
Managing the TLS protocol configuration for Update Manager 6.0 Update 3 and Update Manager 6.5 (2149136)


Details

This article provides steps for TLS protocol configuration on Update Manager ports 9087 and 8084.
Note: In vSphere Update Manager 6.0 Update 3 and vSphere Update Manager 6.5, the TLS protocol versions 1.0, 1.1, and 1.2 are all enabled by default. You can disable TLS version 1.0 and TLS version 1.1, but you cannot disable TLS version 1.2. 
In vSphere 6.0 Update 3 and vSphere 6.5, you can manage the TLS protocol configuration by using the TLS Reconfiguration Utility.
However, vSphere Update Manager 6.0 Update 3 and vSphere Update Manager 6.5 do not use this utility, and you must reconfigure the TLS protocol manually.

Solution

Modifying the TLS protocol configuration might involve any of the following tasks:
  • Disabling TLS version 1.0 while leaving TLS version 1.1 and TLS version 1.2 enabled

  • Disabling TLS version 1.0 and TLS version 1.1 while leaving TLS version 1.2 enabled

  • Re-enabling the TLS protocol

 

Disabling the TLS protocol for Update Manager port 9087

  1. Stop the vSphere Update Manager service.
    For additional information, see Stopping, starting, or restarting the vSphere Update Manager service.

  2. Navigate to the Update Manager installation directory.
    For Update Manager 6.0 Update 3, the default installation location on a 64-bit Windows system is: C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
    For Update Manager 6.5, the default location on a 64-bit Windows system is C:\Program Files\VMware\Infrastructure\Update Manager.

  3. Back up a copy of the jetty-vum-ssl.xml file.

  4. Open the jetty-vum-ssl.xml file.

  5. Disable the TLS protocol.

    • Disable TLSv1.0 and leave TLSv1.1 and TLSv1.2 enabled.

      To disable TLSv1.0 and leave TLSv1.1 and TLSv1.2 enabled, add TLS version 1.0 in an <Item> code tag in the jetty-vum-ssl.xml file.

      <Set name="ExcludeProtocols">
           <Array type="java.lang.String">
               <Item>TLSv1</Item>
           </Array>
      </Set>

    • Disable TLSv1.0 and TLSv1.1 and leave TLS v1.2 enabled.

      To disable TLSv1.0 and TLSv1.1 and leave TLS v1.2 enabled, add the respective TLS versions in <Item> code tags in the jetty-vum-ssl.xml file.

      <Set name="ExcludeProtocols">
           <Array type="java.lang.String">
               <Item>TLSv1</Item>
               <Item>TLSv1.1</Item>
           </Array>
      </Set>

  6. Save the jetty-vum-ssl.xml file.

  7. Restart the vSphere Update Manager service.

 

Disabling the TLS protocol for Update Manager port 8084

  1. Stop the vSphere Update Manager service.

  2. Navigate to the Update Manager installation directory.
    For Update Manager 6.0 Update 3, the default installation location on a 64-bit Windows system is: C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
    For Update Manager 6.5, the default location on a 64-bit Windows system is C:\Program Files\VMware\Infrastructure\Update Manager.

  3. Back up a copy of the vci-integrity.xml file.

  4. Open the vci-integrity.xml file.

  5. Add an <sslOptions> tag to each <ssl> block shown below in the vci-integrity.xml file.
         
          <ssl>
              <handshakeTimeoutMs>120000</handshakeTimeoutMs>
              <sslOptions>sslOptions_value</sslOptions>
          </ssl>

          <ssl>
              <privateKey>ssl/rui.key</privateKey>
              <certificate>ssl/rui.crt</certificate>
              <sslOptions>sslOptions_value</sslOptions>
          </ssl>

  6. Depending on the TLS version that you want to disable, enter one of the following decimal values in the <sslOptions> tag.

    • To disable TLSv1.0, use decimal value 117587968.

    • To disable TLSv1.0 and TLSv1.1, use decimal value 386023424.

  7. Save the vci-integrity.xml file.

  8. Restart the vSphere Update Manager service.
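
Added example (not VMware's code): a Python audit of the two edited files that lists the protocols excluded for port 9087 and decodes each <sslOptions> value for port 8084, flagging an <ssl> block that was skipped or still holds placeholder text. It assumes <sslOptions> is an OpenSSL 1.0.x SSL_OP_* bitmask, which the article does not state; the function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated in the article): <sslOptions> is an OpenSSL 1.0.x
# SSL_OP_* bitmask. Both decimal values from the article decode cleanly under it.
SSL_OP = {0x00004000: "NO_TICKET", 0x00020000: "NO_COMPRESSION",
          0x01000000: "NO_SSLv2", 0x02000000: "NO_SSLv3",
          0x04000000: "NO_TLSv1", 0x08000000: "NO_TLSv1_2",
          0x10000000: "NO_TLSv1_1"}

def decode_ssl_options(value):
    """Return (names of known bits set, leftover bits not in SSL_OP)."""
    names = [name for bit, name in SSL_OP.items() if value & bit]
    return names, value & ~sum(SSL_OP)

def jetty_excluded(xml_text):
    """Protocols under <Set name="ExcludeProtocols"> (port 9087 file)."""
    return [item.text.strip()
            for s in ET.fromstring(xml_text).iter("Set")
            if s.get("name") == "ExcludeProtocols"
            for item in s.iter("Item") if item.text]

def audit_vci(xml_text):
    """One (block number, status, flags) tuple per <ssl> block (port 8084 file)."""
    findings = []
    for n, ssl in enumerate(ET.fromstring(xml_text).iter("ssl"), 1):
        raw = ssl.findtext("sslOptions")
        if raw is None:                      # block was skipped during the edit
            findings.append((n, "MISSING", []))
            continue
        try:
            names, unknown = decode_ssl_options(int(raw.strip()))
        except ValueError:                   # e.g. placeholder text left in place
            findings.append((n, "INVALID", []))
            continue
        # OK means: TLS 1.0 disabled, TLS 1.2 not disabled, no unexplained bits.
        suspect = unknown or "NO_TLSv1_2" in names or "NO_TLSv1" not in names
        findings.append((n, "SUSPECT" if suspect else "OK", names))
    return findings

# Constructed samples; the wrapper elements are placeholders, not the real layout.
SAMPLE_JETTY = """<Configure><Set name="ExcludeProtocols">
  <Array type="java.lang.String"><Item>TLSv1</Item><Item>TLSv1.1</Item></Array>
</Set></Configure>"""
SAMPLE_VCI = """<config>
  <ssl><handshakeTimeoutMs>120000</handshakeTimeoutMs>
       <sslOptions>386023424</sslOptions></ssl>
  <ssl><privateKey>ssl/rui.key</privateKey>
       <certificate>ssl/rui.crt</certificate></ssl>
</config>"""

if __name__ == "__main__":
    print("9087 excludes:", jetty_excluded(SAMPLE_JETTY))
    for finding in audit_vci(SAMPLE_VCI):
        print("8084 ssl block", *finding)
```

Run it against copies of the real files by passing their contents to jetty_excluded and audit_vci; any status other than OK on port 8084 means that block needs another look before the service is restarted.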

 

Re-enabling the TLS protocol for Update Manager port 9087

  1. Stop the vSphere Update Manager service.

  2. Navigate to the Update Manager installation directory.
    For Update Manager 6.0 Update 3, the default installation location on a 64-bit Windows system is: C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
    For Update Manager 6.5, the default location on a 64-bit Windows system is C:\Program Files\VMware\Infrastructure\Update Manager.

  3. Back up a copy of the jetty-vum-ssl.xml file.

  4. Open the jetty-vum-ssl.xml file.

  5. Remove the TLS tag that corresponds to the TLS protocol version that you want to enable.
    For example, remove <Item>TLSv1</Item> in the jetty-vum-ssl.xml file to enable TLSv1.0.

  6. Save the jetty-vum-ssl.xml file.

  7. Restart the vSphere Update Manager service.

 

Re-enabling the TLS protocol for Update Manager port 8084

  1. Stop the vSphere Update Manager service.

  2. Navigate to the Update Manager installation directory.
    For Update Manager 6.0 Update 3, the default installation location on a 64-bit Windows system is: C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
    For Update Manager 6.5, the default location on a 64-bit Windows system is C:\Program Files\VMware\Infrastructure\Update Manager.

  3. Back up a copy of the vci-integrity.xml file.

  4. Open the vci-integrity.xml file.

  5. Delete the <sslOptions> tag line.

  6. Save the vci-integrity.xml file.

  7. Restart the vSphere Update Manager service.
