In vCenter 5.5, NSX Host Preparation or Service Deployment Fails, Citing Inaccessible OVF/VIBs


Article ID: 325731


Products

VMware NSX
VMware vCenter Server

Issue/Introduction

Symptoms:
- When using vCenter 5.5 in conjunction with NSX 6.3.x or 6.4.x, NSX host preparation fails with an error message stating "Installation of deployment unit failed, please check if ovf/vib urls are accessible, in correct format and all the properties in ovf environment have been configured in service attributes. Please check logs for details." Guest Introspection service deployments also fail.

- Entries similar to the following are logged in the vsm.log of the NSX Manager:

2018-07-24 22:41:27.346 UTC ERROR taskScheduler-29 EamServiceImpl:467 -
com.vmware.vim.binding.eam.fault.InvalidUrl:
url = https://IP_Address_Of_VIB_Depot/bin/vdn/vibs-6.3.6/6.0-8047312/vxlan.zip,
malformedUrl = false,
unknownHost = false,
connectionRefused = true,
responseCode = null
inherited from com.vmware.vim.binding.eam.fault.EamFault:

 

2018-07-24 22:41:27.355 UTC ERROR taskScheduler-29 InstallTask:192 - error while creating eam agency for deployment ServiceDeploymentConfig [eamAgencyConfig=EamAgencyConfig [agencyName=_{AGENT__NAME}_VMware Network Fabric, agentName=VMware Network Fabric, eamAgentConfigs=[EamAgentConfig [dvFilterEnabled=false, vibUrl=https://IP_Address_Of_VIB_Depot/bin/vdn/vibs-6.3.6/6.0-8047312/vxlan.zip, ovfUrl=null, ovfOptional=false, hostVersion=6.0.*, productLine=null, ovfEnvParams={agentName=agent-name-not-specified}, vmciService=[], vibMatchingRules={}], EamAgentConfig [dvFilterEnabled=false, vibUrl=https://IP_Address_Of_VIB_Depot/bin/vdn/vibs-6.3.6/6.5-8047312/vxlan.zip, ovfUrl=null, ovfOptional=false, hostVersion=6.5.*, productLine=null, ovfEnvParams={agentName=agent-name-not-specified}, vmciService=[], vibMatchingRules={}], EamAgentConfig [dvFilterEnabled=false, vibUrl=https://IP_Address_Of_VIB_Depot/bin/vdn/vibs-6.3.6/6.6-8047312/vxlan.zip, ovfUrl=null, ovfOptional=false, hostVersion=6.6.*, productLine=null, ovfEnvParams={agentName=agent-name-not-specified}, vmciService=[], vibMatchingRules={}], EamAgentConfig [dvFilterEnabled=false, vibUrl=https://IP_Address_Of_VIB_Depot/bin/vdn/vibs-6.3.6/5.5-8072477/vxlan.zip, ovfUrl=null, ovfOptional=false, hostVersion=5.5.*, productLine=null, ovfEnvParams={agentName=agent-name-not-specified}, vmciService=[], vibMatchingRules={}]], clusterIds=[domain-c697229], networkIds=null, datastoreIds=null], ipPoolId=null, deploymentPlugin=null, deploymentUnitId=deploymentunit-4]
com.vmware.vshield.vsm.eam.service.impl.EamException: core-services:857:Invalid URL specified : https://IP_Address_Of_VIB_Depot/bin/vdn/vibs-6.3.6/6.0-8047312/vxlan.zip.


- On the associated Windows vCenter Server, browsing to the URL included in the log message successfully starts, or prompts for, the download of the file specified in the URL.

 


Environment

VMware vCenter Server 5.5.x
VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

Cause

- The issue is caused by TLS version differences between vCenter 5.5 and NSX 6.3.x and later.

- In vCenter 5.5, ESX Agent Manager (EAM) can only use TLS 1.0. For details, see:
- Supported TLS protocols for vSphere 5.5 Update 3e (2145818)
https://kb.vmware.com/s/article/2145818


- NSX 6.3.x and later versions have TLS 1.0 disabled by default. As a result, EAM cannot establish a connection with the NSX Manager to pull the VIBs and/or OVFs needed for host preparation or service deployment.


- As one of the first steps of host preparation or service deployment, EAM attempts to connect to the provided VIB/OVF URL as a verification step. If it cannot access the URL, creation of the agency fails and, in turn, the host preparation or service deployment fails.
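
Added example (not VMware code and not part of the original article): a small Python parser that pulls InvalidUrl faults out of vsm.log text and maps their boolean fields to the first thing to check. The sample log text is constructed from the excerpt above; the function names and triage labels are assumptions made for this illustration.

```python
import re

# Constructed sample modelled on the vsm.log excerpt above (placeholder host kept as-is).
SAMPLE_VSM_LOG = """\
2018-07-24 22:41:27.346 UTC ERROR taskScheduler-29 EamServiceImpl:467 -
com.vmware.vim.binding.eam.fault.InvalidUrl:
url = https://IP_Address_Of_VIB_Depot/bin/vdn/vibs-6.3.6/6.0-8047312/vxlan.zip,
malformedUrl = false,
unknownHost = false,
connectionRefused = true,
responseCode = null
inherited from com.vmware.vim.binding.eam.fault.EamFault:
"""

ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) UTC (\w+) ")
FIELD = re.compile(r"^\s*(url|malformedUrl|unknownHost|connectionRefused|responseCode) = (.*?),?\s*$")

def parse_invalid_url_faults(text):
    """Return one dict per InvalidUrl fault: entry timestamp plus the fault's fields."""
    faults, timestamp, current = [], None, None
    for line in text.splitlines():
        start = ENTRY_START.match(line)
        if start:  # a new timestamped entry closes any fault being collected
            timestamp, current = start.group(1), None
        elif line.strip().startswith("com.vmware.vim.binding.eam.fault.InvalidUrl"):
            current = {"timestamp": timestamp}
            faults.append(current)
        elif current is not None:
            field = FIELD.match(line)
            if field:
                key, value = field.groups()
                # Convert the log's literals; anything else (the URL) stays a string.
                current[key] = {"true": True, "false": False, "null": None}.get(value, value)
    return faults

def triage(fault):
    """Map the fault's fields to the first thing to check (labels are hypothetical)."""
    if fault.get("malformedUrl"):
        return "malformed-url"
    if fault.get("unknownHost"):
        return "dns"
    if fault.get("connectionRefused") and fault.get("responseCode") is None:
        # URL is well-formed and resolves, yet no HTTP response came back:
        # the pattern this article attributes to the TLS version mismatch.
        return "check-tls-versions"
    return "other"
```
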

Resolution

- Upgrade vCenter Server to 6.0 or later to utilize TLS 1.1 or 1.2

Workaround:

- Specifically enable TLS 1.0 on NSX Manager

- In NSX 6.3.x and later, TLS versions in use can be viewed / specified under:
Manage Appliance Settings >>> FIPS Mode and TLS Settings

- Alternatively, in NSX 6.2.3 and later, the following API calls can be used to retrieve and change the TLS settings of the NSX Manager:

To Retrieve Currently Enabled TLS Versions:

-- Body = application/xml --

GET /api/1.0/appliance-management/system/tlssettings

-- Will display as the following --

<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>


To Change Currently Enabled TLS Versions:

-- Include a comma separated list of the TLS versions you want to enable, for both server and client --

-- Body = application/xml --

POST /api/1.0/appliance-management/system/tlssettings

<tlsSettings>
<serverEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>
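
Added example (not VMware code and not part of the original article): Python helpers that take the XML returned by the GET call above, add or remove TLS 1.0 on both the server and client lists without touching the other protocols, and render the body for the POST call. The sample response is constructed to represent an NSX Manager with TLS 1.0 disabled; the function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a tlssettings response with TLS 1.0 disabled.
SAMPLE_CURRENT = """<tlsSettings>
<serverEnabledProtocols>TLSv1.1,TLSv1.2</serverEnabledProtocols>
<clientEnabledProtocols>TLSv1.1,TLSv1.2</clientEnabledProtocols>
</tlsSettings>"""

FIELDS = ("serverEnabledProtocols", "clientEnabledProtocols")
TLS10 = "TLSv1"  # spelled as in the GET response shown on this page

def parse_tls_settings(xml_text):
    """Parse a tlsSettings document into {field: [protocol, ...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "tlsSettings":
        raise ValueError("unexpected root element: " + root.tag)
    settings = {}
    for name in FIELDS:
        raw = root.findtext(name, default="")
        settings[name] = [p.strip() for p in raw.split(",") if p.strip()]
    return settings

def set_tls10(settings, enabled):
    """Return a copy with TLS 1.0 added or removed; other protocols are kept."""
    updated = {}
    for name in FIELDS:
        others = [p for p in settings[name] if p != TLS10]
        if not enabled and not others:
            raise ValueError(name + " would have no protocol left")
        updated[name] = ([TLS10] if enabled else []) + others
    return updated

def render_tls_settings(settings):
    """Serialize the settings as the XML body for the POST call."""
    root = ET.Element("tlsSettings")
    for name in FIELDS:
        ET.SubElement(root, name).text = ",".join(settings[name])
    return ET.tostring(root, encoding="unicode")

def tls10_exposure(settings):
    """List the fields (server/client) on which TLS 1.0 is still enabled."""
    return [name for name in FIELDS if TLS10 in settings[name]]
```

Once vCenter Server has been upgraded as described under Resolution, `set_tls10(settings, False)` produces the body that turns TLS 1.0 back off, and `tls10_exposure` shows whether it is still enabled on either side.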


Additional Information

Impact/Risks:
TLS 1.0 has been deprecated as an insecure protocol. Leaving the protocol open in the environment is a potential security vulnerability.