VMware

Managing TLS protocol configuration for vSphere 6.0 Update 3

This post provides the steps for modifying the supported TLS protocols with the TLS Reconfigurator utility and a PowerCLI script, and for disabling TLSv1.0 and TLSv1.1 within the vSphere environment. Together, the utility and the script allow an end-to-end disablement of TLSv1.0 and TLSv1.1 across a vSphere environment. However, the vCenter Server, Platform Services Controller and ESXi hosts in the environment must be running software versions that support the disablement.

Link to download 6.0 Update 3 TLS Reconfigurator tool

https://my.vmware.com/group/vmware/info?slug=datacenter_cloud_infrastructure/vmware_vsphere/6_0

For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

  • Take a snapshot of the vCenter Server and Platform Services Controller prior to the change
  • Upload VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm to the vCenter Server Appliance and Platform Services Controller
  • Install the TLS Reconfigurator Utility on the vCenter Server and Platform Services controller (if PSC is external)
  • Connect to the vCenter Server Appliance /PSC with an SSH session and root credentials.
  • Run this command to enable the Bash shell
    shell.set --enabled true
  • Run this command to access the Bash shell
    shell
  • In the Bash shell, locate the directory where the VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm was uploaded.
  • Run this command:
    rpm -Uvh VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

Disabling protocols must be done in this order:

  1. vCenter Server
  2. ESXi hosts
  3. Platform Services Controller

Disable TLS 1.0 & 1.1 for vCenter Server

  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell
    shell.set --enabled true
  3. Run this command to access the Bash shell
    shell
  4. In the Bash shell, change to this directory: cd /usr/lib/vmware-vSphereTlsReconfigurator/
  5. Manually back up the configuration of all supported services on the vCenter Server and Platform Services Controller

Note: The TLS Reconfigurator Utility will perform a backup operation each time it is executed. Use this process only if you need to create a backup to a specific user directory.

  1. Change the directory to VcTlsReconfigurator with this command: cd VcTlsReconfigurator
  2. Execute this command to perform a backup:
    directory_path/VcTlsReconfigurator> ./reconfigureVc backup

By default, the backup is written to this directory: /tmp/<year><month><day>T<time>
In order to output to a specific directory, use this command:
directory_path/VcTlsReconfigurator> ./reconfigureVc backup -d <backup directory path>

  1. Update the configuration of all supported services on the vCenter Server.

    Note: If you have products communicating to the vCenter Server which still require TLSv1.0 to be enabled, this will cease connectivity.

    1. Disable TLSv1.0 and TLSv1.1 on the vCenter Server, leaving only TLSv1.2 enabled
      • To disable TLSv1.0 and TLSv1.1 and enable only TLSv1.2, execute this command to perform the reconfiguration:
        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
    2. Repeat this on the next vCenter Server.

Disable TLS 1.0 & 1.1 for ESXi hosts (via PowerCLI script)

Download the script ESXiDisableProtocolConfiguration.ps1

The script includes the following two functions:

  • Get-ESXiDPC – Retrieve the current disabled protocols for all ESXi hosts within a vSphere Cluster
  • Set-ESXiDPC – Configure the specific disabled protocols for all ESXi hosts within a vSphere Cluster

The parameters of Set-ESXiDPC name the protocols to disable ($true disables the protocol, $false leaves it enabled). To enable only TLS 1.2, that is, to disable TLS 1.0, TLS 1.1 and SSLv3 for all services, run the following command:

Set-ESXiDPC -Cluster MGMT-Cluster -TLS1 $true -TLS1_1 $true -TLS1_2 $false -SSLV3 $true

  • Reboot the ESXi hosts in order to complete the TLS protocol changes.

Disable TLS 1.0 & 1.1 for Platform Services Controller

  1. Update the configuration of all supported services on the Platform Services Controller
    1. Change directory to the VcTlsReconfigurator using this command:
      cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
    2. Disable TLSv1.0 and TLSv1.1 on the Platform Services Controller, leaving only TLSv1.2 enabled.
      • To disable TLSv1.0 and TLSv1.1 and enable only TLSv1.2, execute this command to perform the reconfiguration:
        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
    3. Repeat this operation on any remaining Platform Services Controllers in the vSphere domain.

Once completed, the vCenter Server Appliances, the managed ESXi hosts and the associated Platform Services Controller Appliances no longer use TLSv1.0 or TLSv1.1.

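A way to verify that end state from an administration workstation, as an added example that is not part of the original post or of VMware's tools: it pins a TLS client to one protocol version per handshake and expects the vCenter Server, PSC and ESXi endpoints to refuse TLS 1.0 and 1.1 while still accepting 1.2. The host names and port 443 are constructed placeholders; the check also tells a refusal by the server apart from a local OpenSSL that itself no longer offers TLS 1.0/1.1, which would otherwise look like a pass.

```python
import socket
import ssl

# Constructed placeholders: replace with your vCenter, PSC and ESXi endpoints (port 443 shown).
ENDPOINTS = [("vcenter.example.invalid", 443), ("psc.example.invalid", 443), ("esxi01.example.invalid", 443)]
VERSIONS = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2}
EXPECTED = {"TLSv1": "rejected", "TLSv1.1": "rejected", "TLSv1.2": "accepted"}  # state after reconfiguration

def classify_error(message):
    """Tell a server refusal apart from a client whose own OpenSSL cannot offer the version."""
    if "NO_PROTOCOLS_AVAILABLE" in message or "NO_CIPHERS_AVAILABLE" in message:
        return "client-unsupported"
    return "rejected"

def probe(host, port, version, timeout=5.0):
    """Handshake pinned to one TLS version: accepted / rejected / client-unsupported / unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # certificate checks are off on purpose: this tests
    ctx.verify_mode = ssl.CERT_NONE  # protocol negotiation only, not server identity
    ctx.minimum_version = VERSIONS[version]
    ctx.maximum_version = VERSIONS[version]
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let a modern OpenSSL offer legacy versions at all
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() == version else "rejected"
    except ssl.SSLError as exc:
        return classify_error(str(exc))
    except OSError:
        return "unreachable"

def assess(results):
    """Compare one endpoint's probe results with EXPECTED; an empty list means compliant."""
    findings = []
    for version, want in EXPECTED.items():
        got = results.get(version, "missing")
        if got == "client-unsupported":
            findings.append(f"{version}: inconclusive, local TLS library cannot offer it")
        elif got != want:
            findings.append(f"{version}: {got} (expected {want})")
    return findings

def audit(endpoints=ENDPOINTS):
    """Probe every endpoint with every version; returns {'host:port': findings}."""
    return {f"{h}:{p}": assess({v: probe(h, p, v) for v in VERSIONS}) for h, p in endpoints}
```

Run audit() again after the ESXi hosts have been rebooted, since the host-side change only takes effect then; a host probed before its reboot will still report TLS 1.0 as accepted.
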
For more information, please refer to the VMware Portal.