How to disable TLS v1.0 and v1.1 in vRealize Log Insight
search cancel

How to disable TLS v1.0 and v1.1 in vRealize Log Insight

book

Article ID: 312960

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

VMware vRealize Log Insight 3.6 and higher support inbound connections secured with TLS v1.0, v1.1 and v1.2.
TLS v1.0 and v1.1 has known security concerns.

This article provides steps to disable support for TLS v1.0 and/or v1.1 on the Log Insight server.

Some clients, such as web browsers and syslog sources, may be actively communicating with TLS v1.0 or v1.1. Verify all clients can successfully negotiate TLS v1.1 or v1.2 before disabling support for TLS v1.0 and/or v1.1 in Log Insight.


Resolution

To disable TLS v1.0 and v1.1 support in vRealize Log Insight, modify the java.security configuration file on each node and restart the loginsight server.
  1. Open a console or SSH connection to each vRealize Log Insight cluster node and login as root.
  2. Open the /usr/java/default/lib/security/java.security file using a text editor.
  3. Locate the jdk.tls.disabledAlgorithms list. By default it will appear similar to: 
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048, \
   EC keySize < 224, RSA keySize < 512, DES, DESede 
  1. Modify the jdk.tls.disabledAlgorithms list to include TLSv1 and TLSv1.1.
Example: jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, RSA keySize < 512, DES, DESede, 3DES_EDE_CBC, TLSv1, TLSv1.1
  1. Save and close the file.
  2. Restart the loginsight service by running the following command:
service loginsight restart
  1. Repeat steps 1-6 on all other nodes in the Log Insight cluster.


Additional Information

To verify that TLS v1.0 and/or TLS v1.1 are disabled on ports 443, 6514 and 9543, use the following command to list the supported SSL ciphers:

nmap <log_insight_ip_address> -p 443 --script ssl-enum-ciphers

Example: If you run the command against a vRealize Log Insight node with TLS 1.0 and TLS 1.1 disabled, you will get an output similar to:

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|     compressors:
|       NULL
|_  least strength: strong


Impact/Risks:
Upgrades from Log Insight 4.0 to any higher release will fail with TLS v1.0 disabled if the pre-upgrade validation script cannot establish a connection to other cluster members. In this situation, you may observe one of these errors:

  • Pre-upgrade validation was not OK
  • Log Insight deployment did not pass pre-upgrade validation
  • SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

To upgrade successfully, disable pre-upgrade verification temporarily. Use the web-browser method in Changing internal configuration options in VMware vRealize Log Insight (341917) to set an advanced configuration option <upgrade-prevalidation-enabled value="false" /> inside the <upgrade> section.

<config>
  ...
  <upgrade>
    <upgrade-status-update-retry-count value="3"/>
    <upgrade-prevalidation-enabled value="false"/>
  </upgrade>
  ...
</config>


After successfully upgrading to Log Insight 4.8, set this option back to default value (true).

vSphere 6.0 and higher have TLS 1.2 support.
Older versions of vSphere will fail to integrate with vRealize Log Insight when TLS 1.0 and 1.1 are disabled.

vRealize Operations Manager 6.6 and higher have TLS 1.2 support.
Older versions of vRealize Operations Manager will fail to enable the Launch in Context feature when TLS 1.0 and TLS 1.1 are disabled.