vSphere Replication 8.x - Turn off TLS 1.1 on port 443


Article ID: 338473


Products

VMware Live Recovery, VMware vSphere ESXi

Issue/Introduction

To disable TLS 1.1 and leave only TLS 1.2 enabled on port 443.

Symptoms:
Due to stricter security requirements for some customers, TLS 1.1 may need to be disabled on port 443 on the vSphere Replication appliance.

Environment

VMware vSphere Replication 8.x

Resolution

1. Connect to the vSphere Replication appliance via SSH and open the Apache Tomcat configuration file in a text editor (if you are not comfortable with vi, copy the file out with WinSCP, edit it locally, and copy it back):
vi /var/opt/apache-tomcat/conf/server.xml

2. Look for a 'Connector' tag that defines a Tomcat connector listening on address="::" and port="8443". It should also have an 'SSLHostConfig' tag as a child. For example, it should look like:

<Connector SSLEnabled="true" Secure="true" address="::" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol">
   <SSLHostConfig ciphers="!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES" protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="lib/hms-keystore.jks" certificateKeystorePassword="H55MSDVcNUdsAwlP" type="RSA" />
   </SSLHostConfig>
</Connector>

In the SSLHostConfig tag, look for an attribute named 'protocols'; this defines the supported TLS versions. For example, 'TLSv1.1+TLSv1.2' means that TLS 1.1 and TLS 1.2 are both supported and can be used for connections. To allow only TLS 1.2, set the value to 'TLSv1.2'.

3. After modifying the server.xml file, restart the Tomcat service:

service tomcat restart
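The three steps above can be made repeatable and auditable with a small script. The following Python script is an added example and is not VMware's code: it reports the 'protocols' value of every SSL-enabled Connector in server.xml, rewrites the attribute on the port 8443 / address "::" connector so that legacy versions (SSLv2, SSLv3, TLSv1, TLSv1.1) are dropped and TLSv1.2 is kept, and writes a .bak copy before touching the file. The file path, port and address come from the KB; the function names, the `LEGACY` set and the constructed sample XML (keystore password replaced by a placeholder) are assumptions of this example. The rewrite is done by text substitution rather than re-serialising the XML so that comments and layout in server.xml survive.

```python
"""Added example (not VMware's code): audit and harden the SSLHostConfig
'protocols' attribute on the vSphere Replication Tomcat connector, as the
KB steps above describe. Path, port and address are the KB's; everything
else is constructed for this example."""
import re
import shutil
import sys
import xml.etree.ElementTree as ET

SERVER_XML = "/var/opt/apache-tomcat/conf/server.xml"  # path given in the KB
CONNECTOR_PORT = "8443"
CONNECTOR_ADDRESS = "::"
# Protocol names Tomcat accepts in SSLHostConfig/@protocols that must not stay enabled
# (assumed set for this example).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed server.xml fragment modelled on the KB snippet; used for the stand-alone run.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <!-- plain HTTP connector, untouched by this script -->
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector SSLEnabled="true" Secure="true" address="::" maxThreads="150" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol">
     <SSLHostConfig ciphers="!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES" protocols="TLSv1.1+TLSv1.2">
        <Certificate certificateKeystoreFile="lib/hms-keystore.jks" certificateKeystorePassword="KEYSTORE-PASSWORD-PLACEHOLDER" type="RSA" />
     </SSLHostConfig>
  </Connector>
</Service>
"""


def audit_connectors(xml_text):
    """Return [(port, address, protocols)] for every SSL-enabled Connector.
    Tomcat treats a missing 'protocols' attribute as 'all'."""
    root = ET.fromstring(xml_text)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        host = conn.find("SSLHostConfig")
        protocols = host.get("protocols", "all") if host is not None else "all"
        found.append((conn.get("port"), conn.get("address"), protocols))
    return found


def hardened_protocols(value):
    """Drop legacy versions from a Tomcat protocols list ('a+b' or 'a,b').
    'all' is rewritten to TLSv1.2 only, matching the KB's instruction."""
    if value.strip().lower() == "all":
        return "TLSv1.2"
    sep = "+" if "+" in value else ","
    keep = [p.strip() for p in value.split(sep) if p.strip() and p.strip() not in LEGACY]
    return sep.join(keep) if keep else "TLSv1.2"


def disable_tls11(xml_text, port=CONNECTOR_PORT, address=CONNECTOR_ADDRESS):
    """Return xml_text with the target connector's SSLHostConfig protocols hardened.
    Only the attribute text is replaced, so comments and formatting are preserved."""
    for m in re.finditer(r"<Connector\b[^>]*>", xml_text):
        tag = m.group(0)
        if f'port="{port}"' not in tag or f'address="{address}"' not in tag:
            continue
        if tag.endswith("/>"):
            raise ValueError("target Connector is self-closing; no SSLHostConfig child")
        end = xml_text.index("</Connector>", m.end())
        body = xml_text[m.end():end]
        host = re.search(r"<SSLHostConfig\b[^>]*>", body)
        if host is None:
            raise ValueError("target Connector has no SSLHostConfig child")
        host_tag = host.group(0)
        attr = re.search(r'protocols="([^"]*)"', host_tag)
        if attr:
            new_tag = host_tag.replace(attr.group(0), f'protocols="{hardened_protocols(attr.group(1))}"', 1)
        else:  # attribute absent means 'all' in Tomcat, so pin it explicitly
            new_tag = host_tag.replace("<SSLHostConfig", '<SSLHostConfig protocols="TLSv1.2"', 1)
        return xml_text[:m.end()] + body.replace(host_tag, new_tag, 1) + xml_text[end:]
    raise ValueError(f"no Connector with port={port} address={address} found")


def main(path=SERVER_XML):
    """Harden the real file in place, keeping a .bak copy (run on the appliance)."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    print("before:", audit_connectors(original))
    hardened = disable_tls11(original)
    if hardened == original:
        print("no change needed")
        return
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(hardened)
    print("after: ", audit_connectors(hardened))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:  # no path given: demonstrate on the constructed sample only
        print(audit_connectors(disable_tls11(SAMPLE_SERVER_XML)))
```

Run it with no arguments to see the effect on the constructed sample, or with the server.xml path to modify the appliance file; restart Tomcat afterwards as in step 3. To confirm the change took effect, `openssl s_client -connect <appliance-address>:8443 -tls1_1` from an admin workstation should now fail the handshake while `-tls1_2` succeeds.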

Additional Information

Impact/Risks:
Note: Take a snapshot of the vSphere Replication appliance before following this KB.