
How to disable TLS 1.0 in vRealize Operations Manager (2138007)


Note: The steps in this article apply to vRealize Operations Manager 6.2 and later releases.

Transport Layer Security (TLS) 1.0 is enabled by default in vRealize Operations Manager. TLS 1.0 is a superseded version of TLS and is enabled for vRealize Operations Manager compatibility with external products.
These external product issues are known to occur when TLS 1.0 is disabled.
  • vRealize Orchestrator cannot run REST workflows against vRealize Operations Manager.
  • vSphere cannot download the next generation client (NGC) plug-in from vRealize Operations Manager.
  • Previously registered Endpoint Operations agents might not communicate with vRealize Operations Manager.
  • vRealize Operations Manager reports might not display dashboards. This issue was fixed with vRealize Operations Manager 6.5.
  • vRealize Operations Manager cannot integrate with vRealize Log Insight 3.0.


TLS 1.0 is not strictly required by vRealize Operations Manager internal communications and can be disabled by performing these steps on each node in the cluster.

  1. Log in to a console session on the node.

    Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default, or C:\vmware\vcenter-operations on Windows.

  2. In a text editor, open this Apache HTTPD configuration file:


  3. Add -TLSv1 to the SSLProtocol line.

    The modified line should look similar to:

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1

  4. Save and close vcops-apache.conf.

  5. Run this command to restart the Web server:

    $VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/bin/ force

    On Windows:

    %VMWARE_PYTHON_BIN% %VCOPS_BASE%\..\vmware-vcopssuite\utilities\bin\ force

To verify that TLS 1.0 is disabled, check port 443 on all nodes.

  1. For each node, run the following command:

    • vApp: $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
    • RHEL: $VCOPS_BASE/../openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
    • Windows: %VCOPS_BASE%\..\openssl\bin\openssl s_client -connect node-FQDN-or-IP-address:443 -tls1

  2. Verify that the command fails with error messages similar to any one of these:

    • CONNECTED(00000005)
    • 2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:


      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
          Protocol  : TLSv1
          Cipher    : 0000

      Note: The Session-ID is empty and various NONE values appear.

To verify that the later version of TLS is enabled, perform these steps:

  1. Repeat the earlier openssl command, replacing -tls1 with -tls1_2.
  2. Verify that the connection succeeds with messages similar to this example:

    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
        Session-ID: 93A27AFCEBF1FC3845CB3AB3F34A7651F97D7551C42E0278577B73629E748FC2

    Note: The protocol includes TLSv1.2 and a valid Session-ID appears.
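
The two verification procedures above can be run against every node in one pass. The script below is an added example, not part of the VMware article or product; the OPENSSL variable, the function names, and the sample output at the end are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not VMware code): automates the two s_client checks per node.
# Assumption: OPENSSL may be pointed at the bundled binary named in the article.
OPENSSL=${OPENSSL:-openssl}

# Read s_client output on stdin; print rejected | negotiated | unknown.
classify_s_client() {
    awk '
        # Newer OpenSSL clients that cannot offer the protocol themselves
        # fail locally; that says nothing about the server.
        /no protocols available|no ciphers available/ { client_err = 1 }
        /Cipher is \(NONE\)/ { r = "rejected"; next }
        /Cipher is /          { r = "negotiated" }
        END { if (client_err || r == "") r = "unknown"; print r }
    '
}

# probe HOST FLAG: run one handshake attempt against port 443 and classify it.
probe() {
    "$OPENSSL" s_client -connect "$1:443" "$2" </dev/null 2>&1 | classify_s_client
}

# check_node HOST: pass only if -tls1 is rejected and -tls1_2 negotiates.
check_node() {
    old=$(probe "$1" -tls1)
    new=$(probe "$1" -tls1_2)
    echo "$1 tls1=$old tls1_2=$new"
    [ "$old" = rejected ] && [ "$new" = negotiated ]
}

# Usage: sh check_tls.sh node1 node2 ...   (exit status 1 if any node fails)
if [ "$#" -gt 0 ]; then
    rc=0
    for node in "$@"; do
        check_node "$node" || rc=1
    done
    exit "$rc"
fi

# No nodes given: classify a constructed sample modelled on the failure output.
printf '%s\n' 'CONNECTED(00000005)' 'New, (NONE), Cipher is (NONE)' | classify_s_client
```

A result of unknown means the probe itself did not reach a handshake verdict (connection refused, or a local openssl build that cannot offer TLS 1.0), so it should not be read as proof that the node rejects TLS 1.0.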
