Unable to apply storage policies to virtual machines residing on a VMware vSAN cluster with SSLv3 disabled

Article ID: 336311

Updated On:

Products

VMware vCenter Server VMware vSAN

Issue/Introduction

Symptoms:
  • Disabling SSLv3 in vpxd.cfg causes the application of vSAN storage policies to fail.
  • Cannot apply a storage profile to a vSAN object.
  • In the %ALLUSERSPROFILE%\Application Data\VMware\Infrastructure\Profile-Driven Storage\Logs\sps.log file, you see entries similar to:

    2015-04-29T06:13:12.152-06:00 [05584 info 'commonvpxLro' opID=########-######20-6f-5a-18] [VpxLRO] -- BEGIN task-internal-1965 -- -- VsanUpdateVasaProviderLRO --
    2015-04-29T06:13:12.154-06:00 [05220 warning 'ProxySvc'] SSL Handshake failed for stream <io_obj p:0x000000000a8e78f8, h:3780, <TCP '[::1]:443'>, <TCP '[::1]:64651'>>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number)
    2015-04-29T06:13:12.154-06:00 [03112 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:000000000d81a210, TCP:localhost:443>; cnx: (null), error: class Vmacore::Ssl::SSLException(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)
    2015-04-29T06:13:12.154-06:00 [05584 error 'vpxdvpxdMoStoragePod' opID=########-######20-6f-5a-18] [StoragePodMo::GetStorageManager] Received exception from SMS: SSL Exception: error:140000DB:SSL routines:SSL routines:short read, unable to find StorageManager

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vSAN 6.x

Cause

This issue occurs when SSLv3 settings are disabled in the vpxd.cfg file.
 
Currently, using TLS with storage profiles is not supported. To be able to apply storage profiles, use SSLv3.

Resolution

This is expected behavior. SSLv3 must be enabled for VMware vSAN to function correctly.
 
To see if SSLv3 is enabled on vCenter Server or vCenter Server Appliance:
  • On a vCenter Virtual Appliance (VCVA), run this command:

    openssl s_client -connect [HOST]:443 -ssl3
  • On a Windows vCenter Server, run this command:

    openssl.exe s_client -connect [HOST]:443 -ssl3
If SSLv3 is enabled, you see the certificate information.
 
Note: This setting is enabled by default.
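
To confirm that a failure matches this article, the following added example (not VMware code) checks a vpxd.cfg for the <sslVersion>tlsv1</sslVersion> override under <vpxd> and counts the two SSL failure signatures from the sps.log excerpt above. The function names, the <config> root element in the sample, and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a vpxd.cfg fragment (not taken from a real system).
SAMPLE_CFG = """<config>
  <vpxd>
    <sslVersion>tlsv1</sslVersion>
  </vpxd>
</config>"""

# Constructed sample log lines, shaped like the sps.log excerpt in this article.
SAMPLE_LOG = """\
2015-04-29T06:13:12.152-06:00 [05584 info 'commonvpxLro'] [VpxLRO] -- BEGIN task-internal-1965 -- -- VsanUpdateVasaProviderLRO --
2015-04-29T06:13:12.154-06:00 [05220 warning 'ProxySvc'] SSL Handshake failed for stream <TCP '[::1]:443'>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number)
2015-04-29T06:13:12.154-06:00 [05584 error 'vpxdvpxdMoStoragePod'] [StoragePodMo::GetStorageManager] Received exception from SMS: SSL Exception: error:140000DB:SSL routines:SSL routines:short read, unable to find StorageManager
"""

HANDSHAKE = re.compile(r"SSL Handshake failed .*wrong version number")
SMS_FAIL = re.compile(r"Received exception from SMS: SSL Exception")

def ssl_version_overrides(cfg_text):
    """Return every <sslVersion> value found directly under a <vpxd> element."""
    root = ET.fromstring(cfg_text)
    return [(el.text or "").strip()
            for vpxd in root.iter("vpxd")
            for el in vpxd.findall("sslVersion")]

def scan_log(log_text):
    """Count the two failure signatures from the article's log excerpt."""
    lines = log_text.splitlines()
    return {
        "handshake_failures": sum(1 for l in lines if HANDSHAKE.search(l)),
        "sms_failures": sum(1 for l in lines if SMS_FAIL.search(l)),
    }

def matches_article(cfg_text, log_text):
    """True when the tlsv1 override and both log signatures are present."""
    hits = scan_log(log_text)
    return ("tlsv1" in [v.lower() for v in ssl_version_overrides(cfg_text)]
            and hits["handshake_failures"] > 0 and hits["sms_failures"] > 0)

if __name__ == "__main__":
    print(ssl_version_overrides(SAMPLE_CFG), scan_log(SAMPLE_LOG))
    print("matches article:", matches_article(SAMPLE_CFG, SAMPLE_LOG))
```

Pass the functions the contents of vpxd.cfg and sps.log read from the paths given in this article.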
 
To enable SSLv3 for the vCenter Server or vCenter Server Appliance:
  1. Take a backup of the vpxd.cfg file. By default, this file is located at:
     
    • vCenter Server Appliance: /etc/vmware-vpx/vpxd.cfg
    • Windows vCenter Server: C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
       
  2. Open the vpxd.cfg file using a text editor.
  3. Remove <sslVersion>tlsv1</sslVersion> under the <vpxd> tag.
  4. Restart the vCenter Server service.

    If you are using vCenter Server Appliance, restart the server in the VCVA by running this command:

    service vmware-vpxd restart && service vmware-vpxd tomcat-start && service vmware-sps start
     
  5. Restart the host in Windows: