VMWareDirectoryService
========================== Restarting vCenter Server ===========================
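The scan table in the output above is the most direct evidence of what an update or restore actually left enabled. As an added example (not part of this article and not part of the VMware utility), the following Python snippet parses that table out of saved reconfigureVc output and reports services that still offer a version outside the set you expect, treating NOT RUNNING rows as unverified rather than as clean. The first sample is the table shown above; the second is a constructed variant in which one service still offers TLSv1.0, and the comma-separated multi-version cell in it is an assumption about how the utility would display such a case.

```python
"""Parse the 'Scanning ... TLS endpoints' table that reconfigureVc prints and
check it against the protocol set you intended to leave enabled.

Added example for this article; not part of the VMware utility. The table
layout is taken from the restore output shown in the article; how the utility
lists several versions in one cell is assumed to be whitespace- or
comma-separated.
"""
import re
import sys

# One table row: | service | port | version(s) |   (cell padding varies).
ROW = re.compile(
    r"^\|\s*(?P<service>[^|]+?)\s*\|\s*(?P<port>[^|]*?)\s*\|\s*(?P<versions>[^|]+?)\s*\|$"
)

# Constructed sample: the scan table from the article's restore output.
SAMPLE_CLEAN = """\
==================== Scanning vCenter Server TLS endpoints =====================
+--------------------------+-------------------+----------------+
| Service Name             | TLS Endpoint Port | TLS Version(s) |
+--------------------------+-------------------+----------------+
| vmsyslogcollector        | 1514              | TLSv1.2        |
| vspherewebclientsvc      | 9443              | TLSv1.2        |
| vmware-autodeploy-waiter |                   | NOT RUNNING    |
| rhttpproxy               | 443               | TLSv1.2        |
| VMwareSTS                | 7444              | TLSv1.2        |
| VMWareDirectoryService   | 636               | TLSv1.2        |
| VMWareDirectoryService   | 11712             | TLSv1.2        |
+--------------------------+-------------------+----------------+
"""
# Constructed variant: the reverse proxy still offers TLSv1.0 (assumed cell format).
SAMPLE_LEFTOVER = SAMPLE_CLEAN.replace(
    "| rhttpproxy               | 443               | TLSv1.2        |",
    "| rhttpproxy               | 443               | TLSv1.0,TLSv1.2|",
)


def parse_scan_table(text):
    """Return [(service, port or None, set of versions or None)] from utility output.

    A NOT RUNNING endpoint yields None for versions: the utility could not
    scan it, so nothing about its protocol set has been verified.
    """
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("service") == "Service Name":
            continue  # separator lines, banners and the header carry no data
        port = int(m.group("port")) if m.group("port") else None
        cell = m.group("versions")
        versions = None if cell.upper() == "NOT RUNNING" else set(re.split(r"[,\s]+", cell))
        rows.append((m.group("service"), port, versions))
    return rows


def check_disabled(rows, expected):
    """Split parsed rows into endpoints still offering a version outside
    `expected` (dict keyed by (service, port)) and endpoints the scan could
    not verify (list of (service, port))."""
    expected = set(expected)
    leftovers, unverified = {}, []
    for service, port, versions in rows:
        if versions is None:
            unverified.append((service, port))
        elif versions - expected:
            leftovers[(service, port)] = versions - expected
    return leftovers, unverified


if __name__ == "__main__":
    # usage: python check_scan.py TLSv1.2 [TLSv1.1 ...] < saved_reconfigureVc_output.txt
    expected = sys.argv[1:] or ["TLSv1.2"]
    leftovers, unverified = check_disabled(parse_scan_table(sys.stdin.read()), expected)
    for (service, port), extra in sorted(leftovers.items()):
        print(f"STILL ENABLED  {service}:{port}  {', '.join(sorted(extra))}")
    for service, port in unverified:
        print(f"UNVERIFIED     {service}  (NOT RUNNING during scan)")
    sys.exit(1 if leftovers else 0)
```

Keep the console output of every update and restore run; feeding it through this check is a cheap way to catch a service that was skipped or a restore that silently brought TLSv1.0 back, and the UNVERIFIED lines remind you which endpoints still need a look once their service is running.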
  1. Update the configuration for all supported services on the vCenter Server.

    Note: Products communicating with the vCenter Server that still require TLSv1.0 will lose connectivity.

    1. Disable TLSv1.0 on the vCenter Server and enable the higher TLSv1.x versions.
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2

    2. Repeat this on the remaining vCenter Servers.
  2. Update the configuration for all supported services on the ESXi hosts managed by each of the vCenter Servers.

    1. Change directory to the EsxTlsReconfigurator using this command:

      cd ..\EsxTlsReconfigurator

    2. Disable TLSv1.0 on the ESXi hosts and enable the higher TLSv1.x versions. This can be done on a per-host or per-cluster basis, either disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1.0 and TLSv1.1 and enabling only TLSv1.2.

      Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host managed by vCenter Server, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an individual ESXi host managed by vCenter Server, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a vCenter Server host cluster, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a vCenter Server host cluster, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a standalone ESXi host, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a standalone ESXi host, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.2

    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts to complete the TLS protocol changes.

    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.
  3. Update the configuration for all supported services on the Platform Services Controller:

    Note: If you have older 6.0.x or 5.5.x vCenter Servers still connected to the Platform Services Controller, this step will cause those vCenter Servers to stop communicating with the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.

    1. Change directory to the VcTlsReconfigurator using this command:

      cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator

    2. Disable TLSv1.0 on the Platform Services Controller and enable the higher TLSv1.x versions.

      Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2

    3. Repeat this operation on the remaining Platform Services Controllers in the vSphere domain.
Once completed, all vCenter Servers, the managed ESXi hosts and the associated Platform Services Controllers will no longer be using TLSv1.0.

For vCenter Server Appliance and Platform Services Controller Appliance
  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell:

    shell.set --enabled true

  3. Run this command to access the Bash shell:

    shell

  4. In the Bash shell, change to this directory:

    cd /usr/lib/vmware-vSphereTlsReconfigurator/
  5. Manually back up all of the configurations for all supported services on the vCenter Server and Platform Services Controller:

    Note: The TLS Reconfigurator Utility will perform a backup operation each time it is executed. Use this process only if you need to create a backup in a specific user directory.

    1. Change the directory to VcTlsReconfigurator with this command:

      cd VcTlsReconfigurator

    2. Execute this command to perform a backup:

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup

      By default, this will output to this directory:

      /tmp/<year><month><day>T<time>

      To output to a specific directory, use this command:

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup -d <backup directory path>
  1. Update the configuration for all supported services on the vCenter Server.

    Note: Products communicating with the vCenter Server that still require TLSv1.0 will lose connectivity.

    1. Disable TLSv1.0 on the vCenter Server and enable the higher TLSv1.x versions.

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2

    2. Repeat this on the next vCenter Server as appropriate.

  2. Update the configuration for all supported services on the ESXi hosts. This can be done on a per-host or per-cluster basis, either disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1.0 and TLSv1.1 and enabling only TLSv1.2.

    1. Change directory to the EsxTlsReconfigurator using this command:

      cd ../EsxTlsReconfigurator

    2. Disable TLSv1.0 on the ESXi hosts and enable the higher TLSv1.x versions.

      Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host managed by vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an individual ESXi host managed by vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an ESXi cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an ESXi cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a standalone ESXi host, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a standalone ESXi host, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.2

    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts to complete the TLS protocol changes.
    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.

  3. Update the configuration for all supported services on the Platform Services Controller:

    Note: If you have older 6.0.x or 5.5.x vCenter Servers still connected to the Platform Services Controller, this step will cause those vCenter Servers to stop communicating with the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.

    1. Change directory to the VcTlsReconfigurator using this command:

      cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator

    2. Disable TLSv1.0 on the Platform Services Controller and enable the higher TLSv1.x versions.

      Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2

    3. Repeat this operation on the remaining Platform Services Controllers in the vSphere domain.
Once completed, all vCenter Server Appliances, the managed ESXi hosts and the associated Platform Services Controller Appliances will no longer be using TLSv1.0.

Additional Information