Enabling and Disabling SSLv3 support in vCenter Orchestrator 4.2.x and later


Article ID: 341499


Products

VMware Aria Suite

Issue/Introduction

vCenter Orchestrator 4.2.x and 5.1.x run in JBoss which uses Apache Tomcat 5.5 as a Web container. vCenter Orchestrator 5.5.x runs in vFabric tc Server 2.9. Due to a security vulnerability in SSLv3, you must disable SSLv3 manually.

Note:
SSLv3 in vRealize Orchestrator 6.0.x is disabled by default.


Environment

VMware vCenter Orchestrator Appliance 5.5.x
VMware vCenter Orchestrator 5.1.x
VMware vRealize Orchestrator 6.0.x
VMware vCenter Orchestrator 4.2.x
VMware vCenter Orchestrator Appliance 5.1.x
VMware vCenter Orchestrator 5.5.x
VMware vCenter Orchestrator Appliance 4.2.x

Resolution

Disable SSLv3 Support for vCenter Orchestrator:

To disable SSLv3 in Orchestrator 4.2.x and 5.1.x manually:
  1. Open server.xml, located in ${INSTALL_ROOT}/app-server/server/vmo/deploy/jboss-deploy-tomcat/jbossweb-tomcat55.sar/.
  2. Replace the sslProtocol="TLS" attribute with the sslProtocols="TLSv1, TLSv1.1, TLSv1.2" attribute.
  3. Save the changes.
  4. Restart the Orchestrator server:
    1. In the Orchestrator configuration interface, click the Startup Options tab.
    2. Click Restart service.

To disable SSLv3 in Orchestrator 5.5.x manually:
  1. Open server.xml.
    • If you have installed Orchestrator on a Microsoft Windows machine, navigate to:
      ${INSTALL_ROOT}\app-server\conf\
    • If you use the Orchestrator appliance, in the Linux console, navigate to:
      /etc/vco/app-server/
  2. Replace the sslProtocol="TLS" attribute with the sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" attribute.
  3. Save the changes.
  4. Restart the Orchestrator server:
    1. In the Orchestrator configuration interface, click the Startup Options tab.
    2. Click Restart service.

Enable SSLv3 Support for vCenter Orchestrator 5.5.x and vRealize Orchestrator 6.0.x:

To re-enable SSLv3, the following changes must be made to the Orchestrator Appliance:
  1. Open server.xml, located in /etc/vco/app-server/, and replace the sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" connector attribute with the sslEnabledProtocols="SSLv3, TLSv1, TLSv1.1, TLSv1.2" attribute.
  2. Open server.xml, located in /etc/vco/configuration/, and replace the sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2" connector attribute with the sslEnabledProtocols="SSLv3, TLSv1, TLSv1.1, TLSv1.2" attribute.

SSLv3 is disabled by default in Java 7u75, 7u76 and 8u31. Refer to Java 7 and Java 8 release notes for information on how to re-enable SSLv3.
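
To confirm the state of a server.xml after following the steps above, the connectors can be audited offline. This is an added example, not VMware's code: the function name audit_server_xml, the verdict strings, and the sample connectors and ports are assumptions made for illustration, and a connector is treated as HTTPS when it carries SSLEnabled="true" or scheme="https".

```python
import xml.etree.ElementTree as ET

# Protocol-list attribute the article names for each version family.
LIST_ATTR = {"4.2.x": "sslProtocols", "5.1.x": "sslProtocols",
             "5.5.x": "sslEnabledProtocols"}

def audit_server_xml(xml_text, version):
    """Return [(port, verdict)] for every HTTPS connector in a server.xml."""
    expected = LIST_ATTR[version]
    results = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        is_tls = (conn.get("SSLEnabled", "").lower() == "true"
                  or conn.get("scheme") == "https")
        if not is_tls:
            continue  # plain HTTP/AJP connector, nothing to check
        present = [a for a in set(LIST_ATTR.values()) if conn.get(a) is not None]
        if not present:
            verdict = "NO_PROTOCOL_LIST"   # still only sslProtocol="TLS" or defaults
        elif expected not in present:
            verdict = "WRONG_ATTRIBUTE"    # list set under the other version's name
        else:
            protocols = [p.strip().lower() for p in conn.get(expected).split(",")]
            verdict = "SSLV3_ENABLED" if "sslv3" in protocols else "OK"
        results.append((conn.get("port"), verdict))
    return results

# Constructed sample, not a real Orchestrator server.xml.
SAMPLE_55 = """<Server>
  <Service name="Catalina">
    <Connector port="8280" protocol="HTTP/1.1"/>
    <Connector port="8281" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
    <Connector port="8283" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3, TLSv1, TLSv1.1, TLSv1.2"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, verdict in audit_server_xml(SAMPLE_55, "5.5.x"):
        print(port, verdict)
```

Run it against both /etc/vco/app-server/server.xml and /etc/vco/configuration/server.xml on an appliance, since the article edits each file separately.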