Disabling TLSv1.1 on port 5671 on the NSX Manager

Article ID: 307349

Products

VMware NSX

Issue/Introduction

Symptoms:

Some PCI scans will show TLS v1.1 enabled on port 5671 as a security vulnerability.

Environment

NSX Data Center for vSphere 6.4.x

Resolution

Fix

Enabling FIPS on the NSX Manager will resolve this. If the customer cannot enable FIPS, follow the steps in the workaround.

Workaround:

The following workaround points RabbitMQ at the FIPS configuration.

SSH into the NSX Manager and enter root mode.
Under the directory /etc/rabbitmq there should be the following two files:

/etc/rabbitmq/rabbitmq-nonfips.config
/etc/rabbitmq/rabbitmq-fips.config

and the following symbolic link will be pointing to the non-FIPS file:

/etc/rabbitmq/rabbitmq.config -> /etc/rabbitmq/rabbitmq-nonfips.config

Adjust the above link to point to the FIPS file, like:

/etc/rabbitmq/rabbitmq.config -> /etc/rabbitmq/rabbitmq-fips.config

The command to do this is:
ln -sf /etc/rabbitmq/rabbitmq-fips.config /etc/rabbitmq/rabbitmq.config

After this, restart the broker as follows:

/etc/init.d/rabbitmq-server restart
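The re-link step above, written as an added example (not part of the KB article and not VMware's tooling): the functions take the config directory as a parameter so the change can be rehearsed on a scratch copy before it is applied to /etc/rabbitmq, the switch is idempotent and refuses to run if the FIPS file is missing, and a post-restart check confirms the broker no longer accepts a TLSv1.1 handshake on 5671. The hostname and scratch directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the KB article. Re-point rabbitmq.config at the FIPS
# config in the given directory and verify the result.

# Print the current target of <dir>/rabbitmq.config, or nothing if it is not a link.
current_config_target() {
    dir="$1"
    if [ -L "$dir/rabbitmq.config" ]; then
        readlink "$dir/rabbitmq.config"
    fi
}

# Switch <dir>/rabbitmq.config to <dir>/rabbitmq-fips.config.
# Idempotent: a second run is a no-op. Returns 1 if the FIPS config is absent,
# so a typo in the path cannot leave the broker with a dangling link.
switch_to_fips_config() {
    dir="$1"
    fips="$dir/rabbitmq-fips.config"
    if [ ! -f "$fips" ]; then
        echo "refusing to link: $fips does not exist" >&2
        return 1
    fi
    if [ "$(current_config_target "$dir")" = "$fips" ]; then
        return 0            # already pointing at the FIPS config
    fi
    ln -sf "$fips" "$dir/rabbitmq.config"
}

# After '/etc/init.d/rabbitmq-server restart', probe port 5671 with a TLSv1.1-only
# client. Returns 0 when the handshake is rejected (the desired state), 1 when the
# broker still negotiates TLSv1.1. Caveat: an openssl built without TLSv1.1
# support also fails the handshake, so confirm the client can speak TLSv1.1
# elsewhere before trusting a "rejected" result.
tls11_rejected() {
    host="$1"     # e.g. the NSX Manager address (assumed, not from the article)
    if openssl s_client -connect "$host:5671" -tls1_1 </dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Typical run on the appliance, as root (commented out so the file is safe to source):
# switch_to_fips_config /etc/rabbitmq && /etc/init.d/rabbitmq-server restart
# tls11_rejected nsx-manager.example.local && echo "TLSv1.1 no longer offered on 5671"
```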

Additional Information

Impact/Risks:
This might lead to some audit failures for the customer