Configuring SSLv3 protocol on vSphere 5.x (2139396)

Details

This KB provides steps to configure SSLv3 protocol on vSphere 5.0, 5.1, and 5.5.

vSphere 5.0: SSLv3 protocol is enabled by default and is configurable. See the section vSphere 5.0 Ports and Services for configuration steps.

For known issues and recommendations related to SSLv3 protocol disablement in vSphere 5.0 Update 3g, see the following:

vSphere 5.1: SSLv3 protocol is enabled by default and is configurable. See the section vSphere 5.1 Ports and Services for configuration steps.

For known issues and recommendations related to SSLv3 protocol disablement in vSphere 5.1 Update 3d, see the following:

vSphere 5.5: SSLv3 protocol is disabled by default and is configurable in vSphere 5.5 Update 3b and later. See the section vSphere 5.5 Ports and Services for configuration steps.

For known issues and recommendations related to SSLv3 protocol disablement in vSphere 5.5 Update 3b, see the following:

 

Solution

vSphere 5.0 Ports and Services

  Service                                                  Port
  Hostd                                                    443
  Authd                                                    902
  SFCBD                                                    5989
  Virtual Appliance Management Interface (VAMI)            5480
  Authentication proxy service (CAM)                       51915
  Syslog Collector (vmsyslogcollector)                     1514
  VMware vSphere Web Client Service (vspherewebclientsvc)  9443
  VirtualCenter Server service (vpxd)                      443
  vCenter Inventory Service database (invsvc)              10109
  VMware VirtualCenter Management Webservices              8443
  SPS                                                      21100 (VCSA), 31100 (Windows)
  Auto Deploy service port                                 6501
  Auto Deploy management port                              6502
  vSphere Update Manager                                   8084/9087
  vCenter Server Appliance                                 5489

The configuration steps for each service follow, one section per service.

Hostd service - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Hostd service for the ESXi 5.0 patch released on 06/14/2016, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. To enable SSLv3, run the following command:

    esxcli system settings advanced set -o /UserVars/ESXiHostdDisabledProtocols -s ""

  3. Restart the rhttpproxy services by running the following command:

    /etc/init.d/hostd restart

  4. Run the following command to get the list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiHostdDisabledProtocols

    The output resembles the following; an empty String Value means SSLv3 is no longer listed as disabled:
    Path: /UserVars/ESXiHostdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *

Disabling SSLv3 Protocol

To disable SSLv3 protocol, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to disable SSLv3:

    esxcli system settings advanced set -o /UserVars/ESXiHostdDisabledProtocols -s "SSLv3"

  3. Restart the rhttpproxy services by running the following command:

    /etc/init.d/hostd restart

  4. Run the following command to get the list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiHostdDisabledProtocols

    The output resembles the following; sslv3 now appears in String Value:
    Path: /UserVars/ESXiHostdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *

In the event of unexpected behavior, restore the previously backed-up proxy configuration file to revert the system to the clean state it was in before.

HostProfile

Configuration of the Hostd can also be captured through a host profile by following these steps:

  1. Log in to vCenter Server with the vSphere Web Client.
  2. Right-click the target host and click Extract Host Profile to create a new host profile.
  3. After the host profile is created, navigate to Home > Host Profiles > your_host_profile to edit it.
  4. In the Edit Host Profiles tab, the entry for hostd is under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > ESXiHostdDisabledProtocols.
  5. Applying the hostd setting from a host profile works the same as for other settings: if the hostd configuration is included in the host profile, the difference between the host profile and the target host is displayed, and the host's value is replaced when the profile is applied to that host.

Authd - Port 902

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Authd service for the ESXi 5.0 patch released on 06/14/2016, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. To enable SSLv3, run the following command:

    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols50 -s ""

  3. Run the following command to get the list of disabled protocols for authd:

    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols50

    The output resembles the following; an empty String Value means SSLv3 is no longer listed as disabled:
    Path: /UserVars/VMAuthdDisabledProtocols50
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *

Disabling SSLv3 Protocol

To disable SSLv3 protocol, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. To disable SSLv3, run the following command:

    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols50 -s "sslv3"

  3. Run the following command to get the list of disabled protocols for authd:

    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols50

    The output resembles the following; sslv3 now appears in String Value:
    Path: /UserVars/VMAuthdDisabledProtocols50
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *

In the event of unexpected behavior, restore the previously backed-up proxy configuration file to revert the system to the clean state it was in before.

HostProfile

Configuration of the Authd can also be captured through a host profile by following these steps:

  1. Log in to vCenter Server with the vSphere Web Client.
  2. Right-click the target host and click Extract Host Profile to create a new host profile.
  3. After the host profile is created, navigate to Home > Host Profiles > your_host_profile to edit it.
  4. In the Edit Host Profiles tab, the entry for authd is under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > VMAuthdDisabledProtocols50.
  5. Applying the authd setting from a host profile works the same as for other settings: if the authd configuration is included in the host profile, the difference between the host profile and the target host is displayed, and the host's value is replaced when the profile is applied to that host.

SFCBD - Port 5989

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the SFCBD service for the ESXi 5.0 patch released on 06/14/2016, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command and edit the file so that it contains this entry:

    vi /etc/sfcb/sfcb.cfg

    enableSSLv3: true

  3. Save the file.

  4. Restart the service for the configuration to take effect using the following command:

    /etc/init.d/sfcbd-watchdog restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the SFCBD service for the ESXi 5.0 patch released on 06/14/2016, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to open the file for editing:

    vi /etc/sfcb/sfcb.cfg

  3. Add a new entry similar to the following to disable SSLv3. If the entry already exists, set its value to false:

    enableSSLv3: false

  4. Save the file.

HostProfile

Configuration for CIM can also be captured by host profile:

  1. Log in to vCenter Server with the vSphere Client (C#).
  2. Right-click the target host and click Extract Host Profile to create a new host profile.
  3. Choose Home > Host Profiles > your host profile to edit it.
  4. On the Edit Host Profiles tab, select General System Settings > Management Agent Configuration > SFCB Configuration > Settings > enable sslv3.
  5. Apply the host profile to stateful or stateless systems.
  6. Restart the service for the configuration to take effect using the following command:

    /etc/init.d/sfcbd-watchdog restart



Virtual Appliance Management Interface (VAMI) service - Port 5480

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the VAMI service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Go to the /opt/vmware/etc/lighttpd/lighttpd.conf file.

  2. Create a backup copy of the file.

  3. Search for this line:
    ssl.use-sslv3="disable"

  4. Modify the line to:
    ssl.use-sslv3="enable"

  5. Save the file.

  6. Restart the VAMI service with the following command:

    service vami-lighttp restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the VAMI service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Go to the /opt/vmware/etc/lighttpd/lighttpd.conf file.

  2. Create a backup copy of the file.

  3. Search for this line:
    ssl.use-sslv3="enable"

  4. If there is no ssl.use-sslv3="enable" line, add the following line to the config file:
    ssl.engine = "enable"

  5. Modify the line to:
    ssl.use-sslv3="disable"

  6. Save the file.

  7. Restart the VAMI service with the following command:
    service vami-lighttp restart

Authentication proxy (CAM) service - Port 51915

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the CAM service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Repeat step 4 under the SSL3.0 key to create two subkeys, named Server and Client.

  6. Right-click the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 0 as the data value.
    • Click OK.

  7. Right-click the Server key, and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 1 as the data value.
    • Click OK.

  8. Restart the server.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the CAM service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Create two subkeys under the SSL3.0 key and name them Server and Client.

  6. Right-click the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 1 as the data value.
    • Click OK.

  7. Right-click the Server key, and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 0 as the data value.
    • Click OK.

  8. Restart the server.

Syslog Collector service - Port 1514

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Syslog Collector service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Access the configuration file from the following location:
    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to remove the <disableSSLv3></disableSSLv3> node, leaving the <ssl> block as shown here:
    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    </ssl>

  4. For VCSA, remove options=NO_SSLv3 from the configuration file.

  5. Save the file.

  6. Restart the service.
    Windows: Restart the vmsyslogcollector service.
    VCSA: service syslog-collector restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Syslog Collector service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Access the configuration file from the following location:
    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to add the <disableSSLv3></disableSSLv3> node inside the <ssl> block, as shown here:
    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    <disableSSLv3></disableSSLv3>
    </ssl>

  4. For VCSA, add the line options=NO_SSLv3 to the /etc/syslog-ng/stunnel.conf configuration file.

  5. Save the file and restart the service.
    Windows: Restart the vmsyslogcollector service.
    VCSA: /etc/init.d/syslog-collector restart
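The sfcb.cfg, lighttpd.conf and stunnel.conf edits described above for SFCBD, VAMI and the Syslog Collector are each a single line in a plain key/value file, and the KB's own rule for sfcb.cfg ("if the entry exists, set the value; otherwise add it") is what makes the edit safe to repeat. The following is an added Python example, not VMware's code and not part of the KB, that applies those three edits idempotently to file contents held as strings and audits the result; the three sample file contents are constructed, and the function names are the example's own.

```python
"""Idempotent edits for the line-oriented config files in this KB.

Added example, not VMware code. It performs the edits the KB describes
by hand for three files: set "enableSSLv3: false" in /etc/sfcb/sfcb.cfg,
set ssl.use-sslv3="disable" in lighttpd.conf (VAMI), and add
"options=NO_SSLv3" to /etc/syslog-ng/stunnel.conf. The functions work on
file contents as strings, and the sample contents are constructed.
"""
import re


def _append_line(text, line):
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"


def set_setting(text, key, sep, value):
    """Set key<sep>value, replacing the existing line or appending a new one.

    Follows the KB's rule for sfcb.cfg (if the entry exists, set the value;
    otherwise add it). Leading whitespace is tolerated, but a commented-out
    line (leading '#') does not count as the live setting.
    """
    pattern = re.compile(
        r"^[ \t]*" + re.escape(key) + r"[ \t]*" + re.escape(sep.strip()) + r".*$",
        re.MULTILINE,
    )
    new_line = f"{key}{sep}{value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: new_line, text, count=1)
    return _append_line(text, new_line)


def get_setting(text, key, sep):
    """Return the value of the live key<sep>value line, or None if absent."""
    pattern = re.compile(
        r"^[ \t]*" + re.escape(key) + r"[ \t]*" + re.escape(sep.strip()) + r"[ \t]*(.*)$",
        re.MULTILINE,
    )
    m = pattern.search(text)
    return m.group(1).strip() if m else None


def ensure_line(text, line):
    """Add an exact line (e.g. options=NO_SSLv3) unless it is already present."""
    if any(l.strip() == line for l in text.splitlines()):
        return text
    return _append_line(text, line)


def remove_line(text, line):
    """Drop every exact occurrence of line (the KB's 'enable' direction for stunnel)."""
    return "".join(l + "\n" for l in text.splitlines() if l.strip() != line)


# Constructed sample contents (not copies of real appliance files).
SFCB_CFG = "httpPort: 5988\nenableHttps: true\nenableSSLv3: true\n"
LIGHTTPD_CONF = 'ssl.engine = "enable"\nssl.use-sslv3="enable"\n'
STUNNEL_CONF = "[syslog]\naccept = 1514\nconnect = 127.0.0.1:514\n"


def disable_sslv3(sfcb_cfg, lighttpd_conf, stunnel_conf):
    """Return the three files with SSLv3 turned off as the KB prescribes."""
    return (
        set_setting(sfcb_cfg, "enableSSLv3", ": ", "false"),
        set_setting(lighttpd_conf, "ssl.use-sslv3", "=", '"disable"'),
        ensure_line(stunnel_conf, "options=NO_SSLv3"),
    )


def sslv3_off(sfcb_cfg, lighttpd_conf, stunnel_conf):
    """Audit: True only when all three files have SSLv3 disabled."""
    return (
        get_setting(sfcb_cfg, "enableSSLv3", ":") == "false"
        and get_setting(lighttpd_conf, "ssl.use-sslv3", "=") == '"disable"'
        and any(l.strip() == "options=NO_SSLv3" for l in stunnel_conf.splitlines())
    )


if __name__ == "__main__":
    print("before:", sslv3_off(SFCB_CFG, LIGHTTPD_CONF, STUNNEL_CONF))
    print("after: ", sslv3_off(*disable_sslv3(SFCB_CFG, LIGHTTPD_CONF, STUNNEL_CONF)))
```

Running disable_sslv3 a second time on its own output returns it unchanged, which is what lets the same script run on every host without stacking duplicate lines; the services still have to be restarted as the KB steps say, since none of these daemons re-read their config on their own.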

VMware vSphere Web Client Service (vspherewebclientsvc) - Port 9443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the vSphere Web Client service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the tomcat-server.xml file:
    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the sslEnabledProtocols list, as shown here:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="SSLv3, TLSv1">

  4. Save the file.

  5. Restart the Management Webservices.

    Windows: Restart the VMware Management Webservices service.

    VCSA: Restart the vpxd service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the vSphere Web Client service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the tomcat-server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml

    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the sslEnabledProtocols list, leaving sslEnabledProtocols="TLSv1", as shown here:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="TLSv1">

  4. Save the file.

  5. For Windows, restart the VMware Management Webservices service.

  6. For VCSA, restart vpxd.

VMware Virtual Center Server (vpxd) - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the VirtualCenter Server service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the vpxd.cfg file:

    • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file and remove the <sslOptions></sslOptions> element to enable SSLv3, leaving the <ssl> block as shown here:
    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>

  4. Save the file.

  5. Restart the vpxd service.
    • Windows: Restart the VMware VirtualCenter Server service from services.msc.
    • vCenter Server Appliance: Run the following command from the command prompt:
      /etc/init.d/vmware-vpxd restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the VirtualCenter Server service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the vpxd.cfg file:
    • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file to add <sslOptions>50479104</sslOptions> inside the <ssl> element to disable SSLv3:
    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    <sslOptions>50479104</sslOptions>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>

  4. Save the file.

  5. Restart the vpxd service.

    • Windows: Restart the VMware VirtualCenter Server service from services.msc.

    • vCenter Server Appliance: Run the following command from the command prompt:
      /etc/init.d/vmware-vpxd restart

vCenter Inventory Service database (invsvc) - XDB Port 10109, 10443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the invsvc service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the query-server-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list, as shown here:

    <property name="enabledProtocols" value="SSLv3,TLSv1" />

  4. Save the file.

  5. Restart the Inventory Service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the invsvc service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the query-server-config.xml file:
    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list to disable SSLv3:

    <property name="enabledProtocols" value="TLSv1" />

  4. For VCSA, change the corresponding query-server-config.xml and server-config.xml files in /usr/lib/vmware-vpx/inventoryservice/lib/server/config.

  5. Save the file.

  6. Restart the Inventory Service.

VMware Virtual Center Management Webservices - Port 8443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the VirtualCenter Management Webservices for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list, as shown here:

    <property name="enabledProtocols" value="SSLv3,TLSv1"/>

  4. Save the file.

  5. For Windows, restart the VMware Management Webservices service.

  6. For VCSA, restart vpxd.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the VirtualCenter Management Webservices for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list, as shown here:

    <property name="enabledProtocols" value="TLSv1"/>

  4. For VCSA, change the value in the /usr/lib/vmware-vpx/tomcat/conf/server.xml file.

  5. Save the file.

  6. Restart the Management Webservices.

    Windows: Restart the VMware Management Webservices service.

    VCSA: Restart the vpxd service.

SPS - Port 21100(VCSA), 31100(Windows)

Enabling SSLv3 Protocol

To enable SSLv3 protocol on SPS for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add the value SSLv3 to the enabledProtocols list, as shown here:

    <property name="enabledProtocols" value="SSLv3,TLSv1"/>

  4. Save the file.

  5. Restart the SPS service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on SPS for vCenter Server 5.0 Update 3g, follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. To disable SSLv3, remove the string SSLv3 from the enabledProtocols list in sps-spring-config.xml:

    Change <property name="enabledProtocols" value="SSLv3,TLSv1"/> to <property name="enabledProtocols" value="TLSv1"/>

  4. Save the file.

  5. Restart the vmware-sps service.
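The vSphere Web Client (tomcat-server.xml, port 9443), Inventory Service, VirtualCenter Management Webservices and SPS sections above all come down to the same edit: remove SSLv3 from a comma-separated protocol list, either the sslEnabledProtocols attribute of a Tomcat <Connector> or the value attribute of a Spring <property name="enabledProtocols">. The following is an added Python example, not VMware's code and not part of the KB, that audits both shapes and produces the hardened document; the two XML documents are constructed samples that only mirror the single elements the KB shows, and the function names are the example's own. It goes slightly beyond the KB by tolerating both spacing variants the snippets use and by refusing to leave a connector with an empty protocol list.

```python
"""Audit and harden the protocol lists in the XML files this KB edits.

Added example, not VMware code. The vSphere Web Client tomcat-server.xml
carries a <Connector sslEnabledProtocols="..."> attribute; the Inventory
Service, Management Webservices and SPS files carry
<property name="enabledProtocols" value="..."/>. Both shapes are handled
with xml.etree. The two documents below are constructed samples that only
mirror the single elements the KB shows, not the real files.
"""
import xml.etree.ElementTree as ET

TOMCAT_SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="SSLv3, TLSv1"/>
  </Service>
</Server>"""

SPRING_SAMPLE = """<beans>
  <bean id="sslSettings" class="example.SslSettings">
    <property name="enabledProtocols" value="SSLv3,TLSv1 "/>
  </bean>
</beans>"""


def _protocol_attrs(root):
    """Yield (element, attribute name) for every protocol list in the tree."""
    for el in root.iter():
        if el.tag == "Connector" and "sslEnabledProtocols" in el.attrib:
            yield el, "sslEnabledProtocols"
        elif (el.tag == "property" and el.get("name") == "enabledProtocols"
              and "value" in el.attrib):
            yield el, "value"


def _split(value):
    # Tolerate the spacing variants the KB shows ("SSLv3, TLSv1", "SSLv3,TLSv1 ").
    return [p.strip() for p in value.split(",") if p.strip()]


def protocol_lists(xml_text):
    """Return every protocol list found, e.g. [['SSLv3', 'TLSv1']]."""
    root = ET.fromstring(xml_text)
    return [_split(el.get(attr)) for el, attr in _protocol_attrs(root)]


def sslv3_enabled(xml_text):
    """True if any protocol list in the document still names SSLv3."""
    return any(p.lower() == "sslv3" for lst in protocol_lists(xml_text) for p in lst)


def strip_sslv3(xml_text):
    """Return the document with SSLv3 removed from every protocol list.

    Refuses to produce an empty list: a connector with no protocol at all
    would stop serving TLS entirely rather than just dropping SSLv3.
    ElementTree re-serialises the tree, so comments and the XML declaration
    of the original file are not preserved; diff the result before copying
    it over a production file.
    """
    root = ET.fromstring(xml_text)
    for el, attr in _protocol_attrs(root):
        kept = [p for p in _split(el.get(attr)) if p.lower() != "sslv3"]
        if not kept:
            raise ValueError(f"<{el.tag}> lists only SSLv3; add a TLS version before removing it")
        el.set(attr, ",".join(kept))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, doc in (("tomcat-server.xml", TOMCAT_SAMPLE), ("spring config", SPRING_SAMPLE)):
        print(name, "SSLv3 enabled:", sslv3_enabled(doc))
        print(strip_sslv3(doc))
```

Run sslv3_enabled over the backup copy and over the edited file before restarting the service; a false on the edited file is the check that the hand edit in step 3 actually landed on the right element.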

Auto Deploy - Port 6501/6502

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Auto Deploy service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Run the following command to connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

    Key             Value
    vlan-id         0
    disable-sslv3   1

  3. Run the following command to enable SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

  4. Restart the Auto Deploy service for the change to take effect.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Auto Deploy service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Run the following command to connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

    Key             Value
    vlan-id         0
    disable-sslv3   0

  3. Open and modify the Auto Deploy config file to disable SSLv3:

    • Windows default location: c:\ProgramData\VMware\VMware vSphere Autodeploy\vmconfig-autodeploy
    • vCenter Server Appliance default location: /etc/vmware-rbd/autodeploy-setup.xml

  4. Edit the file and change the value from True to False to disable sslv3, as shown here:

    <ssl>
    <disable-sslv3>False</disable-sslv3>
    </ssl>

  5. Run the following command to disable SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 1

  6. Restart the Auto Deploy service for the change to take effect.

Update Manager - Port 9087/8084

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Update Manager service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Stop the vSphere Update Manager service.

  2. Go to the Update Manager install directory.

  3. Edit the following to enable SSLv3:
    • For port 9087, search for and delete <Item>SSLv3</Item> from the jetty-vum-ssl.xml file:

      <Arg>
      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
      <Item>SSLv3</Item>
      </Array>
      </Set>
      </New>
      </Arg>

    • For port 8084, search for and delete <sslOptions>33554432</sslOptions> from the vci-integrity.xml file:

      <ssl>
      <cipherList>AES128-SHA, AES256-SHA</cipherList>
      <handshakeTimeoutMs>120000</handshakeTimeoutMs>
      <sslOptions>33554432</sslOptions>
      </ssl>
      <ssl>
      <privateKey>ssl/rui.key</privateKey>
      <certificate>ssl/rui.crt</certificate>
      <sslOptions>33554432</sslOptions>
      </ssl>

  4. Save the file and restart the vSphere Update Manager service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Update Manager service for vCenter Server 5.0 Update 3g, follow these steps:

  1. Stop the vSphere Update Manager service.

  2. Go to the Update Manager install directory.

  3. Edit the following to disable SSLv3:

    • For port 9087, add the following text after <New class="org.eclipse.jetty.server.ssl.SslSocketConnector"> in the jetty-vum-ssl.xml file:

      <Arg>
      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
      <Item>SSLv3</Item>
      </Array>
      </Set>
      </New>
      </Arg>

    • For port 8084, add <sslOptions>33554432</sslOptions> to each <ssl> block of the vci-integrity.xml file:

      <ssl>
      <cipherList>AES128-SHA, AES256-SHA</cipherList>
      <handshakeTimeoutMs>120000</handshakeTimeoutMs>
      <sslOptions>33554432</sslOptions>
      </ssl>
      <ssl>
      <privateKey>ssl/rui.key</privateKey>
      <certificate>ssl/rui.crt</certificate>
      <sslOptions>33554432</sslOptions>
      </ssl>

  4. Save the file and restart the vSphere Update Manager service.
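The vpxd.cfg section above uses <sslOptions>50479104</sslOptions> and the Update Manager port 8084 section uses <sslOptions>33554432</sslOptions> without saying what the numbers mean, which makes it hard to verify a file by eye. The following is an added Python example, not VMware's code and not part of the KB. It assumes, since the KB does not state it, that sslOptions is an OpenSSL SSL_OP_* option bitmask and uses the OpenSSL 1.0.x constant values; under that assumption 33554432 (0x02000000) is exactly SSL_OP_NO_SSLv3, and 50479104 (0x03024000) additionally sets the no-SSLv2, no-compression and no-session-ticket bits. It also checks the Jetty ExcludeProtocols array from the port 9087 edit. All three XML documents are constructed samples, and the function names are the example's own.

```python
"""Decode the <sslOptions> values used by vpxd.cfg and Update Manager in this KB.

Added example, not VMware code. Assumption (not stated by the KB): the
integer in <sslOptions> is an OpenSSL SSL_OP_* bitmask, so the OpenSSL
1.0.x constants are used to name its bits. The XML below is constructed
sample input that mirrors only the elements the KB shows.
"""
import xml.etree.ElementTree as ET

# OpenSSL 1.0.x SSL_OP_* values (assumption: vmacore passes sslOptions to OpenSSL).
SSL_OP_FLAGS = {
    "SSL_OP_NO_TICKET":      0x00004000,
    "SSL_OP_NO_COMPRESSION": 0x00020000,
    "SSL_OP_NO_SSLv2":       0x01000000,
    "SSL_OP_NO_SSLv3":       0x02000000,
    "SSL_OP_NO_TLSv1":       0x04000000,
    "SSL_OP_NO_TLSv1_2":     0x08000000,
    "SSL_OP_NO_TLSv1_1":     0x10000000,
}

VPXD_SAMPLE = """<config>
  <vmacore>
    <ssl>
      <useCompression>true</useCompression>
      <sslOptions>50479104</sslOptions>
    </ssl>
  </vmacore>
</config>"""

VUM_SAMPLE = """<config>
  <ssl>
    <cipherList>AES128-SHA, AES256-SHA</cipherList>
    <handshakeTimeoutMs>120000</handshakeTimeoutMs>
    <sslOptions>33554432</sslOptions>
  </ssl>
</config>"""

JETTY_SAMPLE = """<Configure>
  <Arg>
    <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
          <Item>SSLv3</Item>
        </Array>
      </Set>
    </New>
  </Arg>
</Configure>"""


def decode_ssl_options(value):
    """Return the SSL_OP_* names set in an sslOptions integer, plus any unknown bits."""
    names = [name for name, bit in SSL_OP_FLAGS.items() if value & bit]
    known = sum(SSL_OP_FLAGS.values())
    return names, value & ~known


def ssl_options_from_xml(xml_text):
    """Read every <sslOptions> value in a document (empty list when none is present)."""
    root = ET.fromstring(xml_text)
    return [int(el.text.strip()) for el in root.iter("sslOptions")]


def sslv3_disabled_by_options(xml_text):
    """True only if every <ssl> block in the document sets SSL_OP_NO_SSLv3.

    A block with no <sslOptions> at all is the KB's 'enabled' state, so one
    such block anywhere in the file makes the whole file fail the check.
    """
    root = ET.fromstring(xml_text)
    blocks = list(root.iter("ssl"))
    if not blocks:
        return False
    for ssl in blocks:
        opt = ssl.find("sslOptions")
        if opt is None or not (int(opt.text.strip()) & SSL_OP_FLAGS["SSL_OP_NO_SSLv3"]):
            return False
    return True


def jetty_excludes_sslv3(xml_text):
    """True if a Jetty SslContextFactory ExcludeProtocols array lists SSLv3."""
    root = ET.fromstring(xml_text)
    for setter in root.iter("Set"):
        if setter.get("name") == "ExcludeProtocols":
            items = [i.text.strip().lower() for i in setter.iter("Item") if i.text]
            if "sslv3" in items:
                return True
    return False


if __name__ == "__main__":
    for value in ssl_options_from_xml(VPXD_SAMPLE) + ssl_options_from_xml(VUM_SAMPLE):
        print(value, "->", decode_ssl_options(value))
    print("vpxd.cfg SSLv3 disabled:", sslv3_disabled_by_options(VPXD_SAMPLE))
    print("jetty excludes SSLv3:", jetty_excludes_sslv3(JETTY_SAMPLE))
```

The unknown-bits value returned by decode_ssl_options is the useful part for a reviewer: a nonzero result means the file carries a bit the table does not name, so the assumption about the encoding, or the file, deserves a second look before the number is trusted.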

vCenter Server Appliance - Port 5489

SSLv3 is not configurable on this port, and this issue is specific to the VCSA. Log in to the VCSA using an SSH client and follow these steps:

  1. Run the following command to go to init.d directory:
    cd /etc/init.d/

  2. Run the following command to create new file:
    vi vami_port

  3. Add the following content to the vami_port file:
    #!/bin/bash
    ### BEGIN INIT INFO
    # Provides: vami_port
    # Required-Start: vaos
    # Required-Stop:
    # Default-Start: 3 5
    # Default-Stop:
    ### END INIT INFO
    . /etc/rc.status
    rc_reset
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 5489 -j REJECT
    rc_exit

  4. Run the following command to change permissions of vami_port file:
    chmod 755 vami_port

  5. Run the following command to execute the script:
    ./vami_port or sh vami_port

  6. Run the following command to insert the vami_port file as a service:
    insserv vami_port

vSphere 5.1 Ports and Services

  Service                                                  Port
  Hostd                                                    443
  Authd                                                    902
  SFCBD                                                    5989
  Single Sign On (SSO)                                     7444
  Virtual Appliance Management Interface (VAMI)            5480
  Authentication proxy service (CAM)                       51915
  Syslog Collector (vmsyslogcollector)                     1514
  VMware vSphere Web Client Service (vspherewebclientsvc)  9443
  VirtualCenter Server service (vpxd)                      443
  vCenter Inventory Service database (invsvc)              10109
  VMware VirtualCenter Management Webservices              8443
  SPS                                                      21100 (VCSA), 31100 (Windows)
  Auto Deploy service port                                 6501
  Auto Deploy management port                              6502
  Log Browser service                                      12443
  vSphere Update Manager                                   8084/9087

The configuration steps for each service follow, one section per service.

Hostd service - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Hostd service for ESXi 5.1 patch [3872664] released on 05/24/2016, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. To enable SSLv3, run the following command:
    esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols51 -s ""

  3. Restart the rhttpproxy service by running the following command:
    /etc/init.d/rhttpproxy restart
    watchdog-rhttpproxy: Terminating watchdog process with PID 6276
    rhttpproxy stopped.
    rhttpproxy started.

  4. Run the following command to get the list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols51

    The output resembles the following; an empty String Value means SSLv3 is no longer listed as disabled:
    Path: /UserVars/ESXiRhttpproxyDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *


Disabling SSLv3 Protocol

To disable SSLv3 protocol, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to disable SSLv3:
    esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols51 -s "SSLv3"

  3. Restart the rhttpproxy service by running the following command:

    /etc/init.d/rhttpproxy restart
    watchdog-rhttpproxy: Terminating watchdog process with PID 6276
    rhttpproxy stopped.
    rhttpproxy started.

  4. Run the following command to get the list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols51

    The output resembles the following; sslv3 now appears in String Value:
    Path: /UserVars/ESXiRhttpproxyDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *

In the event of unexpected behavior, restore the previously backed-up proxy configuration file to revert the system to the clean state it was in before.

HostProfile

Configuration of the Hostd can also be captured through a host profile by following these steps:

  1. Log in to vCenter Server with the vSphere Web Client.

  2. Right-click the target host and click Extract Host Profile to create a new host profile.

  3. After the host profile is created, navigate to Home > Host Profiles > your_host_profile to edit it.

  4. In the Edit Host Profiles tab, the entry for hostd is under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > ESXiRhttpproxyDisabledProtocols51.

  5. Applying the hostd setting from a host profile works the same as for other settings: if the hostd configuration is included in the host profile, the difference between the host profile and the target host is displayed, and the host's value is replaced when the profile is applied to that host.

Authd - Port 902

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Authd service for ESXi 5.1 patch [3872664] released on 05/24/2016, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. To enable SSLv3, run the following command:
    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols51 -s ""

  3. Run the following command to get the list of disabled protocols for authd:
    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols51

    The output resembles the following; an empty String Value means SSLv3 is no longer listed as disabled:
    Path: /UserVars/VMAuthdDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *


Disabling SSLv3 Protocol

To disable SSLv3 protocol, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. To disable SSLv3, run the following command:
    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols51 -s "SSLv3"

  3. Run the following command to get the list of disabled protocols for authd:
    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols51

    The output resembles the following; sslv3 now appears in String Value:
    Path: /UserVars/VMAuthdDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *

In the event of unexpected behavior, restore the previously backed-up proxy configuration file to revert the system to the clean state it was in before.
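The hostd and authd procedures in both the vSphere 5.0 section (ESXiHostdDisabledProtocols, VMAuthdDisabledProtocols50) and the vSphere 5.1 section above (ESXiRhttpproxyDisabledProtocols51, VMAuthdDisabledProtocols51) end with the same verification: read the option back with esxcli system settings advanced list and look at String Value. Across a fleet that is tedious to do by eye, and the KB's own output shows the value written as "SSLv3" but listed back as "sslv3", so a naive string match can miss it. The following is an added Python example, not VMware's code and not part of the KB, that parses that esxcli output and reports per option whether SSLv3 is disabled; the two outputs it parses are constructed samples modelled on the KB's listings, and the function names are the example's own.

```python
"""Audit the ESXi advanced-option listings shown in this KB.

Added example, not VMware code. Parses the text that
`esxcli system settings advanced list -o <option>` prints for the
*DisabledProtocols* options (ESXiHostdDisabledProtocols and
VMAuthdDisabledProtocols50 on ESXi 5.0, ESXiRhttpproxyDisabledProtocols51
and VMAuthdDisabledProtocols51 on 5.1) and reports whether SSLv3 is listed
as disabled. Both outputs below are constructed samples.
"""

SAMPLE_ESXI50_HOSTD = """\
   Path: /UserVars/ESXiHostdDisabledProtocols
   Type: string
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 0
   String Value: sslv3
   Default String Value:
   Valid Characters: *
"""

SAMPLE_ESXI51_RHTTPPROXY = """\
   Path: /UserVars/ESXiRhttpproxyDisabledProtocols51
   Type: string
   Int Value: 0
   Default Int Value: 0
   Min Value: 0
   Max Value: 0
   String Value:
   Default String Value:
   Valid Characters: *
"""


def parse_advanced_option(output):
    """Turn the 'Key: value' lines of one esxcli advanced option into a dict.

    Values may legitimately be empty ("String Value:" with nothing after it),
    so split on the first ':' only and keep the empty string.
    """
    entry = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    return entry


def disabled_protocols(entry):
    """Return the protocols named in String Value, normalised to lower case.

    The KB sets the value as "SSLv3" but esxcli lists it back as "sslv3",
    so the comparison must ignore case. More than one disabled protocol is
    comma separated.
    """
    raw = entry.get("String Value", "")
    return [p.strip().lower() for p in raw.split(",") if p.strip()]


def sslv3_disabled(output):
    """True if SSLv3 is in the option's disabled-protocol list."""
    return "sslv3" in disabled_protocols(parse_advanced_option(output))


def audit(outputs):
    """Map option path -> 'disabled' / 'ENABLED' for a batch of esxcli listings."""
    report = {}
    for output in outputs:
        entry = parse_advanced_option(output)
        report[entry["Path"]] = "disabled" if sslv3_disabled(output) else "ENABLED"
    return report


if __name__ == "__main__":
    for path, state in audit([SAMPLE_ESXI50_HOSTD, SAMPLE_ESXI51_RHTTPPROXY]).items():
        print(f"{path}: SSLv3 {state}")
```

On a real host the outputs would come from running the esxcli command in step 4 of each procedure (for example over SSH and capturing stdout); the parser only depends on the "Key: value" layout the KB shows, so the same code serves the 5.0 and 5.1 option names.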

HostProfile

Configuration of the Authd can also be captured through a host profile by following these steps:

  1. Log in to vCenter Server with the vSphere Web Client.

  2. Right-click the target host and click Extract Host Profile to create a new host profile.

  3. After the host profile is created, navigate to Home > Host Profiles > your_host_profile to edit it.

  4. In the Edit Host Profiles tab, the entry for authd is under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > VMAuthdDisabledProtocols51.

  5. Applying the authd setting from a host profile works the same as for other settings: if the authd configuration is included in the host profile, the difference between the host profile and the target host is displayed, and the host's value is replaced when the profile is applied to that host.

SFCBD - Port 5989

Enabling SSLv3 Protocol
To enable SSLv3 protocol on the SFCBD service for the ESXi 5.1 patch [3872664] released on 05/24/2016, follow these steps:
  1. Log in to ESXi using putty.exe.

  2. Open the configuration file in an editor and set the following entry (add it if it does not exist):

    vi /etc/sfcb/sfcb.cfg
    enableSSLv3: true

  3. Save the file.

  4. Restart the service for the configuration to take effect:

    /etc/init.d/sfcbd-watchdog restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on the SFCBD service for ESXi 5.1 Update 3d, follow these steps:
  1. Log in to ESXi using putty.exe.

  2. Open the configuration file in an editor:

    vi /etc/sfcb/sfcb.cfg

  3. Add the following entry to disable SSLv3. If the entry already exists, set its value to false:

    enableSSLv3: false

  4. Save the file.

  5. Restart the service for the configuration to take effect, then confirm that it is running:

    /etc/init.d/sfcbd-watchdog restart
    /etc/init.d/sfcbd-watchdog status

    sfcbd is running.

HostProfile
The CIM (SFCBD) configuration can also be captured in a host profile:

  1. Log in to vCenter Server with the vSphere Client (C#).

  2. Right-click the target host and click Extract Host Profile to create a new host profile.

  3. Choose Home > Host Profiles > your host profile to edit it.

  4. On the Edit Host Profiles tab, select General System Settings > Management Agent Configuration, and under SFCB Configuration > Settings set the enable SSL v3 option.

  5. Apply the host profile to stateful or stateless systems.

  6. Restart the service for the configuration to take effect:

    /etc/init.d/sfcbd-watchdog restart

Single Sign On - Port 7444

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the SSO service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the server.xml file.

    • Windows default location: C:\Program Files\VMware\Infrastructure\SSOServer\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to both instances of the sslEnabledProtocols attribute, so that each reads:
    sslEnabledProtocols="SSLv3,TLSv1"

  4. Save the file.

  5. Restart the vmware-sso service.

    • For vCenter Server Appliance: run service vmware-sso restart
    • For Windows: restart the vCenter Single Sign On service from services.msc.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the SSO service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the server.xml file.

    • Windows default location: C:\Program Files\VMware\Infrastructure\SSOServer\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from both instances of the sslEnabledProtocols attribute, so that each reads:
    sslEnabledProtocols="TLSv1"

  4. Save the file.

  5. Restart the vmware-sso service.

    • For vCenter Server Appliance: run service vmware-sso restart
    • For Windows: restart the vCenter Single Sign On service from services.msc.

Virtual Appliance Management Interface (VAMI) service - Port 5480

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the VAMI service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file.

  2. Create a backup copy of the file.

  3. Search for this line:

    ssl.use-sslv3="disable"

  4. Modify the line to:

    ssl.use-sslv3="enable"

  5. Save the file.

  6. Restart the VAMI service with the following command:

    service vami-lighttp restart
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the VAMI service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file.

  2. Create a backup copy of the file.

  3. Search for this line:

    ssl.use-sslv3="enable"

  4. If the file has no ssl.use-sslv3 line at all, add one next to the existing ssl.engine = "enable" setting, so that the protocol choice is explicit rather than left to the lighttpd build's default.

  5. Set the line to:

    ssl.use-sslv3="disable"

  6. Save the file.

  7. Restart the VAMI service with the following command:

    service vami-lighttp restart

Authentication proxy (CAM) service - Port 51915

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the CAM service for vCenter Server 5.1 Update 3d, follow these steps. Note that these Schannel registry settings are machine-wide: they re-enable SSLv3 for every Schannel-based service on that Windows server, not only for the Authentication Proxy.

  1. Open the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL 3.0 (with a space) as the key name.

  5. Under the SSL 3.0 key, create two subkeys in the same way and name them Client and Server.

  6. Right-click the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 0 as the data value.
    • Click OK.

  7. Right-click the Server key, and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 1 as the data value.
    • Click OK.

  8. Restart the server.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the CAM service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL 3.0 (with a space) as the key name.

  5. Under the SSL 3.0 key, create two subkeys and name them Client and Server.

  6. Right-click the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 1 as the data value.
    • Click OK.

  7. Right-click the Server key, and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 0 as the data value.
    • Click OK.

  8. Restart the server.

Syslog Collector service - Port 1514

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Syslog Collector service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Access the configuration file from the following locations:

    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to remove the <disableSSLv3></disableSSLv3> node, so that the <ssl> section reads:

    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    </ssl>

  4. For VCSA, remove the line options=NO_SSLv3 from the configuration file.

  5. Save the file and restart the service:

    Windows: Restart the vmsyslogcollector service.

    VCSA: /etc/init.d/syslog-collector restart
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Syslog Collector service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Access the configuration file from the following locations:

    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to add the <disableSSLv3></disableSSLv3> node, so that the <ssl> section reads:

    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    <disableSSLv3></disableSSLv3>
    </ssl>

  4. For VCSA, add the line options=NO_SSLv3 to the /etc/syslog-ng/stunnel.conf configuration file.

  5. Save the file and restart the service:

    Windows: Restart the vmsyslogcollector service.

    VCSA: /etc/init.d/syslog-collector restart

VMware vSphere Web Client Service (vspherewebclientsvc) - Port 9443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the vSphere Web Client service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the tomcat-server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the sslEnabledProtocols list, as shown here:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="SSLv3, TLSv1">

  4. Save the file.

  5. Restart the service:

    Windows: Restart the VMware VirtualCenter Management Webservices service.

    VCSA: Restart the vpxd service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the vSphere Web Client service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the tomcat-server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the sslEnabledProtocols list, leaving only TLSv1, as shown here:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="TLSv1">

  4. Save the file.

  5. For Windows, restart the VMware VirtualCenter Management Webservices service.

  6. For VCSA, restart the vpxd service.

VMware Virtual Center Server (vpxd) - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the VirtualCenter Server service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the vpxd.cfg file:

    • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file to remove the <sslOptions></sslOptions> element from the <ssl> section, so that it reads:

    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>

  4. Save the file.

  5. Restart the vpxd service.
    • Windows: Restart the VMware VirtualCenter Server service from services.msc

    • vCenter Server Appliance: Run the following command:
      /etc/init.d/vmware-vpxd restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the VirtualCenter Server service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the vpxd.cfg file:

    • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file to add <sslOptions>50479104</sslOptions> to the <ssl> section, which disables SSLv3:

    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    <sslOptions>50479104</sslOptions>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>

  4. Save the file.

  5. Restart the vpxd service.

    • Windows: Restart the VMware VirtualCenter Server service from services.msc

    • vCenter Server Appliance: Run the following command:
      /etc/init.d/vmware-vpxd restart

vCenter Inventory Service database (invsvc) - XDB Port 10109, 10443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the invsvc service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the server-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list, as shown here:

    <property name="enabledProtocols" value="SSLv3,TLSv1" />

  4. For VCSA, make the same change in both server-config.xml and query-server-config.xml in /usr/lib/vmware-vpx/inventoryservice/lib/server/config.

  5. Save the file.

  6. Restart the Inventory Service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the invsvc service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the server-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list, which disables SSLv3:

    <property name="enabledProtocols" value="TLSv1" />

  4. For VCSA, make the same change in both server-config.xml and query-server-config.xml in /usr/lib/vmware-vpx/inventoryservice/lib/server/config.

  5. Save the file.

  6. Restart the Inventory Service.

VMware Virtual Center Management Webservices - Port 8443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the VirtualCenter Management Webservices for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabled protocols list, as shown here:

    <property name="enabledProtocols" value="SSLv3,TLSv1"/>

  4. Save the file.

  5. For Windows, restart the VMware VirtualCenter Management Webservices service.

  6. For VCSA, restart the vpxd service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the VirtualCenter Management Webservices for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabled protocols list, as shown here:

    <property name="enabledProtocols" value="TLSv1"/>

  4. For VCSA, change the value in the /usr/lib/vmware-vpx/tomcat/conf/server.xml file.

  5. Save the file.

  6. Restart the service:

    Windows: Restart the VMware VirtualCenter Management Webservices service.

    VCSA: Restart the vpxd service.

SPS - Port 21100(VCSA), 31100(Windows)

Enabling SSLv3 Protocol
To enable SSLv3 protocol on SPS for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list, as shown here:

    <property name="enabledProtocols" value="SSLv3,TLSv1"/>

  4. Save the file.

  5. Restart the SPS service.

Disabling SSLv3 Protocol
To disable SSLv3 protocol on SPS for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. To disable SSLv3, remove the string SSLv3 from the enabledProtocols list in sps-spring-config.xml:

    Change <property name="enabledProtocols" value="SSLv3,TLSv1"/> to <property name="enabledProtocols" value="TLSv1"/>

  4. Save the file.

  5. Restart the vmware-sps service.

Auto Deploy - Port 6501/6502

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Auto Deploy service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Run the following command to connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3 (a disable-sslv3 value of 1 means SSLv3 is disabled):

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

    Key            Value
    vlan-id        0
    disable-sslv3  1

  3. Run the following command to enable SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

  4. Restart the Auto Deploy service for the change to take effect.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Auto Deploy service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Run the following command to connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3 (a disable-sslv3 value of 0 means SSLv3 is enabled):

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

    Key            Value
    vlan-id        0
    disable-sslv3  0

  3. Run the following command to disable SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 1

  4. Restart the Auto Deploy service for the change to take effect.

Log Browser - Port 12443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Log Browser service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the logbrowser.properties file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
    • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties

  2. Create a backup copy of the file.

  3. Edit the file to remove sslv3 from the exclude-protocols line, which reads as follows while SSLv3 is disabled:

    exclude-protocols=sslv3

  4. Save the file.

  5. Restart the Log Browser service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Log Browser service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Open the logbrowser.properties file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
    • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties

  2. Create a backup copy of the file.

  3. Edit the file so that the exclude-protocols line lists SSLv3:

    exclude-protocols=SSLv3

  4. Save the file.

  5. Restart the Log Browser service.

Update Manager - Port 9087/8084

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Update Manager service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Stop the vSphere Update Manager service.

  2. Go to the Update Manager installation directory.

  3. Edit the following to enable SSLv3:

    • For port 9087, search for and delete <Item>SSLv3</Item> from the jetty-vum-ssl.xml file, where it appears in this block:

      <Arg>
      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
      <Item>SSLv3</Item>
      </Array>
      </Set>
      </New>
      </Arg>


    • For port 8084, search for and delete <sslOptions>33554432</sslOptions> from both <ssl> sections of the vci-integrity.xml file, where it appears as:

      <ssl>
      <cipherList>AES128-SHA, AES256-SHA</cipherList>
      <handshakeTimeoutMs>120000</handshakeTimeoutMs>
      <sslOptions>33554432</sslOptions>
      </ssl>
      <ssl>
      <privateKey>ssl/rui.key</privateKey>
      <certificate>ssl/rui.crt</certificate>
      <sslOptions>33554432</sslOptions>
      </ssl>

  4. Save the files and restart the vSphere Update Manager service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Update Manager service for vCenter Server 5.1 Update 3d, follow these steps:

  1. Stop the vSphere Update Manager service.

  2. Go to the Update Manager installation directory.

  3. Edit the following to disable SSLv3:

    • For port 9087, add the following text after the <New class="org.eclipse.jetty.server.ssl.SslSocketConnector"> line in the jetty-vum-ssl.xml file:
      <Arg>
      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
      <Item>SSLv3</Item>
      </Array>
      </Set>
      </New>
      </Arg>


    • For port 8084, add <sslOptions>33554432</sslOptions> to both <ssl> sections of the vci-integrity.xml file, so that they read:
      <ssl>
      <cipherList>AES128-SHA, AES256-SHA</cipherList>
      <handshakeTimeoutMs>120000</handshakeTimeoutMs>
      <sslOptions>33554432</sslOptions>
      </ssl>
      <ssl>
      <privateKey>ssl/rui.key</privateKey>
      <certificate>ssl/rui.crt</certificate>
      <sslOptions>33554432</sslOptions>
      </ssl>

  4. Save the files and restart the vSphere Update Manager service.

vSphere 5.5 Ports and Services

Note: Always take a backup copy of the configuration file before editing when applying the following steps.

Service                                                  Port                           Configuration Steps
Hostd                                                    443                            Hostd service
Authd                                                    902                            Authd service
SFCBD                                                    5989                           SFCBD service
Virtual SAN VP                                           8080                           Virtual SAN VP service
Virtual SAN Observer                                     8010                           Virtual SAN Observer service
VMware Directory Service (vmdir)                         11712                          vmdir service
Security Token Service (SSO)                             7444                           STS service
Virtual Appliance Management Interface (VAMI)            5480                           VAMI service
Authentication proxy service (CAM)                       51915                          Authentication proxy service
Syslog Collector (vmsyslogcollector)                     1514                           vmsyslogcollector service
VMware vSphere Web Client Service (vspherewebclientsvc)  9443                           vspherewebclientsvc service
VirtualCenter Server service (vpxd)                      443                            vpxd service
vCenter Inventory Service database (invsvc)              10109                          Inventory Service database
vCenter Inventory Service HTTPS                          10443                          Inventory Service HTTPS
VMware VirtualCenter Management Webservices              8443                           VMware VirtualCenter Management Webservices
PBM                                                      8191                           PBM service
SPS                                                      21100 (VCSA), 31100 (Windows)  SPS service
SMS                                                      22100 (VCSA), 32100 (Windows)  SMS service
Auto Deploy service                                      6501, 6502                     Auto Deploy Service
Log Browser                                                                             Log Browser service
HTML console                                             7343                           HTML5 console service

Hostd service - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on the Hostd service for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.
  2. Take a backup of the /etc/vmware/rhttpproxy/config.xml file before editing.
  3. In the configuration file, add the <sslOptions>16924672</sslOptions> entry within the existing <vmacore> tag, as shown in the following example, to enable SSLv3:

    <vmacore>
    <ssl>
    <sslOptions>16924672</sslOptions>
    </ssl>
    </vmacore>


  4. Save the file.
  5. Restart the rhttpproxy service by running the following command:

    /etc/init.d/rhttpproxy restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on the Hostd service for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.
  2. Take a backup of the /etc/vmware/rhttpproxy/config.xml file before editing.
  3. Delete only the <sslOptions>16924672</sslOptions> entry from /etc/vmware/rhttpproxy/config.xml; it sits under the <ssl> tag within <vmacore>.
  4. Save the file.
  5. Restart the rhttpproxy service by running the following command:

    /etc/init.d/rhttpproxy restart

If unexpected behavior is observed, restore the backup of the rhttpproxy configuration file and restart the rhttpproxy service to return the system to the clean state it was in before the change.

HostProfile

If you enable SSLv3 along with the default protocols, the host profile does not capture this setting. As a result, stateless ESXi hosts lose the sslOptions change made to the proxy service after every reboot.

Use the script in the attached KB2139396_sslprotomgmt.zip file to enable or disable the SSLv3 protocol for the proxy service. Refer to the note below and to the script documentation enclosed in the zip file for details.

Note: Be careful when you run the script, because it is not completely tested. VMware recommends running the script in a non-production or test environment before running it in production.

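The <sslOptions> numbers used on this page (50479104 for vpxd in the 5.1 section, 33554432 for Update Manager's vci-integrity.xml, and 16924672 for the 5.5 reverse proxy above) are a single bitmask, and the following added example decodes them. This is illustration code added by the editor, not part of the KB or of VMware's tooling. It assumes the values are OpenSSL 1.0.x SSL_OP_* flags as passed to SSL_CTX_set_options(); the KB does not state that mapping, but the numbers decode cleanly under it: 50479104 and 16924672 differ only in the SSL_OP_NO_SSLv3 bit, and 33554432 is that bit alone. It also reads the value out of a vpxd.cfg or rhttpproxy config.xml style fragment (the samples below are constructed from the snippets on this page) so a host's current state can be checked without eyeballing the number.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# OpenSSL 1.0.x SSL_OP_* values (openssl/ssl.h). Assumption: vmacore feeds
# <sslOptions> straight into SSL_CTX_set_options(); the KB does not say so.
SSL_OP_FLAGS = {
    0x00004000: "SSL_OP_NO_TICKET",
    0x00010000: "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
    0x00020000: "SSL_OP_NO_COMPRESSION",
    0x00400000: "SSL_OP_CIPHER_SERVER_PREFERENCE",
    0x01000000: "SSL_OP_NO_SSLv2",
    0x02000000: "SSL_OP_NO_SSLv3",
    0x04000000: "SSL_OP_NO_TLSv1",
    0x08000000: "SSL_OP_NO_TLSv1_2",
    0x10000000: "SSL_OP_NO_TLSv1_1",
}
SSL_OP_NO_SSLv3 = 0x02000000


def decode_ssl_options(value: int) -> List[str]:
    """Return the flag names set in an <sslOptions> value, lowest bit first.
    Bits outside the table are reported as UNKNOWN(...) rather than dropped."""
    names = []
    remaining = value
    for bit in sorted(SSL_OP_FLAGS):
        if value & bit:
            names.append(SSL_OP_FLAGS[bit])
            remaining &= ~bit
    if remaining:
        names.append("UNKNOWN(0x%08x)" % remaining)
    return names


def sslv3_disabled(value: int) -> bool:
    return bool(value & SSL_OP_NO_SSLv3)


def with_sslv3_disabled(value: int) -> int:
    """Set only the NO_SSLv3 bit, leaving every other option untouched."""
    return value | SSL_OP_NO_SSLv3


def with_sslv3_enabled(value: int) -> int:
    """Clear only the NO_SSLv3 bit, leaving every other option untouched."""
    return value & ~SSL_OP_NO_SSLv3


def read_ssl_options(config_xml: str) -> Optional[int]:
    """Return the <sslOptions> value from a vmacore-style config fragment, or
    None when the element is absent (the service then uses its built-in default)."""
    root = ET.fromstring(config_xml)
    for elem in root.iter("sslOptions"):
        if elem.text and elem.text.strip():
            return int(elem.text.strip())
    return None


# Constructed samples modelled on the vpxd.cfg fragments in this KB.
VPXD_SSLV3_DISABLED = """<vmacore>
  <ssl>
    <useCompression>true</useCompression>
    <sslOptions>50479104</sslOptions>
  </ssl>
</vmacore>"""

VPXD_SSLV3_ENABLED = """<vmacore>
  <ssl>
    <useCompression>true</useCompression>
  </ssl>
</vmacore>"""

if __name__ == "__main__":
    for label, value in (("vpxd 5.1 disable", 50479104),
                         ("VUM port 8084 disable", 33554432),
                         ("ESXi 5.5 rhttpproxy enable", 16924672)):
        print("%-28s %10d = %s" % (label, value, " | ".join(decode_ssl_options(value))))
    current = read_ssl_options(VPXD_SSLV3_DISABLED)
    print("sample vpxd.cfg: sslOptions=%s, SSLv3 disabled=%s" % (current, sslv3_disabled(current or 0)))
```

Because the value is a bitmask, the two directions on this page are not symmetric: deleting the whole <sslOptions> element (the 5.1 vpxd "enable" step) drops every flag, including NO_SSLv2 and NO_COMPRESSION, while the 5.5 procedure keeps those and clears only the SSLv3 bit. Prefer the latter when you must re-enable SSLv3 temporarily, and confirm afterwards with the verification tools mentioned in the Virtual SAN VP section.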
Authd - Port 902

The SSL/TLS configuration for authd is stored in /etc/vmware/esx.conf with an entry like:
/advUserOptions/options[0026]/name = "VMAuthdDisabledProtocols"

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Authd for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to enable SSLv3 (an empty list means no protocol is disabled):

    # esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Authd for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to disable SSLv3:

    # esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "sslv3"

  3. Run the following command to check configuration changes:

    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

    Path: /UserVars/VMAuthdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value: sslv3
    Valid Characters: *
    Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

HostProfile

Configuration of the Authd can also be captured through host profile by following these steps:

Note: If you have not changed the authd configuration, it may not appear in the host profile UI. Changing it once with the esxcli command makes it appear.
  1. Log in to vCenter Server with the vSphere Web Client.

  2. Right click the target host and click Extract Host Profile to create a new hostprofile.

  3. After the hostprofile is created, navigate to Home > Host Profiles > your_host_profile to edit it.

  4. In the Edit Host Profiles tab, you can find the entry for authd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > userVars.VMAuthdDisabledProtocols

  5. The application of authd in host profile is the same as other settings. If the configuration for authd is included in host profile, difference between host profile and target host for authd is displayed and replaced when choosing the target host to apply the host profile.

SFCBD - Port 5989

Enabling SSLv3 Protocol

To enable SSLv3 protocol on SFCBD for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Open the configuration file in an editor and set the following entry:

    vi /etc/sfcb/sfcb.cfg
    enableSSLv3: true

  3. Save the file.

  4. Restart the service for the configuration to take effect:

    /etc/init.d/sfcbd-watchdog restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on SFCBD for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Open the configuration file in an editor and set the following entry:

    vi /etc/sfcb/sfcb.cfg
    enableSSLv3: false

  3. Save the file.

  4. Restart the service for the configuration to take effect:

    /etc/init.d/sfcbd-watchdog restart

HostProfile
The CIM (SFCBD) configuration can also be captured in a host profile:

  1. Log in to vCenter Server with the vSphere Client (C#).

  2. Right-click the target host and click Extract Host Profile to create a new host profile.

  3. Choose Home > Host Profiles > your host profile to edit it.

  4. On the Edit Host Profiles tab, find the enable SSL v3 entry under SFCB Configuration > Settings.

  5. Apply the host profile to stateful or stateless systems.

  6. Restart the service for the configuration to take effect:
    /etc/init.d/sfcbd-watchdog restart

Virtual SAN VP - Port 8080

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Virtual SAN VP for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to enable SSLv3 (an empty list means no protocol is disabled):
    # esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s ""

  3. Run the following command to check the configuration changes:
    esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols

    Path: /UserVars/ESXiVPsDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value: sslv3
    Valid Characters: *
    Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.


  4. Restart the vsanvpd daemon for the change to take effect:
    /etc/init.d/vsanvpd restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Virtual SAN VP for ESXi 5.5 Update 3b, follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to disable SSLv3:
    esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3"

  3. Run the following command to check the configuration changes:

    esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols

    Path: /UserVars/ESXiVPsDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value: sslv3
    Valid Characters: *
    Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.


  4. Restart the vsanvpd daemon for the change to take effect:

    /etc/init.d/vsanvpd restart

You can verify which SSL/TLS protocols the service accepts by running sslscan or TestSSLServer against port 8080 of the ESXi host.
Note: Configurations can also be captured by Host Profile.

Virtual SAN Observer - Port 8010

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Virtual SAN Observer for ESXi 5.5 Update 3b, follow these steps:

  1. Deploy the Virtual SAN cluster. Log in to vCenter Server as root and start RVC with rvc localhost (on a Windows vCenter Server, rvc.bat localhost).

  2. The vsan.observer command takes the allowed protocols as an option:
    -s, --ssl-protocols=<s>

    Allowed SSL protocols, as a comma-separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2. Include sslv3 in the list to allow it.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Virtual SAN Observer for ESXi 5.5 Update 3b, follow these steps:

  1. Deploy the Virtual SAN cluster. Log in to vCenter Server as root and start RVC with rvc localhost (on a Windows vCenter Server, rvc.bat localhost).

  2. The vsan.observer command takes the allowed protocols as an option:
    -s, --ssl-protocols=<s>

    Allowed SSL protocols, as a comma-separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2. Any protocol not in the list is disabled, so to disable SSLv3 leave sslv3 out of the list.
  3. For example, the following RVC command allows only sslv3 and tlsv1_2, which disables tlsv1 and tlsv1_1; remove sslv3 from the list to disable SSLv3 as well:
    vsan.observer -r -o -s sslv3,tlsv1_2 computers/VSAN-Cluster/

VMware Directory Service (vmdir) - Port 11712

Supports only TLSv1.

Security Token Service (sts) - Port 7444

Default behavior:
Install: TLS protocols are enabled and SSLv3 is disabled.
Upgrade: All protocols are enabled, including SSLv3.

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the server.xml file for the vCenter Single Sign-On.
    • Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

  2. Create a backup copy of the file.

  3. Search for this line:
         '<Connector SSLEnabled="true"'

  4. Append the following to the above line:
           'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"'

  5. Save the file.

  6. Restart the VMware Security Token Service.

  7. To enable SSLv3 along with TLSv1, 1.1, 1.2, find the following line in the server.xml file:
             <Connector SSLEnabled="true"

  8. Edit the line to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
             sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"

  9. Restart the VMware Security Token Service by running this command:
               service vmware-stsd restart


Disabling SSLv3 Protocol

To disable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the server.xml file for the vCenter Single Sign-On.
    • Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

  2. Create a backup copy of the file.

  3. Search for the following line:
     '<Connector SSLEnabled="true"'

  4. Edit the line to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  5. Restart the VMware Security Token Service by running this command:
       service vmware-stsd restart

Virtual Appliance Management Interface (VAMI) service - Port 5480

Enabling SSLv3 Protocol

To enable SSLv3 protocol on VAMI Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf.
  2. Create a backup copy of the file.
  3. Search for this line:

    ssl.use-sslv3="disable"

  4. Modify the line to:

    ssl.use-sslv3="enable"

  5. Save the file.
  6. Restart the VAMI Service with the following command:

    service vami-lighttp restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on VAMI for vCenter Server 5.5 Update 3b follow these steps:

  1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf.
  2. Create a backup copy of the file.
  3. Search for this line:

    ssl.use-sslv3="enable"

  4. Modify the line to:

    ssl.use-sslv3="disable"

  5. Save the file.
  6. Restart the VAMI Service with the following command:

    service vami-lighttp restart

Authentication proxy service - Port 51915

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Authentication proxy service Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Repeat the previous two steps under the SSL3.0 key to create two subkeys. Name the two keys Server and Client.

  6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 0 as the data value.
    • Click OK.

  7. Right-click on the Server key, and select New > DWORD (32-bit) Value.
    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 1 as the data value.
    • Click OK.

  8. Restart the server.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Authentication proxy service for vCenter Server 5.5 Update 3b follow these steps:

  1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Repeat the previous two steps under the SSL3.0 key to create two subkeys. Name the two keys Server and Client.

  6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 0 as the data value.
    • Click OK.

  7. Right-click on the Server key, and select New > DWORD (32-bit) Value.
    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 1 as the data value.
    • Click OK.

  8. Restart the server.

Syslog Collector service - Port 1514

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Access the configuration file from the following locations:

    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to add <enableSSLv3></enableSSLv3> node as shown here:

    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    <enableSSLv3></enableSSLv3>
    </ssl>

  4. For VCSA, remove options=NO_SSLv3 from the configuration file.

  5. Save the file.

  6. Restart the vmsyslogcollector service:

    service syslog-collector restart


Disabling SSLv3 Protocol

To disable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Access the configuration file from the following locations:

    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to remove the <enableSSLv3></enableSSLv3> node as shown here:

    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    </ssl>


  4. For VCSA, add a new line "options=NO_SSLv3" to the /etc/syslog-ng/stunnel.conf configuration file.

  5. Save the file.

  6. Restart the vmsyslogcollector Service:
    /etc/init.d/syslog-collector restart


VMware vSphere Web Client Service (vspherewebclientsvc) - Port 9443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the tomcat-server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="800" acceptCount="300" scheme="https" secure="true"
    clientAuth="false" sslEnabledProtocols="SSLv3, TLSv1,TLSv1.1,TLSv1.2"

  4. Save the file.

  5. Restart the webclient Service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the tomcat-server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="800" acceptCount="300" scheme="https" secure="true"
    clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  4. Save the file.

  5. Restart the webclient Service.

VMware Virtual Center Server (vpxd) - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the vpxd.cfg file:

    • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file to add <sslOptions>16924672</sslOptions> inside the <ssl> element, as shown here, to enable SSLv3:

    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    <sslOptions>16924672</sslOptions>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>


  4. Save the file.

  5. Restart the vpxd service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the vpxd.cfg file:

    • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file to remove <sslOptions>16924672</sslOptions> from the <ssl> element, as shown here, to disable SSLv3:

    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>


  4. Save the file.

  5. Restart the vpxd service.

    • Windows: Restart the VMware VirtualCenter Server service from services.msc

    • vCenter Server Appliance: Run the following command from the command prompt:
      /etc/init.d/vmware-vpxd restart

vCenter Inventory Service database (invsvc) - XDB Port 10109

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Inventory Service database (invsvc) Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the query-server-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the value attribute of the protocols property, as shown here, to enable SSLv3:

    <property name="protocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />

  4. Save the file.

  5. Restart the Inventory Service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Inventory Service database (invsvc) for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the query-server-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the value attribute of the protocols property, as shown here, to disable SSLv3:

    <property name="protocols" value="TLSv1,TLSv1.1,TLSv1.2" />

  4. Save the file.

  5. Restart the Inventory Service.

vCenter Inventory Service HTTPS - Port 10443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Inventory Service HTTPS Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the server-confg.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml


  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the Inventory Service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Inventory Service HTTPS for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the server-confg.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml


  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list as shown here to disable SSLv3:

    <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the Inventory Service.

VMware VirtualCenter Management Webservices - Port 8443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the Management webservices.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list as shown here to disable SSLv3:

    <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the Management webservices.

PBM - Port 8191

Enabling SSLv3 Protocol

To enable SSLv3 protocol on PBM Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the pbm-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\pbm-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/pbm-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the PBM service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on PBM Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the pbm-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\pbm-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/pbm-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list as shown here to disable SSLv3:

    <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the PBM service.

SPS - Port 21100(VCSA), 31100(Windows)

Enabling SSLv3 Protocol

To enable SSLv3 protocol on SPS Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the SPS service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on SPS for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list in sps-spring-config.xml as shown here to disable SSLv3:

    <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the vmware-sps service.

SMS - Port 22100(VCSA), 32100(Windows)

Enabling SSLv3 Protocol

To enable SSLv3 protocol on SMS Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the sms-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sms-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sms-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to the enabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the SMS service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on SMS for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the sms-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sms-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sms-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from the enabledProtocols list in sms-spring-config.xml as shown here to disable SSLv3:

    <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

  4. Save the file.

  5. Restart the vmware-sms service.

Auto Deploy - Port 6501/6502

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Auto Deploy Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Run the following command to connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

  3. Run the following command to re-enable SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

  4. Restart the Auto Deploy service to update the change.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Auto Deploy Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Run the following command to connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

  3. Run the following command to re-enable SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

  4. Restart the Auto Deploy service to update the change.

Log Browser - Port 12443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Log Browser Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the logbrowser.properties file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
    • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties


  2. Create a backup copy of the file.

  3. Edit the file to remove sslv3 from the exclude-protocols line, so that it reads as follows, to enable SSLv3:

    exclude-protocols=""

  4. Save the file.

  5. Restart the Log Browser service.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Log Browser Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Open the logbrowser.properties file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
    • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties


  2. Create a backup copy of the file.

  3. Edit the file to add sslv3 to the exclude-protocols line, so that it reads as follows, to disable SSLv3:

    exclude-protocols=sslv3

  4. Save the file.

  5. Restart the Log Browser service.

HTML5 console - Port 7343

Enabling SSLv3 Protocol

To enable SSLv3 protocol on HTML5 Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Locate the jetty-ngc-ssl.xml file once the vSphere Web Client is running:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro\etc\jetty-ngc-ssl.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/etc/jetty-ngc-ssl.xml

  2. Create a backup copy of the file.

  3. Edit the jetty-ngc-ssl.xml file to append the following line:

    <Item>SSLv3</Item>

    Example:

    <Array type="java.lang.String">
    <Item>TLSv1</Item>
    <Item>TLSv1.1</Item>
    <Item>TLSv1.2</Item>
    <Item>SSLv3</Item>
    </Array>

  4. Save the file.

  5. Restart the jetty service as shown here.

    For Windows:
    • Get the PID and stop Jetty by running the following commands:

      C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> netstat -ano | findstr 7343
      C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> taskkill /F /PID <your-pid>

    • To start Jetty, run the following command:

      C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> java -jar start.jar

    For VCSA:

    • To stop Jetty, run the following commands:

      $ pgrep -f jetty
      $ kill -TERM {pid of jetty}

    • To start Jetty, run the following command:

      $ java -jar /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/start.jar

Disabling SSLv3 Protocol

To disable SSLv3 protocol on HTML5 Webservices for vCenter Server 5.5 Update 3b follow these steps:

  1. Locate the jetty-ngc-ssl.xml file once the vSphere Web Client is running:

    • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro\etc\jetty-ngc-ssl.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/etc/jetty-ngc-ssl.xml

  2. Create a backup copy of the file.

  3. Edit the jetty-ngc-ssl.xml file to remove the following item:

    <Item>SSLv3</Item>

    Example (after removal):

    <Array type="java.lang.String">
    <Item>TLSv1</Item>
    <Item>TLSv1.1</Item>
    <Item>TLSv1.2</Item>
    </Array>

  4. Save the file.

  5. Restart the jetty service as shown here.

    For Windows:
    • Get the PID and stop Jetty by running the following commands:

      C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> netstat -ano | findstr 7343
      C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> taskkill /F /PID <your-pid>

    • To start Jetty, run the following command:

      C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> java -jar start.jar

    For VCSA:

    • To stop Jetty, run the following commands:

      $ pgrep -f jetty
      $ kill -TERM {pid of jetty}

    • To start Jetty, run the following command:

      $ java -jar /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/start.jar
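The vCenter Server sections above all come down to the same audit question for a handful of file formats: does this configuration file, as written, still allow SSLv3? The following Python script is an added example rather than VMware's own tooling. It encodes each section's rule (the Tomcat sslEnabledProtocols attribute in server.xml and tomcat-server.xml, the Spring protocols/enabledProtocols property in the Inventory Service, Management Webservices, PBM, SPS and SMS files, lighttpd ssl.use-sslv3 for VAMI, options=NO_SSLv3 in the syslog collector's stunnel.conf, the enableSSLv3 node in the Windows vmconfig-syslog.xml, the sslOptions value in vpxd.cfg, exclude-protocols in logbrowser.properties and the protocol Array in jetty-ngc-ssl.xml) so a file can be checked before and after an edit. The sample contents at the bottom are constructed for the self-test, not copied from a live system.

```python
"""Offline audit of the vSphere 5.5 configuration files edited in this KB.

Each rule reads one file format and answers a single question: does this
text still allow SSLv3?  The rules encode the edits described in the
sections above; this is added example code, not a VMware tool, and the
sample contents at the bottom are constructed for the self-test.
"""
import re
from typing import Callable, Dict


def _list_has_sslv3(text: str, pattern: str) -> bool:
    """Scan every match of pattern (group 1 holds a comma-separated protocol
    list) and report whether any list names SSLv3."""
    for m in re.finditer(pattern, text, flags=re.IGNORECASE):
        protos = {p.strip().lower() for p in m.group(1).split(",")}
        if "sslv3" in protos:
            return True
    return False


def tomcat_connector(text: str) -> bool:
    """server.xml / tomcat-server.xml: <Connector ... sslEnabledProtocols="...">"""
    return _list_has_sslv3(text, r'sslEnabledProtocols="([^"]*)"')


def spring_property(text: str) -> bool:
    """query-server-config.xml, server-config.xml, *-spring-config.xml:
    <property name="protocols"|"enabledProtocols" value="..."/>"""
    return _list_has_sslv3(
        text, r'<property\s+name="(?:protocols|enabledProtocols)"\s+value="([^"]*)"')


def lighttpd_conf(text: str) -> bool:
    """VAMI lighttpd.conf: ssl.use-sslv3="enable" or "disable"."""
    m = re.search(r'^\s*ssl\.use-sslv3\s*=\s*"(\w+)"', text, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "enable"


def stunnel_conf(text: str) -> bool:
    """VCSA stunnel.conf for the syslog collector: SSLv3 stays on unless a
    line options=NO_SSLv3 is present."""
    return re.search(r'^\s*options\s*=\s*NO_SSLv3\s*$', text,
                     re.MULTILINE | re.IGNORECASE) is None


def syslog_collector_xml(text: str) -> bool:
    """Windows vmconfig-syslog.xml: an <enableSSLv3> node turns SSLv3 on."""
    return re.search(r'<enableSSLv3\s*/?>', text) is not None


def vpxd_cfg(text: str) -> bool:
    """vpxd.cfg: <sslOptions>16924672</sslOptions> under <ssl> enables SSLv3."""
    return re.search(r'<sslOptions>\s*16924672\s*</sslOptions>', text) is not None


def logbrowser_properties(text: str) -> bool:
    """logbrowser.properties: exclude-protocols=sslv3 switches SSLv3 off."""
    m = re.search(r'^\s*exclude-protocols\s*=\s*"?([^"\n]*)"?', text, re.MULTILINE)
    if m is None:
        return True  # nothing excluded
    excluded = {p.strip().lower() for p in m.group(1).split(",")}
    return "sslv3" not in excluded


def jetty_ssl_xml(text: str) -> bool:
    """jetty-ngc-ssl.xml: <Item>SSLv3</Item> inside the protocol Array."""
    return re.search(r'<Item>\s*SSLv3\s*</Item>', text, re.IGNORECASE) is not None


RULES: Dict[str, Callable[[str], bool]] = {
    "tomcat": tomcat_connector,
    "spring": spring_property,
    "lighttpd": lighttpd_conf,
    "stunnel": stunnel_conf,
    "syslog-xml": syslog_collector_xml,
    "vpxd": vpxd_cfg,
    "logbrowser": logbrowser_properties,
    "jetty": jetty_ssl_xml,
}


def sslv3_enabled(kind: str, text: str) -> bool:
    """Apply the rule for the given file kind to the file's contents."""
    return RULES[kind](text)


def audit_file(kind: str, path: str) -> bool:
    """Read a file from disk (e.g. one of the default paths above) and audit it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return sslv3_enabled(kind, fh.read())


# Constructed sample contents (not taken from a real host).
SAMPLES = {
    "tomcat-before": ('<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"\n'
                      '  sslEnabledProtocols="SSLv3, TLSv1,TLSv1.1,TLSv1.2"'),
    "tomcat-after": ('<Connector SSLEnabled="true" '
                     'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"'),
    "spring-after": '<property name="protocols" value="TLSv1,TLSv1.1,TLSv1.2" />',
    "lighttpd-after": 'ssl.engine = "enable"\nssl.use-sslv3="disable"\n',
    "stunnel-before": "[syslog]\naccept = 1514\n",
    "stunnel-after": "[syslog]\naccept = 1514\noptions=NO_SSLv3\n",
    "vpxd-before": ("<ssl><useCompression>true</useCompression>"
                    "<sslOptions>16924672</sslOptions></ssl>"),
    "logbrowser-after": "exclude-protocols=sslv3\n",
    "jetty-before": ('<Array type="java.lang.String">'
                     '<Item>TLSv1.2</Item><Item>SSLv3</Item></Array>'),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:18s} sslv3_enabled={sslv3_enabled(name.split('-')[0], text)}")
```

Call sslv3_enabled(kind, text) on the contents of a file, or audit_file(kind, path) against the default paths listed in each section; a True result means the file still permits SSLv3 and the corresponding disable procedure has not been applied (or has been undone). The rules read the files the way the KB edits them and do not replace a handshake test against the listening port after the service restart.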