Sunday, May 27, 2018

Upgrade vCenter Server Appliance 6.0 to 6.0 Update 3e

Upgrade vCenter Server Appliance 6.0 to 6.0 Update 3e for Spectre compliance (7977753) and disable TLS 1.0.

Synopsis

If you are like most companies in the world, you have been trying to remediate your configuration to ensure it is PCI and Spectre compliant. Spectre-1 (CVE-2017-5753) and Spectre-2 (CVE-2017-5715) both impact vSphere, while Meltdown (CVE-2017-5754) does not affect these services. For the duration of this write-up I will wrap all of these up into “spectre compliance”, and “vSphere” covers both vCenter services and ESXi.

PCI compliance also dictates that TLS 1.0 is disabled by the start of Q3 2018; this means that no service within your vSphere environment should be listening for and accepting TLS 1.0 requests. VMware has made disabling TLS 1.0 a fairly painless process; however, it requires an updated version of vCenter in order to get the tool to run properly. The process to ensure compliance is a multi-pronged approach within the environment I manage due to the number of VMware services installed. Any time you are performing upgrades to your vSphere services, I highly recommend utilizing the VMware Product Interoperability Matrices to ensure all of your products are able to work with one another.


Wednesday, May 23, 2018

vSphere Client and TLS 1.0

vSphere Client not working after disabling TLS 1.0?

Like most companies, we have been going through compliance remediation. Many compliance groups are now requiring that TLS 1.0 is disabled and only TLS 1.1 or 1.2 are being used. This brings in an issue with the older vSphere Client being able to connect to the virtual center. While vSphere 6.5 and 6.7 make use of a much better HTML5 version, if you are still running the latest version of vSphere 6.0 then you will be stuck using the not-so-great Flash-based web client.

However, there is actually a way to get the older vSphere Client to work after disabling TLS 1.0.
