How to disable TLS v1.0 in vRealize Log Insight (2146305)


Purpose

VMware vRealize Log Insight 3.6 and higher support inbound connections secured with TLS v1.0, v1.1 and v1.2. TLS v1.0 has known security concerns.

This article provides steps to disable support for TLS v1.0 on the Log Insight server.

Some clients, such as web browsers and syslog sources, may be actively communicating with TLS v1.0. Verify all clients can successfully negotiate TLS v1.1 or v1.2 before disabling support for TLS v1.0 in Log Insight.

Resolution

To disable TLS v1.0 support in vRealize Log Insight, modify the java.security configuration file on each node and restart the loginsight service.

  1. Open a console or SSH connection to each vRealize Log Insight cluster node and log in as root.

  2. Open the /usr/java/default/lib/security/java.security file using a text editor.

  3. Locate the disabledAlgorithms list. By default it will appear similar to:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

  4. Modify the disabledAlgorithms list to include TLSv1. For example:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, TLSv1

  5. Save the changes.

  6. Restart the loginsight service:

    service loginsight restart

Impact/Risks

Upgrades from Log Insight 4.0 to 4.3 may fail with TLS v1.0 disabled if the pre-upgrade validation script cannot establish a connection to other cluster members. In this situation, you may observe one of these errors:

  • Pre-upgrade validation was not OK
  • Log Insight deployment did not pass pre-upgrade validation
  • SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

To upgrade successfully, disable pre-upgrade verification temporarily. Use the web-browser method in Changing internal configuration options in VMware vRealize Log Insight (2123058) to set an advanced configuration option <upgrade-prevalidation-enabled value="false" /> inside the <upgrade> section.

<config>
  ...
  <upgrade>
    <upgrade-status-update-retry-count value="3" />
    <upgrade-prevalidation-enabled value="false" />
  </upgrade>
</config>

After successfully upgrading to Log Insight 4.3, set this option back to its default value (true).

Additional Information

To verify that TLS v1.0 is disabled on ports 443, 6514 and 9543, attempt to establish a TLS v1.0 connection using the openssl s_client command-line tool:

openssl s_client -verify no -quiet -no_ign_eof -connect localhost:9543 -tls1 < /dev/null

A rejected connection attempt will fail with an error similar to:

31499:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:283:
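As an added example (not part of the KB article or VMware's own tooling), the following POSIX shell functions apply steps 3 and 4 idempotently, keep a .bak copy of java.security, and wrap the openssl check above so it can be looped over ports 443, 6514 and 9543. They assume the single-line form of jdk.tls.disabledAlgorithms shown in the article and an openssl build that still accepts -tls1.

```shell
#!/bin/sh
# Helpers for the procedure above: add TLSv1 to jdk.tls.disabledAlgorithms
# without duplicating it, then confirm a listener refuses TLS v1.0.
# Assumption: the property is on one line, as shown in the article (not the
# backslash-continued multi-line form some JDKs ship).

# Print the current value of jdk.tls.disabledAlgorithms from FILE ($1).
disabled_algorithms() {
    sed -n 's/^jdk\.tls\.disabledAlgorithms=//p' "$1"
}

# Return 0 if TLSv1 is already a standalone entry in FILE ($1).
# TLSv1.1 / TLSv1.2 do not count, so the bounded pattern is required.
tlsv1_disabled() {
    disabled_algorithms "$1" | grep -E '(^|[ ,])TLSv1([ ,]|$)' >/dev/null
}

# Append ", TLSv1" to the property in FILE ($1) unless it is already present.
# Leaves FILE.bak behind so the change can be reverted.
disable_tlsv1() {
    file="$1"
    if ! grep '^jdk\.tls\.disabledAlgorithms=' "$file" >/dev/null; then
        echo "no jdk.tls.disabledAlgorithms line in $file" >&2
        return 1
    fi
    if grep '^jdk\.tls\.disabledAlgorithms=.*\\$' "$file" >/dev/null; then
        echo "multi-line disabledAlgorithms list in $file; edit by hand" >&2
        return 1
    fi
    if tlsv1_disabled "$file"; then
        return 0   # already done; nothing to change
    fi
    sed -i.bak 's/^\(jdk\.tls\.disabledAlgorithms=.*\)$/\1, TLSv1/' "$file"
    tlsv1_disabled "$file"   # re-check so the caller sees the real outcome
}

# Return 0 when HOST ($1) PORT ($2) refuses a TLS v1.0 handshake (the state
# wanted after the restart), 1 when the handshake succeeds. If the local
# openssl was built without TLS v1.0 the command fails for a different reason
# and this would also report 0, so check 'openssl s_client -help' first.
tlsv1_rejected() {
    ! openssl s_client -connect "$1:$2" -tls1 </dev/null >/dev/null 2>&1
}

# Example after restarting loginsight on a node:
#   for p in 443 6514 9543; do
#       tlsv1_rejected localhost "$p" && echo "port $p: TLS v1.0 rejected"
#   done
```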
