Disable TLS 1.0/1.1 in VMware vSphere product suite.

Table of Contents

• Table of Contents
• Synopsis
• vCenter
• ESXi
• NSX 4.2.4 and newer
• VMware Update Manager (VUM)
• vRealize Automation (VRA)

Synopsis

This article assumes you have upgraded your vCenter to at least Update 3e, which is spectre compliant, as it is confirmed the TLS tool works there. This article is specific for disabling TLS 1.0 although it is just as easy to include TLS 1.1. If you have not upgraded your vCenter to Update 3e yet, I highly suggest following my article Upgrade vCenter Server Appliance to 6.0 Update 3e. That article also includes how to install the TLS reconfigurator tool in part 5 under the heading “MAINTENANCE PROCEDURE: Perform vCenter Upgrade to Update 3e.” Further information about the TLS reconfigurator tool can be found here: https://kb.vmware.com/s/article/2148819 To understand the various status of TLSv1.1/1.2 enablement and TLSv1.0 disablement across VMware products be sure to check out this article here: https://kb.vmware.com/s/article/2145796

While the TLS reconfigurator tool is amazing, it will not be able to disable TLS 1.0/1.1 in your entire environment. Manual work will be required in order to ensure proper compliance, this article attempts to include all of those items that I have run into in my environment. There still might be other VMware products and services where it will need to be disabled.

Here are the areas in which I have had to disable bad versions of TLS within my environment.

• vCenter
• ESXi
• VMware Update Manager (VUM)
• vRealize Automation (VRA)

vCenter

To disable TLSv1.0 and TLSv1.1 on vCenter we need to utilize the TLS Reconfigurator tool that typically is installed on your vCenter Appliance.

1. Log into your vCenter appliance over SSH.
2. Scan your configuration to determine current TLS status.

    /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/reconfigureVc scan
   

3. We need to create a backup of your configuration in case there is a problem.

    /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/reconfigureVc backup
   

4. Now lets disable TLS 1.0 in our configuration, leaving just TLSv1.1 and 1.2 enabled:

    /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/reconfigureVc update -p TLSv1.1 TLSv1.2 --no-restart
   

5. Alternatively you can disable TLS 1.0 and 1.1, leaving just TLSv1.2 enabled:

    /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/reconfigureVc update -p TLSv1.2 --no-restart
   

6. When requested enter “No” to on restarting services. Restarting services does not always seem to work, rebooting it ensures a fresh start.
7. Reboot the vApp VM by running “shutdown reboot -r install_update3e” or “shutdown -rfn 000” depending on the version.
8. Once all services are back online confirm that vCenter, vCloud, etc are all working as expected. If they are not do not proceed further until you have resolved the issues.

   NOTE: VMware Syslog Collector, running on port 1514, on vCenter Server Appliance supports TLSv1.0 only. Using the TLS reconfigurator script, TLSv1.1 or TLSv1.2 cannot be enabled. REF: https://kb.vmware.com/s/article/2148819

ESXi

To disable TLSv1.0 on ESXi hosts we need to utilize a different section of the TLS tool. TLS tool allows you to disable settings either by HA/DRS cluster, host, or standalone host. If a hypervisor is inside an HA/DRS cluster then it will force you to run this tool against all hosts in that cluster. Typically would be "administrator@vsphere.local" but you can use a domain user account so long as it is an administrator in vSphere. Disable TLS on ESXi hypervisors:

1. Cluster basis:

    /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
   

2. Host basis:

    /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
   

3. Standalone host basis:

    /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.1 TLSv1.2
   

4. Log into each hypervisor and edit the following to ensure the CIM service is configured correctly.
   1. Create a backup copy of the cfg file.

       cp /etc/sfcb/sfcb.cfg /etc/sfcb/sfcb.bak
      

   2. Stop the CIM watchdog service.

       /etc/init.d/sfcbd-watchdog stop
      

   3. Edit the config file. You can do this by either echoing in the items (it will append the each line at the end of the file) or you can edit the file with your favorite editor and add the items in parenthesis below into the file.

       echo -e "enableSSLv3: false" >>  /etc/sfcb/sfcb.cfg
       echo -e "enableTLSv1: false" >>  /etc/sfcb/sfcb.cfg
       echo -e "enableTLSv1_1: false" >>  /etc/sfcb/sfcb.cfg
       echo -e "enableTLSv1_2: true" >>  /etc/sfcb/sfcb.cfg
       echo -e "sslCipherList:ECDHE-RSA-AES256-GCM-SHA384:HIGH:!AECDH-AES256-SHA:!AECDH-DES-CBC3-SHA:!AECDH-AES128-SHA:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!AECDH-AES256-SHA:!CAMELLIA128-SHA:!CAMELLIA256-SHA" >>  /etc/sfcb/sfcb.cfg
      

   4. Start the CIM watchdog service.

       /etc/init.d/sfcbd-watchdog start
      

5. Log into each hypervisor and edit the following to ensure the rhttpproxy service is configured correctly.
   1. Create a backup copy of the cfg file.

       cp /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/config.bak
      

   2. Edit the config file.

       sed -i '/following node to disable SSL -->/a\   <cipherList>ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!AES128-SHA:!AES128-SHA256:!AES128-GCM-SHA256:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384<\/cipherList>' /etc/vmware/rhttpproxy/config.xml
      

   3. Restart the rhttpproxy service

       /etc/init.d/rhttpproxy restart
      

6. Reboot each hypervisor:
   1. If the hypervisor is in vCloud, then disable the hypervisor and deploy the VMs to other hosts.
   2. Put hypervisor into maintenance mode in vCenter.
   3. Manually reboot the hypervisor.
   4. After reboot ensure the hypervisor rejoins the vCenter.
   5. Examine the hypervisor in vCenter and ensure everything appears as it should. Example: Build Version, Networks, storage, etc.
   6. Exit maintenance mode in the vCenter.
   7. If hypervisor is in vCloud, then re-enable the hypervisor.
7. Repeat process for all hypervisors.

NSX 4.2.4 and newer

1. Using Rest API call you can now disable TLS 1.0.
   1. Download and run Advanced REST Client
   2. Do a “GET” command on https://nsxmgr_ip/api/1.0/appliance-management/system/tlssettings, go to authorization tab and enter admin and password of your NSX manager.
   3. Ensure the following is returned.

      		
               <?xml version="1.0" encoding="UTF-8"?>
               <tlsSettings><serverEnabledProtocols>TLS1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
               <clientEnabledProtocols>TLS1,TLSv1.1,TLSv1.2</clientEnabledProtocols>
               </tlsSettings>
      		
      

   4. Change the method to POST, click on “Body”, change type to “application/xml” and enter the following.

      		
               <?xml version="1.0" encoding="UTF-8"?>
               <tlsSettings><serverEnabledProtocols>TLSv1.1,TLSv1.2</serverEnabledProtocols>
               <clientEnabledProtocols>TLSv1.1,TLSv1.2</clientEnabledProtocols>
               </tlsSettings>
      		
      

   5. Now click “Send”
2. Restart NSX server and ensure it properly checks in with vCenter.
3. Confirm you can see the NSX manager inside vCenter.
4. Hit rest API for NSX to ensure TLS 1.0 is disabled: https://nsxmgr_ip/api/1.0/appliance-management/system/tlssettings

   NOTE: You might have to log back into NSX manager, click on “NSX Management Service” and re-enter the password information for Lookup and vCenter objects.

VMware Update Manager (VUM)

This article assumes you are still running VUM on a Windows machine and how to disable TLS 1.0/1.1. This is just for the VUM services itself, this does not include the base Windows features that require TLS 1.0/1.1 to be disabled.

1. jetty-vum-ssl.xml file.
   1. Locate the file “jetty-vum-ssl.xml” which is typically under C:\Program Files (x86)\VMware\Infrastructure\Update Manager) and create a backup copy of it.
   2. Edit the original “jetty-vum-ssl.xml” file.
   3. There is a section inside the file called ‘' navigate to this part and add in the follow line: TLSv1.0
   4. It should look like this:

       <Set name="ExcludeProtocols">
           <Array type="java.lang.String">
               <Item>SSLv3</Item>
               <Item>SSLv2Hello</Item>
               <Item>TLSv1</Item>
           </Array>
       </Set>
      

      NOTE: If you want to disable TLS 1.1 then also add the line: TLSv1.1

   5. Save and close the file.
2. vci-integrity.xml file.
   1. Locate the file “vci-integrity.xml” which is typically under C:\Program Files (x86)\VMware\Infrastructure\Update Manager and create a backup copy of it.
   2. Edit the original “vci-integrity.xml” file.
   3. There TWO sections inside the file where this needs to be added, both fall under the ‘' one is inside the primary config file while the second is in the section.
      1. Navigate to the first section, which should be under the primary config as and add in the following line: 117587968

          <ssl>
              <certificate>ssl/rui.crt</certificate>
              <privateKey>ssl/rui.key</privateKey>
              <sslOptions>117587968</sslOptions>
          </ssl>
         

      2. Navigate down to the section and add in the following line: 117587968

          <ssl>
              <handshakeTimeoutMs>120000</handshakeTimeoutMs>
              <sslOptions>117587968</sslOptions>
          </ssl>
         

         NOTE: If you want to disable TLS 1.0 and 1.1 then change the value 117587968 to 386023424.

   4. Save and close the file.
3. Restart the VMware Update Manager service in Windows.

vRealize Automation (VRA)

This will resolve the alerts for ssl-cve-2011-3389-beast and tlsv1_0-enabled (Port 8283, 443, 5480), further information can be found from VMware at https://kb.vmware.com/s/article/2146570 I also highly recommend following the vRA hardening guide.

NOTE: According to VMware “Do not modify the Internal postgres service (port 5432) to disable TLS 1.0 because this breaks the internal tools that monitor the DB.”

1. vRealize Automation Appliance
   1. Log in to each vRealize Automation as root.
   2. Edit both of the following files with your favorite editor: /etc/haproxy/conf.d/20-vcac.cfg /etc/haproxy/conf.d/30-vro-config.cfg
   3. Add “no-sslv3 no-tlsv10” to the end of lines. bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH
   4. The resulting lines will look like this:

       bind 0.0.0.0:443 ssl crt /etc/apache2/server.pem ciphers TLSv1+HIGH:!aNULL:!eNULL:!3DES:!RC4:!CAMELLIA:!DH:!kECDHE:@STRENGTH no-sslv3 no-tlsv10
      

   5. Reload haproxy config by running the command:.

       service haproxy reload
      

2. HTTP OPTIONS Method Enabled (Port 5480) - Configure HTTP Strict Transport Security Response Header
   1. Log in to each vRealize Automation as root.
   2. Edit the file /etc/haproxy/conf.d/20-vcac.cfg with your favorite editor.
   3. Add the following lines in a front end section:

       rspdel Strict-Transport-Security:\ max-age=31536000
           rspadd Strict-Transport-Security:\ max-age=31536000
      

   4. Reload the HAProxy configuration using the following command.

       /etc/init.d/haproxy reload
      

3. Console proxy (port 8444)
   1. Log in to each vRealize Automation as root.
   2. Edit the file /etc/vcac/security.properties with your favorite editor.
   3. Add or modify line consoleproxy.ssl.server.protocols using either TLSv1.2,TLSv1.1 (to also allow TLSv1.1) or just TLSv1.2 (to exclude TLS 1.1).

       consoleproxy.ssl.server.protocols=TLSv1.2
      

   4. To disable bad ciphers add the following line:

       consoleproxy.ssl.ciphers.disallowed=TLS_DH_DSS_WITH_AES_128_CBC_SHA,TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA
      

   5. Restart vcac-server service by running the command:

       service vcac-server restart
      

4. Management console (port 5480)
   1. Log in to each vRealize Automation as root.
   2. Edit the file /opt/vmware/etc/lighttpd/lighttpd.conf with your favorite editor.
   3. You will find a section with ssl.cipher-list, replace it with:

       ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
      

   4. Restart the lighttpd service by running the command:

       service vami-lighttp restart
      

5. vCO Service
   1. Log in to each vRealize Automation as root.
   2. Edit the file /etc/vco/app-server/server.xml with your favorite editor.
   3. Locate the tag in the file and using either TLSv1.2,TLSv1.1 (to also allow TLSv1.1) or just TLSv1.2 (to exclude TLS 1.1).

       sslEnabledProtocols = "TLSv1.2"
      

   4. Restart the vCO service by running the following command:

       service vco-server restart
      

6. vRealize Automation service
   1. Log in to each vRealize Automation as root.
   2. Edit the file /etc/vcac/server.xml with your favorite editor.
   3. Locate the tag in the file and using either TLSv1.2,TLSv1.1 (to also allow TLSv1.1) or just TLSv1.2 (to exclude TLS 1.1).

       sslEnabledProtocols = "TLSv1.2"
      

   4. Restart the vRealize Automation service by running the following commands.

       service vcac-server restart
      

7. vIDM service
   1. Log in to each vRealize Automation as root.
   2. Edit the file /opt/vmware/horizon/workspace/conf/server.xml with your favorite editor.
   3. Verify that SSLv3 and TLS 1.0 are disabled for the vIDM service. Do this by looking for the following line in the “<Connector” section

       sslEnabledProtocols="TLSv1.1,TLSv1.2"
      

   4. To also disable TLS1.1, simply remove TLSv1.1 from he above line.
8. RabbitMQ
   1. Log in to each vRealize Automation as root.
   2. Edit the file /etc/rabbitmq/rabbitmq.config with your favorite editor.
   3. Verify that tlsv1.2 and tlsv1.1 are already in the “ssl” and “ssl_options” sections. It should look similar to this:

       [
       {ssl, [
           {versions, ['tlsv1.2', 'tlsv1.1']},
           {ciphers, ["AES256-SHA", "AES128-SHA"]}
       ]},
       {rabbit, [
           {tcp_listeners, [{"127.0.0.1", 5672}]},
           {frame_max, 262144},
           {ssl_listeners, [5671]},
           {ssl_options, [
               {cacertfile, "/etc/rabbitmq/certs/ca/cacert.pem"},
               {certfile, "/etc/rabbitmq/certs/server/cert.pem"},
               {keyfile, "/etc/rabbitmq/certs/server/key.pem"},
               {versions, ['tlsv1.2', 'tlsv1.1']},
               {ciphers, ["AES256-SHA", "AES128-SHA"]},
               {verify, verify_peer},
               {fail_if_no_peer_cert, false}
           ]},
           {mnesia_table_loading_timeout,600000},
           {cluster_partition_handling, autoheal},
           {heartbeat, 600}
       ]},
       {kernel, [{net_ticktime,  120}]}
       ]
      

   4. If you had to make edits then restart the RabbitMQ server by running the following command:

       service rabbitmq-server restart