TLS protocol configuration options for vSphere Replication 6.1.1 (2145893)

Details

In vSphere Replication 6.1.1, TLS protocol versions 1.0, 1.1, and 1.2 are all enabled by default. This article explains how to change the enabled TLS protocol versions on each individual service of vSphere Replication.

Solution

To disable TLSv1.0, follow the configuration steps for each service listed below.

Service                                               Port   Configuration steps
vSphere Replication Management Service (hms)          8043   Configuration steps for the hms service
vSphere Replication service (hbrsrv)                  8123   Configuration steps for the hbrsrv service
VMware Virtual Appliance Management Interface (VAMI)  5480   Configuration steps for the vami service
VMware vSphere Web Client service (vsphere-client)    9443   Configuration steps for the vspherewebclientsvc service

    NOTE: Always make a backup copy of the configuration file before you start editing.


    Configuration steps for vSphere Replication Management Service - port 8043
    1. Log in to the vSphere Replication appliance over SSH (for example, with PuTTY).
    2. Open the file /opt/vmware/hms/conf/hms-configuration.xml in an editor and remove TLSv1 from the value of hms-ssl-enabled-protocols, so that the value reads TLSv1.1,TLSv1.2.
    3. Save the file.
    4. Restart the hms service:
      /etc/init.d/hms restart

    Configuration steps for vSphere Replication service - port 8123
    1. Log in to the vSphere Replication appliance and to the vSphere Replication server over SSH (for example, with PuTTY).
    2. Open the file /etc/vmware/hbrsrv.xml in an editor, locate the <vmacore><ssl> element and add <sslOptions>117587968</sslOptions> inside it to disable TLSv1.0, so that the section reads:
      <vmacore>
        <ssl>
          <sslOptions>117587968</sslOptions>
        </ssl>
      </vmacore>
    3. Save the file.
    4. Restart the hbrsrv service:
      /etc/init.d/hbrsrv restart
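    The two edits above (hms-ssl-enabled-protocols for port 8043 and <sslOptions> for port 8123) can be scripted instead of made by hand. The following Python is an added example, not VMware's code. It makes two assumptions the KB does not state: that <sslOptions> is an OpenSSL SSL_OP_* bitmask (117587968 is 0x07024000, which with the OpenSSL 1.0.x flag values decomposes into SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TICKET and SSL_OP_NO_COMPRESSION), and that hms-configuration.xml stores the setting as an element named hms-ssl-enabled-protocols whose text is the comma-separated list. It also goes one step beyond the KB by deriving the value that would disable TLSv1.1 as well. The sample XML documents are constructed for the example.

```python
import shutil
import xml.etree.ElementTree as ET

# OpenSSL 1.0.x SSL_OP_* flag values (openssl/ssl.h). The KB gives <sslOptions>
# only as a number; reading it as this bitmask is an assumption of this example.
SSL_OP = {
    "SSL_OP_NO_TICKET":      0x00004000,
    "SSL_OP_NO_COMPRESSION": 0x00020000,
    "SSL_OP_NO_SSLv2":       0x01000000,
    "SSL_OP_NO_SSLv3":       0x02000000,
    "SSL_OP_NO_TLSv1":       0x04000000,
    "SSL_OP_NO_TLSv1_2":     0x08000000,
    "SSL_OP_NO_TLSv1_1":     0x10000000,
}


def ssl_options(*names):
    """OR the named flags into the decimal value hbrsrv.xml expects (KeyError on a typo)."""
    value = 0
    for name in names:
        value |= SSL_OP[name]
    return value


def decode_ssl_options(value):
    """Split a value back into flag names; the second item is any bits this table does not know."""
    known = sorted(name for name, bit in SSL_OP.items() if value & bit)
    unknown = value & ~sum(SSL_OP.values())
    return known, unknown


# The KB's value for "disable TLSv1.0" ...
KB_NO_TLS10 = ssl_options("SSL_OP_NO_SSLv2", "SSL_OP_NO_SSLv3", "SSL_OP_NO_TLSv1",
                          "SSL_OP_NO_TICKET", "SSL_OP_NO_COMPRESSION")   # 117587968
# ... and, beyond the KB, the same mask with TLSv1.1 disabled too (assuming hbrsrv
# passes the value straight to OpenSSL).
NO_TLS10_TLS11 = KB_NO_TLS10 | SSL_OP["SSL_OP_NO_TLSv1_1"]               # 386023424


def set_hms_protocols(xml_text, protocols=("TLSv1.1", "TLSv1.2")):
    """hms-configuration.xml: make hms-ssl-enabled-protocols list exactly `protocols`."""
    root = ET.fromstring(xml_text)
    node = root.find(".//hms-ssl-enabled-protocols")
    if node is None:
        raise ValueError("hms-ssl-enabled-protocols element not found")
    node.text = ",".join(protocols)
    return ET.tostring(root, encoding="unicode")


def set_hbrsrv_ssl_options(xml_text, value=KB_NO_TLS10):
    """hbrsrv.xml: set <vmacore><ssl><sslOptions>, creating <ssl>/<sslOptions> when missing.

    Re-running replaces the existing value instead of adding a second element.
    """
    root = ET.fromstring(xml_text)
    vmacore = root if root.tag == "vmacore" else root.find(".//vmacore")
    if vmacore is None:
        raise ValueError("<vmacore> element not found")
    ssl = vmacore.find("ssl")
    if ssl is None:
        ssl = ET.SubElement(vmacore, "ssl")
    opt = ssl.find("sslOptions")
    if opt is None:
        opt = ET.SubElement(ssl, "sslOptions")
    opt.text = str(value)
    return ET.tostring(root, encoding="unicode")


def edit_file(path, transform):
    """Back the file up as <path>.bak (the KB's note), then rewrite it through `transform`."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_text = transform(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)


# Constructed samples: the real files carry many more settings around these elements.
SAMPLE_HMS = ("<config><hms-ssl-enabled-protocols>TLSv1,TLSv1.1,TLSv1.2"
              "</hms-ssl-enabled-protocols></config>")
SAMPLE_HBRSRV = "<config><vmacore><ssl/></vmacore></config>"

if __name__ == "__main__":
    print(KB_NO_TLS10, decode_ssl_options(KB_NO_TLS10))
    print(set_hms_protocols(SAMPLE_HMS))
    print(set_hbrsrv_ssl_options(SAMPLE_HBRSRV))
    # On the appliance (then restart hms and hbrsrv as in step 4 above):
    # edit_file("/opt/vmware/hms/conf/hms-configuration.xml", set_hms_protocols)
    # edit_file("/etc/vmware/hbrsrv.xml", set_hbrsrv_ssl_options)
```

    ElementTree re-serialises the document without its original comments, whitespace and XML declaration, so diff the rewritten file against the .bak copy before restarting the service.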

    Configuration steps for VMware Virtual Appliance Management Interface (VAMI) - port 5480
    1. Locate the file /opt/vmware/etc/lighttpd/lighttpd.conf.
    2. Create a backup copy of the file.
    3. Open the file in an editor and search for ssl.cipher-list.
    4. In the ssl.cipher-list value, replace TLSv1+HIGH with HIGH and add !TLSv1 directly after it.
      Before the modification, the value is: ssl.cipher-list = "TLSv1+HIGH: !SSLv2: !aNULL: !eNULL: !3DES: !DHE-RSA-AES128-SHA: !DHE-RSA-AES256-SHA: @STRENGTH"
      After the modification, the value must be: ssl.cipher-list = "HIGH: !TLSv1: !SSLv2: !aNULL: !eNULL: !3DES: !DHE-RSA-AES128-SHA: !DHE-RSA-AES256-SHA: @STRENGTH"
    5. Save the file.
    6. Restart the VAMI service with the following command: service vami-lighttp restart
    NOTE: Disabling TLSv1.0 this way also disables TLSv1.1 on port 5480. The !TLSv1 keyword removes every cipher suite that predates TLS 1.2, and TLS 1.1 defines no cipher suites of its own, so a TLS 1.1 handshake has nothing left to negotiate.
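    The cipher-list edit in step 4 is easy to get wrong by hand (keeping the TLSv1+ qualifier on HIGH, for instance, leaves nothing for !TLSv1 to keep). The following Python applies the edit mechanically to a lighttpd.conf; it is an added example, not VMware's code. The file path is the KB's, the constructed configuration excerpt uses the KB's "before" value verbatim, and the surrounding lines in the sample are invented for illustration.

```python
import re
import shutil

# Matches an assignment line such as:  ssl.cipher-list = "..."   (commented lines do not match)
CIPHER_LINE = re.compile(r'^(\s*ssl\.cipher-list\s*=\s*)"([^"]*)"(.*)$')


def harden_cipher_list(value):
    """Apply the KB's edit to one cipher-list string and return the new string.

    * "TLSv1+HIGH" becomes "HIGH": the qualifier limited HIGH to the pre-TLS 1.2
      suites, exactly the set !TLSv1 removes, so keeping it would empty the list.
    * "!TLSv1" is inserted right after the first positive selector; it permanently
      removes every suite that predates TLS 1.2, which is why TLS 1.1 (which has
      no suites of its own) stops working as well.
    Tokens are split on ':' only (OpenSSL also accepts ',' and ' ', not handled here).
    Already-hardened input is returned unchanged.
    """
    tokens = [t.strip() for t in value.split(":") if t.strip()]
    tokens = [t[len("TLSv1+"):] if t.startswith("TLSv1+") else t for t in tokens]
    if "!TLSv1" not in tokens:
        first_positive = next((i for i, t in enumerate(tokens)
                               if not t.startswith(("!", "-", "@"))), -1)
        tokens.insert(first_positive + 1, "!TLSv1")
    return ": ".join(tokens)   # same spacing the KB shows; OpenSSL ignores the spaces


def harden_lighttpd_conf(conf_text):
    """Rewrite the ssl.cipher-list line(s) of a lighttpd.conf; every other line is left untouched."""
    lines = conf_text.split("\n")
    hits = 0
    for i, line in enumerate(lines):
        m = CIPHER_LINE.match(line)
        if m:
            lines[i] = '{}"{}"{}'.format(m.group(1), harden_cipher_list(m.group(2)), m.group(3))
            hits += 1
    if not hits:
        raise ValueError("no ssl.cipher-list line found; the file may use a different layout")
    return "\n".join(lines)


def harden_lighttpd_file(path="/opt/vmware/etc/lighttpd/lighttpd.conf"):
    """Back the file up as <path>.bak (the KB's step 2), then rewrite it in place."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(harden_lighttpd_conf(text))


# Constructed excerpt; the cipher-list line is the KB's "before" value verbatim.
SAMPLE_CONF = '''server.port = 5480
ssl.engine = "enable"
ssl.cipher-list = "TLSv1+HIGH: !SSLv2: !aNULL: !eNULL: !3DES: !DHE-RSA-AES128-SHA: !DHE-RSA-AES256-SHA: @STRENGTH"
ssl.use-sslv2 = "disable"
'''

if __name__ == "__main__":
    print(harden_lighttpd_conf(SAMPLE_CONF))
    # On the appliance, followed by: service vami-lighttp restart
    # harden_lighttpd_file()
```

    Run it once on the appliance and then restart the VAMI service as in step 6; running it a second time is harmless because an already-hardened cipher list is returned unchanged.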


    Configuration steps for VMware vSphere Web Client service - port 9443
    1. Open the file webclient.properties from the following location on the vCenter Server system:
      Windows default location: C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client
      vCenter Server Appliance default location: /etc/vmware/vsphere-client
    2. Add the following line:
      vr.ssl.enabledProtocols = TLSv1.1,TLSv1.2
    3. Save the file.
    4. Restart the vSphere Web Client service:
      On Windows, click Start > Run, enter services.msc, and restart the VMware vSphere Web Client service.
      On the vCenter Server Appliance, run the following command: service vsphere-client restart
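    The KB gives no verification step. The following Python is an added example (not VMware's code) that checks the result from the outside: it attempts one handshake per port and per protocol version, with the client pinned to exactly that version, and reports which versions each service still accepts. The port numbers are the KB's; the host name is whatever you pass on the command line. A handshake that fails after the TCP connection succeeds is reported as "rejected", which is what a disabled protocol version looks like from a client.

```python
import socket
import ssl

# Ports from the KB's table. vsphere-client runs on vCenter Server, the others on the appliance.
APPLIANCE_PORTS = {"hms": 8043, "hbrsrv": 8123, "vami": 5480}
VCENTER_PORTS = {"vsphere-client": 9443}

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, version, timeout=5.0):
    """Try one handshake pinned to exactly `version`.

    Returns "accepted", "rejected" (TCP connected, handshake failed), "unreachable"
    (no TCP connection) or "client-unsupported" (the local OpenSSL cannot speak that
    version at all). Certificate validation is deliberately off: the question is which
    protocol versions the server offers, not whether its certificate is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError:
        return "client-unsupported"
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; drop to
        # level 0 so that the server, not this client, decides the outcome.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels keep their default cipher list
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
        except (ssl.SSLError, OSError):
            return "rejected"


def audit(host, ports, must_reject=("TLSv1.0",)):
    """Probe every port/version pair.

    Returns the result table {(service, version): outcome} and the list of
    (service, version) pairs that accepted a version the policy says must be off.
    """
    results = {}
    for service, port in ports.items():
        for name, version in VERSIONS.items():
            results[(service, name)] = probe(host, port, version)
    violations = [key for key, outcome in results.items()
                  if key[1] in must_reject and outcome == "accepted"]
    return results, violations


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    table, bad = audit(host, APPLIANCE_PORTS)
    for (service, name), outcome in sorted(table.items()):
        print(f"{service:8} {name}: {outcome}")
    print("policy met" if not bad else f"still accepting: {bad}")
```

    Run it against the appliance address after the restarts (and against the vCenter Server address with VCENTER_PORTS for port 9443). On port 5480 expect TLSv1.1 to be rejected as well, as the note for the VAMI steps explains; on the other ports only TLSv1.0 should be rejected. If every version comes back "client-unsupported", the local OpenSSL was built without the old protocols and the check has to be run from an older client.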
