How to disable TLS 1.0 and 1.1 in vRealize Operations Manager 6.x
search cancel

How to disable TLS 1.0 and 1.1 in vRealize Operations Manager 6.x

book

Article ID: 340147

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Note: The steps in this article apply to vRealize Operations Manager 6.2 and later releases.

Transport Layer Security (TLS) 1.0 is enabled by default in vRealize Operations Manager. TLS 1.0 is a superseded version of TLS and is enabled for vRealize Operations Manager compatibility with external products.
These external product issues are known to occur when TLS 1.0 is disabled.
  • vRealize Orchestrator cannot run REST workflows against vRealize Operations Manager. VMware recommends using vRealize Orchestror 6.0.4 or later and using SNMP traps instead of the REST API for workflows.
  • vSphere cannot download the next generation client (NGC) plug-in from vRealize Operations Manager 6.5 or earlier versions.
  • Previously registered Endpoint Operations agents might not communicate with vRealize Operations Manager 6.4 or earlier versions. This issue was fixed with vRealize Operations Manager 6.5.
  • vRealize Operations Manager reports might not display dashboards. This issue was fixed with vRealize Operations Manager 6.5.
  • vRealize Operations Manager cannot integrate with vRealize Log Insight 3.0. VMware recommends the use of a more current version of vRealize Log Insight.


Environment

VMware vRealize Operations Manager 6.6.x
VMware vRealize Operations Manager 6.5.x
VMware vRealize Operations Manager 6.3.x
VMware vRealize Operations Manager 6.4.x
VMware vRealize Operations Manager 7.0.x
VMware vRealize Operations Manager 6.7.x
VMware vRealize Operations Manager 6.2.x

Resolution

TLS 1.0 is not strictly required by vRealize Operations Manager internal communications and can be disabled by performing these steps on each node in the cluster.
 

Section 1: Disable TLS 1.0 in 6.2.x and later for Web Access

  1. Log in to a console session on the node.

    Note: VCOPS_BASE is set to /usr/lib/vmware-vcops by default, or C:\vmware\vcenter-operations on Windows.
     
  2. Backup the Apache HTTPD configuration file:

    cp $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf.bak
     
  3. Open $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf in a text editor.
  4. Add -TLSv1 to the SSLProtocol line.

    The modified line should look similar to:

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1
     
  5. Save and close vcops-apache.conf.
     
  6. Run this command to restart the Web server:

    $VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/bin/restartHttpd.py force

    On Windows:

    %VMWARE_PYTHON_BIN% %VCOPS_BASE%\..\vmware-vcopssuite\utilities\bin\restartHttpd.py force

    Note: If you're on vRealize Operations Manager 6.6.x, continue to section 2.
To verify that TLS 1.0 is disabled, check port 443 on all nodes.
 
  1. For each node, run the following command:
     
    • vApp: $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1
    • RHEL: $VCOPS_BASE/../openssl/bin/openssl s_client -connectnode-FQDN-or-IP-address:443 -tls1
    • Windows: %VCOPS_BASE%\..\openssl\bin\openssl s_client -connectnode-FQDN-or-IP-address:443 -tls
       
  2. Verify that the command fails with error messages similar to any one of these:
     
    • CONNECTED(00000005)
    • 2283136:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:

      Alternatively:

      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
      Protocol : TLSv1
      Cipher : 0000
      Session-ID:


      Note: The Session-ID is empty and various NONE values appear.

To verify that the later version of TLS is enabled, perform these steps:

  1. Repeat the earlier openssl command, replacing -tls1 with -tls1_2.
  2. Verify that the connection succeeds with messages similar to this example:

    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : AES256-GCM-SHA384
    Session-ID: 93A27AFCEBF1FC3845CB3AB3F34A7651F97D7551C42E0278577B73629E748FC2


    Note: The protocol includes TLSv1.2 and a valid Session-ID appears.

Section 2: Disable TLS 1.0 and 1.1 in 6.6.x and later for Java Components

Note: This section is only applicable for vRealize Operations Manager 6.6.x and later.
  1. Log in to vRealize Operations Manager Master node as root through SSH or Console.
  2. Backup the $VMWARE_JAVA_HOME/lib/security/java.security file:

    cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak
     
  3. Open $VMWARE_JAVA_HOME/lib/security/java.security in a text editor.
  4. On the jdk.tls.disabledAlgorithms property, add TLSv1 and TLSv1.1 after SSLv3.
Example: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, \
     EC keySize < 224 , DES40_CBC, RC4_40, 3DES_EDE_CBC
  1. Save and close the file.
  2. Repeat steps 1-5 on all nodes in the cluster.
  3. Log in to vRealize Operations Manager Admin UI.
  4. Click Take Offline to take the vRealize Operations Manager cluster offline.
  5. Once the cluster is offline, click Bring Online to bring the vRealize Operations Manager cluster online.
 

Additional Information

For translated versions of this article, see: