TLS protocol configuration options for vCenter Support Assistant (2146079)

Details

vCenter Support Assistant accepts and initiates connections only over the HTTPS protocol. Incoming connections arrive on ports 8443 and 443; outbound connections go to a configurable set of vCenter Server Single Sign-On, vCenter Server and ESXi instances, and to vmware.com.
You can whitelist incoming TLS/SSL protocols and ciphersuites so that older browser versions and older versions of vSphere can still communicate with vCenter Support Assistant. You can blacklist any SSL/TLS algorithm for both inbound and outbound connections to enhance the security of your environment. Blacklists take priority over whitelists: a protocol or ciphersuite that appears in both lists is disabled.
This document describes how to enable or disable specific ciphersuites and TLS/SSL protocol versions for the vCenter Support Assistant services in order to enhance the security of your environment. To ensure successful operation of the product, the TLS/SSL versions you leave enabled must also be supported on all endpoints that vCenter Support Assistant communicates with.

NOTE: Always make a backup copy of the configuration file before you start editing.

Solution

To configure the SSL/TLS connections of vCenter Support Assistant, use the following procedures.

NOTE: To enable SSH protocol for the vCenter Support Assistant virtual appliance, see KB 2076086.
 
Whitelisting protocols and ciphers for vCenter Support Assistant Service - port 8443
  1. Log in to the vCenter Support Assistant appliance over the SSH protocol.
  2. Open the /etc/vmware-phonehome/settings/program/SslSettingsServerProtocols.json file in an editor and change the contents to "TLSv1.2,TLSv1.1". Only the protocol versions listed here are offered on port 8443.
  3. To change the set of supported ciphers, open the /etc/vmware-phonehome/settings/program/SslSettingsServerCiphers.json file in an editor and change the contents according to your needs.
  4. Save the file.
  5. Run this command to restart the service:
    service vmware-phonehome restart
Whitelisting protocols and ciphers for vCenter Support Assistant Installer - port 443
  1. Log in to the vCenter Support Assistant appliance over the SSH protocol.
  2. To disable the TLSv1 and SSLv2Hello protocols, open the /usr/lib/vmware-phonehome/config/tomcat-server.xml file in an editor and change the value of the sslEnabledProtocols attribute to "TLSv1.2,TLSv1.1".
  3. To change the set of supported ciphers, open the /usr/lib/vmware-phonehome/config/tomcat-server.xml file in an editor and change the value of the ciphers attribute according to your needs.
  4. Save the file.
  5. Run this command to restart the service:
    service vmware-phonehome-cfg restart
NOTE: Whitelisting a protocol or ciphersuite is not sufficient on its own; to enable it, you must also remove it from the blacklist described in the next procedure.
 
Blacklisting algorithms for all SSL/TLS connections
  1. Log in to the vCenter Support Assistant appliance over the SSH protocol.
  2. Open the /usr/java/jre-vmware/lib/security/java.security file in an editor and change the value of the jdk.tls.disabledAlgorithms property according to your needs. Algorithms listed in this property are disabled for every inbound and outbound connection, regardless of the whitelists.
  3. Save the file.
  4. Run the following commands to restart the services:
    service vmware-phonehome restart
    service vmware-phonehome-cfg restart
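The three procedures above interact: the two whitelists decide what each port offers, and the java.security blacklist overrides both. The following script is an added example (not VMware's code) that applies that rule to the three files named in this article and reports the protocol set that is actually enabled on ports 8443 and 443; the file contents below are constructed samples, so on a real appliance read the files from the paths given above instead.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample contents of the three files named in the article.
PROTOCOLS_JSON = '"TLSv1.2,TLSv1.1"'  # SslSettingsServerProtocols.json
TOMCAT_XML = ('<Server><Service><Connector port="443" scheme="https" '
              'sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"/></Service></Server>')
JAVA_SECURITY = ("# constructed excerpt of java.security\n"
                 "jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, MD5withRSA, \\\n"
                 "    DH keySize < 768\n")

def split_list(value):
    """Split a comma-separated list as used by all three files."""
    return [item.strip() for item in value.split(",") if item.strip()]

def json_whitelist(text):
    """Protocol whitelist for port 8443: the JSON file holds one string."""
    return split_list(json.loads(text))

def tomcat_whitelist(text):
    """Protocol whitelist for port 443: sslEnabledProtocols on the Connector."""
    for connector in ET.fromstring(text).iter("Connector"):
        if "sslEnabledProtocols" in connector.attrib:
            return split_list(connector.attrib["sslEnabledProtocols"])
    return []

def java_blacklist(text):
    """jdk.tls.disabledAlgorithms from java.security, joining backslash continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    m = re.search(r"^jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$", joined, re.M)
    return split_list(m.group(1)) if m else []

def effective_protocols(whitelist, blacklist):
    """Blacklist wins: a protocol present in both lists stays disabled."""
    return [p for p in whitelist if p not in blacklist]

def audit(protocols_json, tomcat_xml, java_security):
    """Per port: what is really enabled, and which whitelist entries are void."""
    blacklist = java_blacklist(java_security)
    report = {}
    for port, whitelist in (("8443", json_whitelist(protocols_json)),
                            ("443", tomcat_whitelist(tomcat_xml))):
        enabled = effective_protocols(whitelist, blacklist)
        ignored = [p for p in whitelist if p in blacklist]
        report[port] = {"enabled": enabled, "ignored_by_blacklist": ignored,
                        "tls12_available": "TLSv1.2" in enabled}
    return report

if __name__ == "__main__":
    print(audit(PROTOCOLS_JSON, TOMCAT_XML, JAVA_SECURITY))
```

With the sample files, TLSv1 is still whitelisted in tomcat-server.xml but reported as ignored because the blacklist disables it; an empty "enabled" list or a missing TLSv1.2 would indicate a configuration that breaks connectivity.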
