Managing TLS protocol configuration for vSphere.
search cancel

Managing TLS protocol configuration for vSphere.

book

Article ID: 313841

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Starting with vSphere 6.5, the TLS protocol versions 1.0, 1.1, and 1.2 are enabled by default. The TLS protocols can be toggled and configured using the TLS Reconfiguration Utility. This article provides steps for modifying the supported TLS protocols using this utility and disabling TLSv1.0 within the vSphere environment. The utility will allow for an end-to-end disablement of TLSv1.0 across a vSphere environment. However, the vCenter Server, Platform Services Controller, vSphere Update Manager and ESXi hosts within the environment must be running the compatible software versions that allow for disablement. Additionally, ensure that other VMware products as well as third-party products are compatible with the use of only TLSv1.1 and TLSv1.2.

For a list of VMware products supported for TLSv1.0 disablement and the use of TLSv1.1/1.2, consult Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796).

Versions prior to vSphere 6.5 and 6.0 U3 are not currently supported in disabling TLSv1.0 or manipulating the other TLS communication protocols. However, by design, all versions of vSphere will attempt to communicate with the highest available version of the TLS protocol available between products. Consult the Status Knowledge Base article above for the availability of other versions of vSphere.

By using the TLS Reconfiguration Utility in the vSphere environment, you will be disabling TLSv1.0 across the following ports on the vCenter Server, Platform Services Controller and ESXi hosts. If a port is not included, it will not be handled through the utility.

vCenter Server and Platform Services Controller:

Service Service Name Port
Windows Appliance
VMware HTTP Reverse Proxy rhttpproxy vmware-rhttpproxy 443
VMware Directory Service VMWareDirectoryService vmdird 636
VMware Syslog Collector  vmsyslogcollector  rsyslogd 1514
VMware Appliance Management Interface  -- applmgmt  5480
VMware vSphere Auto Deploy Waiter vmware-autodeploy-waiter vmware-rbd-watchdog 6501
VMware vSphere Auto Deploy Waiter vmware-autodeploy-waiter vmware-rbd-watchdog 6502
VMware Secure Token Service VMwareSTS vmware-stsd 7444
VMware vSphere Authentication Proxy VMWareCAMService vmcam 7476
VMware vSphere Update Manager Service  vmware-ufad-vci  vmware-updatemgr 8084
VMware vSphere Update Manager Service  vmware-ufad-vci  vmware-updatemgr 9087
VMware vSphere Web Client vspherewebclientsvc vsphere-client 9443
VMware vSphere H5 Web Client vsphere-ui vsphere-ui 5443
VMware Directory Service VMWareDirectoryService vmdird 11712

 

ESXi

Service Service Name Port
VMware HTTP Reverse Proxy and Host Daemon Hostd 443
VMware vSAN VASA Vendor Provider vSANVP 8080
VMware Fault Domain Manager FDM 8182
VMware vSphere API for IO Filters ioFilterVPServer 9080

 

Notes and Caveats:

  • TLS is controlled by the cipher list for these services. Only TLSv1.2 or all TLSv1.x versions are supported; granular management is not possible.
  • Disablement of TLS protocols for vSphere Update Manager (Ports 8084, 9087) through the TLS Reconfiguration Utility is only supported on the vCenter Server Appliance. For more information on disabling TLS protocols on vSphere Update Manager on Windows, consult the below references -
  • Ensure that the legacy ESXi 6.0 and 5.x hosts managed by the vCenter Server support TLSv1.1 and TLSv1.2. Upon disabling TLSv1.0 on vCenter Server 6.5, legacy ESXi 5.x and 6.0 hosts that have not been upgraded to compatible versions that support TLSv1.1 and/or TLSv1.2 will no longer be able to be managed by vCenter Server.
  • Using a TLSv1.2-only connection to an external Microsoft SQL Server is supported in vSphere 6.5 Update 2 and vSphere 6.7. For more information, see Enforce an encrypted connection to a Microsoft SQL Server database.
  • Using a TLSv1.2-only connection to an external Oracle database is not currently supported.
  • Disablement of TLSv1.0 on vCenter Server and/or Platform Services Controller on Windows Server 2008 as the Host OS (Windows) supports only TLSv1.0. Newer versions of Windows Server support the disablement of TLSv1.0. For more information, consult the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
  • After applying TLS configuration changes to a Host directly or through cluster configuration via Host Profiles; the Host services need to be restarted for the changes to take effect.
  • If the vSphere Web Client port was modified from the default 9443 in vSphere 6.0 Update 3 and upgraded to vSphere 6.5 Update 1 or later TLSv1.1 and TLSv1.2 will be enabled on the custom port.
  • When using vCenter High Availability, destroy/disable the current configuration before running the TLS Configuration utility.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. The inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.

Environment

VMware vSphere ESXi 6.5
VMware vCenter Server 6.5
VMware vSphere ESXi 6.7
VMware vCenter Server 6.7
VMware vSphere ESXi 7.0
VMware vCenter Server 7.0
VMware vSphere ESXi 8.0
VMware vCenter Server 8.0

Resolution

For vSphere 6.7 see the Managing TLS Protocol Configuration with the TLS Configurator Utility section of the vSphere Security guide.

Disabling TLSv1.0 and enabling TLSv1.1 and/or TLSv1.2 will be a multi-phase process in a vSphere environment:

  1. Install the TLS Reconfigurator Utility on the vCenter Server and Platform Services Controller; if the Platform Services Controller is embedded on the vCenter Server, users only need to install the utility on vCenter Server.
  2. Disable vCenter Server's and vSphere Update Manager's use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2.
  3. The ESXi hosts managed by the vCenter Server will then be updated to disable the use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2 either by a per-host or per-cluster level modification.
  4. The Platform Services Controller would be updated to disable the use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2.
Note:-  The PSC in the embedded mode with vCenter is also included in the above step 1.
 

The TLS Reconfiguration Utility is delivered with two components to cover managing the TLS protocols for the vCenter Server, vSphere Update Manager and the Platform Services Controller with the VcTlsReconfigurator component and ESXi hosts and clusters with the EsxTlsReconfigurator component. These components are located in these directories:

For vCenter Server for Windows:
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\VcTlsReconfigurator
  • C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\EsxTlsReconfigurator
For vCenter Server Appliance:

For vCenter version 6.5 and version 6.7:
  • /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
  • /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

For vCenter version 7.0 and version 8.0:

  • /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator
  • /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator

Installing the TLS Reconfiguration Utility:

The TLS Reconfiguration Utility is not provided with the vCenter Server and vCenter Server Appliance and must be downloaded separately. Follow these steps on installing the TLS Reconfiguration Utility:
  1. Go to https://support.broadcom.com/ for vSphere.
  2. Using the Select Version drop-down menu, select your version of vSphere.
  3. Download the following depending on the use of Windows or Appliance in the environment.

    vSphere 6.5 and later

    For vCenter Server for Windows:
    VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.msi

    For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm

    For vSphere 6.5 Update 1 and later

    For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.msi
    For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
     
  4. Upload the file to the vCenter Server and/or Platform Services Controller:

    For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
    For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file.
  • For vCenter Server for Windows:
    1. On the Windows Server running vCenter Server, log in as an administrative user.
    2. Install the MSI file.
    3. Locate the MSI file, substituting the xxxxxxx for the appropriate build: VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.msi
  • For vCenter Server Appliance:
    1. Connect to the vCenter Server Appliance with an SSH session and root credentials.
    2. Run this command to enable the Bash shell:
shell
  1. In the Bash shell, locate the directory where the VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.rpm was uploaded.
  2. Run the below rpm command, substituting the xxxxxxx for the appropriate build:

    rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.rpm

Updating the TLS Reconfiguration Utility:

After upgrading from vSphere 6.5 to vSphere 6.5 Update 1 or later, you must update the TLS Reconfiguration Utility binaries on your vCenter Server. Follow the below steps to update.

  1. Go to customerconnect.vmware.com for vSphere.
  2. Using the Select Version drop-down menu, select your version of vSphere.
  3. Download the following depending on the use of Windows or Appliance in the environment.
For vSphere 6.5

For vCenter Server for Windows:
VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.msi

For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm

For vSphere 6.5 Update 1 and later

For vCenter Server for Windows:
VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.msi 

For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
  1. Upload the file to the vCenter Server and/or Platform Services Controller:


For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file.

  • For vCenter Server for Windows:
  1. On the Windows Server running vCenter Server, log in as an administrative user.
  2. Locate the MSI file containing the latest TLS Reconfiguration Utility.
  3. Install the MSI file.
  • For vCenter Server Appliance:
  1. Connect to the vCenter Server Appliance with an SSH session and root credentials.
  2. Run this command to enable the Bash shell:
shell
  1. ​In the Bash shell, locate the directory where the latest version of the TLS Reconfiguration Utility RPM was uploaded.
  2. Run the below rpm command, substituting the xxxxxxx for the appropriate build:

rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm

You should observe the following output:

root@vcenter [ /tmp ]# rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
Preparing...
Updating / installing...
1:VMware-vSphereTlsReconfigurator-6################################# [ 50%]
Cleaning up / removing...
2:VMware-vSphereTlsReconfigurator-6################################# [100%]

 

Disabling TLSv1.0 using the TLS Reconfiguration Utility:

This section covers; disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, disabling TLSv1.0 and TLSv1.1, and enabling only TLSv1.2 across vCenter Server, vSphere Update Manager, Platform Services Controller, and ESXi hosts. Disabling protocols must be done in this order:
  1. vSphere Update Manager
  2. vCenter Server
  3. ESXi hosts
  4. Platform Services Controller
Warning: Before proceeding, ensure all of these elements are running versions compatible with TLSv1.0 disablement.

Note:
For vCenter Server and Platform Services Controller for Windows
  1. Connect to the Windows Server.
  2. Open an administrative command prompt.
  3. Change the directory to the vSphereTlsReconfigurator using this command:

    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\
     
  4. Manually back up all of the configurations for all supported services on the vCenter Server and Platform Services Controller:

    Note: The TLS Reconfigurator Utility will perform a backup operation each time a modification against the vCenter Server, Platform Services Controller or vSphere Updater Manager has been executed. Use this process only if you need to create a backup to a specific user directory.
     
    1. Change the directory to the VcTlsReconfigurator using this command:

      cd VcTlsReconfigurator
       
    2. Execute this command to perform a backup:

      directory_path\VcTlsReconfigurator> reconfigureVc backup

      By default, this will output to this directory:

      c:\users\<current user>\appdata\local\temp\<year><month><day>T<time></time>

      To output to a specific directory, run this command

      directory_path\VcTlsReconfigurator> reconfigureVc backup -d <backup directory path>
       
    3. A successful backup will look like this:

      vCenter Transport Layer Security reconfigurator, version=6.5.0, build=4635484
      For more information refer to the following article: https://kb.vmware.com/kb/2147469
      Log file: "C:\ProgramData\VMware\vCenterServer\logs\vSphere-TlsReconfigurator\VcTlsReconfigurator.log".
      ================= Backing up vCenter Server TLS configuration ==================
      Using backup directory: c:\users\<username>\appdata\local\temp\20161108T161539
      Backing up: vspherewebclientsvc
      Backing up: vmware-autodeploy-waiter
      Backing up: rhttpproxy
      Backing up: VMwareSTS
      Backing up: vsphere-ui
      Backing up: VMWareDirectoryService
      Backing up: VMWareCAMService

       
  5. Update all of the configurations for all supported services on the vCenter Server. Once the chosen command has been run, the vCenter Server will require a reboot.

    Note: For products communicating to the vCenter Server which still require TLSv1.0 to be enabled, this will cease connectivity.
     
    1. Disable TLSv1.0 on the vCenter Server, and enable higher versions of TLSv1.x.
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2
         
    2. Repeat this on the remaining vCenter Server.
       
  6. Update the configuration for all supported services on the ESXi hosts managed by each of the vCenter Servers:
     
    1. Change the directory to the EsxTlsReconfigurator using this command:

      cd ..\EsxTlsReconfigurator
       
    2. Disable TLSv1.0 on the ESXi hosts, and enable higher versions of TLSv1.x. This can be done either on a per-host or per-cluster basis in addition to disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2 or disabling TLSv1.0 and enabling only TLSv1.2.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host inside of the vCenter Server, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an individual ESXi host inside of the vCenter Server, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
         
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an vCenter Server Host Cluster, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only and TLSv1.2 on an vCenter Server Host Cluster, execute this command to perform a reconfiguration:

        directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
         
    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.
       
    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.
Available in vSphere 6.5 Update 1: To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a standalone ESXi host, not in the vCenter Server inventory, execute this command to perform a reconfiguration:

Note: You must execute this from a vCenter Server

directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.1 TLSv1.2

Available in vSphere 6.5 Update 1 To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a standalone ESXi host, not in the vCenter Server inventory, execute this command to perform a reconfiguration:

Note: You must execute this from a vCenter Server

directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.2
  1. Update all of the configuration for all supported services on the Platform Services Controller:

    Note: If you have older 6.0.x or 5.5.x vCenter Servers are still connected to the Platform Services Controller, this step will cause the vCenter Servers to stop communicating to the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.
     
    1. Change the directory to the VcTlsReconfigurator using this command:

      cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
       
    2. Disable TLSv1.0 on the Platform Services Controller, and enable higher versions of TLSv1.x.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2
         
    3. Repeat this operation on the remaining Platform Services Controller in the vSphere domain.
Once completed, all vCenter Servers, the managed ESXi hosts, and the associated Platform Services Controllers will no longer be using TLSv1.0
 
 
For vCenter Server Appliance and Platform Services Controller Appliance:
  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell:

    shell
     
  3. In the Bash shell, change directories to this directory:

    cd /usr/lib/vmware-vSphereTlsReconfigurator/
     
  4. Manually backup all of the configurations for all supported services on the vCenter Server and Platform Services Controller:

    Note: The TLS Reconfigurator Utility will perform a backup operation each time it is executed. Use this process only if you need to create a backup to a specific user directory.
     
    1. Change the directory to VcTlsReconfigurator with this command:

      cd VcTlsReconfigurator
       
    2. Execute this command to perform a backup:

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup

      By default, this will output to this directory:

      /tmp/<year><month><day>T<time></time>

      In order to output to a specific directory, use this command

      directory_path/VcTlsReconfigurator> ./reconfigureVc backup -d <backup directory path>
       
  5. Update all of the configuration for all supported services on the vCenter Server and vSphere Update Manager. Once the chosen command has been run, the vCenter Server will require a reboot.

    Note: If you have products communicating to the vCenter Server that still require TLSv1.0 to be enabled, this will cease connectivity.
     
    1. Disable TLSv1.0 on the vCenter Server, and enable higher versions of TLSv1.x.
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
         
    2. Repeat this on the next vCenter Server as appropriate.
       
  6. Update all of the configurations for all supported services on the ESXi hosts. This can be done either on a per-host or per-cluster basis in addition to disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2 or disabling TLSv1.0 and enabling only TLSv1.2.
     
    1. Change the directory to the EsxTlsReconfigurator using this command:

      cd ../EsxTlsReconfigurator
       
    2. Disable TLSv1.0 on the ESXi hosts, and enable higher versions of TLSv1.x. This can be done either on a per-host or per-cluster basis in addition to disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2 or disabling TLSv1.0 and enabling only TLSv1.2.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi inside of the vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an individual ESXi inside of the vCenter Server, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
         
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:

        directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
         
    3. Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.
    4. Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.
       
  7. Update all of the configuration for all supported services on the Platform Services Controller:

    Note: If you have older vCenter Servers 6.0.x or 5.5.x still connected to the Platform Services Controller, this step will cause the vCenter Servers to stop communicating to the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.
     
    1. Change the directory to the VcTlsReconfigurator using this command:

      cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
       
    2. Disable TLSv1.0 on the Platform Services Controller, and enable higher versions of TLSv1.x.

      Note: If --protocol or -p is not included, this will default to TLSv1.2 only
       
      • To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2
         
      • To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:

        directory_path\VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
         
    3. Repeat this operation on the remaining Platform Services Controller in the vSphere domain.
Once completed, all vCenter Server Appliances, the managed ESXi hosts and the associated Platform Services Controller Appliances will no longer be using TLSv1.0

Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ

Performing a Recovery using the TLS Reconfiguration Utility:

This section covers; recovering from a previous settings change using the TLS Reconfiguration Utility and re-enabling previously used TLS protocols. This disables TLSv1.0 and TLSv1.1, and enables only TLSv1.2 across the vCenter Server, vSphere Update Manager, Platform Services Controller, and ESXi hosts. Disabling protocols must be done in this order:
  1. vSphere Update Manager
  2. vCenter Server
  3. Platform Services Controller
 
For vCenter Server and Platform Services Controller for Windows
  1. Connect to the Windows Server.
  2. Open an administrative command prompt.
  3. Change the directory to the vSphereTlsReconfigurator using this command:

    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
     
  4. Review the previous backups taken using the below commands:

    C:\ProgramData\VMware\vCenterServer\logs\vSphere-TlsReconfigurator\VcTlsReconfigurator.log

    Use the below output as an example:

    c:\users\<username>\appdata\local\temp\20161108T161539
    c:\users\<username>\appdata\local\temp\20161108T171539

     
  5. Manually run the below command to perform a restore:

    directory_path\VcTlsReconfigurator> reconfigureVc restore -d <Directory Path from Step 4>

    Use the below output as an example:

    directory_path\VcTlsReconfigurator> reconfigureVc restore -d c:\users\<username>\appdata\local\temp\20161108T171539

     
  6. Repeat this operation accordingly on the remaining vCenter Servers
  7. Repeat this operation accordingly on all Platform Services Controllers
 
For vCenter Server Appliance and Platform Services Controller Appliance:
  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell:

    shell
     
  3. In the Bash shell, change directories to this directory:

    cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator
     
  4. Review the previous backups taken using the below commands:

    grep "backup directory" /var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log

    Use the below output as an example:

    yyyy-mm-dd INFO Using backup directory: /tmp/20161117T172920
    yyyy-mm-dd INFO Using backup directory: /tmp/20161117T173259

     
  5. Manually run the below command to perform a restore:

    directory_path\VcTlsReconfigurator> reconfigureVc restore -d <Directory Path from Step 4>

    Use the below output as an example:

    directory_path\VcTlsReconfigurator> reconfigureVc restore -d /tmp/20161117T172920
     
  6. Repeat this operation accordingly on the remaining vCenter Server Appliances
  7. Repeat this operation accordingly on all Platform Services Controller Appliances

Scanning vCenter for enabled TLS protocols

For vCenter Server and Platform Services Controller for Windows
  1. Connect to the Windows Server.
  2. Open an administrative command prompt.
  3. Change directory to the vSphereTlsReconfigurator using this command:

    cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
     
  4. Run this command to output the TLS protocols on the endpoints:

    reconfigureVc scan

    For Example:

    reconfigureVc scan

    vCenter Transport Layer Security reconfigurator, version=6.5.0, build=4635484
    For more information refer to the following article: https://kb.vmware.com/kb/2147469
    Log file: "/var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log".
    ==================== Scanning vCenter Server TLS endpoints =====================
    +---------------------+-------------------+-------------------------+
    | Service Name | TLS Endpoint Port | TLS Version(s) |
    +---------------------+-------------------+-------------------------+
    | vmware-stsd | | NOT RUNNING |
    | vmcam | | NOT RUNNING |
    | vmware-rhttpproxy | 443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | rsyslog | 1514 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 636 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 11712 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-rbd-watchdog | | NOT RUNNING |
    | vmware-updatemgr | 8084 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-updatemgr | 9087 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-client | 9443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-ui | 5443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vami-lighttp | 5480 | TLSv1.0 TLSv1.1 TLSv1.2 |
    +---------------------+-------------------+-------------------------+
For vCenter Server Appliance and Platform Services Controller Appliance:
  1. Connect to the vCenter Server Appliance using an SSH session.
  2. Run this command to enable the Bash shell:

    shell
     
  3. In the Bash shell, change directories to this directory:

    cd /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator
     
  4. Run this command to output the TLS protocols on the endpoints:

    ./reconfigureVc scan

    For Example:

    ./reconfigureVc scan

    vCenter Transport Layer Security reconfigurator, version=6.5.0, build=4635484
    For more information refer to the following article: https://kb.vmware.com/kb/2147469
    Log file: "/var/log/vmware/vSphere-TlsReconfigurator/VcTlsReconfigurator.log".
    ==================== Scanning vCenter Server TLS endpoints =====================
    +---------------------+-------------------+-------------------------+
    | Service Name | TLS Endpoint Port | TLS Version(s) |
    +---------------------+-------------------+-------------------------+
    | vmware-stsd | | NOT RUNNING |
    | vmcam | | NOT RUNNING |
    | vmware-rhttpproxy | 443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | rsyslog | 1514 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 636 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmdird | 11712 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-rbd-watchdog | | NOT RUNNING |
    | vmware-updatemgr | 8084 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vmware-updatemgr | 9087 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-client | 9443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vsphere-ui | 5443 | TLSv1.0 TLSv1.1 TLSv1.2 |
    | vami-lighttp | 5480 | TLSv1.0 TLSv1.1 TLSv1.2 |
    +---------------------+-------------------+-------------------------+
For ESXi hosts:

From the vCenter Server/vCenter Server Appliance, execute the following from the command line.

Note: For Windows-installed vCenter Server the OpenSSL utility is located at C:\ProgramData\VMware\VMware Virtualcenter\SSL

To test TLSv1.0 Availability:

openssl s_client -connect ESXi_host.local:443 -tls1

To Test TLSv1.1 Availability:

openssl s_client -connect ESXi_host.local:443 -tls1_1

To test TLSv1.2 Availability:

openssl s_client -connect ESXi_host.local:443 -tls1_2

Depending on what protocols were manipulated on the ESXi hosts, you will see one of two responses:

On a successful response from the ESXi host, indicating that protocol is Disabled:

openssl s_client -connect ESXi_host.local:443 -tls1

CONNECTED(00000003)
140482545034904:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531202233
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

On a successful response from the ESXi host, indicating that protocol is Active:

openssl s_client -connect ESXi_host.local:443 -tls1_2

CONNECTED(00000003)
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = ESXi_host.local, OU = VMware
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware, CN = ESXi_host.local, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=VMware/OU=VMware/CN=ESXi_host.local/[email protected]
   i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=ESXi_host.local/OU=VMware
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEbTCCA1WgAwIBAgIJANff9zMGN32bMA0GCSqGSIb3DQEBCwUAMIGiMQswCQYD
...
SSmYDnrTWA6Qg7Yl1RrKc2OArJTIczewBoxOsgVic5Tv
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Palo Alto/O=VMware/OU=VMware/CN=ESXi_host.local/[email protected]
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=ESXi_host.local/OU=VMware
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1617 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: BDD2E34F930B785CD60EEAE67D7DFC06FE2FD30DB9D87CDFE6BF6778345D031FBF2BC4B33986DB79E328B1728B59B095
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531202247
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products
How to manage SSL and TLS Protocols for ESXi SFCB Daemon

Impact/Risks:
Some steps will require reboots of systems and disabling service versions. Please review the entire procedure before beginning.