How to enable TLS 1.0 and 1.1 in vRealize Operations Manager 7.5

Article ID: 312256


Products

VMware Aria Suite

Issue/Introduction

Note: The steps in this article apply to vRealize Operations Manager 7.5.

Transport Layer Security (TLS) versions 1.0 and 1.1 are disabled by default in vRealize Operations Manager 7.5.
As a result, some end-to-end communication might break if the endpoint does not support TLS v1.2.
For example, TLS v1.0 and TLS v1.1 are required to monitor vCenter version 5.5.
To restore the end-to-end communication, upgrade the endpoints to more recent versions that support TLS v1.2.

If upgrading is not possible, or not desired, apply the workaround below to enable TLS v1.0 and TLS v1.1.

Environment

VMware vRealize Operations Manager 7.5.x

Resolution

Complete both sections below to fully enable TLSv1.0 and TLSv1.1 in vRealize Operations Manager 7.5.
Before starting, ensure the vRealize Operations Manager cluster is offline:

  1. Log in to vRealize Operations Manager admin UI as the local admin user.

    Example: https://IP_or_FQDN/admin

    Note: Replace IP_or_FQDN with the actual IP or FQDN of vRealize Operations Manager UI.
     
  2. Click Take Offline under Cluster Status.

    Note: Wait for Cluster Status to show as Offline.

 

Section 1: Enable TLSv1.0 and TLSv1.1 in vRealize Operations Manager 7.5 for Web Access

  1. Log into the Primary node as root via SSH or console.

    Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default.

  2. Back up the Apache HTTPD configuration file:

    cp $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf.bak

  3. Open $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf in a text editor.
  4. Remove -TLSv1 -TLSv1.1 from the SSLProtocol line. The modified line should look similar to:

    SSLProtocol All -SSLv2 -SSLv3

  5. Save and close vcops-apache.conf.
  6. Repeat steps 1-5 on all other nodes in the cluster.


Section 2: Enable TLSv1.0 and TLSv1.1 in vRealize Operations Manager 7.5 for Java Components

  1. Log into the Primary node as root via SSH or console.
  2. Back up the $VMWARE_JAVA_HOME/lib/security/java.security file:

    cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak

  3. Open $VMWARE_JAVA_HOME/lib/security/java.security in a text editor.
  4. On the jdk.tls.disabledAlgorithms property, remove TLSv1 and TLSv1.1 after SSLv3. The modified property should look similar to:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048, \
                      EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC

  5. Save and close the file.
  6. Repeat steps 1-5 on all nodes in the cluster.
  7. Log in to vRealize Operations Manager Admin UI.
  8. Click Take Offline to take the vRealize Operations Manager cluster offline.
  9. In vSphere, perform a Guest restart on all vRealize Operations Manager nodes.
  10. Log in to vRealize Operations Manager Admin UI.
  11. Click Bring Online to bring the vRealize Operations Manager cluster online.
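
As an added example (not VMware's own tooling and not part of this article), the following POSIX shell script applies the Section 1 and Section 2 edits to a given file, keeps the .bak copy the steps ask for, and reports whether legacy TLS is still excluded, so the state can be checked before and after the change and again when the workaround is later reverted. The function names, the demo's constructed config contents and the temporary working directory are assumptions; on a node the real files are the ones named in the steps above.

```shell
#!/bin/sh
# Added example, not VMware's tooling: apply the two edits from Sections 1
# and 2 to a given file, keeping a .bak copy, and report whether legacy
# TLS is enabled so the change can be audited and later reverted.
# File paths are arguments; the demo below uses constructed copies.
set -eu

# Section 1: drop "-TLSv1" and "-TLSv1.1" from the SSLProtocol line only.
enable_legacy_tls_apache() {
    cp "$1" "$1.bak"
    sed -E \
        -e '/^[[:space:]]*SSLProtocol[[:space:]]/ s/ -TLSv1\.1([[:space:]]|$)/\1/' \
        -e '/^[[:space:]]*SSLProtocol[[:space:]]/ s/ -TLSv1([[:space:]]|$)/\1/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Section 2: drop the "TLSv1," and "TLSv1.1," tokens from
# jdk.tls.disabledAlgorithms, including its backslash-continued lines.
enable_legacy_tls_java() {
    cp "$1" "$1.bak"
    awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1 }
        inprop { sub(/TLSv1\.1[ \t]*,[ \t]*/, ""); sub(/TLSv1[ \t]*,[ \t]*/, "") }
        inprop && $0 !~ /\\$/ { inprop = 0 }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print legacy-disabled if SSLProtocol still excludes TLSv1 or TLSv1.1.
apache_legacy_state() {
    if grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-TLSv1(\.1)?([[:space:]]|$)' "$1"; then
        echo legacy-disabled
    else
        echo legacy-enabled
    fi
}

# Print legacy-disabled if the joined jdk.tls.disabledAlgorithms value
# still lists TLSv1 or TLSv1.1 (TLSv1.2/1.3 entries are not matched).
java_legacy_state() {
    value=$(awk '
        /^jdk\.tls\.disabledAlgorithms=/ { p = 1 }
        p { line = $0; sub(/\\$/, "", line); printf "%s", line }
        p && $0 !~ /\\$/ { p = 0 }
        END { print "" }
    ' "$1")
    if printf '%s\n' "$value" | grep -Eq 'TLSv1(\.1)?[[:space:]]*(,|$)'; then
        echo legacy-disabled
    else
        echo legacy-enabled
    fi
}

# Demo on constructed copies (sample contents made up for this example);
# on a node the real files are
# $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf and
# $VMWARE_JAVA_HOME/lib/security/java.security.
demo() {
    WORK=$(mktemp -d)
    printf '%s\n' 'SSLEngine on' \
        'SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' \
        'SSLHonorCipherOrder on' > "$WORK/vcops-apache.conf"
    printf '%s\n' \
        'jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, \' \
        '    EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC' \
        'jdk.certpath.disabledAlgorithms=MD2, MD5' > "$WORK/java.security"
    echo "before: apache=$(apache_legacy_state "$WORK/vcops-apache.conf") java=$(java_legacy_state "$WORK/java.security")"
    enable_legacy_tls_apache "$WORK/vcops-apache.conf"
    enable_legacy_tls_java "$WORK/java.security"
    echo "after:  apache=$(apache_legacy_state "$WORK/vcops-apache.conf") java=$(java_legacy_state "$WORK/java.security")"
    grep '^SSLProtocol' "$WORK/vcops-apache.conf"
    cat "$WORK/java.security"
}

demo
```

The two state functions are the useful part for operations: run them on every node after the change and again after the endpoints are upgraded, so the .bak copies can be restored and the cluster confirmed back to its default (legacy-disabled) posture.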
 

Verify Changes

To verify that TLSv1.0 and TLSv1.1 are enabled, check port 443 on all nodes.
  1. For each node, run the following commands for TLSv1.0 (-tls1) and TLSv1.1 (-tls1_1):
  • $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
  • $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1_1
  2. Verify that each command completes successfully; the output is similar to:
CONNECTED(00000003)
depth=1 CN = vc-ops-cluster-ca_<UUID_1>, O = "VMware, Inc.", OU = MBU
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 551AD7697E9B5BE5225FC39108F385D3B68F3D314EE1D9EFE8242B4C41AB458F


Note: The Session-ID is not empty.
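
As an added example (not VMware's tooling and not part of this article), the following POSIX shell script runs the two s_client checks above against every node and judges each handshake by the article's own criteria: the Protocol line names the requested version and the Session-ID is not empty. The OPENSSL path follows the article's $VCOPS_BASE default; the NODES list, the function names and the failed-handshake sample are assumptions, and the successful sample is the output quoted in the article.

```shell
#!/bin/sh
# Added example, not VMware's tooling: run the article's s_client checks
# against every node and judge each handshake the way the article does.
# OPENSSL follows the article's default path; NODES holds placeholder names.
set -u
OPENSSL="${VCOPS_BASE:-/usr/lib/vmware-vcops}/../vmware-vcopssuite/openssl/bin/openssl"
NODES="${NODES:-node1.example.invalid node2.example.invalid}"

# handshake_ok OUTPUT VERSION: returns 0 when OUTPUT shows a completed
# session for VERSION ("Protocol : VERSION" plus a non-empty Session-ID).
handshake_ok() {
    ver_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*$ver_re[[:space:]]*$" || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Session-ID:[[:space:]]*[0-9A-Fa-f]+[[:space:]]*$' || return 1
}

# check_node NODE: prints one line per protocol, e.g. "node1 TLSv1 ok".
check_node() {
    node=$1
    for pair in "-tls1 TLSv1" "-tls1_1 TLSv1.1"; do
        flag=${pair%% *}; ver=${pair#* }
        out=$("$OPENSSL" s_client -connect "$node:443" "$flag" </dev/null 2>&1 || true)
        if handshake_ok "$out" "$ver"; then echo "$node $ver ok"; else echo "$node $ver FAILED"; fi
    done
}

# Successful sample: the output quoted in the article (indentation restored).
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = vc-ops-cluster-ca_<UUID_1>, O = "VMware, Inc.", OU = MBU
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 551AD7697E9B5BE5225FC39108F385D3B68F3D314EE1D9EFE8242B4C41AB458F'

# Constructed failure sample: a refused handshake leaves Session-ID empty.
SAMPLE_FAIL='CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: '

handshake_ok "$SAMPLE_OK" TLSv1 && echo "sample: TLSv1 ok"
handshake_ok "$SAMPLE_FAIL" TLSv1 || echo "sample: TLSv1 FAILED (empty Session-ID)"

# Live checks only when the appliance's openssl binary is present.
if [ -x "$OPENSSL" ]; then
    for n in $NODES; do check_node "$n"; done
fi
```

Keep the output of the run with the change record: the same loop, with the expected result flipped to FAILED, is the evidence that TLSv1.0 and TLSv1.1 are closed again once the endpoints have been upgraded and the .bak files restored.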


Once all steps have been completed successfully, you may log back into the admin UI and bring the cluster online.