How to disable TLS 1.0 and 1.1 in vRealize Operations Manager 6.x
Article ID: 340147
Updated On:
Products
VMware Aria Suite
Issue/Introduction
Note: The steps in this article apply to vRealize Operations Manager 6.2 and later releases.
Transport Layer Security (TLS) 1.0 is enabled by default in vRealize Operations Manager. TLS 1.0 is a superseded version of TLS and is enabled for vRealize Operations Manager compatibility with external products.
These external product issues are known to occur when TLS 1.0 is disabled.
Transport Layer Security (TLS) 1.0 is enabled by default in vRealize Operations Manager. TLS 1.0 is a superseded version of TLS and is enabled for vRealize Operations Manager compatibility with external products.
These external product issues are known to occur when TLS 1.0 is disabled.
- vRealize Orchestrator cannot run REST workflows against vRealize Operations Manager. VMware recommends using vRealize Orchestror 6.0.4 or later and using SNMP traps instead of the REST API for workflows.
- vSphere cannot download the next generation client (NGC) plug-in from vRealize Operations Manager 6.5 or earlier versions.
- Previously registered Endpoint Operations agents might not communicate with vRealize Operations Manager 6.4 or earlier versions. This issue was fixed with vRealize Operations Manager 6.5.
- vRealize Operations Manager reports might not display dashboards. This issue was fixed with vRealize Operations Manager 6.5.
- vRealize Operations Manager cannot integrate with vRealize Log Insight 3.0. VMware recommends the use of a more current version of vRealize Log Insight.
Environment
VMware vRealize Operations Manager 6.6.x
VMware vRealize Operations Manager 6.5.x
VMware vRealize Operations Manager 6.3.x
VMware vRealize Operations Manager 6.4.x
VMware vRealize Operations Manager 7.0.x
VMware vRealize Operations Manager 6.7.x
VMware vRealize Operations Manager 6.2.x
VMware vRealize Operations Manager 6.5.x
VMware vRealize Operations Manager 6.3.x
VMware vRealize Operations Manager 6.4.x
VMware vRealize Operations Manager 7.0.x
VMware vRealize Operations Manager 6.7.x
VMware vRealize Operations Manager 6.2.x
Resolution
TLS 1.0 is not strictly required by vRealize Operations Manager internal communications and can be disabled by performing these steps on each node in the cluster.
Section 1: Disable TLS 1.0 in 6.2.x and later for Web Access
- Log in to a console session on the node.
Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default, or C:\vmware\vcenter-operations on Windows.
- Backup the Apache HTTPD configuration file:
cp $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf.bak
- Open $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf in a text editor.
- Add -TLSv1 to the SSLProtocol line.
The modified line should look similar to:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
- Save and close vcops-apache.conf.
- Run this command to restart the Web server:
$VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/bin/restartHttpd.py force
On Windows:
%VMWARE_PYTHON_BIN% %VCOPS_BASE%\..\vmware-vcopssuite\utilities\bin\restartHttpd.py force
Note: If you're on vRealize Operations Manager 6.6.x, continue to section 2.
To verify that TLS 1.0 is disabled, check port 443 on all nodes.
- For each node, run the following command:
- vApp: $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- RHEL: $VCOPS_BASE/../openssl/bin/openssl s_client -connectnode-FQDN-or-IP-address:443 -tls1
- Windows: %VCOPS_BASE%\..\openssl\bin\openssl s_client -connectnode-FQDN-or-IP-address:443 -tls
- Verify that the command fails with error messages similar to any one of these:
- CONNECTED(00000005)
- 2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:
Alternatively:
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Note: The Session-ID is empty and various NONE values appear.
To verify that the later version of TLS is enabled, perform these steps:
- Repeat the earlier openssl command, replacing -tls1 with -tls1_2.
- Verify that the connection succeeds with messages similar to this example:
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 93A27AFCEBF1FC3845CB3AB3F34A7651F97D7551C42E0278577B73629E748FC2
Note: The protocol includes TLSv1.2 and a valid Session-ID appears.
Section 2: Disable TLS 1.0 and 1.1 in 6.6.x and later for Java Components
Note: This section is only applicable for vRealize Operations Manager 6.6.x and later.
- Log in to vRealize Operations Manager Master node as root through SSH or Console.
- Backup the $VMWARE_JAVA_HOME/lib/security/java.security file:
cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak
- Open $VMWARE_JAVA_HOME/lib/security/java.security in a text editor.
- On the jdk.tls.disabledAlgorithms property, add TLSv1 and TLSv1.1 after SSLv3.
Example: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, \
EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC
EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC
- Save and close the file.
- Repeat steps 1-5 on all nodes in the cluster.
- Log in to vRealize Operations Manager Admin UI.
- Click Take Offline to take the vRealize Operations Manager cluster offline.
- Once the cluster is offline, click Bring Online to bring the vRealize Operations Manager cluster online.
Feedback
Yes
No
Powered by
