Log Insight 2.5 and 3.0 cannot establish connection to remote TLSv1.1 or TLSv1.2 servers

Article ID: 340399


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • VMware vRealize Log Insight 2.5 and 3.0 cannot establish secure connections to remote TLSv1.1 or TLSv1.2 servers.

  • Connections from Log Insight to VMware vRealize Operations fail. In the /storage/var/loginsight/runtime.log or /storage/var/loginsight/ui_runtime.log file, you see entries similar to:

    [thread/10.x.x.x ERROR] [com.vmware.loginsight.vcopssuite.VcopsSuiteApiRequest] [failed to post resource to vRealize Operations Manager]
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake


  • Connections from Log Insight to VMware vCenter Server fail. In the /storage/var/loginsight/runtime.log or /storage/var/loginsight/ui_runtime.log file, you see entries similar to:

    [thread/10.x.x.x ERROR] [com.vmware.loginsight.vsphere.client.VimClient] [Exception while consuming connection: com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]


Environment

VMware vRealize Log Insight 3.0.x
VMware vRealize Log Insight 2.5.x

Resolution

VMware vRealize Log Insight 2.5 and 3.0 support connections to remote TLS v1.0 servers out of the box. However, additional configuration is required to enable support for TLS v1.1 and TLS v1.2.

To enable outbound connections to TLS v1.1 and TLS v1.2 servers, modify two shell scripts on each vRealize Log Insight cluster node:

  1. Open a console or SSH connection to the vRealize Log Insight appliance and log in as root.

  2. Modify configuration for the UI service.

    1. Change to the apache-tomcat-version/bin directory.

      For Log Insight 3.0: cd /usr/lib/loginsight/application/3rd_party/apache-tomcat-7.0.57/bin/
      For Log Insight 2.5: cd /usr/lib/loginsight/application/3rd_party/apache-tomcat-6.0.36/bin/

    2. Create the setenv.sh file using a text editor. The file may not exist. For more information, see Editing files using vi or nano (1020302).

    3. Append the line:

      export CATALINA_OPTS="$CATALINA_OPTS -Dhttps.protocols=TLSv1.1,TLSv1.2 -Ddeployment.security.TLSv1=false"

    4. Save and close the file.

  3. Modify configuration for the background daemon service.

    1. Open the file /etc/default/loginsight using a text editor. The file may not exist. For more information, see Editing files using vi or nano (1020302).

    2. Append the line:

      STRATA_JAVA_OPTS="$STRATA_JAVA_OPTS -Dhttps.protocols=TLSv1.1,TLSv1.2 -Ddeployment.security.TLSv1=false"

    3. Save the file.

  4. Restart the loginsight service using the command:

    service loginsight restart
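
The steps above as an idempotent shell helper, added here as an example and not VMware's own tooling; the function names are hypothetical, while the paths and option strings are the ones given in this article. It appends each line only once, so it is safe to re-run on every cluster node, and it checks that both properties sit on an uncommented line.

```shell
#!/bin/sh
# Added example: apply and verify the settings from steps 2 and 3.
# Function names are hypothetical; option strings come from the article.

TLS_OPTS='-Dhttps.protocols=TLSv1.1,TLSv1.2 -Ddeployment.security.TLSv1=false'

# ensure_line FILE LINE: create FILE if missing, append LINE only if
# an identical line is not already present.
ensure_line() {
    file=$1; line=$2
    [ -e "$file" ] || : > "$file" || return 1
    grep -qxF -e "$line" "$file" && return 0
    # Terminate an unterminated last line before appending.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
}

# apply_ui DIR: step 2; DIR is the apache-tomcat-version/bin directory.
apply_ui() {
    ensure_line "$1/setenv.sh" \
        "export CATALINA_OPTS=\"\$CATALINA_OPTS $TLS_OPTS\""
}

# apply_daemon FILE: step 3; FILE is /etc/default/loginsight on the appliance.
apply_daemon() {
    ensure_line "$1" "STRATA_JAVA_OPTS=\"\$STRATA_JAVA_OPTS $TLS_OPTS\""
}

# check_tls_opts FILE VAR: succeed only if FILE assigns VAR on an
# uncommented line that carries both properties.
check_tls_opts() {
    grep -E "^[[:space:]]*(export[[:space:]]+)?$2=" "$1" 2>/dev/null |
        grep -F -e '-Dhttps.protocols=TLSv1.1,TLSv1.2' |
        grep -qF -e '-Ddeployment.security.TLSv1=false'
}

# Usage on a Log Insight 3.0 node, as root (then restart as in step 4):
#   apply_ui /usr/lib/loginsight/application/3rd_party/apache-tomcat-7.0.57/bin
#   apply_daemon /etc/default/loginsight
#   check_tls_opts /etc/default/loginsight STRATA_JAVA_OPTS && echo configured
```
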


Additional Information

Editing files on an ESX host using vi or nano