
Unable to apply storage policies to virtual machines residing on a VMware vSAN cluster with SSLv3 disabled (2128391)


Symptoms

  • Disabling SSLv3 in vpxd.cfg causes the application of vSAN storage policies to fail.
  • Cannot apply a storage profile to a vSAN object.
  • In the %ALLUSERSPROFILE%\Application Data\VMware\Infrastructure\Profile-Driven Storage\Logs\sps.log file, you see entries similar to:

    2015-04-29T06:13:12.152-06:00 [05584 info 'commonvpxLro' opID=DECA7CE8-00000420-6f-5a-18] [VpxLRO] -- BEGIN task-internal-1965 -- -- VsanUpdateVasaProviderLRO --
    2015-04-29T06:13:12.154-06:00 [05220 warning 'ProxySvc'] SSL Handshake failed for stream <io_obj p:0x000000000a8e78f8, h:3780, <TCP '[::1]:443'>, <TCP '[::1]:64651'>>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number)
    2015-04-29T06:13:12.154-06:00 [03112 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:000000000d81a210, TCP:localhost:443>; cnx: (null), error: class Vmacore::Ssl::SSLException(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)
    2015-04-29T06:13:12.154-06:00 [05584 error 'vpxdvpxdMoStoragePod' opID=DECA7CE8-00000420-6f-5a-18] [StoragePodMo::GetStorageManager] Received exception from SMS: SSL Exception: error:140000DB:SSL routines:SSL routines:short read, unable to find StorageManager

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
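
A log-triage example for the symptom above, added here and not VMware code: it pairs a `wrong version number` handshake failure with the `unable to find StorageManager` error that follows it, which separates this issue from unrelated SSL errors. The function names and the 5-second correlation window are assumptions; the sample input is the KB excerpt, one entry per line.

```python
import re
from datetime import datetime, timedelta

# Sample input: the four entries from the KB excerpt, one per line.
SAMPLE_LOG = """\
2015-04-29T06:13:12.152-06:00 [05584 info 'commonvpxLro' opID=DECA7CE8-00000420-6f-5a-18] [VpxLRO] -- BEGIN task-internal-1965 -- -- VsanUpdateVasaProviderLRO --
2015-04-29T06:13:12.154-06:00 [05220 warning 'ProxySvc'] SSL Handshake failed for stream <io_obj p:0x000000000a8e78f8, h:3780, <TCP '[::1]:443'>, <TCP '[::1]:64651'>>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number)
2015-04-29T06:13:12.154-06:00 [03112 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:000000000d81a210, TCP:localhost:443>; cnx: (null), error: class Vmacore::Ssl::SSLException(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)
2015-04-29T06:13:12.154-06:00 [05584 error 'vpxdvpxdMoStoragePod' opID=DECA7CE8-00000420-6f-5a-18] [StoragePodMo::GetStorageManager] Received exception from SMS: SSL Exception: error:140000DB:SSL routines:SSL routines:short read, unable to find StorageManager
"""

# timestamp [thread level 'component' opID=...] message
ENTRY = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}[+-]\d\d:\d\d) "
                   r"\[(?P<tid>\d+) (?P<level>\w+) '(?P<comp>[^']+)'(?: opID=(?P<opid>[^\]]+))?\] (?P<msg>.*)$")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
SSL_ERR = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:[^:]*:(?P<reason>[^),]+)")

def parse(log_text):
    """Yield one dict per well-formed entry; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.fromisoformat(entry["ts"])
        err = SSL_ERR.search(entry["msg"])
        entry["ssl_code"] = err.group("code") if err else None
        entry["ssl_reason"] = err.group("reason").strip() if err else None
        yield entry

def find_version_mismatch(log_text, window=timedelta(seconds=5)):
    """Pair each protocol-version handshake failure with the SMS failure that follows it."""
    entries = list(parse(log_text))
    findings = []
    for i, entry in enumerate(entries):
        if entry["ssl_reason"] != "wrong version number":
            continue
        for later in entries[i + 1:]:
            if later["ts"] - entry["ts"] > window:
                break  # entries are in time order, so nothing later can match
            if "unable to find StorageManager" in later["msg"]:
                findings.append({"handshake_at": entry["ts"], "ssl_code": entry["ssl_code"],
                                 "component": later["comp"], "opid": later["opid"]})
                break
    return findings

if __name__ == "__main__":
    for finding in find_version_mismatch(SAMPLE_LOG):
        print(finding)
```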

Cause

This issue occurs when SSLv3 settings are disabled in the vpxd.cfg file.
 
Currently, using TLS with storage profiles is not supported. To be able to apply storage profiles, use SSLv3.

Resolution

This is expected behavior. SSLv3 must be enabled for VMware vSAN to function correctly.

To see if SSLv3 is enabled on vCenter Server or vCenter Server Appliance:
  • On a vCenter Virtual Appliance (VCVA), run this command:

    openssl s_client -connect [HOST]:443 -ssl3
  • On a Windows vCenter Server, run this command:

    openssl.exe s_client -connect [HOST]:443 -ssl3

If SSLv3 is enabled, you see the certificate information.

Note: This setting is enabled by default.

To enable SSLv3 for the vCenter Server or vCenter Server Appliance:
  1. Take a backup of the vpxd.cfg file. By default, this file is located at:

    • vCenter Server Appliance: /etc/vmware-vpx/vpxd.cfg
    • Windows vCenter Server: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg

  2. Open the vpxd.cfg file using a text editor.
  3. Remove the <sslVersion>tlsv1</sslVersion> entry under the <vpxd> tag.
  4. Restart the vCenter Server service.

    If you are using vCenter Server Appliance, restart the server in the VCVA by running this command:

    service vmware-vpxd restart && service vmware-vpxd tomcat-start && service vmware-sps start

  5. Restart the host in Windows:
