Search the VMware Knowledge Base (KB)
View by Article ID

Managing TLS protocol configuration for vSphere 6.0 Update 3 (2148819)

  • 1 Ratings

Details

The TLS protocol versions 1.0, 1.1, and 1.2 are enabled by default. Disablement of  TLSv1.2 is not supported. The TLS protocols can be toggled and configured using the TLS Reconfiguration Utility.

This article provides steps for modifying the supported TLS protocols using this utility, and disabling TLSv1.0 within the vSphere environment. The utility will allow for an end-to-end disablement of TLSv1.0 across a vSphere environment. However, the vCenter Server, Platform Services Controller, and ESXi hosts within the environment must be running the compatible software versions that allow for disablement. Additionally, ensure that other VMware products as well as third-party products are compatible with the use of only TLSv1.1 and TLSv1.2. For a list of VMware products supported for TLSv1.0 disablement and the use of TLSv1.1/1.2, consult Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796).

Versions prior to vSphere 6.0 Update 3 are not currently supported in disabling TLSv1.0 or manipulating the other TLS communication protocols. However, by design, all versions of vSphere will attempt to communication with the highest available version of TLS protocol available between products. Consult the Status Knowledge Base article above for availability of other versions of vSphere.

By using the TLS Reconfiguration Utility in the vSphere environment, you will be disabling TLSv1.0 across the following ports on the vCenter Server, Platform Services Controller and ESXi hosts. If ports or services are not included, it will not be handled through the utility.

vCenter Server and Platform Services Controller                                                                                                                                           

ServiceService NamePort
WindowsAppliance
VMware HTTP Reverse Proxyrhttpproxyvmware-rhttpproxy 443
VMware vSphere Web Client vspherewebclientsvc vsphere-client9443
VMware Syslog Collector  (†)vmsyslogcollector †--1514
VMware vSphere Auto Deploy Waitervmware-autodeploy-waitervmware-rbd-watchdog 6501
VMware vSphere Auto Deploy Waitervmware-autodeploy-waitervmware-rbd-watchdog 6502
VMware Secure Token ServiceVMwareSTS vmware-stsd 7444
VMware Directory ServiceVMWareDirectoryServicevmdird 636
VMware Directory ServiceVMWareDirectoryServicevmdird 11712

ESXi         

ServiceService NamePort
VMware HTTP Reverse Proxy and Host DaemonHostd443
VMware vSAN VASA Vendor ProvidervSANVP8080
VMware Fault Domain ManagerFDM8182
VMware vSphere API for IO FiltersioFilterVPServer9080
 VMware Authorization Daemonvmware-authd902

Notes and Caveats:

  • Only TLSv1.2 or all TLSv1.x versions are  supported; granular management is not possible. On vCenter Server with external Platform Services Controllers, ensure that all  PSCs and the VC are enabled with same TLS protocols.  
  • Disablement of TLS protocols for vSphere Update Manager (Ports 8084, 9087) through the TLS reconfiguration utility is not supported. For more information see, Managing the TLS protocol configuration for Update Manager 6.0 Update 3 and Update Manager 6.5 (2149136)
  • Disablement of TLS protocols for VMware vSAN observer (Ports 8010) through the TLS reconfiguration utility is not supported. For more information see, Configuring the TLS protocol for VMware vSAN Observer 6.0 Update 3 (2144800).
  • † VMware Syslog Collector on vCenter Server Appliance supports TLSv1.0 only. Using the TLS reconfigurator script, TLSv1.1 or TLSv1.2 cannot be enabled.  
  • TLSv1.2 is enabled on vSphere Application Management Interface port 5480 by default. Disablement of TLSv1.0 is not allowed by configuration.
  • Ensure that the legacy ESXi 6.0 and 5.x hosts managed by the vCenter Server support TLSv1.1 and TLSv1.2. Upon disabling TLSv1.0 on vCenter Server 6.0 Update 3 and later, legacy ESXi 5.x and 6.0 hosts that have not been upgraded to compatible versions that support TLSv1.1 and/or TLSv1.2 will no longer be able to be managed by vCenter Server.  
  • Using a TLSv1.2 only connection to an external Microsoft SQL Server or external Oracle database is not currently supported.
  • Disablement of TLSv1.0 on vCenter Server and/or Platform Services Controller on Windows Server 2008 as the Host OS (Windows) supports only TLSv1.0. Newer versions of Windows Server support disablement of TLSv1.0. For more information, consult Microsoft TechNet Article TLS/SSL Setings in the Server Roles and Technologies Guide.
  • After applying TLS configuration changes to a Host directly or through cluster configuration via Host Profiles; the Host services need to be restarted for the changes to take effect. 
  • Authentication proxy port 51915 supports TLSv1.2 enablement from 6.0 Update 3. For more information, see Disabling SSLv3 protocol for VMware Authentication Proxy - Port 51915 (2136184)
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.

Solution

 

Disabling TLSv1.0 and enabling TLSv1.1 and/or TLSv1.2 will be a multi-phase process in a vSphere environment:

  1. Install the TLS Reconfigurator Utility on the vCenter Server and Platform Services controller; if the Platform Services Controller is embedded on the vCenter Server, users only need to install the utility on vCenter Server. 
  2. Disable vCenter Server's use of TLSv1.0 and enable the use of TLSv1.1 and TLSv1.2 or use TLSv1.2 exclusively.
  3. The ESXi hosts managed by the vCenter Server will then be updated to disable the use of TLSv1.0 and enable the use of TLSv1.1 and TLSv1.2 or use TLSv1.2 exclusively. It can either be modified at  per-host or per-cluster level.
  4. The Platform Services Controller would be updated to disable the use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2. vCenter Server 6.0 Update 1 or earlier does not support Platform Service Controller with only TLSv1.2 enabled. Before disabling TLSv1.0 on PSC, upgrade the vCenter Server to the same version as the PSC or keep TLSv1.0 enabled on the PSC machine.

The TLS Reconfiguration Utility is delivered with two components to cover managing the TLS protocols for vCenter Server and the Platform Services Controller with the VcTlsReconfigurator component and ESXi hosts and clusters with the EsxTlsReconfigurator component. These components are located in these directories:

For vCenter Server for Windows:
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\VcTlsReconfigurator
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\EsxTlsReconfigurator
For vCenter Server Appliance:
  • /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
  • /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

Installing the TLS Reconfiguration Utility

The TLS Reconfiguration Utility is an independent downloadable utility. Users must install the utility to disable TLSv1.0 within their vSphere environment. Follow these steps on installing the TLS Reconfiguration Utility:
  1. Go to My.VMware.com for vSphere.
  2. Download the following depending on the use of Windows or Appliance in the environment.

    For vCenter Server for Windows:
     VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.msi
    For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

  3. Upload the file to vCenter Server and/or Platform Services Controller:

    For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
    For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file. 
    • For vCenter Server for Windows
      1. On the Windows Server running vCenter Server, log in as an administrative user.
      2. Locate the VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.msi
      3. Install the MSI file.
    • For vCenter Server Appliance

      1. Connect to the vCenter Server Appliance with an SSH session and root credentials.    
      2. Run this command to enable the Bash shell
                   
        shell.set --enabled true                  
      3.        
      4. Run this command to  access the Bash shell
      5.        
             shell         
               
      6. In the Bash shell, locate the directory where the VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm was uploaded.       
      7. Run this command:
                 
        rpm -Uvh VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

Disabling TLSv1.0 using the TLS Reconfiguration Utility

This section covers; disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, disabling TLSv1.0 and TLSv1.1, and enabling only TLSv1.2 across vCenter Server, Platform Services Controller, and ESXi hosts. Disabling protocols must be done in this order:
  1. vCenter Server
  2. ESXi hosts
  3. Platform Services Controller
Warning: Before proceeding, ensure all of these elements are running versions compatible with TLSv1.0 disablement.

For vCenter Server and Platform Services Controller for Windows   
     
  1. Connect to the Windows Server.
  2.  
  3. Open an administrative command prompt.
  4.  
  5. Change directory to the vSphereTlsReconfigurator using this command
       
    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\
     
  6. Manually back up all of the configurations for all supported services on vCenter Server and Platform Services Controller:
         
    Note: The TLS Reconfigurator Utility will perform a backup operation each time a  modification against the vCenter Server or Platform Services Controller has  been executed. Use this process only if you need to create a backup to a  specific user directory. 
    1.    
    2. Change directory to the VcTlsReconfigurator using this command

      cd VcTlsReconfigurator

    3. Execute this command to perform a backup:

      directory_path\VcTlsReconfigurator> reconfigureVc backup

      By default, this will output to this directory:

      c:\users\<current user>\appdata\local\temp\<year><month><day>T<time>

      To output to a specific directory, run this command

      directory_path\VcTlsReconfiguratorreconfigureVc backup -d <backup directory path>

    4. A successful backup will look like this:     

      vCenter Transport Layer Security reconfigurator,  version=6.0.0, build=8482376
      For more information, refer to the following article: https://kb.vmware.com/kb/2148819"
      Log file: "C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\VcTlsReconfigurator.log".
      ================= Backing up vCenter Server TLS  configuration ==================

      Using backup directory:  c:\users\admini~1\appdata\local\temp\1\20170202T054311
      Backing up: vmsyslogcollector
      Backing up: vspherewebclientsvc
      Backing up: vmware-autodeploy-waiter
      Backing up: rhttpproxy
      Backing up: VMwareSTS
      Backing up: VMWareDirectoryService
            

    1. Execute this command to perform restore:
    2. reconfigureVc  restore -d <tmp directory / custom backup directory path>

    1. An output similar to the following is displayed:     
    2. vCenter Transport Layer Security reconfigurator,  version=6.0.0, build=5051284 For more information refer to the following  article: https://kb.vmware.com/kb/2148819 Log file:  "C:\ProgramData\VMware\vCenterServer\logs\vmware\vSphere-TlsReconfigurator\VcTlsReconfigurator.log".
      vCenter Server is going to be restarted. Do you want to  continue (Y/N)? Y ==================== Scanning vCenter Server TLS endpoints  =====================

      +--------------------------+-------------------+----------------+
        | Service Name              | TLS Endpoint Port | TLS Version(s) |
        +--------------------------+-------------------+----------------+
        | vmsyslogcollector         |              1514 | TLSv1.2        |
        | vspherewebclientsvc       |              9443 | TLSv1.2        |
        | vmware-autodeploy-waiter |                   | NOT RUNNING    |
        | rhttpproxy                |               443 | TLSv1.2        |
        | VMwareSTS                 |              7444 | TLSv1.2        |
        | VMWareDirectoryService    |               636 | TLSv1.2        |
        | VMWareDirectoryService    |             11712 | TLSv1.2        |
        +--------------------------+-------------------+----------------+
        ================== Restoring vCenter Server TLS  configuration ==================

      Using backup directory: c:\users\lab1ad~1\appdata\local\temp\20170224T150604
        Restoring: vmsyslogcollector
        Restoring: vspherewebclientsvc
        Restoring: vmware-autodeploy-waiter
        Restoring: rhttpproxy
        Restoring: VMwareSTS
        Restoring: VMWareDirectoryService
        ========================== Restarting vCenter Server  ===========================

  7. Update all of the configuration for all supported services on the vCenter Server

    Note: For products communicating to the vCenter Server which still require TLSv1.0 to be enabled, this will cease connectivity.

    1. Disable TLSv1.0 on the vCenter Server, and enable a higher versions of TLSv1.x.
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2, execute this command to perform a reconfiguration:

        d
        irectory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2

    2. Repeat this on remaining vCenter Server. 
  8.  
  9. Update the configuration for all supported services on the ESXi hosts managed by each of the vCenter Servers.

    1. Change directory to the EsxTlsReconfigurator using this command:

      cd ..\EsxTlsReconfigurator

    2. Disable TLSv1.0 on the ESXi hosts, and enable a higher versions of TLSv1.x. This can be done either on a per-host or per-cluster bases in addition to disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2 or disabling TLSv1.0 and enabling only TLSv1.2.

      Note
      : If --protocol or -p is not included, this will default to TLSv1.2 only

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an individual ESXi host inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path
        \EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an vCenter Server Host Cluster, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an vCenter Server Host Cluster, execute this command to perform a reconfiguration:

        directory_path
        \EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2

    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.

    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate. 
  10.  
  11. Update all of the configuration for all supported services on the Platform Services Controller:

    Note: If you have older  6.0.x or 5.5.x vCenter Servers still connected to the Platform Services Controller, this step will cause the vCenter Servers to stop communicating to the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.

    1. Change directory to the VcTlsReconfigurator using this command:

      cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator

    2. Disable TLSv1.0 on the Platform Services Controller, and enable a higher versions of TLSv1.x.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2        
      •              
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an standalone ESXi Server, execute this command to perform a reconfiguration
                       

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.1 TLSv1.2
      •              
      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an standalone ESXi Server, execute this command to perform a reconfiguration
                     

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2               
                     
    3. Repeat this operation on the remaining Platform Services Controller in the vSphere domain.       

Once completed, all vCenter Servers, the managed ESXi hosts and the associated Platform Services Controllers will no longer be using TLSv1.0

  
For vCenter Server Appliance and Platform Services Controller Appliance 

  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell
     
    shell.set --enabled true

  3. Run this command to  access the Bash shell
  4.  
    shell
     
  5. In the Bash shell, change directories to this directory
         
    cd /usr/lib/vmware-vSphereTlsReconfigurator/     
  6.  
  7. Manually backup all of the configurations for all supported services on the vCenter Server and Platform Services Controller

    Note: The TLS Reconfigurator Utility will perform a backup operation each time it is executed. Use this process only if you need to create a backup to a specific user directory.

    1. Change the directory to VcTlsReconfigurator with this command:

      cd VcTlsReconfigurator

    2. Execute this command to perform a backup:

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup

      By default, this will output to this directory:

      /tmp/<year><month><day>T<time>

      In order to output to a specific directory, use this command

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup -d <backup directory path>

  8. Update all of the configuration for all supported services on the vCenter Server
     
    Note: If you have products communicating to the vCenter Server which still require TLSv1.0 to be enabled, this will cease connectivity.

    1. Disable TLSv1.0 on the vCenter Server, and enable a higher versions of TLSv1.x. 

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator>
         ./reconfigureVc update -p TLSv1.2

    2. Repeat this on the next vCenter Server as appropriate.

  9. Update all of the configuration for all supported services on the ESXi hosts. This can be done either on a per-host or per-cluster bases in addition to disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2 or disabling TLSv1.0 and enabling only TLSv1.2.

    1. Change directory to the EsxTlsReconfigurator using this command:

      cd ../EsxTlsReconfigurator

    2. Disable TLSv1.0 on the ESXi hosts, and enable a higher versions of TLSv1.x. This can be done either on a per-host or per-cluster bases in addition to disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2 or disabling TLSv1.0 and enabling only TLSv1.2.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an individual ESXi inside of vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> 
        ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2

      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> 
        ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
      •            
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an standalone ESXi Server, execute this command to perform a reconfiguration
                     

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.1 TLSv1.2            
      •            
      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an standalone ESXi Server, execute this command to perform a reconfiguration
                     

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2            
      •            
    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.
    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.

  10. Update all of the configuration for all supported services on the Platform Services Controller

    Note: If you have older vCenter Servers 6.0.x or 5.5.x still connected to the Platform Services Controller, this step will cause the vCenter Servers to stop communicating to the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.

    1. Change directory to the VcTlsReconfigurator using this command:

      cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator

    2. Disable TLSv1.0 on the Platform Services Controller, and enable a higher versions of TLSv1.x.  

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only

      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration

        directory_path\VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2
      •    
      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2, execute this command to perform a reconfiguration
           

        directory_path\VcTlsReconfigurator
        > ./reconfigureVc update -p TLSv1.2

    3. Repeat this operation on the remaining Platform Services Controller in the vSphere domain.

Once completed, all vCenter Server Appliances, the managed ESXi hosts and the associated Platform Services Controller Appliances will no longer be using TLSv1.0

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 1 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 1 Ratings
Actions
KB: