Command line utility for SSLv3 security protocol configuration (Enable or Disable SSLv3)


Article ID: 338269

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

This article describes the utility script for automatically enabling and disabling SSLv3. With the command line utility, the SSLv3 protocol can be enabled or disabled across all vCenter Server and ESXi server services.


For more information on how to use the script on ESXi/VC 5.5, see KB 2146231.
For more information on how to use the script on ESXi/VC 5.1, see KB 2145712.
For more information on how to use the script on ESXi/VC 5.0, see KB 2145928.


Environment

VMware vCenter Server 5.0.x

Resolution

vCenter server – SSL Security Protocol Configuration Command Line Utility

Features

  • Automatically modifies the configuration files to disable or enable SSLv3 on all vCenter Server services except the Autodeploy, Authentication Proxy and vSAN Observer services.
  • The utility backs up every configuration file before modifying it. For example, vpxd.cfg is saved as vpxd-bak.cfg in the same directory.
  • If a configuration change or a service restart fails, the utility reverts the changes it made and restores the previous state.
  • The utility supports vCenter Servers configured with a custom port or custom path, and distributed environments.
  • The utility has a built-in scanner (TestSSLServer) that scans ports to determine which protocols are already enabled and whether the configuration was successful.

Pre-requisites for running Utility on Windows

Different options available with the script

  • Enable SSLv3 on all vCenter server Ports
  • Disable SSLv3 on all vCenter server Ports
  • Scan protocols enabled on all vCenter server Ports

ESXi server – SSL Security Protocol Configuration Command Line Utility

Features

  • Automatically modifies the configuration files and runs esxcli commands to disable or enable SSLv3 on all ESXi services (Authd, Hostd/Rhttpproxy, SFCBD, vSAN VP).
  • For the vSphere HA/FDM service, the utility automatically adds the advanced option das.config.vmacore.ssl.sslOptions (with the appropriate value) on every vSphere HA enabled cluster and reconfigures HA on all clustered ESXi hosts so that the change takes effect.

  • The utility backs up configuration files before modifying them. For example, /etc/sfcb/sfcb.cfg is saved as /etc/sfcb/sfcb.cfg.bkup in the same directory.
  • The utility has a built-in scanner (TestSSLServer) that scans ports to determine which protocols are already enabled and whether the configuration was successful.
  • If a configuration change fails for a particular port, the utility reverts the changes it made and restores the previous state.
  • The utility can apply the security protocol configuration in one run to multiple selected ESXi servers (run through vCenter Server) or to a single ESXi server (run directly against that ESXi server).
  • The utility generates a report (CSV file) with the configuration result for every ESXi server, such as which security protocols were enabled on each port before the change and which are enabled after it.
  • The utility provides a way to encrypt and record the ESXi server password(s) before they are supplied as input.
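The result the built-in scan reports can be checked independently after a disable run. The following is an added example, not part of the VMware utility or of TestSSLServer: it builds an SSLv3-only ClientHello as raw bytes and classifies the server's first reply. The function names, the cipher-suite list and the sample replies are assumptions of this example.

```python
import os
import socket
import struct

SSLV3 = 0x0300
# Raw bytes are used because current TLS libraries can no longer offer SSLv3.
# Legacy suites: RC4-MD5, RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA.
SUITES = (0x0004, 0x0005, 0x000A, 0x002F, 0x0035)
# Constructed sample replies (not captured from a real host).
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a020000260300") + bytes(36)
SAMPLE_ALERT = bytes.fromhex("15030000020228")  # fatal handshake_failure


def build_client_hello(version=SSLV3):
    """Return one record holding a ClientHello that offers only `version`."""
    body = struct.pack("!H", version) + os.urandom(32)   # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(SUITES))
    body += b"".join(struct.pack("!H", s) for s in SUITES)
    body += b"\x01\x00"                                  # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake


def classify_reply(data, version=SSLV3):
    """Classify the first bytes the server sent back to the probe."""
    if not data:
        return "refused"      # peer closed the connection without answering
    if data[0] == 0x15:
        return "refused"      # alert record, e.g. handshake_failure
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        chosen = struct.unpack("!H", data[9:11])[0]      # ServerHello version
        return "enabled" if chosen == version else "unknown"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Send the probe to host:port; a closed port raises OSError to the caller."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_reply(sock.recv(1024))
        except ConnectionResetError:
            return "refused"


if __name__ == "__main__":
    print(classify_reply(SAMPLE_SERVER_HELLO))
    print(classify_reply(SAMPLE_ALERT))
```

A result of "enabled" on a port after a disable run means the service listening there still accepts SSLv3.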

Pre-requisites for running Utility

Java Runtime Environment (JRE) or JDK, Java version 1.7.0_45 or higher

Different options available with the Utility

  • Enable SSLv3 on all ESXi Server Ports.
  • Disable SSLv3 on all ESXi Server Ports.
  • Get the details of all ESXi servers from vCenter Server and record them in a CSV file.
  • Encrypt a plain-text ESXi password so that the ESXi server password(s) can be recorded in a CSV file and provided as input to the utility later.