How to disable TLS 1.0 and 1.1 in vRealize Operations Manager 6.x (2138007)
Transport Layer Security (TLS) 1.0 is enabled by default in vRealize Operations Manager. TLS 1.0 is a superseded version of TLS and is enabled for vRealize Operations Manager compatibility with external products.
These external product issues are known to occur when TLS 1.0 is disabled.
- vRealize Orchestrator cannot run REST workflows against vRealize Operations Manager. VMware recommends using vRealize Orchestrator 6.0.4 or later and using SNMP traps instead of the REST API for workflows.
- vSphere cannot download the next generation client (NGC) plug-in from vRealize Operations Manager 6.5 or earlier versions.
- Previously registered Endpoint Operations agents might not communicate with vRealize Operations Manager 6.4 or earlier versions. This issue was fixed with vRealize Operations Manager 6.5.
- vRealize Operations Manager reports might not display dashboards. This issue was fixed with vRealize Operations Manager 6.5.
- vRealize Operations Manager cannot integrate with vRealize Log Insight 3.0. VMware recommends the use of a more current version of vRealize Log Insight.
Disable TLS 1.0 in 6.0 - 6.5
- Log in to a console session on the node.
Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default, or C:\vmware\vcenter-operations on Windows.
- In a text editor, open this Apache HTTPD configuration file:
- Add -TLSv1 to the SSLProtocol line.
The modified line should look similar to:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
- Save and close vcops-apache.conf.
- Run this command to restart the Web server:
Linux: $VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/bin/restartHttpd.py force
Windows: %VMWARE_PYTHON_BIN% %VCOPS_BASE%\..\vmware-vcopssuite\utilities\bin\restartHttpd.py force
- For each node, run the following command:
- vApp: $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- RHEL: $VCOPS_BASE/../openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- Windows: %VCOPS_BASE%\..\openssl\bin\openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- Verify that the command fails with error output similar to this example:
2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Protocol : TLSv1
Cipher : 0000
Note: The Session-ID is empty and various NONE values appear.
To verify that the later version of TLS is enabled, perform these steps:
- Repeat the earlier openssl command, replacing -tls1 with -tls1_2.
- Verify that the connection succeeds with messages similar to this example:
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
No ALPN negotiated
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Note: The protocol includes TLSv1.2 and a valid Session-ID appears.
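The two openssl checks above are easy to get wrong across a multi-node cluster, so here is an added example script (not part of the VMware article) that runs them for every node you name and classifies the s_client output the same way the article does: a refused protocol shows "handshake failure", "Cipher is (NONE)" or "Cipher : 0000", while an accepted one shows a real cipher and a Protocol line. It assumes the vApp openssl path from the article (override with OPENSSL for RHEL or Windows builds), port 443, and that the output layout matches the samples above. REFUSED_FLAGS defaults to -tls1; after the 6.6 procedure you would set it to "-tls1 -tls1_1" so that TLS 1.1 is checked as well.

```shell
#!/bin/sh
# Added example, not VMware's code. Verifies per node that the protocols in
# REFUSED_FLAGS are rejected and that TLSv1.2 is still accepted.
# Assumptions: vApp openssl path (override with OPENSSL), port 443, and the
# s_client output layout shown in the article.
# Usage: REFUSED_FLAGS="-tls1 -tls1_1" ./check_tls.sh node1.example node2.example

OPENSSL="${OPENSSL:-$VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl}"
REFUSED_FLAGS="${REFUSED_FLAGS:--tls1}"

# Read s_client output on stdin; succeed only if a real cipher was negotiated.
# A refused protocol leaves "Cipher is (NONE)" / "Cipher : 0000" in the output.
handshake_succeeded() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'handshake failure' && return 1
    printf '%s\n' "$out" | grep -q 'Cipher is (NONE)' && return 1
    printf '%s\n' "$out" | grep -Eq '^ *Cipher *: *0000' && return 1
    printf '%s\n' "$out" | grep -Eq '^ *Protocol *: *TLSv1'
}

# Attempt one handshake with the given s_client version flag (-tls1, -tls1_2).
probe() {  # probe <host> <flag>
    "$OPENSSL" s_client -connect "$1:443" "$2" </dev/null 2>&1 | handshake_succeeded
}

# Check every node given as an argument; print a verdict per node.
# Returns 0 only if all nodes refuse every flag in REFUSED_FLAGS and accept TLSv1.2.
check_nodes() {
    rc=0
    for node in "$@"; do
        for flag in $REFUSED_FLAGS; do
            if probe "$node" "$flag"; then
                echo "FAIL $node: $flag still accepted"; rc=1
            else
                echo "ok   $node: $flag refused"
            fi
        done
        if probe "$node" -tls1_2; then
            echo "ok   $node: TLSv1.2 accepted"
        else
            echo "FAIL $node: TLSv1.2 handshake failed (check that the Web server is up)"; rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_nodes "$@"
fi
```

The TLSv1.2 probe matters as much as the TLSv1 one: a typo in the SSLProtocol line can leave Apache refusing every version, and a script that only tests for "TLSv1 fails" would report that as success.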
Disable TLS 1.0 and 1.1 in 6.6
- Log in to the vRealize Operations Manager Master node as root through SSH or the console.
- Back up the $VMWARE_JAVA_HOME/lib/security/java.security file:
cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak
- Open $VMWARE_JAVA_HOME/lib/security/java.security in a text editor.
- On the jdk.tls.disabledAlgorithms property, add TLSv1 and TLSv1.1 after SSLv3.
Example: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, \
EC keySize < 224
- Save and close the file.
- Repeat steps 1-5 on all nodes in the cluster.
- Log in to vRealize Operations Manager admin UI.
- Click Take Offline to take the vRealize Operations Manager cluster offline.
- Once the cluster is offline, click Bring Online to bring the vRealize Operations Manager cluster online.
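Steps 2 to 5 above have to be repeated identically on every node, and the property is usually split across backslash-continued lines, so a substring grep for "TLSv1" can be fooled by an entry such as TLSv1.1. The following script is an added example (not from the VMware article) that joins the continuation lines the way the Java properties loader does, checks for TLSv1 and TLSv1.1 as whole entries, and applies the change with a .bak copy only when it is missing. It assumes the property is on one line or uses trailing-backslash continuations as in the article's example, and that SSLv3 is the first entry on the property line (the sed insertion is anchored on it).

```shell
#!/bin/sh
# Added example, not VMware's code. Checks and idempotently applies the
# jdk.tls.disabledAlgorithms change from the 6.6 procedure to one java.security
# file. Assumes the property is on one line or split with trailing backslashes
# as in the article, and that SSLv3 appears on the property's first line.
# Usage: ./tls_java_security.sh $VMWARE_JAVA_HOME/lib/security/java.security

# Print the effective value of jdk.tls.disabledAlgorithms, joining
# backslash-continued lines before matching the property name.
disabled_algorithms() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            if (line ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/) {
                sub(/^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=[ \t]*/, "", line)
                print line
            }
        }' "$1"
}

# Succeed only if TLSv1 and TLSv1.1 both appear as whole, trimmed entries
# (a plain substring match would accept "TLSv1.1" as covering "TLSv1").
tls10_and_11_disabled() {
    entries=$(disabled_algorithms "$1" | tr ',' '\n' \
              | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s\n' "$entries" | grep -qxF 'TLSv1' &&
        printf '%s\n' "$entries" | grep -qxF 'TLSv1.1'
}

# Insert "TLSv1, TLSv1.1" directly after SSLv3 on the property line, keeping a
# .bak copy as the article's step 2 does. Does nothing if already applied.
disable_tls10_and_11() {
    f="$1"
    tls10_and_11_disabled "$f" && return 0
    cp "$f" "$f.bak" || return 1
    sed '/^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=/ s/SSLv3/SSLv3, TLSv1, TLSv1.1/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f" || return 1
    tls10_and_11_disabled "$f"
}

if [ $# -eq 1 ]; then
    if disable_tls10_and_11 "$1"; then
        echo "ok: TLSv1 and TLSv1.1 are listed in jdk.tls.disabledAlgorithms in $1"
    else
        echo "FAIL: could not update $1 (is SSLv3 on the property line?)" >&2
        exit 1
    fi
fi
```

Run it once per node before taking the cluster offline; because the check is idempotent, rerunning it on a node that was already edited by hand reports ok without touching the file, which makes it safe to use as the "repeat on all nodes" step.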