Complete both sections below to fully enable TLSv1.0 and TLSv1.1 in vRealize Operations Manager 7.5. Section 1 covers the Apache HTTPD front end that serves the web UI and Section 2 the Java components; each has its own TLS configuration, so changing only one of them leaves the other still rejecting the old protocol versions. Both versions are deprecated (RFC 8996) and are disabled by default for that reason: enable them only for a documented legacy-client requirement, apply the change on every node, and plan to revert it (restore the .bak files created below) once the client is fixed.
Before starting, ensure the vRealize Operations Manager cluster is offline:
- Log in to vRealize Operations Manager admin UI as the local admin user.
Example: https://IP_or_FQDN/admin
Note: Replace IP_or_FQDN with the actual IP or FQDN of vRealize Operations Manager UI.
- Click Take Offline under Cluster Status.
Note: Wait for Cluster Status to show as Offline.
Section 1: Enable TLSv1.0 and TLSv1.1 in vRealize Operations Manager 7.5 for Web Access
- Log into the Primary node as root via SSH or console.
Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default, so $VCOPS_BASE/../vmware-vcopssuite resolves to /usr/lib/vmware-vcopssuite.
- Back up the Apache HTTPD configuration file:
cp $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf.bak
- Open $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf in a text editor.
- Remove -TLSv1 -TLSv1.1 (the two exclusions that disable those versions) from the SSLProtocol line, leaving the SSLv2 and SSLv3 exclusions in place. The modified line should look similar to:
SSLProtocol All -SSLv2 -SSLv3
- Save and close vcops-apache.conf.
- Repeat the five steps above on every other node in the cluster.
Section 2: Enable TLSv1.0 and TLSv1.1 in vRealize Operations Manager 7.5 for Java Components
- Log into the Primary node as root via SSH or console.
- Back up the $VMWARE_JAVA_HOME/lib/security/java.security file:
cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak
- Open $VMWARE_JAVA_HOME/lib/security/java.security in a text editor.
- In the jdk.tls.disabledAlgorithms property, remove the TLSv1 and TLSv1.1 entries that follow SSLv3. The property usually continues over several lines joined by a trailing backslash; edit only those lines and keep every other entry in place. The modified property should look similar to:
Example: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048, \
EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC
- Save and close the file.
- Repeat the five steps above on every other node in the cluster.
- Log in to the vRealize Operations Manager Admin UI and confirm that Cluster Status still shows Offline (the cluster was taken offline before you started). If it does not, click Take Offline and wait for the status to change.
- In vSphere, perform a guest OS restart (Restart Guest OS) on every vRealize Operations Manager node so that Apache and the Java components start with the edited configuration.
- Log in to the vRealize Operations Manager Admin UI again and click Bring Online to bring the cluster online.
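The edits of Section 1 and Section 2 as one script, added here as an example and not VMware's own tooling: it backs up each file, removes only the two exclusions from the SSLProtocol line and only the TLSv1 and TLSv1.1 entries from jdk.tls.disabledAlgorithms (following that property across its backslash-continued lines), and carries demo functions that exercise both edits on constructed sample lines so the logic can be checked before a node is touched. It assumes the VCOPS_BASE default noted in Section 1, that VMWARE_JAVA_HOME is set in the root shell, and the --apply flag and function names are this example's own. Run it as root on every node, then continue with the restart steps above.

```shell
#!/bin/bash
# Added example, not VMware's own script: apply the Section 1 and Section 2 edits on
# one node. Nothing on the node is changed unless the script is invoked with --apply.
set -eu

# Assumed defaults: VCOPS_BASE as noted in Section 1; VMWARE_JAVA_HOME is taken from
# the environment and must be set before --apply is used.
VCOPS_BASE="${VCOPS_BASE:-/usr/lib/vmware-vcops}"
APACHE_CONF="$VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf"

# rewrite_in_place FILE CMD [ARGS...]: run "CMD ARGS FILE" and write the result back
# over FILE through a temp copy, so the file's owner and mode are preserved.
rewrite_in_place() {
    local file="$1"; shift
    local tmp
    tmp="$(mktemp)"
    "$@" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Section 1: on the SSLProtocol directive only, drop "-TLSv1" and "-TLSv1.1".
# "-TLSv1.1" goes first so the "-TLSv1" pattern cannot eat its prefix; each token must
# be followed by whitespace or end of line, so a "-TLSv1.2" token would be left alone.
enable_apache_tls10_11() {
    local conf="$1"
    cp -p "$conf" "$conf.bak"
    rewrite_in_place "$conf" sed -E \
        '/^[[:space:]]*SSLProtocol[[:space:]]/{ s/[[:space:]]+-TLSv1\.1([[:space:]]|$)/\1/g; s/[[:space:]]+-TLSv1([[:space:]]|$)/\1/g; }'
}

# Section 2: remove the "TLSv1, " and "TLSv1.1, " entries from jdk.tls.disabledAlgorithms.
# The property continues over lines ending in a backslash; nothing outside it is touched.
enable_java_tls10_11() {
    local sec="$1"
    cp -p "$sec" "$sec.bak"
    rewrite_in_place "$sec" awk '
        /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1 }
        inprop {
            gsub(/TLSv1\.1,[ \t]*/, "")
            gsub(/TLSv1,[ \t]*/, "")
            if ($0 !~ /\\$/) inprop = 0
        }
        { print }'
}

# Demo on constructed sample files (not copied from an appliance): prints the edited
# SSLProtocol line, and the edited property with its continuation lines joined.
demo_apache_edit() {
    local f
    f="$(mktemp)"
    printf '%s\n' '# constructed sample' 'SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1' \
        'SSLHonorCipherOrder on' > "$f"
    enable_apache_tls10_11 "$f"
    grep '^SSLProtocol' "$f"
    rm -f "$f" "$f.bak"
}

demo_java_edit() {
    local f
    f="$(mktemp)"
    printf '%s\n' \
        'jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, \' \
        '    EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC' \
        'jdk.certpath.disabledAlgorithms=MD2, MD5' > "$f"
    enable_java_tls10_11 "$f"
    sed -n '/^jdk\.tls\.disabledAlgorithms=/,/[^\\]$/p' "$f" | tr -d '\\\n' | tr -s ' '
    echo
    rm -f "$f" "$f.bak"
}

if [ "${1:-}" = "--apply" ]; then
    : "${VMWARE_JAVA_HOME:?set VMWARE_JAVA_HOME to the appliance JRE before using --apply}"
    enable_apache_tls10_11 "$APACHE_CONF"
    enable_java_tls10_11 "$VMWARE_JAVA_HOME/lib/security/java.security"
    grep -n '^SSLProtocol' "$APACHE_CONF"
    diff "$VMWARE_JAVA_HOME/lib/security/java.security.bak" \
         "$VMWARE_JAVA_HOME/lib/security/java.security" || true
fi
```

Without --apply the script only defines its functions; run it as root with --apply on each node and read the SSLProtocol line and the java.security diff it prints before restarting. The .bak files it leaves behind are what you restore to disable the protocols again.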
Verify Changes
To verify that TLSv1.0 and TLSv1.1 are enabled, check port 443 on all nodes.
- For each node, run the following commands; -tls1 and -tls1_1 make s_client offer only TLSv1.0 or only TLSv1.1, so the handshake succeeds only if the server accepts that version:
- $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1_1
- Verify that each handshake succeeds. The output is similar to the following; the self-signed verify error is expected because the cluster CA is self-signed, and the lines that matter are the Cipher, Protocol and Session-ID:
CONNECTED(00000003)
depth=1 CN = vc-ops-cluster-ca_<UUID_1>, O = "VMware, Inc.", OU = MBU
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 551AD7697E9B5BE5225FC39108F385D3B68F3D314EE1D9EFE8242B4C41AB458F
Note: The Protocol line shows the version you forced and the Session-ID is not empty. If the version is still disabled on that node, the handshake fails instead: s_client prints an alert (for example tlsv1 alert protocol version or a handshake failure), no peer certificate available, Cipher is (NONE) and an empty Session-ID. In that case re-check both edits on that node and confirm it was restarted.
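As an added example (not part of the article or VMware's tooling), the check above turned into a script that probes every node for both versions and decides pass or fail from the s_client output the way the note describes: a cipher other than (NONE) on the "New, ..." line and a non-empty Session-ID. The sample outputs it carries are constructed for offline demonstration; the success one abbreviates the output shown above and the failure one is what a still-disabled version looks like. The node names, the openssl path derived from VCOPS_BASE and the function names are this example's assumptions.

```shell
#!/bin/bash
# Added example, not VMware's tooling: probe every node on port 443 for TLSv1.0 and
# TLSv1.1 and judge each handshake from the s_client output.
set -eu

# Assumed: VCOPS_BASE default as noted in Section 1, giving the bundled openssl.
VCOPS_BASE="${VCOPS_BASE:-/usr/lib/vmware-vcops}"
OPENSSL="$VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl"

# Read s_client output on stdin. Success means a real session was negotiated: a cipher
# other than (NONE) on the "New, ..." line and a non-empty Session-ID, which is the
# check the note above describes.
tls_handshake_ok() {
    local out cipher sid
    out="$(cat)"
    cipher="$(printf '%s\n' "$out" | sed -n -E 's/^New, .*Cipher is (.*)$/\1/p')"
    sid="$(printf '%s\n' "$out" | sed -n -E 's/^[[:space:]]*Session-ID:[[:space:]]*([0-9A-Fa-f]*).*$/\1/p')"
    if [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ] && [ -n "$sid" ]; then
        return 0
    fi
    return 1
}

# probe_node HOST FLAG: run s_client forcing one version (-tls1 or -tls1_1). stdin is
# closed so it returns as soon as the handshake completes or fails; its exit status is
# ignored because the output, not the status, is what tls_handshake_ok inspects.
probe_node() {
    local host="$1" flag="$2"
    "$OPENSSL" s_client -connect "$host:443" "$flag" </dev/null 2>&1 || true
}

# verify_nodes HOST...: one PASS/FAIL line per node and version; non-zero if any FAIL.
verify_nodes() {
    local rc=0 host flag
    for host in "$@"; do
        for flag in -tls1 -tls1_1; do
            if probe_node "$host" "$flag" | tls_handshake_ok; then
                echo "PASS $host $flag"
            else
                echo "FAIL $host $flag"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Constructed sample outputs for offline demonstration. SAMPLE_OK abbreviates the
# success output shown above; SAMPLE_FAIL is what a still-disabled version looks like:
# a protocol-version alert, no peer certificate, Cipher is (NONE), empty Session-ID.
SAMPLE_OK='CONNECTED(00000003)
depth=1 CN = vc-ops-cluster-ca_<UUID_1>, O = "VMware, Inc.", OU = MBU
verify error:num=19:self signed certificate in certificate chain
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 551AD7697E9B5BE5225FC39108F385D3B68F3D314EE1D9EFE8242B4C41AB458F'

SAMPLE_FAIL='CONNECTED(00000003)
error:...:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:...:SSL alert number 70
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: '

if [ "$#" -gt 0 ]; then
    verify_nodes "$@"   # e.g. ./verify_tls.sh node1.example.com node2.example.com
fi
```

Run it from the Primary node as root with every node's FQDN or IP as arguments; a single FAIL line identifies the node and version that still need attention, and the non-zero exit status makes the check usable from a change checklist or a pipeline.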
Once every node passes both checks, log back in to the admin UI and, if the cluster is not already online, click Bring Online.