To disable TLSv1.1, use the following steps.
NOTE: Always make a backup copy of the configuration file before you start editing.
Configuration steps for vSphere Replication Management Service - port 8043
- Log in to the vSphere Replication appliance using PuTTY.
- Open the file /opt/vmware/hms/conf/hms-configuration.xml in an editor and change the value of hms-ssl-enabled-protocols to TLSv1.2.
- Save the file.
- Restart the hms service:
service hms restart
Configuration steps for vSphere Replication service - port 8123
- Log in to the vSphere Replication Appliance and the vSphere Replication Server using PuTTY.
- Open the file /etc/vmware/hbrsrv.xml in an editor, locate the <vmacore><ssl> tag and add <sslOptions>386023424</sslOptions> inside it to disable TLSv1.1. The example below shows the tag structure with the value 117587968, which according to the table disables SSLv3 and TLSv1.0 only; use 386023424 to disable TLSv1.1 as well:
<vmacore>
  <ssl>
    <sslOptions>117587968</sslOptions>
  </ssl>
</vmacore>
- Save the file.
- Restart the hbrsrv service:
service hbrsrv restart
| SSL/TLS Protocols | Value |
|---|---|
| Disable SSLv3 + Disable TLSv1.0 | 117587968 |
| Disable SSLv3 + Disable TLSv1.0 + Disable TLSv1.1 | 386023424 |
| Re-enable all versions of TLS (1.0, 1.1 and 1.2) | 50479104 |
Configuration steps for VMware Virtual Appliance Management Interface (VAMI) - port 5480
- Go to /opt/vmware/etc/lighttpd/lighttpd.conf.
- Create a backup copy of the file.
- Open the file in an editor and search for ssl.use-tlsv11.
- To disable TLS 1.1, make sure that the ssl.use-sslv2, ssl.use-tlsv10 and ssl.use-tlsv11 properties all have the value "disable" and that ssl.use-tlsv12 has the value "enable".
Configuration steps for Site Recovery UI - port 443
Site Recovery UI runs in an Apache Tomcat server. To change the supported TLS version, perform the following steps on an HMS appliance:
- Open the Apache Tomcat configuration file with a text editor:
vi /var/opt/apache-tomcat/conf/server.xml
- Look for a 'Connector' tag that defines a Tomcat connector listening on address="::" and port="8443". It should also have an 'SSLHostConfig' tag as a child. For example, it should look like:
<Connector SSLEnabled="true" Secure="true" address="::" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig ciphers="!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES" protocols="TLSv1.2">
    <Certificate certificateKeystoreFile="lib/hms-keystore.jks" certificateKeystorePassword="H55MSDVcNUdsAwlP" type="RSA" />
  </SSLHostConfig>
</Connector>
In the SSLHostConfig XML tag, look for an attribute named 'protocols'; this is what defines the supported TLS versions. For example, 'TLSv1.1+TLSv1.2' means that TLS 1.1 and TLS 1.2 are both supported and can be used for connections. To only allow TLS 1.2, set the value to 'TLSv1.2'.
- After modifying the server.xml file, restart the Tomcat service:
service tomcat restart
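As an added check that is not part of the original article or of VMware's tooling, the following Python script audits copies of the three edited configuration files (hbrsrv.xml, lighttpd.conf and Tomcat's server.xml) against the values the steps above specify, so the result can be confirmed before the services are restarted. The sample inputs are constructed inline and the function and constant names are my own.

```python
"""Offline audit of the TLSv1.1 settings described in the article (added example)."""
import re
import xml.etree.ElementTree as ET

# sslOptions values from the article's table
SSL_OPTIONS = {
    117587968: "SSLv3 and TLSv1.0 disabled (TLSv1.1 still enabled)",
    386023424: "SSLv3, TLSv1.0 and TLSv1.1 disabled",
    50479104: "TLS 1.0, 1.1 and 1.2 all enabled",
}

def hbrsrv_tls11_disabled(xml_text: str) -> bool:
    """True only if <vmacore><ssl><sslOptions> carries the TLSv1.1-disabling value."""
    root = ET.fromstring(xml_text)
    node = root.find(".//ssl/sslOptions")
    if node is None or not node.text or not node.text.strip().isdigit():
        return False  # no explicit option: do not assume TLSv1.1 is off
    return int(node.text.strip()) == 386023424

def lighttpd_tls11_disabled(conf_text: str) -> bool:
    """ssl.use-sslv2/tlsv10/tlsv11 must be "disable" and ssl.use-tlsv12 "enable"."""
    settings = dict(re.findall(r'^\s*(ssl\.use-\S+)\s*=\s*"(\w+)"', conf_text, re.M))
    want = {"ssl.use-sslv2": "disable", "ssl.use-tlsv10": "disable",
            "ssl.use-tlsv11": "disable", "ssl.use-tlsv12": "enable"}
    return all(settings.get(key) == value for key, value in want.items())

def tomcat_tls12_only(server_xml: str) -> bool:
    """Every SSLHostConfig under the port-8443 Connector must list exactly TLSv1.2."""
    root = ET.fromstring(server_xml)
    cfgs = [cfg for conn in root.iter("Connector") if conn.get("port") == "8443"
            for cfg in conn.iter("SSLHostConfig")]
    if not cfgs:
        return False  # connector not found or no TLS host config
    # Tomcat accepts '+' or ',' separated protocol lists
    return all(set(re.split(r"[+,\s]+", cfg.get("protocols", "").strip())) == {"TLSv1.2"}
               for cfg in cfgs)

# Constructed sample inputs (not copied from a real appliance)
HBRSRV_BEFORE = "<vmacore><ssl><sslOptions>117587968</sslOptions></ssl></vmacore>"
HBRSRV_AFTER = "<vmacore><ssl><sslOptions>386023424</sslOptions></ssl></vmacore>"
LIGHTTPD_OK = ('ssl.use-sslv2 = "disable"\nssl.use-tlsv10 = "disable"\n'
               'ssl.use-tlsv11 = "disable"\nssl.use-tlsv12 = "enable"\n')
LIGHTTPD_BAD = LIGHTTPD_OK.replace('ssl.use-tlsv11 = "disable"', 'ssl.use-tlsv11 = "enable"')
SERVER_XML = """<Server><Service><Connector SSLEnabled="true" address="::" port="8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig protocols="{protocols}">
    <Certificate certificateKeystoreFile="lib/hms-keystore.jks" type="RSA"/>
  </SSLHostConfig>
</Connector></Service></Server>"""

if __name__ == "__main__":
    print("hbrsrv:", hbrsrv_tls11_disabled(HBRSRV_AFTER), SSL_OPTIONS[386023424])
    print("lighttpd:", lighttpd_tls11_disabled(LIGHTTPD_OK))
    print("tomcat:", tomcat_tls12_only(SERVER_XML.format(protocols="TLSv1.2")))
```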