How to disable TLS 1.0 and 1.1 in vRealize Operations Manager 6.x (2138007)


Details

Note: The steps in this article apply to vRealize Operations Manager 6.2 and later releases.

Transport Layer Security (TLS) 1.0 is enabled by default in vRealize Operations Manager. TLS 1.0 is a superseded version of TLS and is enabled for vRealize Operations Manager compatibility with external products.
These external product issues are known to occur when TLS 1.0 is disabled.
  • vRealize Orchestrator cannot run REST workflows against vRealize Operations Manager. VMware recommends using vRealize Orchestrator 6.0.4 or later and using SNMP traps instead of the REST API for workflows.
  • vSphere cannot download the next generation client (NGC) plug-in from vRealize Operations Manager 6.5 or earlier versions. 
  • Previously registered Endpoint Operations agents might not communicate with vRealize Operations Manager 6.4 or earlier versions. This issue was fixed with vRealize Operations Manager 6.5.
  • vRealize Operations Manager reports might not display dashboards. This issue was fixed with vRealize Operations Manager 6.5.
  • vRealize Operations Manager cannot integrate with vRealize Log Insight 3.0. VMware recommends the use of a more current version of vRealize Log Insight. 

Solution

TLS 1.0 is not strictly required by vRealize Operations Manager internal communications and can be disabled by performing these steps on each node in the cluster.

Disable TLS 1.0 in 6.0 - 6.5

  1. Log in to a console session on the node.

    Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default, or C:\vmware\vcenter-operations on Windows.

  2. In a text editor, open this Apache HTTPD configuration file:

    $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf

  3. Add -TLSv1 to the SSLProtocol line.

    The modified line should look similar to:

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1

  4. Save and close vcops-apache.conf.

  5. Run this command to restart the Web server:

    $VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/bin/restartHttpd.py force

    On Windows:

    %VMWARE_PYTHON_BIN% %VCOPS_BASE%\..\vmware-vcopssuite\utilities\bin\restartHttpd.py force
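The following script is an added example and is not part of this article or of the product. It carries out steps 2 to 5 above on one Linux node in a way that is safe to rerun: it backs up vcops-apache.conf, appends -TLSv1 to each active SSLProtocol directive only when that token is not already present (a commented-out #SSLProtocol line is left alone), checks the result, and then restarts the web server with the restartHttpd.py command from step 5. The script name disable-tls10.sh, the default VCOPS_BASE path and the use of a temporary file rather than sed -i are assumptions. Run it on every node in the cluster.

```shell
#!/bin/sh
# Added example, not VMware code: disable TLS 1.0 in vcops-apache.conf on one node.
# Assumes the default VCOPS_BASE of a vApp/RHEL node and VMWARE_PYTHON_BIN set in the shell.
VCOPS_BASE="${VCOPS_BASE:-/usr/lib/vmware-vcops}"
APACHE_CONF="$VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf"
RESTART_HTTPD="$VCOPS_BASE/../vmware-vcopssuite/utilities/bin/restartHttpd.py"

# tls10_disabled <conf>: succeeds only if every active SSLProtocol directive
# carries -TLSv1 as a whole token (-TLSv1.1 or +TLSv1 do not count).
tls10_disabled() {
    ! grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" \
      | grep -Ev '(^|[[:space:]])-TLSv1([[:space:]]|$)' \
      | grep -q .
}

# disable_tls10 <conf>: back the file up, then append " -TLSv1" to each active
# SSLProtocol directive that does not already exclude TLSv1. Safe to rerun.
disable_tls10() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" \
      || { echo "no SSLProtocol directive in $conf" >&2; return 1; }
    cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak"
    tmp=$(mktemp)
    # The leading anchor skips commented-out directives (#SSLProtocol ...).
    # Writing back with cat keeps the original file's owner and permissions.
    sed -E '/^[[:space:]]*SSLProtocol[[:space:]]/{/(^|[[:space:]])-TLSv1([[:space:]]|$)/!s/[[:space:]]*$/ -TLSv1/;}' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
    tls10_disabled "$conf" || { echo "edit failed, restore from the .bak copy" >&2; return 1; }
}

# Only the live config is touched when invoked as: sh disable-tls10.sh apply
if [ "${1:-}" = "apply" ]; then
    [ -n "${VMWARE_PYTHON_BIN:-}" ] || { echo "VMWARE_PYTHON_BIN is not set" >&2; exit 1; }
    disable_tls10 "$APACHE_CONF" || exit 1
    grep -E '^[[:space:]]*SSLProtocol' "$APACHE_CONF"   # show the resulting directive
    "$VMWARE_PYTHON_BIN" "$RESTART_HTTPD" force          # step 5: restart the web server
fi
```

The whole-token match matters: a directive that already reads -TLSv1.1 must still get -TLSv1 added, and a second run must not append the token twice. Where the httpd build recognizes the token, the same edit with -TLSv1.1 also disables TLS 1.1; that is outside what this article's 6.x steps cover, so treat it as an assumption to verify with the openssl checks that follow.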

To verify that TLS 1.0 is disabled, check port 443 on all nodes.

  1. For each node, run the following command:

    • vApp: $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
    • RHEL: $VCOPS_BASE/../openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
    • Windows: %VCOPS_BASE%\..\openssl\bin\openssl s_client -connect node-FQDN-or-IP-address:443 -tls1

  2. Verify that the command fails with error messages similar to any one of these:

    • CONNECTED(00000005)
    • 2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:

      Alternatively:

      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1
          Cipher    : 0000
          Session-ID:


      Note: The Session-ID is empty and various NONE values appear.

To verify that TLS 1.2 is still enabled, perform these steps:

  1. Repeat the earlier openssl command, replacing -tls1 with -tls1_2.
  2. Verify that the connection succeeds with messages similar to this example:

    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
        Session-ID: 93A27AFCEBF1FC3845CB3AB3F34A7651F97D7551C42E0278577B73629E748FC2

    Note: The protocol includes TLSv1.2 and a valid Session-ID appears.
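Reading the two openssl outputs above by eye for every node is error-prone, so the following is an added example script (not from this article or the product) that runs the same s_client probes for each node named on the command line and classifies the result. A node passes only when the -tls1 connection is refused and the -tls1_2 connection negotiates a cipher and a session. The openssl path defaults to the vApp location from step 1 and can be overridden with the OPENSSL variable; that path, the script name check-tls.sh, and the classification rules (a handshake failure line, or a Cipher of 0000 or (NONE), means refused) are assumptions drawn from the sample output above.

```shell
#!/bin/sh
# Added example, not VMware code: probe every node for TLS 1.0 (must be refused)
# and TLS 1.2 (must succeed). Usage: sh check-tls.sh node1.example.com node2.example.com
VCOPS_BASE="${VCOPS_BASE:-/usr/lib/vmware-vcops}"
# vApp path from step 1; on RHEL point OPENSSL at $VCOPS_BASE/../openssl/bin/openssl
OPENSSL="${OPENSSL:-$VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl}"

# classify_s_client: reads `openssl s_client` output (stdout and stderr) on stdin.
# Prints a verdict; returns 0 when a protocol and cipher were negotiated, 1 when refused.
classify_s_client() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo "refused (handshake failure)"; return 1
    fi
    case "$cipher" in
        ''|0000|'(NONE)') echo "refused (no cipher negotiated)"; return 1 ;;
    esac
    echo "negotiated $proto $cipher"
}

# probe_tls <host> <port> <-tls1|-tls1_1|-tls1_2>: one s_client probe, classified.
probe_tls() {
    "$OPENSSL" s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_s_client
}

# check_node <host> [port]: pass only if TLS 1.0 is refused and TLS 1.2 is accepted.
check_node() {
    host="$1"; port="${2:-443}"
    if probe_tls "$host" "$port" -tls1 >/dev/null; then
        echo "$host:$port FAIL  TLS 1.0 still accepted"; return 1
    fi
    if ! probe_tls "$host" "$port" -tls1_2 >/dev/null; then
        echo "$host:$port FAIL  TLS 1.2 refused (is the web server up?)"; return 1
    fi
    echo "$host:$port OK    TLS 1.0 refused, TLS 1.2 accepted"
}

main() {
    rc=0
    for node in "$@"; do check_node "$node" || rc=1; done
    return $rc
}
main "$@"
```

The second probe is the important one: a node where both probes fail is not "secure", it is down or misconfigured, so the script reports that separately instead of counting the refused TLS 1.0 probe as a pass.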

Disable TLS 1.0 and 1.1 in 6.6

  1. Log in to vRealize Operations Manager Master node as root through SSH or Console.
  2. Back up the $VMWARE_JAVA_HOME/lib/security/java.security file:

    cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak

  3. Open $VMWARE_JAVA_HOME/lib/security/java.security in a text editor.
  4. On the jdk.tls.disabledAlgorithms property, add TLSv1 and TLSv1.1 after SSLv3.

    Example: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 768, \
        EC keySize < 224
  5. Save and close the file.
  6. Repeat steps 1-5 on all nodes in the cluster.
  7. Log in to vRealize Operations Manager admin UI.
  8. Click Take Offline to take the vRealize Operations Manager cluster offline.
  9. Once the cluster is offline, click Bring Online to bring the vRealize Operations Manager cluster online.
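The following is an added example, not part of this article or the product, that performs steps 2 to 5 of the 6.6 procedure on one node so that the same edit lands identically on every node in step 6. The jdk.tls.disabledAlgorithms property can span several lines joined by a trailing backslash, as in the example above, so the script first reads the effective value with the continuation lines joined, inserts TLSv1 and TLSv1.1 directly after SSLv3 only for the tokens that are not already there, and prints the resulting value. It assumes VMWARE_JAVA_HOME is set when run with the apply argument, that SSLv3 is the first entry of the property, and that the script is named disable-java-tls1x.sh. Taking the cluster offline and back online (steps 7 to 9) is still done in the admin UI.

```shell
#!/bin/sh
# Added example, not VMware code: steps 2-5 of the 6.6 procedure on one node.
# Run as: sh disable-java-tls1x.sh apply   (with VMWARE_JAVA_HOME set)

# java_disabled_algorithms <file>: print the effective value of the
# jdk.tls.disabledAlgorithms property with backslash-continued lines joined.
java_disabled_algorithms() {
    awk '
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            inprop = 1; sub(/^[^=]*=[ \t]*/, "")
        }
        inprop {
            line = $0
            cont = (line ~ /\\[ \t]*$/)                  # trailing backslash = continued
            sub(/\\[ \t]*$/, "", line)
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            val = (val == "") ? line : val " " line
            if (!cont) { print val; exit }
        }' "$1"
}

# disable_java_tls1x <file>: add TLSv1 and TLSv1.1 right after SSLv3 in
# jdk.tls.disabledAlgorithms, skipping tokens already present. Idempotent.
disable_java_tls1x() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cur=$(java_disabled_algorithms "$f")
    [ -n "$cur" ] || { echo "jdk.tls.disabledAlgorithms not set in $f" >&2; return 1; }
    cp -p "$f" "$f.bak"                                    # step 2 backup
    for proto in TLSv1.1 TLSv1; do                         # reverse order: each lands right after SSLv3
        norm=$(printf '%s' "$cur" | sed 's/ *, */,/g')     # tolerate "a,b" as well as "a, b"
        case ",$norm," in *",$proto,"*) continue ;; esac
        tmp=$(mktemp)
        # Edit only the property's first line; cat keeps the file's owner and mode.
        sed "/^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=/s/SSLv3,/SSLv3, $proto,/" "$f" > "$tmp" \
          && cat "$tmp" > "$f" && rm -f "$tmp"
        cur=$(java_disabled_algorithms "$f")
        case ",$(printf '%s' "$cur" | sed 's/ *, */,/g')," in
            *",$proto,"*) ;;
            *) echo "could not insert $proto: is SSLv3, the first entry?" >&2; return 1 ;;
        esac
    done
    echo "$cur"
}

if [ "${1:-}" = "apply" ]; then
    [ -n "${VMWARE_JAVA_HOME:-}" ] || { echo "VMWARE_JAVA_HOME is not set" >&2; exit 1; }
    disable_java_tls1x "$VMWARE_JAVA_HOME/lib/security/java.security" || exit 1
fi
```

Reading the property back with the continuation lines joined is what makes the check reliable: a grep on a single line would miss a TLSv1 entry that an earlier edit placed on the continued line, and would then add it a second time.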
