The following changes must be made at both the source and the target site, on every appliance deployed for each Service Mesh. Make sure no migration or configuration workflows are active while the changes are made. Network Extension services are not affected by these changes.
This section modifies the HTTP server (Apache httpd) configuration of the HCX Connector or Cloud Manager.
[admin@hcx-connector /opt/vmware/config/apache-httpd]$ vim hcx-ssl.conf
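# CipherSuite spec taken from https://wiki.mozilla.org/Security/Server_Side_TLS for modern compatibility
#
# Only TLS 1.2 is offered: SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are removed
# explicitly. TLS 1.3 is not listed either, so if the bundled httpd/OpenSSL
# supports it, it stays disabled until "+TLSv1.3" is added to this line.
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
# The cipher list MUST stay on one logical line. A hard line break inside a
# suite name (e.g. "DHE-DSS-AES128-GCM-" / "SHA256") leaves the remainder as
# an unknown directive and httpd rejects the configuration at startup.
# Ephemeral (ECDHE/DHE) AEAD suites are listed first so that, with
# SSLHonorCipherOrder on, they win whenever the client supports them. The
# static ECDH-* entries and the CBC suites (*-SHA, *-SHA256, *-SHA384) near
# the end are compatibility fallbacks: static ECDH offers no forward secrecy,
# so the list can be trimmed to the ECDHE/DHE GCM suites once every HCX peer
# and browser that connects is known to support them.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# The server's preference order above decides the suite, not the client's.
SSLHonorCipherOrder on
# Reject the HTTP TRACE method.
TraceEnable off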
# Restart the web front end so the hcx-ssl.conf changes above take effect.
systemctl restart web-engine
[admin@hcx-connector]$ ccli
Welcome to HCX Central CLI
[admin@hcx-connector] list
|------------------------------------------------------------------------|
| Id | Node | Address | State | Selected |
|------------------------------------------------------------------------|
| 0 | NODE1 | 10.145.208.72:9443 | Connected | |
|------------------------------------------------------------------------|
[admin@hcx-connector] go 0
Switched to node 0.
[admin@hcx-connector:NODE1]
[admin@hcx-connector:NODE1] ssh
Welcome to HCX Central CLI
Last login: Fri Jan 8 21:25:17 2021 from 127.0.0.1
[root@OnPrem-to-Site1-IX-I1 ~]#
[root@NODE1 /etc/vmware]# vim hbrsrv.xml
<config>
....
<vmacore>
....
<ssl>
<!--
The value 385875968 (i.e. 0x17000000) translates to
"SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1"
when invoking SSL_CTX_set_options().

Per-flag breakdown (OpenSSL 1.0.x bit layout), useful for checking the
number before saving the file:
  0x01000000 SSL_OP_NO_SSLv2
  0x02000000 SSL_OP_NO_SSLv3
  0x04000000 SSL_OP_NO_TLSv1
  0x10000000 SSL_OP_NO_TLSv1_1
  sum        0x17000000 = 385875968
The TLS 1.2 bit (0x08000000, SSL_OP_NO_TLSv1_2) is deliberately left clear
so TLS 1.2 remains available; a typo that sets it would also disable TLS 1.2
and break the service, so re-check the decimal value after editing.
-->
<sslOptions>385875968</sslOptions>
</ssl>
</vmacore>
....
</config>
# Restart hbrsrv so the sslOptions change in hbrsrv.xml takes effect.
systemctl restart hbrsrv
[root@NODE1 /etc/vmware]# vim config
vix.libdir = "/usr/lib/vmware-vix/lib"
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/usr/lib/vmware/bin/vmware-authd"
tls.protocols = "tls1.2"
# Restart the mobility agent so the tls.protocols setting in /etc/vmware/config is read.
systemctl restart mobilityagent