Remove SSL Cipher 3DES for Auto Deploy on Port 6501 and 6502

Article ID: 316454

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Ports 6501 and 6502 are used by the Auto Deploy service within vCenter; both ports are required to be opened.


When using Tenable or another third-party vulnerability scanner, results may include a warning on ports 6501 and 6502.

Environment

VMware vCenter Server

Resolution

At this time, VMware does not consider these as vulnerabilities.

Workaround:
To remove the Triple Data Encryption Algorithm (Triple DES, also known as 3DES) cipher from the Auto Deploy service, perform the following workaround steps.

Note: Before making any changes on the vCenter, take powered-off snapshots of all vCenters in the Enhanced Linked Mode (ELM) environment.
  1. SSH into the affected vCenter.
  2. Back up the following file:
       cp /etc/vmware-rbd/httpd/conf.d/vhosts-common-opts ~/vhosts-common-opts_BACKUP
  3. Edit the vhosts-common-opts file:
       vi /etc/vmware-rbd/httpd/conf.d/vhosts-common-opts
  4. Add :!3DES to the end of the following line:
       SSLCipherSuite ${SSL_CIPHER_SUITE}

     Example: the line should look like below.
       SSLCipherSuite ${SSL_CIPHER_SUITE}:!3DES
  5. Save the file:
       :wq!
  6. If the Auto Deploy service is running, restart the Auto Deploy service:
       service-control --restart vmware-rbd-watchdog
  7. Perform a vulnerability scan and confirm the 3DES cipher is no longer present.
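
The backup and SSLCipherSuite edit above, written as a repeatable shell function. This is an added example, not VMware tooling: the function names are made up here, and the demo runs against a constructed sample file in a temporary directory rather than the real path.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not VMware tooling).
DIRECTIVE='^[[:space:]]*SSLCipherSuite[[:space:]]'

# True only if the file has an active SSLCipherSuite directive and every
# one of them already carries the !3DES exclusion.
all_exclude_3des() {
    grep -Eq "$DIRECTIVE" "$1" || return 1
    ! grep -E "$DIRECTIVE" "$1" | grep -qv '!3DES'
}

# disable_3des CONF BACKUP: back up CONF, then append :!3DES to each active
# SSLCipherSuite line that lacks it. A second run changes nothing and leaves
# the first backup untouched.
disable_3des() {
    conf=$1 backup=$2
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    if all_exclude_3des "$conf"; then
        echo "unchanged: $conf"
        return 0
    fi
    grep -Eq "$DIRECTIVE" "$conf" ||
        { echo "no SSLCipherSuite directive in $conf" >&2; return 2; }
    cp -p "$conf" "$backup" || return 2
    tmp=$(mktemp) || return 2
    # Commented-out directives do not match; trailing blanks are replaced.
    # Writing back with cat keeps the file's owner and mode.
    sed '/^[[:space:]]*SSLCipherSuite[[:space:]]/{
/!3DES/!s/[[:space:]]*$/:!3DES/
}' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && all_exclude_3des "$conf" || return 2
    echo "patched: $conf (backup: $backup)"
}

# Demo on a constructed sample, not the real vhosts-common-opts contents.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'SSLCipherSuite ${SSL_CIPHER_SUITE}' > "$d/vhosts-common-opts"
    disable_3des "$d/vhosts-common-opts" "$d/vhosts-common-opts_BACKUP"
    disable_3des "$d/vhosts-common-opts" "$d/vhosts-common-opts_BACKUP"
    grep SSLCipherSuite "$d/vhosts-common-opts"
    rm -rf "$d"
}
demo
```

On the appliance the call would be disable_3des /etc/vmware-rbd/httpd/conf.d/vhosts-common-opts ~/vhosts-common-opts_BACKUP, followed by the service restart and the scan from the steps above.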


Additional Information

To discover what ports are needed by VMware products and solutions, use VMware Ports and Protocol - https://ports.esp.vmware.com/