vCenter Server / ESXi/ Update Manager - SSL Security Protocol Configuration – Command line utility for 55x

Article ID: 334662


Products

VMware vSphere ESXi

Issue/Introduction

This KB provides a script utility package that automates enabling or disabling the SSLv3 protocol for vCenter Server (VC) 5.5, vCenter Server Appliance (55U3e onwards), Update Manager, and ESXi (ESXi550-201608001 release).

The script automates the steps described in KB 2139396.



Environment

VMware vSphere ESXi 5.5

Resolution

Windows vCenter Server:

  1. Copy or download SecurityProtoMgmt55.zip to the vCenter Server.
  2. Unzip the package onto a local drive, for example the C:\ drive.
  3. Run the following command in a command prompt opened as administrator:
    cd C:\SecurityProtoMgmt55
  4. Run the following script:
    C:\SecurityProtoMgmt55>python ssl.py

vCenter Server Appliance:

  1. Copy or download SecurityProtoMgmt55.zip to the vCenter Server Appliance host.
  2. Unzip the package into a local directory, for example /root/.
  3. SSH to the host and cd to the unzipped folder:
    cd /root/SecurityProtoMgmt55
  4. Run the following script:
    # python ssl.py

Windows vSphere Update Manager:

Install 64-bit Python version 2.7.8 (download from https://www.python.org/downloads/release/python-278/).

  1. Copy or download the SecurityProtoMgmt55.zip file to the VUM server.
  2. Unzip it onto a local drive, for example the C:\ drive.
  3. Open a command prompt as an administrator and cd to the unzipped folder, that is, cd C:\SecurityProtoMgmt55.
  4. Run the following utility:
    C:\SecurityProtoMgmt55>python ssl.py

ESXi:

  1. Download SecurityProtoMgmt55.zip and unzip it onto a local drive, for example the c:\ drive.
  2. Run the following command to change the directory to the unzipped folder, for example:
    cd c:\SecurityProtoMgmt55
  3. Run the following command to see usage for the available commands:
    C:\SecurityProtoMgmt55>java -jar secprotomgmt.jar --help

vSphere High Availability/FDM:

  1. Download SecurityProtoMgmt55.zip and unzip it onto a local drive, for example the c:\ drive.
  2. Run the following command to change the directory to the unzipped folder, for example:
    cd c:\SecurityProtoMgmt55
  3. Run the following command to see usage for the available commands:
    C:\SecurityProtoMgmt55>java -jar fdmsecprotomgmt.jar --help

Note:

  • Disabling the SSLv3 protocol might break vCenter Server (VC) interoperability with other solutions. Refer to the compatibility matrix before proceeding.
  • First configure the SSLv3 protocol on vCenter Server, and then proceed with the ESXi hosts.
  • In distributed environments (for example, SSO and VC on different nodes), configure the SSLv3 protocol in this order: SSO, Inventory Service (IS), vCenter Server, NGC, syslog, vSphere Update Manager (VUM), Autodeploy, and other components.
  • The authentication proxy service (CAM), Autodeploy, and vSAN Observer services are out of scope for this tool.
  • Enabling SSLv3 is not supported on the VMDIR port 11712.
  • Before configuring SSLv3 protocols, take a snapshot as a backup.
  • After SSLv3 configuration on VCVA, the autodeploy service might be shown as stopped. Restart the service and configure SSL for the autodeploy service manually by following the steps in KB 2146255.
  • All vCenter / ESXi services are restarted automatically, as needed, after the protocol configuration is done on all services.
  • For SSLv3 configuration on ESXi services, the utility enables SSH on the ESXi host so that it can log in over SSH and make the configuration changes that enable or disable the SSLv3 protocol. Once the operation is complete, the SSH service is reverted to its original state.
  • Before configuring the SSLv3 protocol on the vSphere HA service (FDM port 8182), ensure that all other vCenter Server and ESXi services/ports are running with the same protocol versions.
  • Before configuring the SSLv3 protocol on the vSphere HA service (FDM port 8182), take a backup of the configuration settings of all vSphere HA enabled clusters.
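
To confirm the protocol state of a service port after the utility has run, the following added example (not part of this KB or of SecurityProtoMgmt55.zip) sends an SSLv3-only ClientHello and reports whether the server accepts it. The function names, the cipher list and the script name check_sslv3.py are assumptions of this example; it uses only socket and struct, so it does not depend on the standard ssl module, which a file named ssl.py in the same folder would shadow.

```python
import os
import socket
import struct

# Cipher suites offered (all defined for SSLv3): AES128-SHA, AES256-SHA,
# 3DES-EDE-CBC-SHA, RC4-SHA, RC4-MD5. A server with none of these enabled
# refuses the handshake even if SSLv3 itself is on (assumed list, adjust as needed).
SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

def build_sslv3_client_hello(random_bytes=None):
    """Return one SSLv3 (version 3.0) record carrying a ClientHello."""
    random_bytes = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (b"\x03\x00" + random_bytes + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                         # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Map the first bytes of the server's reply to a verdict string."""
    if len(data) < 5:
        return "refused (connection closed)"
    rec_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if rec_type == 0x15 and len(payload) >= 2:     # alert record: level, description
        return "refused (alert %d)" % payload[1]
    if rec_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        if payload[4:6] == b"\x03\x00":            # ServerHello.server_version
            return "SSLv3 accepted"
        return "answered with version %d.%d" % (payload[4], payload[5])
    return "unrecognised reply"

def probe(host, port, timeout=5.0):
    """Send the ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    import sys
    # Usage: python3 check_sslv3.py <host> <port> [<port> ...]
    for port in sys.argv[2:]:
        print(port, probe(sys.argv[1], int(port)))
```

Run it from an administration host against each port that was reconfigured, once before and once after the change, and compare the verdicts.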

Attachments

SecurityProtoMgmt55.zip