How to disable SHA1 TLS Ciphers - Managing TLS Profiles in vCenter 8.0 U3

Article ID: 377237

Products

VMware vCenter Server 8.0

Issue/Introduction

In vCenter Server 8.0 Update 3, TLS configuration is done via TLS Profiles.

If Auto Deploy is in use in the environment, review the linked Auto Deploy article before changing the TLS profile: iPXE does not support the NIST_2024 profile, and possibly others.

Environment

vCenter Server 8.0 U3

Cause

vCenter 8.0 Update 3 introduces a new approach to TLS management: TLS configuration is done through TLS profiles. A profile is selected either from the API Explorer in the vCenter Web Client or with curl on the command line. A script attached to this KB simplifies the procedure.

Depending on your environment, you may need a TLS profile that includes or excludes particular cipher suites. To disable the SHA1-based suites, move to a stricter profile; the example in this article switches from COMPATIBLE to NIST_2024. The cipher suites each profile enables are listed in "How vSphere Implements TLS Using TLS Profiles" (see Additional Information).

NOTE: The TLS profile update operation has additional requirements on vCenter HA (VCHA) enabled deployments.

Resolution

Take a valid backup or snapshot of the vCenter Server whose TLS configuration you are changing.

  • If the vCenter Server is in linked mode, take cold snapshots of all linked vCenter Servers before proceeding.
  • The script attached to this KB can be used to simplify the procedure documented here.


Changing the TLS profile via API Explorer:

  • See "VC - Manage TLS profile using API" for the steps to open the vCenter API Explorer.


    Note: The search bar on the right of the API Explorer page filters the view (for example, search for "tls").

     

    Example:

    To change the TLS profile from COMPATIBLE to NIST_2024:

    • Under API > Appliance > "tls/profiles/global/", run the PUT operation with the body { "profile": "NIST_2024" } and click "Execute".

    • Confirm the change by running the GET operation on "tls/profiles/global/". If the change was applied, the returned profile value is "NIST_2024".

 

Change TLS profile from VCSA command line:

  • SSH to the vCenter Server you want to change TLS configuration on.
  • Run the following command to see what ciphers and TLS versions are currently enabled:

    /usr/lib/vmware-vsr/bin/ssl_scanner --host localhost:443 | less

    Example output: (screenshot not reproduced here)

    In that example TLS 1.2 is enabled, with the accepted and rejected cipher suites listed, and TLS 1.3 is disabled.

    OpenSSL can also be used to check TLS.
    • Verify TLS 1.2 with openssl:

      openssl s_client -connect localhost:443 -tls1_2

    • Verify TLS 1.3 with openssl:

      openssl s_client -connect localhost:443 -tls1_3
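The two openssl commands above only show that a protocol version is reachable. Since the goal of this article is to get rid of the SHA1-based suites, the added script below (an example written for this page, not part of the KB or the attached TLS_PROFILE.sh) uses openssl s_client to offer the server only the TLS 1.2 suites that use an HMAC-SHA1 MAC (the openssl cipher-string alias "SHA1") and treats a refused handshake as a pass. A control probe with a modern suite guards against a pass that is only due to the port being down. The TARGET variable, the function names and the output layout are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the KB: confirm with openssl s_client that no TLS 1.2
# suite with an HMAC-SHA1 MAC can still be negotiated on 443 after the profile
# change.  The openssl cipher-string alias "SHA1" selects exactly those suites,
# so offering only that list and getting no handshake means they are disabled.
# TLS 1.3 defines no SHA1 suites, so it is probed separately for completeness.
set -eu

TARGET="${TARGET:-localhost:443}"   # assumption: run on the VCSA, as the KB does

# s_client prints "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384" after a
# successful handshake and "New, (NONE), Cipher is (NONE)" after a failed one.
negotiated_cipher() {  # stdin = s_client output; prints the suite, or NONE
  c=$(sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
  case "$c" in
    ""|"(NONE)") echo NONE ;;
    *) echo "$c" ;;
  esac
}

# Offer only the suites matching cipher string $2 at protocol flag $1
# (e.g. -tls1_2) and report what the server picked.
probe() {  # $1 = openssl protocol flag, $2 = cipher string
  openssl s_client -connect "$TARGET" "$1" -cipher "$2" </dev/null 2>/dev/null \
    | negotiated_cipher
}

# PASS/FAIL for one probe: $2=no means the handshake must be refused,
# $2=yes means it must still succeed (so a dead port cannot pass the check).
verdict() {  # $1 = negotiated suite or NONE, $2 = yes|no
  if [ "$2" = yes ]; then
    if [ "$1" != NONE ]; then echo PASS; else echo FAIL; fi
  else
    if [ "$1" = NONE ]; then echo PASS; else echo FAIL; fi
  fi
}

main() {
  sha1=$(probe -tls1_2 'SHA1')            # expect NONE once SHA1-MAC suites are off
  modern=$(probe -tls1_2 'ECDHE+AESGCM')  # control: a modern suite must still work
  t13=$(probe -tls1_3 'ALL')              # -cipher does not affect 1.3; shows if 1.3 is on
  printf 'TLS 1.2, SHA1-MAC suites only : %-32s [%s]\n' "$sha1"   "$(verdict "$sha1" no)"
  printf 'TLS 1.2, ECDHE+AES-GCM only   : %-32s [%s]\n' "$modern" "$(verdict "$modern" yes)"
  printf 'TLS 1.3                       : %s\n' "$t13"
}

# Usage on the VCSA (or any host that reaches 443):  ./check_sha1_suites.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it before and after the profile change: with the COMPATIBLE profile the first line is expected to show a negotiated `*-SHA` suite and FAIL; after switching to a profile without SHA1 suites it should show NONE and PASS while the control line still negotiates an AES-GCM suite. `openssl ciphers -v 'SHA1'` lists exactly which suites the first probe offers.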

Using curl to interact with TLS profiles

  • To work with TLS profiles from the command line, first obtain a session ID, then pass it in the vmware-api-session-id header of every subsequent call.
  • If you use a custom SSO domain name, replace "vsphere.local" with that domain.
  • Replace "PASSWORD_HERE" with the SSO administrator password. A password typed on the command line is recorded in the shell history; passing -u with only the user name makes curl prompt for the password instead.
  • Some commands may fail with an authentication error because the session ID has expired. If that happens, refresh the session ID by running the first command below again.
  • To get a session ID, run:

    curl -k -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'vmware-use-header-authn: test' --header 'vmware-api-session-id: null' -u 'administrator@vsphere.local:PASSWORD_HERE' 'https://localhost/rest/com/vmware/cis/session'

    Example output: (screenshot not reproduced here)

    In this example the session ID is: 1bee8c95cc8ab1a8145b956f07db3ac2

  • Using the session ID from the command above, run the following to get the currently applied TLS profile:

    curl -k -X GET 'https://localhost/api/appliance/tls/profiles/global' -H 'vmware-api-session-id:1bee8c95cc8ab1a8145b956f07db3ac2'

    Example output: (screenshot not reproduced here)

    In this example the currently applied profile is "COMPATIBLE".

  • To change the currently applied profile to "NIST_2024", run the following command:

    curl -k -X PUT 'https://localhost/api/appliance/tls/profiles/global?vmw-task=true' -H 'vmware-api-session-id: 1bee8c95cc8ab1a8145b956f07db3ac2' -H 'Content-type: application/json' -d '{ "profile": "NIST_2024" }'

    Example output: (screenshot not reproduced here)

  • To track the task progress, take note of the task ID returned from the previous command. In this case the task ID is:

    f2f6f330-b298-4a92-a50b-7d1adf91217e:com.vmware.appliance.tls.profiles.global

  • Using this task ID and the session ID from above, run the following command to get the task progress:

    curl -k -X GET 'https://localhost/api/cis/tasks/f2f6f330-b298-4a92-a50b-7d1adf91217e:com.vmware.appliance.tls.profiles.global?return_all=TRUE' -H 'vmware-api-session-id:1bee8c95cc8ab1a8145b956f07db3ac2'

    Example output: (screenshot not reproduced here)
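The five curl calls above (log in, read the profile, change it as a task, then poll the task) are one procedure, so the added script below (written for this page; it is not the KB's attached TLS_PROFILE.sh and not VMware code) chains them and parses the session ID, task ID and task status out of the responses instead of pasting them by hand. Because the KB's screenshots are not reproduced, the response shapes are assumptions: the session POST answers {"value":"<id>"}, the profile GET answers {"profile":"<name>"}, the PUT with vmw-task=true answers the task ID as a bare JSON string, and the task GET has a top-level "status" field with SUCCEEDED and FAILED as terminal values. The variable and function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not the KB's attached TLS_PROFILE.sh): the curl sequence from
# this section as one script, with the session ID, task ID and task status
# parsed out of the responses.  Assumed response shapes (the KB screenshots are
# not on the page): session POST -> {"value":"<id>"}; profile GET ->
# {"profile":"<name>"}; PUT ?vmw-task=true -> "<task id>" as a bare JSON string;
# task GET -> object with a top-level "status" (SUCCEEDED / FAILED terminal).
set -eu

VC_HOST="${VC_HOST:-localhost}"                      # run on the VCSA itself, as the KB does
SSO_USER="${SSO_USER:-administrator@vsphere.local}"  # change the domain for a custom SSO domain
POLL_SECONDS=10
MAX_POLLS=90                                          # give up after 15 minutes

# --- response parsing (plain sed, so it needs no jq and can be tested offline) ---

# Print the value of a top-level string field of the JSON object read from stdin.
json_field() {  # $1 = field name
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# The task-style PUT answers with a quoted string; drop the quotes.
strip_quotes() { sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'; }

# Accept only the profile names the KB lists for vCenter 8.0 U3.
valid_profile() {
  case "$1" in
    NIST_2024|COMPATIBLE|COMPATIBLE-NON-FIPS) return 0 ;;
    *) return 1 ;;
  esac
}

# --- REST calls (-k because the appliance certificate is not issued for "localhost") ---

# Log in with -u USER only: curl prompts for the password, so it never reaches shell history.
get_session() {
  curl -sk -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' \
       -H 'vmware-use-header-authn: test' -H 'vmware-api-session-id: null' \
       -u "$SSO_USER" "https://$VC_HOST/rest/com/vmware/cis/session" | json_field value
}

get_profile() {  # $1 = session id
  curl -sk "https://$VC_HOST/api/appliance/tls/profiles/global" \
       -H "vmware-api-session-id: $1" | json_field profile
}

set_profile() {  # $1 = session id, $2 = profile; prints the task id
  curl -sk -X PUT "https://$VC_HOST/api/appliance/tls/profiles/global?vmw-task=true" \
       -H "vmware-api-session-id: $1" -H 'Content-Type: application/json' \
       -d "{ \"profile\": \"$2\" }" | strip_quotes
}

task_status() {  # $1 = session id, $2 = task id
  curl -sk "https://$VC_HOST/api/cis/tasks/$2?return_all=TRUE" \
       -H "vmware-api-session-id: $1" | json_field status
}

# Switch the profile and poll the task.  Services restart while it runs, so an
# empty reply (connection refused, or an expired session) is retried, not fatal.
change_tls_profile() {  # $1 = target profile
  valid_profile "$1" || { echo "unknown profile: $1" >&2; return 1; }
  sid=$(get_session)
  [ -n "$sid" ] || { echo "login failed" >&2; return 1; }
  echo "current profile: $(get_profile "$sid")"
  task=$(set_profile "$sid" "$1")
  [ -n "$task" ] || { echo "PUT returned no task id" >&2; return 1; }
  echo "task: $task"
  n=0
  while [ "$n" -lt "$MAX_POLLS" ]; do
    status=$(task_status "$sid" "$task")
    echo "status: ${status:-no reply}"
    case "$status" in
      SUCCEEDED) echo "profile now: $(get_profile "$sid")"; return 0 ;;
      FAILED)    echo "task failed; inspect GET /api/cis/tasks/$task" >&2; return 1 ;;
    esac
    n=$((n + 1)); sleep "$POLL_SECONDS"
  done
  echo "gave up polling; re-run the task GET with a fresh session id" >&2
  return 1
}

# Usage on the VCSA:  ./vcsa_tls_profile.sh --apply NIST_2024
if [ "${1:-}" = "--apply" ]; then
  change_tls_profile "${2:?profile name required}"
fi
```

The profile name is checked against the three profiles this KB lists before anything is sent, and the task is polled until it reaches a terminal state rather than assuming the PUT alone means the change is live.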

Additional Information

The cipher suites enabled by each currently available TLS profile in vSphere are listed in "How vSphere Implements TLS Using TLS Profiles".

 

To list the enabled and disabled ciphers and TLS versions for every TLS profile, run the following (jq is available on the appliance; use the session ID obtained above):

curl -k -X GET 'https://localhost/api/appliance/tls/profiles' -H "vmware-api-session-id: 1bee8c95cc8ab1a8145b956f07db3ac2" | jq

To list the enabled and disabled ciphers and TLS versions for a specific TLS profile:

curl -s -k -X GET 'https://localhost/api/appliance/tls/profiles/COMPATIBLE-NON-FIPS' -H "vmware-api-session-id: 1bee8c95cc8ab1a8145b956f07db3ac2" | jq


The TLS profiles currently available for vCenter Server 8.0 Update 3 are:

  • NIST_2024
  • COMPATIBLE
  • COMPATIBLE-NON-FIPS

Note: There is currently no "MANUAL" profile for vCenter, and the built-in profiles cannot be modified. Accordingly, the API Explorer offers only GET operations for "tls/profiles" to list what is available, and no PUT.

 

To use the attached bash script to change or review TLS profiles:

  • Copy the attached bash script to the vCenter Server whose TLS profile you want to change.
  • Make the file executable:

    chmod +x TLS_PROFILE.sh

  • Run the script and follow on-screen instructions.

Attachments

TLS_PROFILE.sh