This issue occurs because vSphere 5.1 tightened the default cipher suites used by the VMware Management Web Services components (the Tomcat-based services on vCenter Server): only AES-based TLS suites are enabled. The operating system running the vSphere Client must therefore support at least one of those suites; otherwise the TLS handshake fails and the client cannot connect to these components.
Windows Vista and Windows Server 2008 support these cipher suites out of the box. Older Windows operating systems do not, and a Microsoft hotfix must be applied to add them.
For more information on the cipher suites that the hotfix adds, see the Microsoft Knowledge Base article 948963.
Note: The preceding link was correct as of March 18, 2012. If you find a link is broken, provide feedback and a VMware employee will update the link.
Resolution
Windows 2003 (32-bit and 64-bit Edition)
For Windows Server 2003 (32-bit and 64-bit), apply the appropriate hotfix to the machine on which the vSphere Client is installed.
If the vSphere Client is installed on the Windows Server where vCenter Server is installed, you must also apply the patch to that Windows Server.
To download the hotfix for your system, see the Microsoft Knowledge Base article 948963.
Notes:
- You must reboot the machine after applying the hotfix.
- Non-English versions of the hotfixes are also available on the Microsoft site. Click the Show hotfixes for all platforms and languages link on the Hotfix Request page to view the available versions.
Windows XP (32-bit)
There is no hotfix available for Windows XP (32-bit). Microsoft currently provides only limited support for Windows XP, and as a result the hotfix has not been released for it. To resolve this issue, upgrade the host operating system to Windows Vista or later, which support these cipher suites natively.
If you are unable to upgrade your environment, you may try adding less secure cipher strengths back to the configuration, which allows communication to proceed successfully.
To add less secure cipher strengths back to the configuration:
Cautions:
- This is not a recommended configuration and is provided for backward compatibility purposes only. The below information is provided as-is, is unsupported and to be used at your own risk.
- Implementing the below configuration in which the cipher strength is reduced may not work for Inventory searching via the vSphere Client connected to vCenter Server.
- Log in as an administrator to the server where vCenter Server is installed.
- Navigate to the tomcat configuration directory.
Note: By default, this directory is located at C:\Program Files\VMware\Infrastructure\tomcat\conf\. In vCenter Server Appliance, the file is located at /usr/lib/vmware-vpx/tomcat/conf.
- Open the server.xml file using a text editor.
- Change the Connector text to add support for weaker ciphers by changing it from:
<Connector SSLEnabled="true" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA" connectionTimeout="20000" executor="tomcatThreadPool" keystoreFile="${bio-vmssl.keyFile.name}" keystorePass="${bio-vmssl.SSL.password}" keystoreType="PKCS12" maxKeepAliveRequests="15" port="${bio-vmssl.https.port}" protocol="HTTP/1.1" redirectPort="${bio-vmssl.https.port}" scheme="https" secure="true"></Connector>
To:
<Connector SSLEnabled="true" acceptCount="100" ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DH_RSA_WITH_AES_256_CBC_SHA, TLS_DH_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DH_RSA_WITH_AES_128_CBC_SHA, TLS_DH_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" connectionTimeout="20000" executor="tomcatThreadPool" keystoreFile="${bio-vmssl.keyFile.name}" keystorePass="${bio-vmssl.SSL.password}" keystoreType="PKCS12" maxKeepAliveRequests="15" port="${bio-vmssl.https.port}" protocol="HTTP/1.1" redirectPort="${bio-vmssl.https.port}" scheme="https" secure="true"></Connector>
Note: The only change is the five SSL_ suites appended to the end of the ciphers attribute (SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA and SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA). Do not change any other options. This adds back RC4 and 3DES suites for backward compatibility; they are weaker than the AES defaults, so remove them again once the older clients have been upgraded.
- Restart the VMware VirtualCenter Management Web Services service. For more information, see Stopping, starting, or restarting vCenter services (1003895).
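The steps above edit a single attribute by hand, and the failure mode they work around is simply an empty intersection between the server's cipher list and the client's. The following script is an added example, not VMware's code or part of the original article: it parses the ciphers attribute of every SSL-enabled Tomcat Connector in a server.xml, flags legacy suites (RC4, 3DES, MD5), appends the workaround suites programmatically, and checks whether a given client's suite set can negotiate with the server. The server.xml fragment and the two client suite lists are constructed for illustration; the suite names use JSSE/Tomcat naming, and the pre- and post-hotfix Windows XP/2003 lists are assumptions based on KB 948963 adding AES suites to Schannel.

```python
"""Audit the ciphers attribute of Tomcat HTTPS Connectors (vCenter server.xml)
and check whether a client's suites overlap with the server's.

Added example, not VMware's code. SERVER_XML and the client suite lists are
constructed for illustration."""

import xml.etree.ElementTree as ET

# Constructed minimal server.xml, modelled on the vSphere 5.1 Connector on this page.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
        protocol="HTTP/1.1"
        ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
                 TLS_RSA_WITH_AES_128_CBC_SHA" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>"""

# The five suites the article's workaround appends (JSSE names).
WORKAROUND_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

# Assumed client suite sets (constructed): Schannel on XP/2003 before the hotfix
# offers only RC4/3DES RSA suites; KB 948963 adds the RSA AES suites.
XP_WITHOUT_HOTFIX = [
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]
XP_WITH_HOTFIX = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
] + XP_WITHOUT_HOTFIX


def _split(raw):
    return [s.strip() for s in raw.split(",") if s.strip()]


def parse_ciphers(xml_text):
    """Return {port: [suite, ...]} for every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    result = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        result[conn.get("port")] = _split(conn.get("ciphers", ""))
    return result


def is_weak(suite):
    """Flag suites built on RC4, 3DES or MD5 (plus NULL/EXPORT for completeness)."""
    return any(tok in suite for tok in ("RC4", "3DES", "MD5", "_NULL_", "EXPORT"))


def weak_suites(xml_text):
    """Audit helper: {port: [weak suites configured on that Connector]}."""
    return {port: [s for s in suites if is_weak(s)]
            for port, suites in parse_ciphers(xml_text).items()}


def add_suites(xml_text, port, extra):
    """Append suites to the named Connector's ciphers attribute (the manual edit
    from the article, done programmatically) and return the new XML text."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port and conn.get("SSLEnabled", "").lower() == "true":
            current = _split(conn.get("ciphers", ""))
            conn.set("ciphers", ", ".join(current + [s for s in extra if s not in current]))
    return ET.tostring(root, encoding="unicode")


def negotiable(server_suites, client_suites):
    """Suites both sides offer, in server preference order.
    An empty list means the TLS handshake cannot succeed."""
    client = set(client_suites)
    return [s for s in server_suites if s in client]


if __name__ == "__main__":
    default = parse_ciphers(SERVER_XML)["8443"]
    print("XP without hotfix vs default:", negotiable(default, XP_WITHOUT_HOTFIX))
    print("XP with hotfix vs default:   ", negotiable(default, XP_WITH_HOTFIX))
    patched = add_suites(SERVER_XML, "8443", WORKAROUND_SUITES)
    print("weak suites after workaround:", weak_suites(patched)["8443"])
    print("XP without hotfix vs patched:", negotiable(parse_ciphers(patched)["8443"], XP_WITHOUT_HOTFIX))
```

Run against a real server.xml by reading the file into `SERVER_XML`; `weak_suites` is the check to run again after the clients are upgraded, to confirm the RC4 and 3DES suites have been removed.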