For vSphere 6.7 see the Managing TLS Protocol Configuration with the TLS Configurator Utility section of the vSphere Security guide.
Disabling TLSv1.0 and enabling TLSv1.1 and/or TLSv1.2 is a multi-phase process in a vSphere environment:
- Install the TLS Reconfigurator Utility on the vCenter Server and Platform Services Controller; if the Platform Services Controller is embedded on the vCenter Server, users only need to install the utility on vCenter Server.
- Disable vCenter Server's and vSphere Update Manager's use of TLSv1.0 and enable the use of TLSv1.1 and/or TLSv1.2.
- The ESXi hosts managed by the vCenter Server are then updated to disable TLSv1.0 and enable TLSv1.1 and/or TLSv1.2, either per host or per cluster.
- The Platform Services Controller is updated to disable TLSv1.0 and enable TLSv1.1 and/or TLSv1.2.
Note: A Platform Services Controller embedded with vCenter Server is also covered by step 1 above.
The TLS Reconfiguration Utility is delivered as two components: VcTlsReconfigurator manages the TLS protocols for vCenter Server, vSphere Update Manager and the Platform Services Controller, and EsxTlsReconfigurator manages ESXi hosts and clusters. These components are located in these directories:
For vCenter Server for Windows:
- C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\VcTlsReconfigurator
- C:\Program Files\VMware\CIS\vSphereTLSReconfigurator\EsxTlsReconfigurator
For vCenter Server Appliance:
For vCenter version 6.5 and version 6.7:
- /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
- /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator
For vCenter version 7.0 and version 8.0:
- /usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator
- /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator
Installing the TLS Reconfiguration Utility:
The TLS Reconfiguration Utility is not included with vCenter Server or the vCenter Server Appliance and must be downloaded separately. Follow these steps to install the TLS Reconfiguration Utility:
- Go to https://support.broadcom.com/ for vSphere.
- Using the Select Version drop-down menu, select your version of vSphere.
- Download the file that matches the platform in use (Windows or Appliance):
For vSphere 6.5
For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.msi
For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm
For vSphere 6.5 Update 1 and later
For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.msi
For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
- Upload the file to the vCenter Server and/or Platform Services Controller:
For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file.
- For vCenter Server for Windows:
- On the Windows Server running vCenter Server, log in as an administrative user.
- Locate the MSI file, substituting the xxxxxxx for the appropriate build: VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.msi
- Install the MSI file.
- For vCenter Server Appliance:
- Connect to the vCenter Server Appliance with an SSH session and root credentials.
- Run this command to enable the Bash shell:
shell
- In the Bash shell, locate the directory where the VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.rpm was uploaded.
- Run this rpm command, substituting the xxxxxxx for the appropriate build:
rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-xxxxxxx.x86_64.rpm
Updating the TLS Reconfiguration Utility:
After upgrading from vSphere 6.5 to vSphere 6.5 Update 1 or later, you must update the TLS Reconfiguration Utility binaries on your vCenter Server. Follow these steps to update it.
- Go to customerconnect.vmware.com for vSphere.
- Using the Select Version drop-down menu, select your version of vSphere.
- Download the file that matches the platform in use (Windows or Appliance):
For vSphere 6.5
For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.msi
For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm
For vSphere 6.5 Update 1 and later
For vCenter Server for Windows: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.msi
For vCenter Server Appliance: VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
- Upload the file to the vCenter Server and/or Platform Services Controller:
For the vCenter Server Appliance and Platform Services Controller Appliance, use an SCP client to upload the file.
For Windows vCenter Server or Windows Platform Services Controller, copy the appropriate file.
- For vCenter Server for Windows:
- On the Windows Server running vCenter Server, log in as an administrative user.
- Locate the MSI file containing the latest TLS Reconfiguration Utility.
- Install the MSI file.
- For vCenter Server Appliance:
- Connect to the vCenter Server Appliance with an SSH session and root credentials.
- Run this command to enable the Bash shell:
shell
- In the Bash shell, locate the directory where the latest version of the TLS Reconfiguration Utility RPM was uploaded.
- Run this rpm command (the build number shown is the 6.5 Update 1 release; substitute the build of the RPM you downloaded if it differs):
rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
You should observe the following output:
root@vcenter [ /tmp ]# rpm -Uvh VMware-vSphereTlsReconfigurator-6.5.0-5597882.x86_64.rpm
Preparing...
Updating / installing...
1:VMware-vSphereTlsReconfigurator-6################################# [ 50%]
Cleaning up / removing...
2:VMware-vSphereTlsReconfigurator-6################################# [100%]
Disabling TLSv1.0 using the TLS Reconfiguration Utility:
This section covers disabling TLSv1.0 and enabling TLSv1.1 and TLSv1.2, or disabling TLSv1.0 and TLSv1.1 and enabling only TLSv1.2, across vCenter Server, vSphere Update Manager, Platform Services Controller and ESXi hosts. Protocols must be disabled in this order:
- vSphere Update Manager
- vCenter Server
- ESXi hosts
- Platform Services Controller
Warning: Before proceeding, ensure all of these elements are running versions compatible with TLSv1.0 disablement.
For vCenter Server and Platform Services Controller for Windows
- Connect to the Windows Server.
- Open an administrative command prompt.
- Change the directory to the vSphereTlsReconfigurator using this command:
cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\
- Manually back up all of the configurations for all supported services on the vCenter Server and Platform Services Controller:
Note: The TLS Reconfigurator Utility performs a backup each time a modification against the vCenter Server, Platform Services Controller or vSphere Update Manager is executed. Use this process only if you need to create a backup in a specific user directory.
- Change the directory to the VcTlsReconfigurator using this command:
cd VcTlsReconfigurator
- Execute this command to perform a backup:
directory_path\VcTlsReconfigurator> reconfigureVc backup
By default, this will output to this directory:
c:\users\<current user>\appdata\local\temp\<year><month><day>T<time>
To output to a specific directory, run this command:
directory_path\VcTlsReconfigurator> reconfigureVc backup -d <backup directory path>
- A successful backup will look like this:
vCenter Transport Layer Security reconfigurator, version=6.5.0, build=4635484
For more information refer to the following article: https://kb.vmware.com/kb/2147469
Log file: "C:\ProgramData\VMware\vCenterServer\logs\vSphere-TlsReconfigurator\VcTlsReconfigurator.log".
================= Backing up vCenter Server TLS configuration ==================
Using backup directory: c:\users\<username>\appdata\local\temp\20161108T161539
Backing up: vspherewebclientsvc
Backing up: vmware-autodeploy-waiter
Backing up: rhttpproxy
Backing up: VMwareSTS
Backing up: vsphere-ui
Backing up: VMWareDirectoryService
Backing up: VMWareCAMService
- Update all of the configurations for all supported services on the vCenter Server. Once the chosen command has been run, the vCenter Server will require a reboot.
Note: Any product that communicates with the vCenter Server and still requires TLSv1.0 will lose connectivity.
- Disable TLSv1.0 on the vCenter Server, and enable higher versions of TLSv1.x.
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:
directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:
directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2
- Repeat this on each remaining vCenter Server.
- Update the configuration for all supported services on the ESXi hosts managed by each of the vCenter Servers:
- Change the directory to the EsxTlsReconfigurator using this command:
cd ..\EsxTlsReconfigurator
- Disable TLSv1.0 on the ESXi hosts, and enable higher versions of TLSv1.x. This can be done per host or per cluster, and either to enable TLSv1.1 and TLSv1.2 or to enable only TLSv1.2.
Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host inside of the vCenter Server, execute this command to perform a reconfiguration:
directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an individual ESXi host inside of the vCenter Server, execute this command to perform a reconfiguration:
directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a vCenter Server host cluster, execute this command to perform a reconfiguration:
directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a vCenter Server host cluster, execute this command to perform a reconfiguration:
directory_path\EsxTlsReconfigurator> reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
- Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.
- Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.
Available in vSphere 6.5 Update 1: To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on a standalone ESXi host, not in the vCenter Server inventory, execute this command to perform a reconfiguration:
Note: You must execute this from a vCenter Server
directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.1 TLSv1.2
Available in vSphere 6.5 Update 1: To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on a standalone ESXi host, not in the vCenter Server inventory, execute this command to perform a reconfiguration:
Note: You must execute this from a vCenter Server
directory_path\EsxTlsReconfigurator> reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.2
- Update all of the configuration for all supported services on the Platform Services Controller:
Note: If older 6.0.x or 5.5.x vCenter Servers are still connected to the Platform Services Controller, this step will cause those vCenter Servers to stop communicating with the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.
- Change the directory to the VcTlsReconfigurator using this command:
cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator
- Disable TLSv1.0 on the Platform Services Controller, and enable higher versions of TLSv1.x.
Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:
directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:
directory_path\VcTlsReconfigurator> reconfigureVc update -p TLSv1.2
- Repeat this operation on the remaining Platform Services Controller in the vSphere domain.
Once completed, all vCenter Servers, the managed ESXi hosts, and the associated Platform Services Controllers will no longer be using TLSv1.0.
For vCenter Server Appliance and Platform Services Controller Appliance:
- Connect to the vCenter Server Appliance using an SSH session.
- Run this command to enable the Bash shell:
shell
- In the Bash shell, change directories to this directory:
cd /usr/lib/vmware-vSphereTlsReconfigurator/
- Manually back up all of the configurations for all supported services on the vCenter Server and Platform Services Controller:
Note: The TLS Reconfigurator Utility performs a backup each time it is executed. Use this process only if you need to create a backup in a specific user directory.
- Change the directory to VcTlsReconfigurator with this command:
cd VcTlsReconfigurator
- Execute this command to perform a backup:
directory_path/VcTlsReconfigurator> ./reconfigureVc backup
By default, this will output to this directory:
/tmp/<year><month><day>T<time>
To output to a specific directory, use this command:
directory_path/VcTlsReconfigurator> ./reconfigureVc backup -d <backup directory path>
- Update all of the configuration for all supported services on the vCenter Server and vSphere Update Manager. Once the chosen command has been run, the vCenter Server will require a reboot.
Note: Any product that communicates with the vCenter Server and still requires TLSv1.0 will lose connectivity.
- Disable TLSv1.0 on the vCenter Server, and enable higher versions of TLSv1.x.
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:
directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:
directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
- Repeat this on the next vCenter Server as appropriate.
- Update all of the configurations for all supported services on the ESXi hosts:
- Change the directory to the EsxTlsReconfigurator using this command:
cd ../EsxTlsReconfigurator
- Disable TLSv1.0 on the ESXi hosts, and enable higher versions of TLSv1.x. This can be done per host or per cluster, and either to enable TLSv1.1 and TLSv1.2 or to enable only TLSv1.2.
Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an individual ESXi host inside of the vCenter Server, execute this command to perform a reconfiguration:
directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an individual ESXi host inside of the vCenter Server, execute this command to perform a reconfiguration:
directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:
directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2 on an ESXi Cluster, execute this command to perform a reconfiguration:
directory_path/EsxTlsReconfigurator> ./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
- Once completed, the hosts will be flagged for reboot. Reboot the ESXi hosts in order to complete the TLS protocol changes.
- Repeat this on the next cluster or ESXi host within the managing vCenter Server as appropriate.
- Update all of the configuration for all supported services on the Platform Services Controller:
Note: If older 6.0.x or 5.5.x vCenter Servers are still connected to the Platform Services Controller, this step will cause those vCenter Servers to stop communicating with the PSC. Only proceed with this step after confirming that all vCenter Servers are running a compatible version.
- Change the directory to the VcTlsReconfigurator using this command:
cd /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator
- Disable TLSv1.0 on the Platform Services Controller, and enable higher versions of TLSv1.x.
Note: If --protocol or -p is not included, this defaults to TLSv1.2 only.
- To disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2, execute this command to perform a reconfiguration:
directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.1 TLSv1.2
- To disable TLSv1.0 and TLSv1.1, and enable only TLSv1.2, execute this command to perform a reconfiguration:
directory_path/VcTlsReconfigurator> ./reconfigureVc update -p TLSv1.2
- Repeat this operation on the remaining Platform Services Controller in the vSphere domain.
Once completed, all vCenter Server Appliances, the managed ESXi hosts and the associated Platform Services Controller Appliances will no longer be using TLSv1.0.
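Neither the Windows nor the Appliance procedure above includes a step that confirms the reconfiguration took effect after the reboots. The following helper is an added example, not part of the TLS Reconfigurator Utility or of this article: it probes an endpoint (vCenter Server, Platform Services Controller or ESXi host on port 443) once per TLS version with openssl s_client and reports which handshakes the service still accepts. It assumes openssl(1) is on PATH (the vCenter Server Appliance ships it; for the Windows case run it from any workstation with OpenSSL installed), and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added verification helper (not VMware's code). Probes which TLS protocol
# versions an endpoint still accepts after running reconfigureVc / reconfigureEsx.
# Assumes: openssl(1) on PATH; network reachability to the endpoint on port 443.

# classify_handshake OUTPUT
# Reads the text one `openssl s_client` run printed and prints "accepted" when a
# cipher was negotiated, "rejected" otherwise. A refused protocol version still
# produces a session block, so the reliable signal is the "New, ... Cipher is ..."
# line: "Cipher is (NONE)" means the server refused that version.
classify_handshake() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$1" | grep -q '^New, .*Cipher is '; then
        echo accepted
    else
        # No session block at all: connection refused, name resolution failure,
        # or an OpenSSL build that no longer knows the option (some builds drop
        # -tls1). Treat as "not accepted" but read the raw output if in doubt.
        echo rejected
    fi
}

# probe_protocol HOST PORT FLAG
# FLAG is one of the s_client version selectors: -tls1, -tls1_1, -tls1_2.
# stdin comes from /dev/null so s_client exits right after the handshake.
probe_protocol() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    classify_handshake "$out"
}

# check_endpoint HOST [PORT]
# Prints one line per protocol version: HOST FLAG accepted|rejected.
# Expected after `update -p TLSv1.2`: -tls1 and -tls1_1 rejected, -tls1_2 accepted.
# Expected after `update -p TLSv1.1 TLSv1.2`: only -tls1 rejected.
check_endpoint() {
    host=$1
    port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%s %s %s\n' "$host" "$flag" "$(probe_protocol "$host" "$port" "$flag")"
    done
}

# Usage (placeholder host name; substitute your vCenter Server, PSC or ESXi host):
# check_endpoint vcenter.example.invalid
```

Run check_endpoint against each vCenter Server, Platform Services Controller and ESXi host after its reboot, and treat any "accepted" result for -tls1 (or for -tls1_1 when you chose TLSv1.2 only) as a sign that the service was not reconfigured or has not yet restarted.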