Search the VMware Knowledge Base (KB)
View by Article ID

Configuring SSLv3 protocol on vSphere 5.0 (2146252)

  • 0 Ratings
Language Editions

Details

Support for SSLv3 protocol is enabled by default and is configurable.

Note: To disable SSLv3 in your vSphere environment, you need to update ESXi to ESXi 5.0 patch [3982828] released on 06/14/2016 and update vCenter Server to vCenter Server 5.0 Update 3g first and then manually disable SSLv3 through configuration settings, for more information, see KB 2139396.
 
 ESXi hosts updated to ESXi 5.0 patch [3982828] released on 06/14/2016 can be managed by older vCenter Server only if SSLv3 is not disabled in ESXi hosts.  

VMware highly recommends you to update ESXi hosts to ESXi 5.0 patch [3982828] while managing them from vCenter Server 5.0 Update 3g. 
    The following products might not work if SSLv3 is disabled in your vSphere 5.0 environment:
  • Site Recovery Manager 
  • Big Data Extensions 
  • vCloud Director 
  • vCenter or vRealize Infrastructure Navigator 
  • vShield or vCloud Networking and Security 
  • vSphere Data Recovery
   For more information on products eligible for SSLv3 disablement with vSphere 5.0, see KB 2145488.

   

Solution

vSphere 5.0 Ports and Services

Service

Port

Configuration Steps
Hostd
443
Authd
902
SFCBD
5989
Virtual Appliance Management Interface (VAMI)
5480
Authentication proxy service (CAM)
51915
Syslog Collector (vmsyslogcollector)
1514
VMware vSphere Web Client Service (vspherewebclientsvc)
9443
VirtualCenter Server service (vpxd)
443
vCenter Inventory Service database (invsvc)
10109
VMware VirtualCenter Management Webservices
8443
SPS
21100(VCSA),
31100(windows)
Auto Deploy servie port
Auto Deploy management port
6501
6502
vSphere Update Manager 8084/9087
vCenter Server Appliance5489vCenter Server Appliance

Hostd service - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Hostd service for ESXi 5.0 patch released on 06/14/2016 follow these steps:

  1. Login to ESXi using putty.exe

  2. To enable SSLv3 is run the following command:

    esxcli system settings advanced set -o /UserVars/ESXiHostdDisabledProtocols -s ""

  3. Restart the rhttpproxy services by running the following command:

    /etc/init.d/hostd restart

  4. Run the following command to get a list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiHostdDisabledProtocols

    Where:
    Path: /UserVars/ESXiHostdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *

Disabling SSLv3 Protocol

To disable SSLv3 protocol follow these steps:

  1. Login to ESXi using putty.exe

  2. Run the following command to disable SSLv3:

    esxcli system settings advanced set -o /UserVars/ESXiHostdDisabledProtocols -s "SSLv3"

  3. Restart the rhttpproxy services by running the following command:

    /etc/init.d/hostd restart

  4. Run the following command to get a list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiHostdDisabledProtocols

    Where:
    Path: /UserVars/ESXiHostdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *



In event of unexpected behavior, restore the earlier backed up proxy configuration file to revert the system to clean state, as it was before.

HostProfile

Configuration of the Hostd can also be captured through host profile by following these steps:

  1. Log in to VC with vSphere Web Client.
  2. Right click the target host and click Extract Host Profile to create a new hostprofile.
  3. After the hostprofile is created, navigate to Home > Host Profiles > your_host_profile to edit it.
  4. In the Edit Host Profiles tab, you can find the entry for hostd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > ESXiHostdDisabledProtocols
  5. The application of hostd in host profile is the same as other settings. If the configuration for hostd is included in host profile, difference between host profile and target host for hostd is displayed and replaced when choosing the target host to apply the host profile.

Authd - Port 902

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Authd service for ESXi 5.0 patch released on 06/14/2016follow these steps:

  1. Login to ESXi using putty.exe.

  2. To enable SSLv3, run the following command:

    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols50 -s ""

  3. Run the following command to get a list of disabled protocols for authd:

    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols50

    Where:
    Path: /UserVars/VMAuthdDisabledProtocols50
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *

Disabling SSLv3 Protocol
To disable SSLv3 protocol follow these steps:
  1. Login to ESXi using putty.exe
  2. To disable sslv3, run the following command:

    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols50 -s "sslv3"

  3. Run the following command to get a list of disabled protocols for authd:

    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols50

    Where:
    Path: /UserVars/VMAuthdDisabledProtocols50
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *
In event of unexpected behavior, restore the earlier backed up proxy configuration file to revert the system to clean state, as it was before.

HostProfile

Configuration of the Authd can also be captured through host profile by following these steps:
  1. Log in to VC with vSphere Web Client.
  2. Right click the target host and click Extract Host Profile to create a new hostprofile.
  3. After the hostprofile is created, navigate to Home > Host Profiles > your_host_profile to edit it.
  4. In the Edit Host Profiles tab, you can find the entry for authd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > VMAuthdDisabledProtocols50.
  5. The application of authd in host profile is the same as other settings. If the configuration for authd is included in host profile, difference between host profile and target host for authd is displayed and replaced when choosing the target host to apply the host profile.

SFCBD - Port 5989

Enabling SSLv3 Protocol

To enable SSLv3 protocol on SFCBD service for ESXi 5.0 patch released on 06/14/2016 follow these steps:
  1. Log in to ESXi usingputty.exe.

  2. Run the following command and edit the file:

    vi /etc/sfcb/sfcb.cfg

    enableSSLv3: true

  3. Save the file.
  4. Restart the service for configuration to take effect using below command:

    /etc/init.d/sfcbd-watchdog restart
Disabling SSLv3 Protocol

To disable SSLv3 protocol on SFCBD service for ESXi 5.0 patch released on 06/14/2016 follow these steps:
  1. Log in to ESXi using putty.exe.

  2. Run the following command to modify the file and to disable SSLv3:

    vi /etc/sfcb/sfcb.cfg

  3. Add new entry similar to the following to disable SSLv3. If the entry exists, set the value to false:

    enableSSLv3: false

  4. Save the file.
HostProfile

Configuration for CIM can also be captured by host profile:

  1. Log in to vCenter Server with C#.
  2. Right click the target host and click Extract Host Profile to create a new host profile.
  3. Choose Home > Host Profiles > your host profile to edit it.
  4. On the Edit Host Profiles tab, > Select General System Settings> Management Agent Confirguraion under SFCB Configuration > Settings > enable sslv3.
  5. Apply the host profile to stateful or stateless systems.
  6. Restart the service for configuration to take effect using below command:

    /etc/init.d/sfcbd-watchdog restart



Virtual Appliance Management Interface (VAMI) service - Port 5480

Enabling SSLv3 Protocol

To enable SSLv3 protocol on VAMI service for vCenter Server 5.0 Update 3g follow these steps:

  1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf file.

  2. Create a backup copy of the file.

  3. Search for this line:
    ssl.use-sslv3="disable"

  4. Modify the line to:
    ssl.use-sslv3="enable"

  5. Save the file.

  6. Restart the VAMI Service with the following command:

    service vami-lighttp restart
Disbaling SSLv3 Protocol

To disable SSLv3 protocol on VAMI service for vCenter Server 5.0 Update 3g follow these steps:

  1. Go to/opt/vmware/etc/lighttpd/lighttpd.conf.

  2. Create a backup copy of the file.

  3. Search for this line:
    ssl.use-sslv3="enable"

  4. Add the following line in the cofig file, in case there is no ssl.use-sslv3="enable"
    ssl.engine = "enable"

  5. Modify the line to:
    ssl.use-sslv3="disable"

  6. Save the file.
  7. Restart the VAMI Service with the following command:
    service vami-lighttp restart

Authentication proxy (CAM) service - Port 51915

Enabling SSLv3 Protocol

To enable SSLv3 protocol on CAM service for vCenter Server 5.0 Update 3g follow these steps:

  1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Repeat step 5 to create two SSL3.0 keys. Name the two keys as Server and Client.

  6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 0 as the data value.
    • Click OK.

  7. Right-click on the Sever key, and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 1 as the data value.
    • Click OK

  8. Restart the server.
Disbaling SSLv3 Protocol

To disable SSLv3 protocol on CAM service forvCenter Server 5.0 Update 3g follow these steps:

  1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Create two keys under SSL3.0 key and name them as Server and Client.

  6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 1 as the data value.
    • Click OK.

  7. Right-click on the Sever key, and select New > DWORD (32-bit) Value.
    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 0 as the data value.
    • Click OK
  8. Restart the server.

Syslog Collector service - Port 1514

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Syslog Collector service for vCenter Server 5.0 Update 3g follow these steps:

  1. Access the configuration file from the following locations:
    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location:/etc/syslog-ng/stunnel.conf.

  2. Create a backup copy of the file.
  3. For Windows, edit the file to remove <disableSSLv3></disableSSLv3> node as shown here:
    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    </ssl>


  4. For VCSA:
    Remove options=NO_SSLv3 from the configuration file.

  5. Save the file and restart.

  6. Window: Restart the vmsyslogcollector Service.
    VCSA: Service syslog-collector restart
Disabling SSLv3 Protocol

To disable SSLv3 protocol on Syslog Collector service for vCenter Server 5.0 Update 3g follow these steps:

  1. Access the configuration file from the following locations:
    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to add <disableSSLv3></disableSSLv3> node as shown here:
    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    <disableSSLv3></disableSSLv3>
    </ssl>


  4. For VCSA:
    Add new line "options=NO_SSLv3" in the /etc/syslog-ng/stunnel.conf configuration file.

  5. Save the file and restart.
    Windows: Restart the vmsyslogcollector service
    VCSA: /etc/init.d/syslog-collector restart

VMware vSphere Web Client Service (vspherewebclientsv) - Port 9443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on vSphere Web Client Service service forvCenter Server 5.0 Update 3g follow these steps:

  1. Open thetomcat-server.xml file:
    • Windows default location:C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
    • vCenter Server Appliance default location:/usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to sslEnabledProtocols list as shown here to enable SSLv3:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="SSLv3, TLSv1">

  4. Save the file.

  5. Restart the Management webservices.

    Windows: Restart VMware management webservices service.

    VCSA: Restart VPXD service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on vSphere Web Client Service service for vCenter Server 5.0 Update 3g follow these steps:

  1. Open the tomcat-server.xml file:

    • Windows default location:C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml

    • vCenter Server Appliance default location:/usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 to sslEnabledProtocols="TLSv1" list as shown here to disable SSLv3:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="TLSv1">

  4. Save the file.

  5. For windows, restart the VMware Management webservices.

  6. For VCSA, restart VPXD.

VMware Virtual Center Server (vpxd) - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Virtual Center Server service forvCenter Server 5.0 Update 3g follow these steps:

  1. Open the vpxd.cfg file:

    • Windows default location:C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location:/etc/vmware-vpx/vpxd.cfg
  2. Create a backup copy of the file.

  3. Edit the file remove the <sslOptions></sslOptions> to enable SSLv3 respectively:
      <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>


  4. Save the file.

  5. Restart the vpxd Service.
    • Windows default location: Restart the VMware VirtualCenter Server service from services.msc

    • vCenter Server Appliance: Execute the command from command prompt:
      /etc/init.d/vmware-vpxd restart.

Disbaling SSLv3 Protocol

To disable SSLv3 protocol on Virtual Center Server service forvCenter Server 5.0 Update 3g follow these steps:  

  1. Open the  vpxd.cfg file:
    • Windows default location:C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg  
  2. Create a backup copy of the file.

  3. Edit the file to add<sslOptions>50479104</sslOptions> to disable SSLv3:
    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    <sslOptions>50479104</sslOptions>

    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>


  4. Save the file.

  5. Restart the vpxd Service.

    • Windows default location: Restart the VMware VirtualCenter Server service from services.msc

    • vCenter Server Appliance: Execute the command from command prompt:
      /etc/init.d/vmware-vpxd restart.

vCenter Inventory Service database (invsvc) - XDB Port 10109, 10443  

Enabling SSLv3 Protocol

To enable SSLv3 protocol on invsvc service for vCenter Server vCenter Server 5.0 Update 3g follow these steps:

  1. Open the query-server-config.xml file:

    • Windows default location:C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
    • vCenter Server Appliance default location:/usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to enabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1" />

  4. Save the file.

  5. Restart the Inventory Services.
Disbaling SSLv3 Protocol

To disable SSLv3 protocol on invsvc service forvCenter Server 5.0 Update 3g follow these steps:

  1. Open the query-server-config.xml file:
    • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml.
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml.

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 from enabledProtocols list disable SSLv3:

    <property name="enabledProtocols" value="TLSv1" />

  4. For VCSA:
    Change the corresponding query-server-config.xml and server-config.xml files available in usr/lib/vmware-vpx/inventoryservice/lib/server/config

  5. Save the file.

  6. Restart the Inventory Service.  

VMware Virtual Center Management Webservices - Port 8443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.0 Update 3g follow these steps:

  1. Open theeserver.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 tosslEnabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1"/>

  4. Save the file.

  5. For windows, restart the VMware Management webservices.

  6. For VCSA, restart VPXD.  
Disabling SSLv3 Protocol

To disable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.0 Update 3g follow these steps:

  1. Open the server.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 to sslEnabledProtocols list as shown here to disable SSLv3:

    <property name="enabledProtocols" value="TLSv1"/>

  4. For VCSA:

    Change the value in /usr/lib/vmware-vpx/tomcat/conf/server.xml file.

  5. Save the file.

  6. Restart the Management webservices.

    Windows: Restart VMware management webservices service.

    VCSA: Restart VPXD service.  
 

SPS - Port 21100(VCSA), 31100(Windows)

Enabling SSLv3 Protocol
To enable SSLv3 protocol on SPS for vCenter Server 5.0 Update 3g follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml  
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. Edit the file to add value SSLv3 to enabledProtocols list as shown here to enable SSLv3:

    <property name="enabledProtocols" value="SSLv3,TLSv1 "/>

  4. Save the file.

  5. Restart the SPS service.  

Disabling SSLv3 Protocol
To disable SSLv3 protocol on SPS for vCenter Server 5.0 Update 3g follow these steps:

  1. Open the sps-spring-config.xml file:

    • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

  2. Create a backup copy of the file.

  3. To disable SSLv3, remove the string SSLv3 from the list of EnabledProtocols insps-spring-config list:

    Change <property name="enabledProtocols" value="SSLv3,TLSv1"/>" to <property name="enabledProtocols" value="TLSv1"/>"

  4. Save the file.

  5. Restart the vmware-sps service.  

Auto Deploy - Port 6501/6502

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Auto Deploy service for vCenter Server 5.0 Update 3g follow these steps:

  1. Run the following command to Connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

    KeyValue

    vlan-id0
    disable-sslv31

  3. Run the following command to enable SSLv3:

    To enable: PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

  4. Restart the Auto Deploy service to update the change.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on Auto Deploy service forvCenter Server 5.0 Update 3g follow these steps:

  1. Run the following command to Connect to vCenter Server:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

  2. Run the following command to check the current status of SSLv3:

    PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption
    KeyValue
    vlan-id0
    disable-sslv30

  3. Open modify autodeploy config file, to disable SSLv3:

    • Windows default location: c:\ProgramData\VMware\VMware vSphere Autodeploy\vmconfig-autodeploy
    • vCenter Server Appliance default location: /etc/vmware-rbd/autodeploy-setup.xml

  4. Edit the file and change the value from True to False to diasble sslv3 as shown here:

    <ssl>
    <disable-sslv3>False</disable-sslv3>
    <ssl>


  5. Run the following command to disable SSLv3:

    To disable:PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 1

  6. Restart the Auto Deploy service to update the change.

Update Manager - Port 9087/8084  

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Update Manager service forvCenter Server 5.0 Update 3g follow these steps:

  1. Stop the vSphere Update Manager service.

  2. Go to Update Manager Install Directory.

  3. Edit the following to enable SSLv3:
    • For port 9087, search and delete <Item>SSLv3</Item> from the jetty-vum-ssl.xml file:
                <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Arg>
      <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
      <Item>SSLv3</Item>
      </Array>
      </Set>
      </New>
      </Arg>


    • For port 8084 , search and delete <sslOptions>33554432</sslOptions> from the vci-interity.xml file:

      <ssl>
      <cipherList>AES128-SHA, AES256-SHA</cipherList>
      <handshakeTimeoutMs>120000</handshakeTimeoutMS>
      <sslOptions>33554432</sslOptions>
      <ssl>
      <ssl>
      <privateKey>ssl/rui.key</privateKey>
      <certificate>ssl/rui.crt</certificate>
      <sslOptions>33554432</sslOptions>
      <ssl>

  4. Save and Restart the vSphere Update Manager service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on Update Manager service forvCenter Server 5.0 Update 3g follow these steps:

  1. Stop the vSphere Update Manager service.

  2. Go to Update Manager Install Directory.

     
  3. Edit the following to disable SSLv3:

       
    • For port 9087, add the following text after the <New class="org.eclipse.jetty.server.ssl.SslSocketConnector"> to the jetty-vum-ssl.xml file:
       
      <Arg>
      <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
      <Set name="ExcludeProtocols">
      <Array type="java.lang.String">
      <Item>SSLv3</Item>
      </Array>
      </Set>
      </New>
      </Arg>

                 
                     
    • For port 8084, add <sslOptions>33554432</sslOptions> to the vci-interity.xml file:
      <ssl>
      <cipherList>AES128-SHA, AES256-SHA</cipherList>
      <handshakeTimeoutMs>120000</handshakeTimeoutMS>
      <sslOptions>33554432</sslOptions>
      <ssl>
      <ssl>
      <privateKey>ssl/rui.key</privateKey>
      <certificate>ssl/rui.crt</certificate>
      <sslOptions>33554432</sslOptions>
      <ssl>

  4. Save and Restart the vSphere Update Manager service.

vCenter Server Appliance - Port 5489

SSLv3 is not configurable on this port and this issue is specific to VCSA. Login to VCSA server using an SSH client.

  1. Run the following command to go to init.d directory:
    cd /etc/init.d/

  2. Run the following command to create new file:
    vi vami_port

  3. Add the following content to the vami_port file:
    #!/bin/bash
    ### BEGIN INIT INFO
    # Provides: vami_port
    # Required-Start: vaos
    # Required-Stop:
    # Default-Start: 3 5
    # Default-Stop:
    ### END INIT INFO
    . /etc/rc.status
    rc_reset
    /usr/sbin/iptables -A INPUT -i eth0 -p tcp --dport 5489 -j REJECT
    rc_exit

  4. Run the following command to change permissions of vami_port file:
    chmod 755 vami_port

  5. Run the following command to execute the script:
    ./vami_port or sh vami_port

  6. Run the following command to insert the vami_port file as a service:
    insserv vami_port

Additional Information

For translated versions of this article, see:

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 0 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 0 Ratings
Actions
KB: