Disabling weak ciphers in vCenter Update Manager

Article ID: 331437


Products

VMware vCenter Server

Issue/Introduction

This article describes the steps to disable any weak ciphers in Update Manager.


Resolution

  1. Navigate to the installation directory of the Update Manager server. The default location is:
    C:\Program Files (x86)\VMware\Infrastructure\Update Manager

  2. Take a backup of the jetty-vum-ssl.xml file before you edit it.

  3. Open the jetty-vum-ssl.xml file in a text editor.

  4. Find the list of cipher suites in the <Array type="java.lang.String"> tag inside <Set name="excludeCipherSuites">.

  5. Add each weak cipher suite that you intend to disable in its own <Item> tag.
    For example, to disable TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 and TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, add:
    <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
    <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</Item>

  6. Restart the Update Manager service. See KB1039328 for more information on how to restart Update Manager.
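
The backup and edit steps above, scripted in PowerShell as an added example (not VMware's code). The function name Add-ExcludedCipherSuite and the sample file name are assumptions, the sample XML is constructed rather than copied from a real jetty-vum-ssl.xml, and the script assumes the Set/Array/Item layout described in the steps.

```powershell
# Added example, not VMware code. Adds cipher suites to every excludeCipherSuites
# array in a Jetty XML file, skips names already listed, and backs the file up first.
function Add-ExcludedCipherSuite {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $CipherSuite
    )
    # .NET resolves relative paths against the process directory, so use the full path.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc  = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null      # never fetch a DTD named in a DOCTYPE
    $doc.Load($full)
    $arrays = $doc.SelectNodes("//Set[@name='excludeCipherSuites']/Array[@type='java.lang.String']")
    if ($arrays.Count -eq 0) { throw "No excludeCipherSuites array found in $full" }
    $added = @()
    foreach ($array in $arrays) {
        $present = @($array.SelectNodes('Item') | ForEach-Object { $_.InnerText.Trim() })
        foreach ($name in $CipherSuite) {
            if ($present -cnotcontains $name) {      # suite names are case-sensitive
                $item = $doc.CreateElement('Item')
                $item.InnerText = $name
                [void]$array.AppendChild($item)
                $present += $name
                $added   += $name
            }
        }
    }
    if ($added.Count -gt 0) {
        # Timestamped copy of the untouched file, then write the change.
        Copy-Item -LiteralPath $full -Destination ("{0}.{1:yyyyMMddHHmmss}.bak" -f $full, (Get-Date))
        $doc.Save($full)
    }
    $added    # names that were added in this run
}

# Constructed sample file so the function can be tried away from the server.
$sample = Join-Path $env:TEMP 'jetty-vum-ssl.sample.xml'
@'
<Configure>
  <Set name="excludeCipherSuites">
    <Array type="java.lang.String">
      <Item>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</Item>
    </Array>
  </Set>
</Configure>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8
$suites = 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256'
# The sample already lists the 256-bit suite, so two runs exercise both the add and the skip path.
Add-ExcludedCipherSuite -Path $sample -CipherSuite $suites
Add-ExcludedCipherSuite -Path $sample -CipherSuite $suites
```

To use it on a server, point -Path at jetty-vum-ssl.xml in the Update Manager installation directory, then restart the Update Manager service as described in the last step.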

Disabling the Diffie-Hellman ciphers

To disable Diffie-Hellman ciphers, disable the following ciphers:

  1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256