
Configuring SSLv3 protocol on vSphere 5.5 (2146255)


Details

ESXi 550-201608001 Patch/ vCenter 5.5 Update 3e Release

 
Important: Always upgrade vCenter Server to version 5.5 Update 3e before you update ESXi to ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016, to avoid interoperability issues caused by the disabling of SSLv3.

Support for the SSLv3 protocol is disabled by default
Note: In your vSphere environment, you need to update vCenter Server to vCenter Server 5.5 Update 3e before updating ESXi to ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016. If you update ESXi before updating vCenter Server to version 5.5 Update 3e, vCenter Server will not be able to manage ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016. For more information about the sequence in which vSphere environments need to be updated, refer to KB 2057795.

  • VMware highly recommends that you update ESXi hosts to ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 while managing them from vCenter Server 5.5 Update 3e.

     VMware does not recommend re-enabling SSLv3 because of the POODLE vulnerability. If you must enable SSLv3, you need to enable the SSLv3 protocol for all components. For more information, refer to KB 2139396.

     
  • vSphere 5.5 Update 3e enables support for the TLS versions 1.1 and 1.2 for most of the vSphere components without breaking the previously supported compatibility or interoperability. See KB 2145818 for the list of supported TLS protocols. 

vSphere 5.5 Update 3b Release

Important: Always upgrade vCenter Server to version 5.5 Update 3b before you update ESXi to ESXi 5.5 Update 3b, to avoid interoperability issues caused by the disabling of SSLv3.

Solution

vSphere ESXi550-201607001 Patch/ vCenter Server 5.5 Update 3e Ports and Services

Note: Always take a backup copy of the configuration file before editing when applying the following steps.

Service | Port | Configuration Steps
Hostd | 443 | Hostd Service
Authd | 902 | Authd Service
SFCBD | 5989 | SFCBD Service
vSAN VP | 8080 | vSAN VP Service
vSAN Observer | 8010 | vSAN Observer Service
VMware Directory Service (vmdir) | 11712 | Vmdir Service
Security Token Service (SSO) | 7444 | STS Service
Virtual Appliance Management Interface (VAMI) | 5480 | VAMI Service
Authentication proxy service (CAM) | 51915 | Authentication proxy Service
Syslog Collector (vmsyslogcollector) | 1514 | Vmsyslogcollector Service
VMware vSphere Web Client Service (vspherewebclientsvc) | 9443 | Vspherewebclientsvc Service
VirtualCenter Server service (vpxd) | 443 | Vpxd Service
vCenter Inventory Service database (invsvc) | 10109 | Inventory Service Database
vCenter Inventory Service HTTPS | 10443 | Inventory Service HTTPS
VMware VirtualCenter Management Webservices | 8443 | VMware VirtualCenter Management Webservices
PBM | 8191 | PBM Service
SPS | 21100 (VCSA), 31100 (Windows) | SPS Service
SMS | 22100 (VCSA), 32100 (Windows) | SMS Service
Auto Deploy service | 6501, 6502 | Auto Deploy Service
Update Manager | 9087/8084 | Update Manager Service
FDM | 8182 | FDM Service

Hostd service - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Hostd service for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.
  2. SSLv3 is disabled by default. Run the following command to enable it:
    esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols -s ""
  3. Run the following command to confirm the configuration changes:
    # esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols
    Path: /UserVars/ESXiRhttpproxyDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value: sslv3
    Valid Characters: *
    Description: Rhttpproxy disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

  4. Run the following command to restart the service so that the configuration takes effect:
    /etc/init.d/rhttpproxy restart
  5. Hostd configuration changes can be captured in a host profile:
    a. Log in to vCenter Server (VC) with a web browser.
    b. Right-click the target host and choose "Extract Host Profile" to create a new host profile.
    c. Once the host profile is created, choose Home --> Host Profiles --> your host profile to edit it.
    d. On the "Edit Host Profiles" tab, find the entry for Hostd under [Advanced Configuration Settings] --> [Advanced Options] --> [Advanced Configuration Options] --> userVars.ESXiRhttpproxyDisabledProtocols
    e. The Hostd setting is applied in the same way as other host profile settings. If the host profile includes the Hostd configuration, the difference between the host profile and the target host is displayed, and the host's value is replaced, when you apply the host profile to the target host.


Disabling SSLv3 Protocol

To disable SSLv3 protocol on Hostd service for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.
  2. Run the following command to disable SSLv3:
    esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols -s "sslv3"
  3. Run the following command to confirm the configuration changes:
    # esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols
    Path: /UserVars/ESXiRhttpproxyDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value: sslv3
    Valid Characters: *
    Description: Rhttpproxy disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

  4. Restart the rhttpproxy service.
  5. Hostd configuration changes can be captured in a host profile:
    a. Log in to vCenter Server (VC) with a web browser.
    b. Right-click the target host and choose Extract Host Profile to create a new host profile.
    c. Once the host profile is created, choose Home --> Host Profiles --> your host profile to edit it.
    d. On the Edit Host Profiles tab, find the entry for Hostd under [Advanced Configuration Settings] --> [Advanced Options] --> [Advanced Configuration Options] --> userVars.ESXiRhttpproxyDisabledProtocols
    e. The Hostd setting is applied in the same way as other host profile settings. If the host profile includes the Hostd configuration, the difference between the host profile and the target host is displayed, and the host's value is replaced, when you apply the host profile to the target host.

If unexpected behavior is observed, you can restore the backup of the rhttpproxy configuration file and restart the rhttpproxy service to revert the system to its earlier, clean state.

Authd - Port 902

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Authd for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to enable SSLv3:
    # esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""
  3. Run the following command to check configuration changes:
    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
    Path: /UserVars/VMAuthdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value: sslv3
    Valid Characters: *
    Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Authd for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to disable SSLv3:
    # esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "sslv3"

  3. Run the following command to check configuration changes:
    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

    Path: /UserVars/VMAuthdDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value: sslv3
    Valid Characters: *
    Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

SFCBD - Port 5989

Enabling SSLv3 Protocol

To enable SSLv3 protocol on SFCBD for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to open the file, and set the enableSSLv3 line as shown:
    vi /etc/sfcb/sfcb.cfg
    enableSSLv3: true

  3. Save the file.

  4. Restart the service for the configuration to take effect, using the following command:
    /etc/init.d/sfcbd-watchdog restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on SFCBD for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to open the file, and set the enableSSLv3 line as shown:
    vi /etc/sfcb/sfcb.cfg
    enableSSLv3: false

  3. Save the file.

  4. Restart the service for the configuration to take effect, using the following command:
    /etc/init.d/sfcbd-watchdog restart

HostProfile
Configuration for CIM can also be captured by host profile:

  1. Log in to vCenter Server with C#.

  2. Right click the target host and click Extract Host Profile to create a new host profile.

  3. Choose Home > Host Profiles > your host profile to edit it.

  4. On the Edit Host Profiles tab, find the entry for enable SSL v3 under SFCB Configuration > Settings.

  5. Apply the host profile to stateful or stateless systems.

  6. Restart the service for the configuration to take effect, using the following command:
    /etc/init.d/sfcbd-watchdog restart

 

vSAN VP - Port 8080

Enabling SSLv3 Protocol

To enable SSLv3 protocol on vSAN VP for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to enable SSLv3:
    # esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s ""

  3. Run the following command to check the configuration changes:
    esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols

    Path: /UserVars/ESXiVPsDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value: sslv3
    Valid Characters: *
    Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.


  4. Restart the vsanvp daemon for the preceding command to take effect:
    ~# /etc/init.d/vsanvpd restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on vSAN VP for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Log in to ESXi using putty.exe.

  2. Run the following command to disable SSLv3:
    esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3"

  3. Run the following command to check the configuration changes:
    esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols

    Path: /UserVars/ESXiVPsDisabledProtocols
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value: sslv3
    Valid Characters: *
    Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.


  4. Restart the vsanvp daemon for the preceding command to take effect:
    ~# /etc/init.d/vsanvpd restart

Enabled or disabled SSL/TLS protocols can be seen using sslscan or TestSSLServer tools on port 8080 of the ESXi host.
Note: Configurations can also be captured by Host Profile.
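
The Hostd, Authd and vSAN VP procedures above all end with the same esxcli list check, so one script can audit all three options. The following is an added example, not VMware code and not part of the original article; the function names are hypothetical, the sample output is constructed, and it assumes that several protocols in the value are separated by commas or spaces.

```shell
#!/bin/sh
# Added example, not VMware code: check that sslv3 is listed in an ESXi
# "DisabledProtocols" advanced option.

# The three option paths named in this article.
OPTIONS="/UserVars/ESXiRhttpproxyDisabledProtocols
/UserVars/VMAuthdDisabledProtocols
/UserVars/ESXiVPsDisabledProtocols"

# Read `esxcli system settings advanced list -o <path>` output on stdin and
# print the "String Value" field. "Default String Value" starts with a
# different word, so it is never picked up by mistake.
string_value() {
    sed -n '/^[[:space:]]*String Value:/{
        s/^[[:space:]]*String Value:[[:space:]]*//
        s/[[:space:]]*$//
        p
        q
    }'
}

# Succeed when sslv3 is one of the disabled protocols in $1.
# Assumption: several protocols are separated by commas and/or spaces.
sslv3_disabled() {
    for p in $(printf '%s' "$1" | tr 'A-Z,' 'a-z '); do
        [ "$p" = "sslv3" ] && return 0
    done
    return 1
}

# Print a verdict for option $1 from esxcli output on stdin.
# Returns non-zero unless sslv3 is disabled.
audit_option() {
    value=$(string_value)
    if sslv3_disabled "$value"; then
        echo "OK    $1 = \"$value\""
        return 0
    fi
    # Per the option description, an empty value enables every protocol.
    echo "FAIL  $1 = \"$value\" (sslv3 is not disabled)"
    return 1
}

# On an ESXi host: query all three options; non-zero if any check fails.
audit_host() {
    rc=0
    for opt in $OPTIONS; do
        esxcli system settings advanced list -o "$opt" |
            audit_option "$opt" || rc=1
    done
    return $rc
}

# Constructed sample output for an offline run: the state after -s "".
sample_enabled() {
    cat <<'EOF'
   Path: /UserVars/VMAuthdDisabledProtocols
   Type: string
   Int Value: 0
   String Value:
   Default String Value: sslv3
   Valid Characters: *
EOF
}

if command -v esxcli >/dev/null 2>&1; then
    audit_host || echo "SSLv3 is still enabled on at least one service"
else
    sample_enabled | audit_option /UserVars/VMAuthdDisabledProtocols ||
        echo "(constructed sample: FAIL is the expected verdict)"
fi
```

A changed value only takes effect after the matching service restart described in each procedure, so run the audit after the restart.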

vSAN Observer - Port 8010

Enabling SSLv3 Protocol

To enable SSLv3 protocol on vSAN Observer for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Deploy the vSAN cluster. Log in to vCenter Server as root and log in to RVC with rvc localhost. On a Windows VC, log in to RVC with rvc.bat localhost

  2. Command usages: vsan.observer protocols
    -s, --ssl-protocols=<s>

    Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.

Disabling SSLv3 Protocol

To disable SSLv3 protocol on vSAN Observer for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:

  1. Deploy the vSAN cluster. Log in to vCenter Server as root and log in to RVC with rvc localhost. On a Windows VC, log in to RVC with rvc.bat localhost

  2. Command usages: vsan.observer protocols
    -s, --ssl-protocols=<s>

    Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.

  3. Run the following command to disable SSLv3, tlsv1_2 RVC
    vsan.observer -r -o -s sslv3,tlsv1_2 computers/VSAN-Cluster/

VMware Directory Service (vmdir) - Port 11712

Supports only TLSv1.

Security Token Service (sts) - Port 7444

Default Support:
Install: TLS protocols are enabled and SSLv3 disabled.
Upgrade: All protocols are enabled including SSLv3.

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3e follow these steps:

  1. Open the server.xml file for the vCenter Single Sign-On.
    • Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

  2. Create a backup copy of the file.

  3. Search for this line:
    <Connector SSLEnabled="true"

  4. Append the following to the above line:
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  5. Save the file.

  6. Restart the VMware Security Token Service.

  7. To enable SSLv3 along with TLSv1, 1.1, 1.2, find the following line in the server.xml file:
    <Connector SSLEnabled="true"

  8. Edit the line to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
    sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"

  9. Restart the VMware Security Token Service by running this command:
    service vmware-stsd restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3e follow these steps:

  1. Open the server.xml file for the vCenter Single Sign-On.
    • Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

  2. Create a backup copy of the file.

  3. Search for the following line:
    <Connector SSLEnabled="true"

  4. Edit the line to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

  5. Restart the VMware Security Token Service by running this command:
    service vmware-stsd restart

Virtual Appliance Management Interface (VAMI) service - Port 5480

Enabling SSLv3 Protocol

To enable SSLv3 protocol on VAMI Webservices for vCenter Server 5.5 Update 3e follow these steps:

  1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf.

  2. Create a backup copy of the file.

  3. Search for this line:
    ssl.use-sslv3="disable"

  4. Modify the line to:
    ssl.use-sslv3="enable"

  5. Save the file.

  6. Restart the VAMI Service with the following command:
    service vami-lighttp restart

Disabling SSLv3 Protocol

To disable SSLv3 protocol on VAMI for vCenter Server 5.5 Update 3e follow these steps:

  1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf.

  2. Create a backup copy of the file.

  3. Search for this line:
    ssl.use-sslv3="enable"

  4. Modify the line to:
    ssl.use-sslv3="disable"

  5. Save the file.

  6. Restart the VAMI Service with the following command:
    service vami-lighttp restart

    Authentication proxy service - Port 51915

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Authentication proxy service Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

    2. Navigate to this location in the Registry Editor window:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

    3. In the navigation tree, right-click Protocols and select New > Key.

    4. Enter SSL3.0 as the key name.

    5. Repeat step 5 to create two SSL3.0 keys. Name the two keys as Server and Client.

    6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

      • Enter DisabledByDefault as the value name.
      • Double-click DisabledByDefault, and enter 0 as the data value.
      • Click OK.

    7. Right-click on the Server key, and select New > DWORD (32-bit) Value.
      • Enter Enabled as the value name.
      • Double-click Enabled, and enter 1 as the data value.
      • Click OK

    8. Restart the server.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Authentication proxy service for vCenter Server 5.5 Update 3e follow these steps:

    1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

    2. Navigate to this location in the Registry Editor window:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

    3. In the navigation tree, right-click Protocols and select New > Key.

    4. Enter SSL3.0 as the key name.

    5. Repeat step 5 to create two SSL3.0 keys. Name the two keys as Server and Client.

    6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

      • Enter DisabledByDefault as the value name.
      • Double-click DisabledByDefault, and enter 0 as the data value.
      • Click OK.

    7. Right-click on the Server key, and select New > DWORD (32-bit) Value.
      • Enter Enabled as the value name.
      • Double-click Enabled, and enter 1 as the data value.
      • Click OK

    8. Restart the server.

    Syslog Collector service - Port 1514

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Access the configuration file from the following locations:
      • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
      • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

    2. Create a backup copy of the file.

    3. For Windows, edit the file to add <enableSSLv3></enableSSLv3> node as shown here:
      <ssl>
      <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
      <privateKey>vmsyslogcollector.key</privateKey>
      <certificate>vmsyslogcollector.crt</certificate>
      <enableSSLv3></enableSSLv3>
      </ssl>

    4. For VCSA, remove options=NO_SSLv3 from the configuration file.

    5. Save the file.

    6. Restart the vmsyslogcollector Service.
      service syslog-collector restart


      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3e follow these steps:

      1. Access the configuration file from the following locations:
        • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
        • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

      2. Create a backup copy of the file.

      3. For Windows, edit the file to remove the <enableSSLv3></enableSSLv3> node as shown here:
        <ssl>
        <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
        <privateKey>vmsyslogcollector.key</privateKey>
        <certificate>vmsyslogcollector.crt</certificate>
        </ssl>


      4. For VCSA:
        Add new line "options=NO_SSLv3" in the /etc/syslog-ng/stunnel.conf configuration file.

      5. Save the file.

      6. Restart the vmsyslogcollector Service:
        /etc/init.d/syslog-collector restart

    VMware vSphere Web Client Service (vspherewebclientsvc) - Port 9443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the tomcat-server.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 to sslEnabledProtocols list as shown here to enable SSLv3:
      <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="800" acceptCount="300" scheme="https" secure="true"
      clientAuth="false" sslEnabledProtocols="SSLv3, TLSv1,TLSv1.1,TLSv1.2"

    4. Save the file.

    5. Restart the webclient Service.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the tomcat-server.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
      <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="800" acceptCount="300" scheme="https" secure="true"
      clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

    4. Save the file.

    5. Restart the webclient Service.

    VMware Virtual Center Server (vpxd) - Port 443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the vpxd.cfg file:

      • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
      • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

    2. Create a backup copy of the file.

    3. Edit the file to add <sslOptions>16924672</sslOptions> to enable SSLv3:
      <vmacore>
      <cacheProperties>true</cacheProperties>
      <ssl>
      <useCompression>true</useCompression>
      <sslOptions>16924672</sslOptions>
      </ssl>
      <threadPool>
      <TaskMax>90</TaskMax>
      <threadNamePrefix>vpxd</threadNamePrefix>
      </threadPool>
      </vmacore>


    4. Save the file.

    5. Restart the vpxd service.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the vpxd.cfg file:

      • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
      • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

    2. Create a backup copy of the file.

    3. Edit the file to remove <sslOptions>16924672</sslOptions> to disable SSLv3:
      <vmacore>
      <cacheProperties>true</cacheProperties>
      <ssl>
      <useCompression>true</useCompression>
      </ssl>
      <threadPool>
      <TaskMax>90</TaskMax>
      <threadNamePrefix>vpxd</threadNamePrefix>
      </threadPool>
      </vmacore>


    4. Save the file.

    5. Restart the vpxd service.

      • Windows default location: Restart the VMware VirtualCenter Server service from services.msc
      • vCenter Server Appliance: Execute the following command from command prompt:
        /etc/init.d/vmware-vpxd restart

    vCenter Inventory Service database (invsvc) - XDB Port 10109

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Inventory Service database (invsvc) Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the query-server-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 to the value attribute as shown here to enable SSLv3:
      <property name="protocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />

    4. Save the file.

    5. Restart the Inventory Service.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Inventory Service database (invsvc) for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the query-server-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from the value attribute as shown here to disable SSLv3:
      <property name="protocols" value="TLSv1,TLSv1.1,TLSv1.2" />

    4. Save the file.

    5. Restart the Inventory Service.

    vCenter Inventory Service HTTPS - Port 10443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Inventory Service HTTPS Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the server-confg.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 to sslEnabledProtocols list as shown here to enable SSLv3:
      <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the Inventory Service.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Inventory Service HTTPS for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the server-confg.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
      <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the Inventory Service.

    VMware VirtualCenter Management Webservices - Port 8443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the server.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 to, or remove it from, the sslEnabledProtocols list as shown here to enable or disable SSLv3:
      <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the Management webservices.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the server.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
      <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the Management webservices.

    PBM - Port 8191

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on PBM Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the pbm-spring-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\pbm-spring-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/pbm-spring-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
      <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the PBM service.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on PBM Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the pbm-spring-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\pbm-spring-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/pbm-spring-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
      <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the PBM service.

    SPS - Port 21100(VCSA), 31100(Windows)

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on SPS Webservices for vCenter Server 5.5 Update 3B follow these steps:

    1. Open the sps-spring-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
      <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the SPS service.

    Disabling SSLv3 Protocol
    To disable SSLv3 protocol on SPS for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the sps-spring-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from sps-spring-config list as shown here to disable SSLv3:
      <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the vmware-sps service.

    SMS - Port 22100(VCSA), 32100(Windows)

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on SMS Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the sms-spring-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sms-spring-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sms-spring-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to add the sslEnabledProtocols list as shown here to enable SSLv3:

      <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the SMS service.

    Disabling SSLv3 Protocol
    To disable SSLv3 protocol on SMS for vCenter Server 5.5 Update 3e follow these steps:

    1. Open the sms-spring-config.xml file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sms-spring-config.xml
      • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sms-spring-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from the sps-spring-config list as shown here to disable SSLv3:

      <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

    4. Save the file.

    5. Restart the vmware-sms service.

    Auto Deploy - Port 6501/6502

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Auto Deploy Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Run the following command to connect to vCenter Server:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

    2. Run the following command to check the current status of SSLv3:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

    3. Run the following command to re-enable SSLv3:

      To re-enable: PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

    4. Restart the Auto Deploy service to update the change.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Auto Deploy Webservices for vCenter Server 5.5 Update 3e follow these steps:

    1. Run the following command to connect to vCenter Server:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

    2. Run the following command to check the current status of SSLv3:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

    3. Run the following command to disable SSLv3:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 1

    4. Restart the Auto Deploy service to update the change.

    Update Manager - Port 9087/8084

    Enabling SSLv3 Protocol

    By default, the SSLv3 protocol is disabled on VUM ports 8084 and 9087.

    To enable SSLv3 protocol on Update Manager service for vCenter Server 5.5 Update 3e follow these steps:

    1. Stop the vSphere Update Manager service.
    2. Go to Update Manager Install Directory.
    3. Edit the following files to enable SSLv3:
      • For port 9087, search and delete <Item>SSLv3</Item> from the jetty-vum-ssl.xml file:
        <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
        <Item>SSLv3 </Item>
        </Array>
        </Set>
      • For port 8084, enabling and disabling SSL/TLS protocols is controlled through sslOptions.
        Add the <sslOptions> tag and set its value as required.

        To enable the SSLv3 protocol while keeping TLSv1, TLSv1.1 and TLSv1.2 enabled and SSLv2 disabled, set
        sslOptions = 16924672:
        <ssl>
        <cipherList>AES128-SHA, AES256-SHA</cipherList>
        <handshakeTimeoutMs>120000 </handshakeTimeoutMs>
        <sslOptions>16924672</sslOptions>
        </ssl>
        <ssl>
        <privateKey>ssl/rui.key</privateKey>
        <certificate>ssl/rui.crt</certificate>
        <sslOptions>16924672</sslOptions>
        </ssl>

    4. Save and Restart the vSphere Update Manager service.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Update Manager service for vCenter Server 5.5 Update 3e follow these steps:

    1. Stop the vSphere Update Manager service.
    2. Go to Update Manager Install Directory.
    3. Edit the following to disable SSLv3:

      • For port 9087, add the following text after the <Array type="java.lang.String">:
        <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
        <Item>SSLv3 </Item>
        </Array>
        </Set>

      • For port 8084, delete the <sslOptions> any_value </sslOptions> entry from the vci-integrity.xml file:
        <ssl>
        <cipherList>AES128-SHA, AES256-SHA</cipherList>
        <handshakeTimeoutMs>120000 </handshakeTimeoutMs>
        <sslOptions>16924672</sslOptions>
        </ssl>
        <ssl>
        <privateKey>ssl/rui.key</privateKey>
        <certificate>ssl/rui.crt</certificate>
        <sslOptions>16924672</sslOptions>
        </ssl>

    4. Save and Restart the vSphere Update Manager service.

     

    FDM service - Port 8182

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on FDM service for ESXi 5.5 Patch [ESXi550-201607001] released on 07/26/2016 follow these steps:

    1. Access the vCenter Server from the webclient.

    2. Refer to the following KB article to enable SSLv3:
      KB 2033250.

    3. The key-value pair is as follows:
      das.config.vmacore.ssl.sslOptions 16924672
      Where:
      KEY = das.config.vmacore.ssl.sslOptions
      Value = 16924672
    Note: FDM is a new port on ESXi, but it is configurable through vCenter Server.

    vSphere 5.5 Update 3b Ports and Services

    Note: Always take a backup copy of the configuration file before editing when applying the following steps.

    | Service | Port | Configuration Steps |
    |---|---|---|
    | Hostd | 443 | Hostd service |
    | Authd | 902 | Authd service |
    | SFCBD | 5989 | SFCBD service |
    | vSAN VP | 8080 | vSAN VP service |
    | vSAN Observer | 8010 | vSAN Observer service |
    | VMware Directory Service (vmdir) | 11712 | vmdir service |
    | Security Token Service (SSO) | 7444 | STS service |
    | Virtual Appliance Management Interface (VAMI) | 5480 | VAMI service |
    | Authentication proxy service (CAM) | 51915 | Authentication proxy service |
    | Syslog Collector (vmsyslogcollector) | 1514 | vmsyslogcollector service |
    | VMware vSphere Web Client Service (vspherewebclientsvc) | 9443 | vspherewebclientsvc service |
    | VirtualCenter Server service (vpxd) | 443 | vpxd service |
    | vCenter Inventory Service database (invsvc) | 10109 | Inventory Service database |
    | vCenter Inventory Service HTTPS | 10443 | Inventory Service HTTPS |
    | VMware VirtualCenter Management Webservices | 8443 | VMware VirtualCenter Management Webservices |
    | PBM | 8191 | PBM service |
    | SPS | 21100(VCSA), 31100(windows) | SPS service |
    | SMS | 22100(VCSA), 32100(windows) | SMS service |
    | Auto Deploy service | 6501, 6502 | Auto Deploy Service |
    | Log Browser | | Log Browser service |
    | HTML console | 7343 | HTML5 console service |

    Hostd service - Port 443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Hostd service for ESXi 5.5 Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.
    2. Take a backup of the /etc/vmware/rhttpproxy/config.xml file before editing.
    3. In the configuration file, add the <sslOptions>16924672</sslOptions> entry within the existing <vmacore> tag as shown in the following example to enable SSLv3:
      <vmacore>
      <ssl>
      <sslOptions>16924672</sslOptions>
      </ssl>
      </vmacore>


    4. Save the file.
    5. Restart the rhttpproxy service by running the following command:
      /etc/init.d/rhttpproxy restart
    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Hostd service for ESXi 5.5 Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.

    2. Take a backup of the /etc/vmware/rhttpproxy/config.xml file before editing.

    3. Delete only the sslOptions entry "<sslOptions>16924672</sslOptions>" from the configuration file “/etc/vmware/rhttpproxy/config.xml” which will be within <vmacore> under the <ssl> tag.

    4. Save the file.

    5. Restart the rhttpproxy service by running the following command:
      /etc/init.d/rhttpproxy restart

    If unexpected behavior is observed, you can restore the backup of the rhttpproxy configuration file and restart the rhttpproxy service to revert the system to its earlier clean state.
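To confirm what an sslOptions entry in config.xml (or vpxd.cfg) actually permits, the value can be decoded bit by bit. This is an added example, not part of the KB or VMware tooling; it assumes sslOptions is the decimal form of OpenSSL 1.0.x SSL_OP_* flags, which is consistent with the KB's description of 16924672, and the sample configs and the value 50479104 are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: sslOptions holds OpenSSL 1.0.x SSL_OP_* flags as a decimal integer.
SSL_OP_FLAGS = {
    0x00004000: "SSL_OP_NO_TICKET",
    0x00020000: "SSL_OP_NO_COMPRESSION",
    0x01000000: "SSL_OP_NO_SSLv2",
    0x02000000: "SSL_OP_NO_SSLv3",
    0x04000000: "SSL_OP_NO_TLSv1",
    0x08000000: "SSL_OP_NO_TLSv1_2",
    0x10000000: "SSL_OP_NO_TLSv1_1",
}
NO_SSLV3 = 0x02000000
KNOWN_MASK = sum(SSL_OP_FLAGS)  # the bits are distinct, so the sum equals their OR


def decode_ssl_options(value):
    """Return (names of known flags set, leftover bits this table does not know)."""
    names = [name for bit, name in sorted(SSL_OP_FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK


def audit_vmacore_config(xml_text):
    """Report every <vmacore>/<ssl>/<sslOptions> entry in a config file's text."""
    findings = []
    root = ET.fromstring(xml_text)
    for vmacore in root.iter("vmacore"):  # iter() also matches the root element
        for node in vmacore.findall("./ssl/sslOptions"):
            raw = (node.text or "").strip()
            try:
                value = int(raw, 10)
            except ValueError:
                # Unparsable entry: surface it instead of guessing.
                findings.append({"raw": raw, "flags": [], "unknown_bits": 0,
                                 "sslv3_allowed": None})
                continue
            flags, unknown = decode_ssl_options(value)
            findings.append({"raw": raw, "flags": flags, "unknown_bits": unknown,
                             "sslv3_allowed": not (value & NO_SSLV3)})
    return findings


def sslv3_allowed(xml_text):
    """True if any sslOptions entry leaves SSLv3 on. With no entry at all the
    release default applies, which the KB states is SSLv3 disabled."""
    return any(f["sslv3_allowed"] for f in audit_vmacore_config(xml_text))


# Constructed samples shaped like the snippets in the KB.
SAMPLE_SSLV3_ON = ("<config><vmacore><ssl><sslOptions>16924672</sslOptions>"
                   "</ssl></vmacore></config>")
SAMPLE_DEFAULT = ("<config><vmacore><ssl><useCompression>true</useCompression>"
                  "</ssl></vmacore></config>")
# 16924672 with the NO_SSLv3 bit added (constructed value, not from the KB).
SAMPLE_EXPLICIT_OFF = ("<config><vmacore><ssl><sslOptions>50479104</sslOptions>"
                       "</ssl></vmacore></config>")

if __name__ == "__main__":
    for label, text in [("sslOptions=16924672", SAMPLE_SSLV3_ON),
                        ("no sslOptions", SAMPLE_DEFAULT),
                        ("sslOptions=50479104", SAMPLE_EXPLICIT_OFF)]:
        print(label, "-> SSLv3 allowed:", sslv3_allowed(text),
              audit_vmacore_config(text))
```

On a real host, pass the contents of the backed-up and the edited file through audit_vmacore_config and compare the two results before restarting the service.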

    HostProfile

    If you enabled SSLv3 along with the default protocols, HostProfile does not capture these settings. As a result, stateless ESXi hosts lose the sslOptions settings made to the proxy service after every reboot.

    Use the script in the attached KB2139396_sslprotomgmt.zip file to manage (enable/disable) SSLv3 security protocol for proxy service. Refer to the note below and script documentation enclosed in the zip file for details.

    Note: Run the script with care because it is not completely tested. VMware recommends running the script in a non-production/test environment before you run it in production as needed.

    Authd - Port 902

    The SSL/TLS configuration for authd is stored in /etc/vmware/esx.conf with an entry like:
    /advUserOptions/options[0026]/name = "VMAuthdDisabledProtocols"

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Authd for ESXi Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.

    2. Run the following command to enable SSLv3:

      # esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Authd for ESXi Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.

    2. Run the following command to disable SSLv3:

      # esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "sslv3"

    3. Run the following command to check configuration changes:

      esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols

      Path: /UserVars/VMAuthdDisabledProtocols
      Type: string
      Int Value: 0
      Default Int Value: 0
      Min Value: 0
      Max Value: 0
      String Value: sslv3
      Default String Value: sslv3
      Valid Characters: *
      Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.

    HostProfile

    Configuration of the Authd can also be captured through host profile by following these steps:

    Note: If you do not change the configuration for authd, it may not be displayed in the host profile UI. You can trigger it by changing the setting with an ESXCLI command.
    1. Log in to VC with vSphere Web Client.

    2. Right click the target host and click Extract Host Profile to create a new host profile.

    3. After the host profile is created, navigate to Home > Host Profiles > your_host_profile to edit it.

    4. In the Edit Host Profiles tab, you can find the entry for authd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > userVars.VMAuthdDisabledProtocols

    5. Applying the authd setting through a host profile works the same as for other settings. If the configuration for authd is included in the host profile, the difference between the host profile and the target host for authd is displayed and replaced when you choose the target host to apply the host profile.

    SFCBD - Port 5989

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on SFCBD for ESXi 5.5 Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.

    2. Run the following command and edit the file:
      vi /etc/sfcb/sfcb.cfg
      enableSSLv3: true

    3. Save the file.

    4. Restart the service for the configuration to take effect using the following command:
      /etc/init.d/sfcbd-watchdog restart

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on SFCBD for ESXi 5.5 Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.

    2. Run the following command and edit the file:
      vi /etc/sfcb/sfcb.cfg
      enableSSLv3: false

    3. Save the file.

    4. Restart the service for the configuration to take effect using the following command:
      /etc/init.d/sfcbd-watchdog restart

    HostProfile
    Configuration for CIM can also be captured by host profile:

    1. Log in to vCenter Server with C#.

    2. Right click the target host and click Extract Host Profile to create a new host profile.

    3. Choose Home > Host Profiles > your host profile to edit it.

    4. On the Edit Host Profiles tab, find the entry for enable SSL v3 under SFCB Configuration > Settings.

    5. Apply the host profile to stateful or stateless systems.

    6. Restart the service for the configuration to take effect using the following command:
      /etc/init.d/sfcbd-watchdog restart

     

    vSAN VP - Port 8080

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on vSAN VP for ESXi 5.5 Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.

    2. Run the following command to enable SSLv3:
      # esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s ""

    3. Run the following command to check the configuration changes:
      esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols

      Path: /UserVars/ESXiVPsDisabledProtocols
      Type: string
      Int Value: 0
      Default Int Value: 0
      Min Value: 0
      Max Value: 0
      String Value:
      Default String Value: sslv3
      Valid Characters: *
      Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.


    4. Restart the vsanvp daemon for the preceding command to take effect:
      ~# /etc/init.d/vsanvpd restart

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on vSAN VP for ESXi 5.5 Update 3b follow these steps:

    1. Log in to ESXi using putty.exe.

    2. Run the following command to disable SSLv3:
      esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3"

    3. Run the following command to check the configuration changes:

      esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols

      Path: /UserVars/ESXiVPsDisabledProtocols
      Type: string
      Int Value: 0
      Default Int Value: 0
      Min Value: 0
      Max Value: 0
      String Value: sslv3
      Default String Value: sslv3
      Valid Characters: *
      Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.


    4. Restart the vsanvp daemon for the preceding command to take effect:
      ~# /etc/init.d/vsanvpd restart

    Enabled or disabled SSL/TLS protocols can be seen using sslscan or TestSSLServer tools on port 8080 of the ESXi host.
    Note: Configurations can also be captured by Host Profile.
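The Authd and vSAN VP options above are deny lists, so an empty String Value means every protocol, including SSLv3, is enabled. The following added example (not VMware code) parses the `esxcli system settings advanced list` output shown in this KB and reports which protocols remain enabled; it assumes several protocols would be written as a comma-separated list, which the KB does not state.

```python
CHOICES = ("sslv3", "tlsv1", "tlsv1.1", "tlsv1.2")  # from the option's Description


def parse_advanced_option(output):
    """Turn the 'Key: value' lines printed by esxcli into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _protocol_set(value):
    # Assumption: multiple protocols are separated by commas.
    items = {p.strip().lower() for p in value.split(",") if p.strip()}
    unknown = items - set(CHOICES)
    if unknown:
        raise ValueError("unrecognised protocol(s): " + ", ".join(sorted(unknown)))
    return items


def enabled_protocols(output):
    """Protocols still enabled: every choice that is not in the disabled list."""
    fields = parse_advanced_option(output)
    if "String Value" not in fields:
        raise ValueError("no 'String Value' field in esxcli output")
    disabled = _protocol_set(fields["String Value"])
    return [p for p in CHOICES if p not in disabled]


def check_option(output):
    """Summarise one option: path, enabled protocols, SSLv3 state, drift from default."""
    fields = parse_advanced_option(output)
    enabled = enabled_protocols(output)
    current = fields["String Value"].lower()
    default = fields.get("Default String Value", "").lower()
    return {
        "path": fields.get("Path", ""),
        "enabled": enabled,
        "sslv3_enabled": "sslv3" in enabled,
        "differs_from_default": current != default,
    }


# Output blocks as printed in this KB for the vSAN VP option.
OUTPUT_SSLV3_ENABLED = """\
Path: /UserVars/ESXiVPsDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
"""

OUTPUT_SSLV3_DISABLED = OUTPUT_SSLV3_ENABLED.replace(
    "String Value:\n", "String Value: sslv3\n", 1)

if __name__ == "__main__":
    for text in (OUTPUT_SSLV3_ENABLED, OUTPUT_SSLV3_DISABLED):
        print(check_option(text))
```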

    vSAN Observer - Port 8010

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on vSAN Observer for ESXi 5.5 Update 3b follow these steps:

    1. Deploy vSAN cluster.

    2. Log in to vCenter Server as root and log in to RVC as rvc localhost. If on Windows VC, log in to RVC as rvc.bat localhost

    3. Command usage: vsan.observer protocols
      -s, --ssl-protocols=<s>

      Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on vSAN Observer for ESXi 5.5 Update 3b follow these steps:

    1. Deploy vSAN cluster.

    2. Log in to vCenter Server as root and log in to RVC as rvc localhost. If on Windows VC, log in to RVC as rvc.bat localhost

    3. Command usage: vsan.observer protocols
      -s, --ssl-protocols=<s>
      Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.

    4. Run the following command in RVC to disable sslv3, tlsv1_2:
      vsan.observer -r -o -s sslv3,tlsv1_2 computers/VSAN-Cluster/

    VMware Directory Service (vmdir) - Port 11712

    Supports only TLSv1.0

    Security Token Service (sts) - Port 7444

    Default Support:
    Install: TLS protocols are enabled and SSLv3 disabled.
    Upgrade: All protocols are enabled including SSLv3.

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

    1. Open the server.xml file for the vCenter Single Sign-On.
      • Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
      • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

    2. Create a backup copy of the file.

    3. Search for this line:
      '<Connector SSLEnabled="true"'

    4. Append the following to the above line:
      'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"'

    5. Save the file.

    6. Restart the VMware Security Token Service.

    7. To enable SSLv3 along with TLSv1, 1.1, 1.2, find the following line in the server.xml file:
      <Connector SSLEnabled="true"

    8. Edit the line to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
      sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"

    9. Restart the VMware Security Token Service by running this command:
      service vmware-stsd restart

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

    1. Open the server.xml file for the vCenter Single Sign-On.
      • Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
      • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

    2. Create a backup copy of the file.

    3. Search for the following line to disable SSLv3:
      '<Connector SSLEnabled="true">'

    4. Edit the line to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
      sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"

      Example: <Connector SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

    5. Restart the VMware Security Token Service by running this command:
      service vmware-stsd restart

    Virtual Appliance Management Interface (VAMI) service - Port 5480

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on VAMI Webservices for vCenter Server 5.5 Update 3b follow these steps:

    1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf.

    2. Create a backup copy of the file.

    3. Search for this line:
      ssl.use-sslv3="disable"

    4. Modify the line to:
      ssl.use-sslv3="enable"

    5. Save the file.
    6. Restart the VAMI Service with the following command:
      service vami-lighttp restart

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on VAMI for vCenter Server 5.5 Update 3b follow these steps:

    1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf

    2. Create a backup copy of the file.

    3. Search for this line:
      ssl.use-sslv3="enable"

    4. Modify the line to:
      ssl.use-sslv3="disable"

    5. Save the file.

    6. Restart the VAMI Service with the following command:
      service vami-lighttp restart

    Authentication proxy service - Port 51915

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Authentication proxy service Webservices for vCenter Server 5.5 Update 3b follow these steps:

    1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

    2. Navigate to this location in the Registry Editor window:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

    3. In the navigation tree, right-click Protocols and select New > Key.

    4. Enter SSL3.0 as the key name.

    5. Repeat step 5 to create two SSL3.0 keys. Name the two keys as Server and Client.

    6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

      • Enter DisabledByDefault as the value name.
      • Double-click DisabledByDefault, and enter 0 as the data value.
      • Click OK.

    7. Right-click on the Server key, and select New > DWORD (32-bit) Value.
      • Enter Enabled as the value name.
      • Double-click Enabled, and enter 1 as the data value.
      • Click OK

    8. Restart the server.

    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Authentication proxy service for vCenter Server 5.5 Update 3b follow these steps:

    1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

    2. Navigate to this location in the Registry Editor window:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

    3. In the navigation tree, right-click Protocols and select New > Key.

    4. Enter SSL3.0 as the key name.

    5. Repeat step 5 to create two SSL3.0 keys. Name the two keys as Server and Client.

    6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

      • Enter DisabledByDefault as the value name.
      • Double-click DisabledByDefault, and enter 0 as the data value.
      • Click OK.

    7. Right-click on the Server key, and select New > DWORD (32-bit) Value.
      • Enter Enabled as the value name.
      • Double-click Enabled, and enter 1 as the data value.
      • Click OK

    8. Restart the server.

    Syslog Collector service - Port 1514

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3b follow these steps:

    1. Access the configuration file from the following locations:

      • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
      • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

    2. Create a backup copy of the file.

    3. For Windows, edit the file to add <enableSSLv3></enableSSLv3> node as shown here:

      <ssl>
      <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
      <privateKey>vmsyslogcollector.key</privateKey>
      <certificate>vmsyslogcollector.crt</certificate>
      <enableSSLv3></enableSSLv3>
      </ssl>

    4. For VCSA, remove options=NO_SSLv3 from the configuration file.

    5. Save the file.

    6. Restart the vmsyslogcollector Service.

      service syslog-collector restart


      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Access the configuration file from the following locations:

        • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
        • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

      2. Create a backup copy of the file.

      3. For Windows, edit the file to remove the <enableSSLv3></enableSSLv3> node as shown here:

        <ssl>
        <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
        <privateKey>vmsyslogcollector.key</privateKey>
        <certificate>vmsyslogcollector.crt</certificate>
        </ssl>


      4. For VCSA:
        Add new line "options=NO_SSLv3" in the /etc/syslog-ng/stunnel.conf configuration file.

      5. Save the file.

      6. Restart the vmsyslogcollector Service:
        /etc/init.d/syslog-collector restart
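The SFCBD, VAMI and VCSA Syslog Collector settings above are single lines in plain-text files, each with different semantics: sfcb.cfg and lighttpd.conf carry an explicit on/off value, while stunnel.conf disables SSLv3 only when `options=NO_SSLv3` is present. The following added example (not VMware code) classifies the text of each file; the sample contents are constructed, and the comment handling (`#`, plus `;` for stunnel) is an assumption about these file formats.

```python
import re

# kind -> (pattern for one active line, captured value that means "SSLv3 on")
PATTERNS = {
    "sfcb": (re.compile(r'^enableSSLv3\s*:\s*(\w+)\s*$', re.I), "true"),
    "lighttpd": (re.compile(r'^ssl\.use-sslv3\s*=\s*"(\w+)"\s*$', re.I), "enable"),
}
STUNNEL_NO_SSLV3 = re.compile(r'^options\s*=\s*NO_SSLv3\s*$', re.I)


def active_lines(text):
    """Yield stripped lines that are neither blank nor commented out."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            yield line


def sslv3_state(kind, text):
    """Return 'enabled', 'disabled', 'unset' or 'conflict' for one config file.

    kind is 'sfcb' (/etc/sfcb/sfcb.cfg), 'lighttpd'
    (/opt/vmware/etc/lighttpd/lighttpd.conf) or 'stunnel'
    (/etc/syslog-ng/stunnel.conf).
    """
    lines = list(active_lines(text))
    if kind == "stunnel":
        # Per the KB, removing options=NO_SSLv3 is what enables SSLv3.
        hit = any(STUNNEL_NO_SSLV3.match(line) for line in lines)
        return "disabled" if hit else "enabled"
    regex, on_value = PATTERNS[kind]
    seen = {m.group(1).lower() == on_value for m in map(regex.match, lines) if m}
    if not seen:
        return "unset"      # the KB does not state the default; report, do not guess
    if len(seen) == 2:
        return "conflict"   # the same key appears with both values
    return "enabled" if seen.pop() else "disabled"


# Constructed sample file contents.
SFCB_OFF = "# constructed sample\nhttpsPort: 5989\nenableSSLv3: false\n"
SFCB_CONFLICT = "enableSSLv3: true\nenableSSLv3: false\n"
LIGHTTPD_ON = 'ssl.engine = "enable"\nssl.use-sslv3="enable"\n'
STUNNEL_COMMENTED = "; constructed sample\n#options=NO_SSLv3\n[syslog]\naccept = 1514\n"
STUNNEL_OFF = "options = NO_SSLv3\n[syslog]\naccept = 1514\n"

if __name__ == "__main__":
    for kind, text in [("sfcb", SFCB_OFF), ("sfcb", SFCB_CONFLICT),
                       ("lighttpd", LIGHTTPD_ON), ("stunnel", STUNNEL_COMMENTED),
                       ("stunnel", STUNNEL_OFF)]:
        print(kind, "->", sslv3_state(kind, text))
```

A commented-out `options=NO_SSLv3` line is reported as enabled, which is the case most easily missed when reviewing stunnel.conf by eye.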

      VMware vSphere Web Client Service (vspherewebclientsvc) - Port 9443

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the tomcat-server.xml file:

        • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml

      2. Create a backup copy of the file.

      3. Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="800" acceptCount="300" scheme="https" secure="true"
        clientAuth="false" sslEnabledProtocols="SSLv3, TLSv1,TLSv1.1,TLSv1.2"

      4. Save the file.

      5. Restart the webclient Service.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the tomcat-server.xml file:

        • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml

      2. Create a backup copy of the file.

      3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
        <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="800" acceptCount="300" scheme="https" secure="true"
        clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

      4. Save the file.

      5. Restart the webclient Service.

      VMware Virtual Center Server (vpxd) - Port 443

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the vpxd.cfg file:

        • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
        • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

      2. Create a backup copy of the file.

      3. Edit the file to add <sslOptions>16924672</sslOptions> to enable SSLv3:
        <vmacore>
        <cacheProperties>true</cacheProperties>
        <ssl>
        <useCompression>true</useCompression>
        <sslOptions>16924672</sslOptions>
        </ssl>
        <threadPool>
        <TaskMax>90</TaskMax>
        <threadNamePrefix>vpxd</threadNamePrefix>
        </threadPool>
        </vmacore>


      4. Save the file.

      5. Restart the vpxd service.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the vpxd.cfg file:

        • Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
        • vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg

      2. Create a backup copy of the file.

      3. Edit the file to remove <sslOptions>16924672</sslOptions> to disable SSLv3:
        <vmacore>
        <cacheProperties>true</cacheProperties>
        <ssl>
        <useCompression>true</useCompression>
        </ssl>
        <threadPool>
        <TaskMax>90</TaskMax>
        <threadNamePrefix>vpxd</threadNamePrefix>
        </threadPool>
        </vmacore>


      4. Save the file.

      5. Restart the vpxd service.

        • Windows default location: Restart the VMware VirtualCenter Server service from services.msc

        • vCenter Server Appliance: Execute the following command from command prompt:
          /etc/init.d/vmware-vpxd restart

      vCenter Inventory Service database (invsvc) - XDB Port 10109

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on Inventory Service database (invsvc) Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the query-server-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to add SSLv3 to the value tag as shown here to enable SSLv3:
        <property name="protocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />

      4. Save the file.

      5. Restart the Inventory Service.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Inventory Service database (invsvc) for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the query-server-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to remove SSLv3 from the value tag as shown here to disable SSLv3:
        <property name="protocols" value="TLSv1,TLSv1.1,TLSv1.2" />

      4. Save the file.

      5. Restart the Inventory Service.

      vCenter Inventory Service HTTPS - Port 10443

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on Inventory Service HTTPS Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the server-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
        <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the Inventory Service.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Inventory Service HTTPS for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the server-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
        <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the Inventory Service.

      VMware VirtualCenter Management Webservices - Port 8443

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the server.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

      2. Create a backup copy of the file.

      3. Edit the file to add or remove SSLv3 in the sslEnabledProtocols list as shown here to enable or disable SSLv3:
        <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the Management webservices.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the server.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml

      2. Create a backup copy of the file.

      3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
        <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the Management webservices.

      PBM - Port 8191

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on PBM Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the pbm-spring-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\pbm-spring-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/pbm-spring-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
        <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the PBM service.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on PBM Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the pbm-spring-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\pbm-spring-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/pbm-spring-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
        <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the PBM service.

      SPS - Port 21100(VCSA), 31100(Windows)

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on SPS Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the sps-spring-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here to enable SSLv3:
        <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the SPS service.

      Disabling SSLv3 Protocol
      To disable SSLv3 protocol on SPS for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the sps-spring-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to remove SSLv3 from sps-spring-config list as shown here to disable SSLv3:
        <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the vmware-sps service.

      SMS - Port 22100(VCSA), 32100(Windows)

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on SMS Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the sms-spring-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sms-spring-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sms-spring-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to add the sslEnabledProtocols list as shown here to enable SSLv3:
        <property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the SMS service.

      Disabling SSLv3 Protocol
      To disable SSLv3 protocol on SMS for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the sms-spring-config.xml file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sms-spring-config.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sms-spring-config.xml

      2. Create a backup copy of the file.

      3. Edit the file to remove SSLv3 from sps-spring-config list as shown here to disable SSLv3:
        <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>

      4. Save the file.

      5. Restart the vmware-sms service.

      Auto Deploy - Port 6501/6502

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on Auto Deploy Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Run the following command to connect to vCenter Server:
        PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

      2. Run the following command to check the current status of SSLv3:
        PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

      3. Run the following command to re-enable SSLv3:
        To re-enable: PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

      4. Restart the Auto Deploy service to update the change.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Auto Deploy Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Run the following command to connect to vCenter Server:
        PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

      2. Run the following command to check the current status of SSLv3:
        PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

      3. Run the following command to re-enable SSLv3:
        To re-enable: PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

      4. Restart the Auto Deploy service to update the change.

      Log Browser - Port 12443

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on Log Browser Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the logbrowser.properties file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
        • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties


      2. Create a backup copy of the file.

      3. Edit the exclude-protocols line in the file as shown here to enable SSLv3:
        exclude-protocols=""

      4. Save the file.

      5. Restart the Log Browser service.

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on Log Browser Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Open the logbrowser.properties file:
        • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
        • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties

      2. Create a backup copy of the file.

      3. Edit the exclude-protocols line in the file as shown here to disable SSLv3:
        exclude-protocols="SSLv3"

      4. Save the file.

      5. Restart the Log Browser service.

      Note: The above configuration steps are not applicable from vSphere 5.5 Update 3e.

      HTML5 console - Port 7343

      Enabling SSLv3 Protocol

      To enable SSLv3 protocol on HTML5 Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Locate the jetty-ngc-ssl.xml file once the vSphere Web Client is running:
        • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro\etc\jetty-ngc-ssl.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/etc/jetty-ngc-ssl.xml

      2. Create a backup copy of the file.

      3. Edit the jetty-ngc-ssl.xml file to append the following line:
        <Item>SSLv3</Item>

        Example:
        <Array type="java.lang.String">
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
        <Item>TLSv1.2</Item>
        <Item>SSLv3</Item>
        </Array>

      4. Save the file.

      5. Restart the jetty service as shown here.

        For Windows:
        • Get the PID and restart the service. To stop Jetty, run the following commands:
          C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> netstat -ano | findstr 7343
          C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> taskkill /F /PID <your-pid>

        • To start Jetty, run the following command:
          C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> java -jar start.jar

        For VCSA:

        • To stop Jetty, run the following commands:
          $ pgrep -f jetty
          $ kill -TERM {pid of jetty}

        • To start Jetty, run the following command:
          $ java -jar /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/start.jar

      Disabling SSLv3 Protocol

      To disable SSLv3 protocol on HTML5 Webservices for vCenter Server 5.5 Update 3b follow these steps:

      1. Locate the jetty-ngc-ssl.xml file once the vSphere Web Client is running:
        • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro\etc\jetty-ngc-ssl.xml
        • vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/etc/jetty-ngc-ssl.xml

      2. Create a backup copy of the file.

      3. Edit the jetty-ngc-ssl.xml file to remove the item SSLv3:
        For example:

        <Array type="java.lang.String">
        <Item>TLSv1</Item>
        <Item>TLSv1.1</Item>
        <Item>TLSv1.2</Item>
        </Array>

      4. Save the file.

      5. Restart the jetty service as shown here.

        For Windows:
        • Get the PID and restart the service. To stop Jetty, run the following commands:

          C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> netstat -ano | findstr 7343
          C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> taskkill /F /PID <your-pid>

        • To start Jetty, run the following command:
          C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\work\tmp\console-distro> java -jar start.jar

        For VCSA:

        • To stop Jetty, run the following commands:
          $ pgrep -f jetty
          $ kill -TERM {pid of jetty}

        • To start Jetty, run the following command:
          $ java -jar /usr/lib/vmware-vsphere-client/server/work/tmp/console-distro/start.jar

      Note: From vSphere 5.5 Update 3e onwards, the configuration is not required. The webclient protocols settings will be automatically updated for the HTML5 console.
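
After editing, it is worth confirming that no file still leaves SSLv3 enabled. The script below is an added example, not part of the VMware article: it checks the three configuration shapes edited in the procedures above (the enabledProtocols property, the exclude-protocols line, and the Jetty <Item> array). The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

PROTO = re.compile(r"SSLv\d|TLSv\d(?:\.\d)?")

def sslv3_enabled(text):
    """True if the config leaves SSLv3 enabled, False if not, None if no setting found."""
    # logbrowser.properties: a deny-list. Lines commented out with '#' never match.
    m = re.search(r'^[ \t]*exclude-protocols[ \t]*=[ \t]*"?([^"\r\n]*)', text, re.M)
    if m:
        return "SSLv3" not in {p.strip() for p in m.group(1).split(",")}
    xml = re.sub(r"<!--.*?-->", "", text, flags=re.S)  # ignore commented-out XML
    # server.xml and the *-spring-config.xml files: an allow-list in one attribute.
    values = re.findall(r'<property\s+name="enabledProtocols"\s+value="([^"]*)"', xml)
    if values:
        return any("SSLv3" in [p.strip() for p in v.split(",")] for v in values)
    # jetty-ngc-ssl.xml: an allow-list of <Item> elements; keep protocol names only.
    items = [i for i in re.findall(r"<Item>\s*([^<\s]+)\s*</Item>", xml)
             if PROTO.fullmatch(i)]
    return ("SSLv3" in items) if items else None

def audit(files):
    """files maps a file name to its contents; returns name -> SSLv3 status."""
    return {name: sslv3_enabled(text) for name, text in files.items()}

# Constructed sample contents (not copied from a real vCenter Server).
SAMPLES = {
    "sps-spring-config.xml": (
        '<beans>\n'
        '  <!-- <property name="enabledProtocols" value="SSLv3,TLSv1"/> -->\n'
        '  <property name="enabledProtocols" value="TLSv1,TLSv1.1,TLSv1.2"/>\n'
        '</beans>\n'),
    "pbm-spring-config.xml":
        '<property name="enabledProtocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>\n',
    "logbrowser.properties": '# exclude-protocols=""\nexclude-protocols="SSLv3"\n',
    "jetty-ngc-ssl.xml": (
        '<Array type="java.lang.String">\n<Item>TLSv1</Item>\n'
        '<Item>TLSv1.2</Item>\n<Item>SSLv3</Item>\n</Array>\n'),
}

if __name__ == "__main__":
    labels = {True: "ENABLED", False: "disabled", None: "no setting found"}
    for name, enabled in audit(SAMPLES).items():
        print(f"{name}: SSLv3 {labels[enabled]}")
```

To check a live system, read each file from the locations listed in the procedures and pass the contents to audit(); a file check does not replace restarting the service, since the running process keeps its old protocol list until then.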

       
