TLS 1.0 is not strictly required by vRealize Operations Manager internal communications and can be disabled by performing these steps on each node in the cluster.
Section 1: Disable TLS 1.0 in 6.2.x and later for Web Access
- Log in to a console session on the node.
Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default, or C:\vmware\vcenter-operations on Windows.
- Back up the Apache HTTPD configuration file:
cp $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf.bak
- Open $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf in a text editor.
- Add -TLSv1 to the SSLProtocol line.
The modified line should look similar to:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
- Save and close vcops-apache.conf.
- Run this command to restart the Web server:
$VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/bin/restartHttpd.py force
On Windows:
%VMWARE_PYTHON_BIN% %VCOPS_BASE%\..\vmware-vcopssuite\utilities\bin\restartHttpd.py force
Note: If you're on vRealize Operations Manager 6.6.x, continue to section 2.
To verify that TLS 1.0 is disabled, check port 443 on all nodes.
- For each node, run the following command:
- vApp: $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- RHEL: $VCOPS_BASE/../openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- Windows: %VCOPS_BASE%\..\openssl\bin\openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
- Verify that the command fails with error messages similar to any one of these:
- CONNECTED(00000005)
- 2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:
Alternatively:
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Note: The Session-ID is empty and various NONE values appear.
To verify that TLS 1.2 is still enabled, perform these steps:
- Repeat the earlier openssl command, replacing -tls1 with -tls1_2.
- Verify that the connection succeeds with messages similar to this example:
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 93A27AFCEBF1FC3845CB3AB3F34A7651F97D7551C42E0278577B73629E748FC2
Note: The protocol includes TLSv1.2 and a valid Session-ID appears.
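The two openssl checks above have to be repeated for every node and the output read by eye. The script below is an added example, not part of the article or of VMware's tooling: it classifies s_client output with the same rules the article's notes give (a refused handshake shows "Cipher : 0000" or a "handshake failure" error and an empty Session-ID, an accepted one shows a real cipher and TLSv1.2), and it runs both checks against a list of nodes. The two sample outputs are constructed from the fragments shown above; the openssl path, node names and the check_tls.py file name are assumptions.

```python
"""Check that TLS 1.0 is refused and TLS 1.2 accepted on each vRealize Operations node.

Added example; not part of the VMware article. Classification follows the
article's sample outputs: refused handshakes show "Cipher : 0000" (or a
"handshake failure" error) and an empty Session-ID, accepted ones a real cipher.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample outputs, modelled on the fragments shown in the article.
SAMPLE_TLS1_REFUSED = """\
CONNECTED(00000005)
2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
"""

SAMPLE_TLS12_ACCEPTED = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 93A27AFCEBF1FC3845CB3AB3F34A7651F97D7551C42E0278577B73629E748FC2
"""


def _field(output: str, name: str) -> str:
    """Return the value of a 'Name : value' line from the SSL-Session block ('' if absent)."""
    m = re.search(r"^\s*%s\s*:\s*(.*?)\s*$" % re.escape(name), output, re.MULTILINE)
    return m.group(1) if m else ""


def parse_s_client(output: str) -> Dict[str, object]:
    """Reduce openssl s_client output to the few fields that decide the verdict."""
    cipher = _field(output, "Cipher")
    return {
        "protocol": _field(output, "Protocol"),
        "cipher": cipher,
        "session_id": _field(output, "Session-ID"),
        # A real cipher was negotiated and OpenSSL did not report a failed handshake.
        "handshake_ok": cipher not in ("", "0000") and "handshake failure" not in output,
    }


def assess_node(tls1_output: str, tls12_output: str) -> Dict[str, bool]:
    """Both conditions must hold: TLS 1.0 refused, TLS 1.2 still negotiable."""
    tls1 = parse_s_client(tls1_output)
    tls12 = parse_s_client(tls12_output)
    return {
        "tls1_disabled": not tls1["handshake_ok"],
        "tls12_enabled": bool(tls12["handshake_ok"]) and tls12["protocol"] == "TLSv1.2",
    }


def run_s_client(openssl_bin: str, host: str, version_flag: str, port: int = 443) -> str:
    """Run the article's s_client check for one node; openssl_bin is the bundled binary
    (for example $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl on the vApp)."""
    proc = subprocess.run(
        [openssl_bin, "s_client", "-connect", "%s:%d" % (host, port), version_flag],
        input=b"", capture_output=True, timeout=30,
    )
    # Error lines go to stderr, the session block to stdout; classify both together.
    return (proc.stdout + proc.stderr).decode("utf-8", "replace")


def check_cluster(openssl_bin: str, nodes: List[str]) -> Dict[str, Dict[str, bool]]:
    """Run the -tls1 and -tls1_2 checks against every node and collect the verdicts."""
    results = {}
    for node in nodes:
        results[node] = assess_node(
            run_s_client(openssl_bin, node, "-tls1"),
            run_s_client(openssl_bin, node, "-tls1_2"),
        )
    return results


if __name__ == "__main__":
    import sys
    # Usage (assumed file name): python check_tls.py /path/to/openssl node1 node2 ...
    for node, verdict in check_cluster(sys.argv[1], sys.argv[2:]).items():
        print(node, "OK" if all(verdict.values()) else "NOT OK", verdict)
```

Run it once after the restart on every node of the cluster; a node reporting `tls1_disabled: False` still accepts TLS 1.0 on port 443, and one reporting `tls12_enabled: False` has been over-restricted and needs its SSLProtocol line re-checked before the UI becomes unreachable.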
Section 2: Disable TLS 1.0 and 1.1 in 6.6.x and later for Java Components
Note: This section is only applicable for vRealize Operations Manager 6.6.x and later.
- Log in to vRealize Operations Manager Master node as root through SSH or Console.
- Back up the $VMWARE_JAVA_HOME/lib/security/java.security file:
cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak
- Open $VMWARE_JAVA_HOME/lib/security/java.security in a text editor.
- On the jdk.tls.disabledAlgorithms property, add TLSv1 and TLSv1.1 after SSLv3.
Example: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, \
EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC
- Save and close the file.
- Repeat steps 1-5 on all nodes in the cluster.
- Log in to vRealize Operations Manager Admin UI.
- Click Take Offline to take the vRealize Operations Manager cluster offline.
- Once the cluster is offline, click Bring Online to bring the vRealize Operations Manager cluster online.
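Both sections edit a configuration file by hand on every node: the SSLProtocol line in vcops-apache.conf (section 1) and the jdk.tls.disabledAlgorithms property in java.security (section 2). The script below is an added example, not VMware's tooling, that makes the same two edits idempotently so it can be rerun on every node without duplicating tokens; it honours the backslash line continuation that java.security uses (as in the example above) and writes a .bak copy before changing a file, as the article does. The sample file contents are constructed, and the file paths are the ones the article gives and must be adjusted per platform.

```python
"""Apply the article's two edits idempotently: '-TLSv1' on Apache's SSLProtocol
line and TLSv1/TLSv1.1 after SSLv3 in jdk.tls.disabledAlgorithms.

Added example, not VMware's tooling. Paths are taken from the article and are
assumptions for your platform.
"""
import re
import shutil
from typing import Callable, List

# Constructed sample inputs, modelled on the lines quoted in the article.
SAMPLE_APACHE = "SSLEngine on\nSSLProtocol All -SSLv2 -SSLv3\n"
SAMPLE_JAVA = (
    "# constructed excerpt of java.security\n"
    "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 2048, \\\n"
    "    EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC\n"
    "other.property=1\n"
)


def harden_ssl_protocol(apache_conf: str) -> str:
    """Append -TLSv1 to every active SSLProtocol directive that lacks it.

    Commented-out directives are left alone; '-TLSv1' is matched as a whole
    token, so an existing '-TLSv1.1' does not count as TLS 1.0 already disabled.
    """
    out = []
    for line in apache_conf.splitlines(keepends=True):
        tokens = line.split()
        if tokens and tokens[0] == "SSLProtocol" and "-TLSv1" not in tokens:
            body = line.rstrip("\r\n")
            line = body + " -TLSv1" + line[len(body):]  # keep the original line ending
        out.append(line)
    return "".join(out)


def add_disabled_tls(java_security: str) -> str:
    """Insert TLSv1 and TLSv1.1 directly after SSLv3 in jdk.tls.disabledAlgorithms.

    The property may span several lines joined by a trailing backslash; the
    joined value is emitted on one line, which the Java properties loader
    reads identically.
    """
    key_re = re.compile(r"^\s*jdk\.tls\.disabledAlgorithms\s*=")
    lines = java_security.splitlines()
    out: List[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if not key_re.match(line):
            out.append(line)
            i += 1
            continue
        value = line.split("=", 1)[1]
        while value.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            value = value.rstrip()[:-1] + lines[i].lstrip()
        i += 1
        algs = [a.strip() for a in value.split(",") if a.strip()]
        algs = [a for a in algs if a not in ("TLSv1", "TLSv1.1")]  # makes the edit idempotent
        at = algs.index("SSLv3") + 1 if "SSLv3" in algs else 0
        algs[at:at] = ["TLSv1", "TLSv1.1"]
        out.append("jdk.tls.disabledAlgorithms=" + ", ".join(algs))
    return "\n".join(out) + ("\n" if java_security.endswith("\n") else "")


def rewrite_file(path: str, transform: Callable[[str], str]) -> bool:
    """Back the file up to <path>.bak and rewrite it in place; True if it changed."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    updated = transform(original)
    if updated == original:
        return False
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True


if __name__ == "__main__":
    import os
    # Paths from the article; VCOPS_BASE and VMWARE_JAVA_HOME must be set in the environment.
    base = os.environ["VCOPS_BASE"]
    apache_conf = os.path.join(base, "..", "vmware-vcopssuite", "utilities", "conf", "vcops-apache.conf")
    java_sec = os.path.join(os.environ["VMWARE_JAVA_HOME"], "lib", "security", "java.security")
    print("vcops-apache.conf changed:", rewrite_file(apache_conf, harden_ssl_protocol))
    print("java.security changed:", rewrite_file(java_sec, add_disabled_tls))
```

After the script reports a change, the article's follow-up steps still apply: restart the Web server with restartHttpd.py for the Apache edit, and take the cluster offline and back online from the Admin UI for the java.security edit.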