Support for SSLv3 protocol is disabled by default
Note: In your vSphere environment, you need to update vCenter Server to vCenter Server 5.5 Update 3e before updating ESXi to ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016. vCenter Server will not be able to manage ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 if you update ESXi before updating vCenter Server to version 5.5 Update 3e. For more information about the sequence in which vSphere environments need to be updated, refer to KB 2057795.
VMware highly recommends updating ESXi hosts to ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 while managing them from vCenter Server 5.5 Update 3e.
VMware does not recommend re-enabling SSLv3 because of the POODLE vulnerability. If you must enable SSLv3, you need to enable the SSLv3 protocol for all components. For more information, refer to KB 2139396.
vCenter Server will not be able to manage ESXi 5.5 Update 3b hosts if you update the ESXi hosts before updating vCenter Server to version 5.5 Update 3b. VMware best practice is to upgrade vCenter Server before upgrading the managed ESXi hosts. For more information, see After upgrading an ESXi 5.5 host to Update 3b and later, the host is no longer manageable by vCenter Server (2140304).
For more information on the order in which to upgrade your vSphere environment, see Update sequence for VMware vSphere 5.5 and its compatible VMware products (2057795).
For more information about the SSLv3 disablement, refer to the VMware ESXi 5.5 Update 3b Release Notes and VMware vCenter Server 5.5 Update 3b Release Notes.
vSphere ESXi550-201607001 Patch / vCenter Server 5.5 Update 3e Ports and Services
Note: Always take a backup copy of a configuration file before editing it in the steps that follow.
Service | Port
--- | ---
Hostd | 443
Authd | 902
SFCBD | 5989
vSAN VP | 8080
vSAN Observer | 8010
VMware Directory Service (vmdir) | 11712
Security Token Service (SSO) | 7444
Virtual Appliance Management Interface (VAMI) | 5480
Authentication proxy service (CAM) | 51915
Syslog Collector (vmsyslogcollector) | 1514
VMware vSphere Web Client Service (vspherewebclientsvc) | 9443
VirtualCenter Server service (vpxd) | 443
vCenter Inventory Service database (invsvc) | 10109
vCenter Inventory Service HTTPS | 10443
VMware VirtualCenter Management Webservices | 8443
PBM | 8191
SPS | 21100 (VCSA),
SMS | 22100 (VCSA), 32100 (Windows)
Auto Deploy service | 6501
Update Manager | 9087/8084
FDM | 8182
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Hostd service for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
SSLv3 is disabled by default; run the following command to enable it:
esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols -s ""
Run the following command to confirm the configuration changes:
# esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols
Path: /UserVars/ESXiRhttpproxyDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
Description: Rhttpproxy disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Run the following command to restart the service for configuration to take effect:
/etc/init.d/rhttpproxy restart
Hostd configuration changes can also be captured by a host profile:
a. Log in to vCenter Server with a web browser.
b. Right-click the target host and choose Extract Host Profile to create a new host profile.
c. Once the host profile is created, choose Home --> Host Profiles --> your host profile to edit it.
d. On the Edit Host Profiles tab, the Hostd entry is under [Advanced Configuration Settings] --> [Advanced Options] --> [Advanced Configuration Options] --> userVars.ESXiRhttpproxyDisabledProtocols.
e. Applying the Hostd setting from a host profile works like any other setting: if it is included in the profile, the difference between the profile and the target host is displayed and replaced when you apply the profile to that host.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Hostd service for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
Run the following command to disable SSLv3:
esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols -s "sslv3"
Run the following command to confirm the configuration changes:
# esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols
Path: /UserVars/ESXiRhttpproxyDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value: sslv3
Valid Characters: *
Description: Rhttpproxy disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Restart the rhttpproxy service.
Hostd configuration changes can also be captured by a host profile:
a. Log in to vCenter Server with a web browser.
b. Right-click the target host and choose Extract Host Profile to create a new host profile.
c. Once the host profile is created, choose Home --> Host Profiles --> your host profile to edit it.
d. On the Edit Host Profiles tab, the Hostd entry is under [Advanced Configuration Settings] --> [Advanced Options] --> [Advanced Configuration Options] --> userVars.ESXiRhttpproxyDisabledProtocols.
e. Applying the Hostd setting from a host profile works like any other setting: if it is included in the profile, the difference between the profile and the target host is displayed and replaced when you apply the profile to that host.
If unexpected behavior is observed, restore the backup of the rhttpproxy configuration file and restart the rhttpproxy service to revert the system to its earlier, clean state.
To enable SSLv3 protocol on Authd for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
Run the following command to enable SSLv3:
# esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""
Run the following command to check configuration changes:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Authd for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
Run the following command to disable SSLv3:
# esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "sslv3"
Run the following command to check configuration changes:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Enabling SSLv3 Protocol
To enable SSLv3 protocol on SFCBD for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
Open the configuration file with the following command and set the enableSSLv3 line as shown:
vi /etc/sfcb/sfcb.cfg
enableSSLv3: true
Save the file.
Restart the service for the change to take effect:
/etc/init.d/sfcbd-watchdog restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on SFCBD for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
Open the configuration file with the following command and set the enableSSLv3 line as shown:
vi /etc/sfcb/sfcb.cfg
enableSSLv3: false
Save the file.
Restart the service for the change to take effect:
/etc/init.d/sfcbd-watchdog restart
Configuration for CIM can also be captured by a host profile:
Log in to vCenter Server with the vSphere Client (C#).
Right-click the target host and click Extract Host Profile to create a new host profile.
Choose Home > Host Profiles > your host profile to edit it.
On the Edit Host Profiles tab, find the enable SSLv3 entry under SFCB Configuration > Settings.
Apply the host profile to stateful or stateless systems.
Restart the service for the change to take effect:
/etc/init.d/sfcbd-watchdog restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on vSAN VP for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
Run the following command to enable SSLv3:
# esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s ""
Run the following command to check the configuration changes:
esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols
Path: /UserVars/ESXiVPsDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Restart the vsanvp daemon for the change to take effect:
~# /etc/init.d/vsanvpd restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on vSAN VP for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Log in to ESXi using putty.exe.
Run the following command to disable SSLv3:
esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3"
Run the following command to check the configuration changes:
esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols
Path: /UserVars/ESXiVPsDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value: sslv3
Valid Characters: *
Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Restart the vsanvp daemon for the change to take effect:
~# /etc/init.d/vsanvpd restart
The enabled and disabled SSL/TLS protocols can be verified with sslscan or TestSSLServer against port 8080 of the ESXi host.
Note: Configurations can also be captured by Host Profile.
Enabling SSLv3 Protocol
To enable SSLv3 protocol on vSAN Observer for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Deploy a vSAN cluster. Log in to vCenter Server as root and log in to RVC with rvc localhost. On a Windows vCenter Server, log in to RVC with rvc.bat localhost.
Command usage: vsan.observer protocols
-s, --ssl-protocols=<s>
Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on vSAN Observer for ESXi 5.5 Patch [ESXi550-201608001] released on 08/04/2016 follow these steps:
Deploy a vSAN cluster. Log in to vCenter Server as root and log in to RVC with rvc localhost. On a Windows vCenter Server, log in to RVC with rvc.bat localhost.
Command usage: vsan.observer protocols
-s, --ssl-protocols=<s>
Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.
Run the following command in RVC, passing the protocols to allow in the -s list (the example lists sslv3,tlsv1_2):
vsan.observer -r -o -s sslv3,tlsv1_2 computers/VSAN-Cluster/
VMware Directory Service (vmdir) - Port 11712
Supports only TLSv1.
Security Token Service (sts) - Port 7444
Default Support:
Install: TLS protocols are enabled and SSLv3 disabled.
Upgrade: All protocols are enabled including SSLv3.
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3e follow these steps:
Open the server.xml file for vCenter Single Sign-On.
Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml
Create a backup copy of the file.
Search for this line:
<Connector SSLEnabled="true"
Append the following to that line:
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Save the file.
Restart the VMware Security Token Service.
To enable SSLv3 along with TLSv1, 1.1 and 1.2, find the following line in the server.xml file:
<Connector SSLEnabled="true"
Edit the line to add SSLv3 to the sslEnabledProtocols list as shown here:
sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
Restart the VMware Security Token Service by running these commands:
service vmware-stsd restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3e follow these steps:
Open the server.xml file for vCenter Single Sign-On.
Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml
Create a backup copy of the file.
Search for the following line:
<Connector SSLEnabled="true"
Edit the line to remove SSLv3 from the sslEnabledProtocols list. Before the change it reads:
sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
After the change: <Connector SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Restart the VMware Security Token Service by running these commands:
service vmware-stsd restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on VAMI Webservices for vCenter Server 5.5 Update 3e follow these steps:
Open /opt/vmware/etc/lighttpd/lighttpd.conf.
Create a backup copy of the file.
Search for this line:
ssl.use-sslv3="disable"
Modify the line to:
ssl.use-sslv3="enable"
Save the file.
Restart the VAMI Service with the following command:
service vami-lighttp restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on VAMI for vCenter Server 5.5 Update 3e follow these steps:
Open /opt/vmware/etc/lighttpd/lighttpd.conf.
Create a backup copy of the file.
Search for this line:
ssl.use-sslv3="enable"
Modify the line to:
ssl.use-sslv3="disable"
Save the file.
Restart the VAMI Service with the following command:
service vami-lighttp restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Authentication proxy service Webservices for vCenter Server 5.5 Update 3e follow these steps:
Run the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.
Navigate to this location in the Registry Editor window:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
In the navigation tree, right-click Protocols and select New > Key.
Enter SSL3.0 as the key name.
Repeat the New > Key step under SSL3.0 to create two subkeys, named Server and Client.
Right-click the Client key and select New > DWORD (32-bit) Value.
Enter DisabledByDefault as the value name.
Double-click DisabledByDefault and enter 0 as the data value.
Click OK.
Right-click the Server key and select New > DWORD (32-bit) Value.
Enter Enabled as the value name.
Double-click Enabled and enter 1 as the data value.
Click OK.
Restart the server.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Authentication proxy service for vCenter Server 5.5 Update 3e follow these steps:
Run the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.
Navigate to this location in the Registry Editor window:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
In the navigation tree, right-click Protocols and select New > Key.
Enter SSL3.0 as the key name.
Repeat the New > Key step under SSL3.0 to create two subkeys, named Server and Client.
Right-click the Client key and select New > DWORD (32-bit) Value.
Enter DisabledByDefault as the value name.
Double-click DisabledByDefault and enter 0 as the data value.
Click OK.
Right-click the Server key and select New > DWORD (32-bit) Value.
Enter Enabled as the value name.
Double-click Enabled and enter 1 as the data value.
Click OK.
Restart the server.
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3e follow these steps:
Create a backup copy of the configuration file.
For Windows, edit the file to add the <enableSSLv3></enableSSLv3> node as shown here:
<ssl>
<defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
<privateKey>vmsyslogcollector.key</privateKey>
<certificate>vmsyslogcollector.crt</certificate>
<enableSSLv3></enableSSLv3>
</ssl>
For VCSA, remove options=NO_SSLv3 from the configuration file.
Save the file.
Restart the vmsyslogcollector service:
service syslog-collector restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3e follow these steps:
Access the configuration file from the following locations:
Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf
Create a backup copy of the file.
For Windows, edit the file to remove the <enableSSLv3></enableSSLv3> node, so that the section reads:
<ssl>
<defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
<privateKey>vmsyslogcollector.key</privateKey>
<certificate>vmsyslogcollector.crt</certificate>
</ssl>
For VCSA:
Add new line "options=NO_SSLv3" in the /etc/syslog-ng/stunnel.conf configuration file.
Save the file.
Restart the vmsyslogcollector Service:
/etc/init.d/syslog-collector restart
VMware vSphere Web Client Service (vspherewebclientsvc) - Port 9443
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3e follow these steps:
Open the tomcat-server.xml file:
Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml
Create a backup copy of the file.
Edit the file to add SSLv3 to the sslEnabledProtocols list as shown here:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="800" acceptCount="300" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
Save the file.
Restart the vSphere Web Client service.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3e follow these steps:
Open the tomcat-server.xml file:
Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml
Create a backup copy of the file.
Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="800" acceptCount="300" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Save the file.
Restart the vSphere Web Client service.
VMware Virtual Center Server (vpxd) - Port 443
Enabling SSLv3 Protocol
To enable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3e follow these steps:
Open the vpxd.cfg file:
Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg
Create a backup copy of the file.
Edit the file to add <sslOptions>16924672</sslOptions> under <vmacore><ssl>, as shown here, to enable SSLv3:
<vmacore>
<cacheProperties>true</cacheProperties>
<ssl>
<useCompression>true</useCompression>
<sslOptions>16924672</sslOptions>
</ssl>
<threadPool>
<TaskMax>90</TaskMax>
<threadNamePrefix>vpxd</threadNamePrefix>
</threadPool>
</vmacore>
Save the file.
Restart the vpxd service.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3e follow these steps:
Open the vpxd.cfg file:
Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg
Create a backup copy of the file.
Edit the file to remove <sslOptions>16924672</sslOptions>, as shown here, to disable SSLv3:
<vmacore>
<cacheProperties>true</cacheProperties>
<ssl>
<useCompression>true</useCompression>
</ssl>
<threadPool>
<TaskMax>90</TaskMax>
<threadNamePrefix>vpxd</threadNamePrefix>
</threadPool>
</vmacore>
Save the file.
Restart the vpxd service.
Windows: Restart the VMware VirtualCenter Server service from services.msc.
vCenter Server Appliance: Run the following command from a shell:
/etc/init.d/vmware-vpxd restart
Service | Port
--- | ---
Hostd | 443
Authd | 902
SFCBD | 5989
vSAN VP | 8080
vSAN Observer | 8010
VMware Directory Service (vmdir) | 11712
Security Token Service (SSO) | 7444
Virtual Appliance Management Interface (VAMI) | 5480
Authentication proxy service (CAM) | 51915
Syslog Collector (vmsyslogcollector) | 1514
VMware vSphere Web Client Service (vspherewebclientsvc) | 9443
VirtualCenter Server service (vpxd) | 443
vCenter Inventory Service database (invsvc) | 10109
vCenter Inventory Service HTTPS | 10443
VMware VirtualCenter Management Webservices | 8443
PBM | 8191
SPS | 21100 (VCSA),
SMS | 22100 (VCSA), 32100 (Windows)
Auto Deploy service | 6501
Log Browser |
HTML console | 7343
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Hostd service for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Take a backup of the /etc/vmware/rhttpproxy/config.xml file before editing.
In the configuration file, add the <sslOptions>16924672</sslOptions> entry within the existing <vmacore> tag, as shown in the following example, to enable SSLv3:
<vmacore>
<ssl>
<sslOptions>16924672</sslOptions>
</ssl>
</vmacore>
Save the file.
Restart the rhttpproxy service by running the following command:
/etc/init.d/rhttpproxy restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Hostd service for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Take a backup of the /etc/vmware/rhttpproxy/config.xml file before editing.
Delete only the <sslOptions>16924672</sslOptions> entry from the configuration file /etc/vmware/rhttpproxy/config.xml; it sits under the <ssl> tag within <vmacore>.
Save the file.
Restart the rhttpproxy service by running the following command:
/etc/init.d/rhttpproxy restart
If unexpected behavior is observed, restore the backup of the rhttpproxy configuration file and restart the rhttpproxy service to revert the system to its earlier, clean state.
HostProfile
If you enabled SSLv3 along with the default protocols, the host profile does not capture these settings. As a result, stateless ESXi hosts lose the sslOptions setting made to the proxy service after every reboot.
Use the script in the attached KB2139396_sslprotomgmt.zip file to manage (enable/disable) the SSLv3 protocol for the proxy service. Refer to the note below and the script documentation enclosed in the zip file for details.
Note: Be careful when you run the script, because it is not completely tested. VMware recommends running the script in a non-production/test environment before running it in production.
The SSL/TLS setting for authd is stored in /etc/vmware/esx.conf, with an entry like:
/advUserOptions/options[0026]/name = "VMAuthdDisabledProtocols"
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Authd for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Run the following command to enable SSLv3:
# esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s ""
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Authd for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Run the following command to disable SSLv3:
# esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols -s "sslv3"
Run the following command to check configuration changes:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols
Path: /UserVars/VMAuthdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value: sslv3
Valid Characters: *
Description: VMAuthd disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
HostProfile
Configuration of Authd can also be captured through a host profile by following these steps:
Note: If you have not changed the authd configuration, it may not appear in the host profile UI. You can make it appear by changing it once with the ESXCLI command.
Log in to vCenter Server with the vSphere Web Client.
Right-click the target host and click Extract Host Profile to create a new host profile.
After the host profile is created, navigate to Home > Host Profiles > your_host_profile to edit it.
In the Edit Host Profiles tab, the authd entry is under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > userVars.VMAuthdDisabledProtocols.
Applying the authd setting from a host profile works like any other setting: if it is included in the profile, the difference between the profile and the target host is displayed and replaced when you apply the profile to that host.
Enabling SSLv3 Protocol
To enable SSLv3 protocol on SFCBD for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Open the configuration file with the following command and set the enableSSLv3 line as shown:
vi /etc/sfcb/sfcb.cfg
enableSSLv3: true
Save the file.
Restart the service for the change to take effect:
/etc/init.d/sfcbd-watchdog restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on SFCBD for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Open the configuration file with the following command and set the enableSSLv3 line as shown:
vi /etc/sfcb/sfcb.cfg
enableSSLv3: false
Save the file.
Restart the service for the change to take effect:
/etc/init.d/sfcbd-watchdog restart
HostProfile
Configuration for CIM can also be captured by a host profile:
Log in to vCenter Server with the vSphere Client (C#).
Right-click the target host and click Extract Host Profile to create a new host profile.
Choose Home > Host Profiles > your host profile to edit it.
On the Edit Host Profiles tab, find the enable SSLv3 entry under SFCB Configuration > Settings.
Apply the host profile to stateful or stateless systems.
Restart the service for the change to take effect:
/etc/init.d/sfcbd-watchdog restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on vSAN VP for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Run the following command to enable SSLv3:
# esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s ""
Run the following command to check the configuration changes:
esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols
Path: /UserVars/ESXiVPsDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value: sslv3
Valid Characters: *
Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Restart the vsanvp daemon for the change to take effect:
~# /etc/init.d/vsanvpd restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on vSAN VP for ESXi 5.5 Update 3b follow these steps:
Log in to ESXi using putty.exe.
Run the following command to disable SSLv3:
esxcli system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3"
Run the following command to check the configuration changes:
esxcli system settings advanced list -o /UserVars/ESXiVPsDisabledProtocols
Path: /UserVars/ESXiVPsDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value: sslv3
Valid Characters: *
Description: ESXi VPs disabled protocols. Choices are sslv3, tlsv1, tlsv1.1, tlsv1.2. By default sslv3 is disabled. If no protocol is specified, all protocols are enabled.
Restart the vsanvp daemon for the change to take effect:
~# /etc/init.d/vsanvpd restart
The enabled and disabled SSL/TLS protocols can be verified with sslscan or TestSSLServer against port 8080 of the ESXi host.
Note: Configurations can also be captured by Host Profile.
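The sslscan/TestSSLServer check above (and the same check in the Update 3e section earlier) can be reproduced for a single protocol without a third-party tool. The following Python probe is an added example, not VMware's code: it sends a bare SSLv3 ClientHello to a listener such as the vSAN VP port 8080 and reports whether the server answers with an SSLv3 ServerHello (SSLv3 still enabled) or with an alert or closed connection (SSLv3 refused). The host and port are whatever you pass in, and the cipher-suite list is my choice rather than a VMware value.

```python
"""SSLv3 reachability check for the ports this KB covers (added example,
not VMware's code). It does what the recommended sslscan/TestSSLServer run
does for one protocol: send a bare SSLv3 ClientHello and see whether the
listener answers with an SSLv3 ServerHello (SSLv3 still enabled) or with
an alert / closed connection (SSLv3 refused). Host and port are yours to
supply; the cipher-suite list is my choice, not a VMware value."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Suites OpenSSL accepts under SSLv3 (AES128-SHA, AES256-SHA, DES-CBC3-SHA,
# RC4-SHA, RC4-MD5); a permissive listener will pick one of these.
CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(random32=None):
    """One record carrying an SSLv3 ClientHello. SSLv3 has no extensions,
    so the body ends after the compression method list."""
    rnd = os.urandom(32) if random32 is None else random32
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version 3.0
        + rnd                                   # 32 bytes client random
        + b"\x00"                               # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a listener returned for the SSLv3 hello."""
    if len(data) < 5:
        return "refused"                # closed or empty: SSLv3 not taken up
    if data[0] == 0x15:
        return "refused"                # alert, e.g. handshake_failure
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: record header (5) + handshake header (4), then version
        return "sslv3-accepted" if data[9:11] == SSLV3 else "other-version"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Connect, send the hello, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    # e.g. python sslv3_probe.py <esxi-host> 8080   (vSAN VP listener)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

After the vSAN VP change has taken effect, probe(host, 8080) returns "refused"; "sslv3-accepted" means the listener still negotiates SSLv3.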
Enabling SSLv3 Protocol
To enable SSLv3 protocol on vSAN Observer for ESXi 5.5 Update 3b follow these steps:
Deploy vSAN cluster.
Log in to vCenter Server as root and log in to RVC with rvc localhost. On a Windows vCenter Server, log in to RVC with rvc.bat localhost.
Command usage: vsan.observer protocols
-s, --ssl-protocols=<s>
Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on vSAN Observer for ESXi 5.5 Update 3b follow these steps:
Deploy vSAN cluster.
Log in to vCenter Server as root and log in to RVC with rvc localhost. On a Windows vCenter Server, log in to RVC with rvc.bat localhost.
Command usage: vsan.observer protocols
-s, --ssl-protocols=<s>
Allowed SSL protocols in comma separated list of sslv3, tlsv1, tlsv1_1, and tlsv1_2.
Run the following command in RVC, passing the protocols to allow in the -s list (the example lists sslv3,tlsv1_2):
vsan.observer -r -o -s sslv3,tlsv1_2 computers/VSAN-Cluster/
VMware Directory Service (vmdir) - Port 11712
Supports only TLSv1.0.
Security Token Service (sts) - Port 7444
Default Support:
Install: TLS protocols are enabled and SSLv3 disabled.
Upgrade: All protocols are enabled including SSLv3.
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the server.xml file for vCenter Single Sign-On.
Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml
Create a backup copy of the file.
Search for this line:
<Connector SSLEnabled="true"
Append the following to that line:
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Save the file.
Restart the VMware Security Token Service.
To enable SSLv3 along with TLSv1, 1.1 and 1.2, find the following line in the server.xml file:
<Connector SSLEnabled="true"
Edit the line to add SSLv3 to the sslEnabledProtocols list as shown here:
sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
Restart the VMware Security Token Service by running these commands:
service vmware-stsd restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Security Token Service Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the server.xml file for the vCenter Single Sign-On.
Windows default location: C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\
vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml
Create a backup copy of the file.
Search for the following line:
<Connector SSLEnabled="true"
Edit the line to remove SSLv3 from the sslEnabledProtocols list. Before the change it reads:
sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"
After the change: <Connector SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Restart the VMware Security Token Service by running these commands:
service vmware-stsd restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on VAMI Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open /opt/vmware/etc/lighttpd/lighttpd.conf.
Create a backup copy of the file.
Search for this line:
ssl.use-sslv3="disable"
Modify the line to:
ssl.use-sslv3="enable"
Save the file.
Restart the VAMI Service with the following command:
service vami-lighttp restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on VAMI for vCenter Server 5.5 Update 3b follow these steps:
Open /opt/vmware/etc/lighttpd/lighttpd.conf.
Create a backup copy of the file.
Search for this line:
ssl.use-sslv3="enable"
Modify the line to:
ssl.use-sslv3="disable"
Save the file.
Restart the VAMI Service with the following command:
service vami-lighttp restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Authentication proxy service Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.
Navigate to this location in the Registry Editor window:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
In the navigation tree, right-click Protocols and select New > Key.
Enter SSL3.0 as the key name.
Repeat the previous step under the SSL3.0 key to create two subkeys, named Server and Client.
Right-click on the Client key, and select New>DWORD (32-bit) Value.
Enter DisabledByDefault as the value name.
Double-click DisabledByDefault, and enter 0 as the data value.
Click OK.
Right-click on the Server key, and select New > DWORD (32-bit) Value.
Enter Enabled as the value name.
Double-click Enabled, and enter 1 as the data value.
Click OK.
Restart the server.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Authentication proxy service for vCenter Server 5.5 Update 3b follow these steps:
Open the Registry Editor as an administrator on the server where VMware Authentication Proxy is installed.
Navigate to this location in the Registry Editor window:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
In the navigation tree, right-click Protocols and select New > Key.
Enter SSL3.0 as the key name.
Repeat the previous step under the SSL3.0 key to create two subkeys, named Server and Client.
Right-click on the Client key, and select New > DWORD (32-bit) Value.
Enter DisabledByDefault as the value name.
Double-click DisabledByDefault, and enter 0 as the data value.
Click OK.
Right-click on the Server key, and select New > DWORD (32-bit) Value.
Enter Enabled as the value name.
Double-click Enabled, and enter 1 as the data value.
Click OK.
Restart the server.
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3b follow these steps:
Access the configuration file from the following locations:
Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf
Create a backup copy of the file.
For Windows, edit the file to add <enableSSLv3></enableSSLv3> node as shown here:
<ssl>
<defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
<privateKey>vmsyslogcollector.key</privateKey>
<certificate>vmsyslogcollector.crt</certificate>
<enableSSLv3></enableSSLv3>
</ssl>
For VCSA, remove options=NO_SSLv3 from the configuration file.
Save the file.
Restart the vmsyslogcollector service:
service syslog-collector restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Syslog Collector Webservices for vCenter Server 5.5 Update 3b follow these steps:
Access the configuration file from the following locations:
Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf
Create a backup copy of the file.
For Windows, edit the file to remove the <enableSSLv3></enableSSLv3> node as shown here:
<ssl>
<defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
<privateKey>vmsyslogcollector.key</privateKey>
<certificate>vmsyslogcollector.crt</certificate>
</ssl>
For VCSA:
Add new line "options=NO_SSLv3" in the /etc/syslog-ng/stunnel.conf configuration file.
Save the file.
Restart the vmsyslogcollector Service:
/etc/init.d/syslog-collector restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the tomcat-server.xml file:
Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml
Create a backup copy of the file.
Edit the file to add SSLv3 to sslEnabledProtocols list as shown here to enable SSLv3:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="800" acceptCount="300" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="SSLv3, TLSv1,TLSv1.1,TLSv1.2"
Save the file.
Restart the webclient Service.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Web Client Service Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the tomcat-server.xml file:
Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\configuration\tomcat-server.xml
vCenter Server Appliance default location: /usr/lib/vmware-vsphere-client/server/configuration/tomcat-server.xml
Create a backup copy of the file.
Edit the file to remove SSLv3 from the sslEnabledProtocols list as shown here to disable SSLv3:
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="800" acceptCount="300" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
Save the file.
Restart the webclient Service.
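The Security Token Service server.xml edit and the Web Client tomcat-server.xml edit above both come down to the same Tomcat Connector attribute. The following Python script is an added example, not VMware's code: it audits every SSL-enabled Connector in such a file for SSLv3 and rewrites the attribute the way the steps above describe, working on the raw text so comments and layout survive. The sample XML is constructed, and the regex approach assumes no attribute value contains a '>' character.

```python
"""Audit/harden sslEnabledProtocols on Tomcat <Connector> tags (server.xml, tomcat-server.xml)."""
import re
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>", re.DOTALL)  # a tag may span several lines
PROTOCOLS_RE = re.compile(r'sslEnabledProtocols\s*=\s*"([^"]*)"')
SSL_ENABLED_RE = re.compile(r'SSLEnabled\s*=\s*"true"', re.IGNORECASE)
TLS_ONLY = "TLSv1,TLSv1.1,TLSv1.2"  # the list the KB steps leave in place once SSLv3 is removed

def _protocols(tag):
    """sslEnabledProtocols entries of one Connector tag, or None when the attribute is absent."""
    m = PROTOCOLS_RE.search(tag)
    if m is None:
        return None
    return [p.strip() for p in m.group(1).split(",") if p.strip()]  # tolerates "SSLv3, TLSv1"

def audit(xml_text):
    """List (port, status) for each SSL-enabled Connector: ok, sslv3-enabled or unpinned."""
    findings = []
    for tag in (m.group(0) for m in CONNECTOR_RE.finditer(xml_text)):
        if not SSL_ENABLED_RE.search(tag):
            continue  # plain HTTP connector, nothing to check
        port = re.search(r'port\s*=\s*"(\d+)"', tag)
        protocols = _protocols(tag)
        status = "ok"
        if protocols is None:
            status = "unpinned"  # defaults apply; on an upgraded install that includes SSLv3
        elif any(p.lower() == "sslv3" for p in protocols):
            status = "sslv3-enabled"
        findings.append((int(port.group(1)) if port else None, status))
    return findings

def harden(xml_text):
    """Return xml_text with every SSL-enabled Connector pinned to TLS only; rest untouched."""
    def fix(m):
        tag = m.group(0)
        if not SSL_ENABLED_RE.search(tag):
            return tag
        protocols = _protocols(tag)
        if protocols is None:  # KB step: append the attribute after SSLEnabled="true"
            return SSL_ENABLED_RE.sub(r'\g<0> sslEnabledProtocols="%s"' % TLS_ONLY, tag, count=1)
        kept = [p for p in protocols if p.lower() != "sslv3"] or TLS_ONLY.split(",")
        return PROTOCOLS_RE.sub('sslEnabledProtocols="%s"' % ",".join(kept), tag, count=1)
    return CONNECTOR_RE.sub(fix, xml_text)

# Constructed sample modelled on the KB's STS (7444) and Web Client (9443) connectors.
SAMPLE = """<Service>
  <Connector port="7444" protocol="HTTP/1.1" SSLEnabled="true"
             sslEnabledProtocols="SSLv3, TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" />
  <Connector port="7080" protocol="HTTP/1.1" />
</Service>"""
```

Running audit(SAMPLE) reports 7444 as sslv3-enabled and 9443 as unpinned; after harden(SAMPLE) both report ok and the non-SSL 7080 connector is left alone.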
Enabling SSLv3 Protocol
To enable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the vpxd.cfg file:
Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg
Create a backup copy of the file.
Edit the file to add <sslOptions>16924672</sslOptions> as shown here to enable SSLv3:
<vmacore>
<cacheProperties>true</cacheProperties>
<ssl>
<useCompression>true</useCompression>
<sslOptions>16924672</sslOptions>
</ssl>
<threadPool>
<TaskMax>90</TaskMax>
<threadNamePrefix>vpxd</threadNamePrefix>
</threadPool>
</vmacore>
Save the file.
Restart the vpxd service.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on vpxd Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the vpxd.cfg file:
Windows default location: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg
Create a backup copy of the file.
Edit the file to remove <sslOptions>16924672</sslOptions> as shown here to disable SSLv3:
<vmacore>
<cacheProperties>true</cacheProperties>
<ssl>
<useCompression>true</useCompression>
</ssl>
<threadPool>
<TaskMax>90</TaskMax>
<threadNamePrefix>vpxd</threadNamePrefix>
</threadPool>
</vmacore>
Save the file.
Restart the vpxd service.
Windows: Restart the VMware VirtualCenter Server service from services.msc.
vCenter Server Appliance: Run the following command from the command prompt:
/etc/init.d/vmware-vpxd restart
Enabling SSLv3 Protocol
To enable SSLv3 protocol on Inventory Service database (invsvc) Webservices for vCenter Server 5.5 Update 3b follow these steps:
Open the query-server-config.xml file:
Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml
Create a backup copy of the file.
Edit the file to add SSLv3 to the value attribute as shown here to enable SSLv3:
<property name="protocols" value="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />
Save the file.
Restart the Inventory Service.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on Inventory Service database (invsvc) for vCenter Server 5.5 Update 3b follow these steps:
Open the query-server-config.xml file:
Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\query-service-config.xml
vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/query-server-config.xml
Create