vSphere 5.0 Ports and Services
Service | Port | Configuration Steps |
Hostd | 443 | |
Authd | 902 | |
SFCBD | 5989 | |
Virtual Appliance Management Interface (VAMI) | 5480 | |
Authentication proxy service (CAM) | 51915 | |
Syslog Collector (vmsyslogcollector) | 1514 | |
VMware vSphere Web Client Service (vspherewebclientsvc) | 9443 | |
VirtualCenter Server service (vpxd) | 443 | |
vCenter Inventory Service database (invsvc) | 10109 | |
VMware VirtualCenter Management Webservices | 8443 | |
SPS | 21100(VCSA), 31100(windows) | |
Auto Deploy servie port Auto Deploy management port | 6501 6502 | |
vSphere Update Manager | 8084/9087 | |
vCenter Server Appliance | 5489 | vCenter Server Appliance |
Hostd service - Port 443
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on Hostd service for ESXi 5.0 patch released on 06/14/2016 follow these steps:
- Login to ESXi using putty.exe
- To enable SSLv3 is run the following command:
esxcli system settings advanced set -o /UserVars/ESXiHostdDisabledProtocols -s ""
- Restart the rhttpproxy services by running the following command:
/etc/init.d/hostd restart
- Run the following command to get a list of disabled protocols for hostd:
esxcli system settings advanced list -o /UserVars/ESXiHostdDisabledProtocols
Where:
Path: /UserVars/ESXiHostdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value:
Valid Characters: *
Disabling SSLv3 ProtocolTo disable SSLv3 protocol follow these steps:
- Login to ESXi using putty.exe
- Run the following command to disable SSLv3:
esxcli system settings advanced set -o /UserVars/ESXiHostdDisabledProtocols -s "SSLv3"
- Restart the rhttpproxy services by running the following command:
/etc/init.d/hostd restart
- Run the following command to get a list of disabled protocols for hostd:
esxcli system settings advanced list -o /UserVars/ESXiHostdDisabledProtocols
Where:
Path: /UserVars/ESXiHostdDisabledProtocols
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value:
Valid Characters: *
In event of unexpected behavior, restore the earlier backed up proxy configuration file to revert the system to clean state, as it was before.
HostProfile
Configuration of the Hostd can also be captured through host profile by following these steps:
- Log in to VC with vSphere Web Client.
- Right click the target host and click Extract Host Profile to create a new hostprofile.
- After the hostprofile is created, navigate to Home > Host Profiles > your_host_profile to edit it.
- In the Edit Host Profiles tab, you can find the entry for hostd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > ESXiHostdDisabledProtocols
- The application of hostd in host profile is the same as other settings. If the configuration for hostd is included in host profile, difference between host profile and target host for hostd is displayed and replaced when choosing the target host to apply the host profile.
Authd - Port 902
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on Authd service for ESXi 5.0 patch released on 06/14/2016follow these steps:
- Login to ESXi using putty.exe.
- To enable SSLv3, run the following command:
esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols50 -s ""
- Run the following command to get a list of disabled protocols for authd:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols50
Where:
Path: /UserVars/VMAuthdDisabledProtocols50
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value:
Default String Value:
Valid Characters: *
Disabling SSLv3 ProtocolTo disable SSLv3 protocol follow these steps:
- Login to ESXi using putty.exe
- To disable sslv3, run the following command:
esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols50 -s "sslv3"
- Run the following command to get a list of disabled protocols for authd:
esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols50
Where:
Path: /UserVars/VMAuthdDisabledProtocols50
Type: string
Int Value: 0
Default Int Value: 0
Min Value: 0
Max Value: 0
String Value: sslv3
Default String Value:
Valid Characters: *
In event of unexpected behavior, restore the earlier backed up proxy configuration file to revert the system to clean state, as it was before.
HostProfile
Configuration of the Authd can also be captured through host profile by following these steps:
- Log in to VC with vSphere Web Client.
- Right click the target host and click Extract Host Profile to create a new hostprofile.
- After the hostprofile is created, navigate to Home > Host Profiles > your_host_profile to edit it.
- In the Edit Host Profiles tab, you can find the entry for authd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > VMAuthdDisabledProtocols50.
- The application of authd in host profile is the same as other settings. If the configuration for authd is included in host profile, difference between host profile and target host for authd is displayed and replaced when choosing the target host to apply the host profile.
SFCBD - Port 5989
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on SFCBD service for ESXi 5.0 patch released on 06/14/2016 follow these steps:
- Log in to ESXi usingputty.exe.
- Run the following command and edit the file:
vi /etc/sfcb/sfcb.cfg
enableSSLv3: true
- Save the file.
- Restart the service for configuration to take effect using below command:
/etc/init.d/sfcbd-watchdog restart
Disabling SSLv3 ProtocolTo disable SSLv3 protocol on SFCBD service for ESXi 5.0 patch released on 06/14/2016 follow these steps:
- Log in to ESXi using putty.exe.
- Run the following command to modify the file and to disable SSLv3:
vi /etc/sfcb/sfcb.cfg
- Add new entry similar to the following to disable SSLv3. If the entry exists, set the value to false:
enableSSLv3: false
- Save the file.
HostProfileConfiguration for CIM can also be captured by host profile:
- Log in to vCenter Server with C#.
- Right click the target host and click Extract Host Profile to create a new host profile.
- Choose Home > Host Profiles > your host profile to edit it.
- On the Edit Host Profiles tab, > Select General System Settings> Management Agent Confirguraion under SFCB Configuration > Settings > enable sslv3.
- Apply the host profile to stateful or stateless systems.
- Restart the service for configuration to take effect using below command:
/etc/init.d/sfcbd-watchdog restart
Virtual Appliance Management Interface (VAMI) service - Port 5480
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on VAMI service for vCenter Server 5.0 Update 3g follow these steps:
- Go to /opt/vmware/etc/lighttpd/lighttpd.conf file.
- Create a backup copy of the file.
- Search for this line:
ssl.use-sslv3="disable"
- Modify the line to:
ssl.use-sslv3="enable"
- Save the file.
- Restart the VAMI Service with the following command:
service vami-lighttp restart
Disbaling SSLv3 ProtocolTo disable SSLv3 protocol on VAMI service for vCenter Server 5.0 Update 3g follow these steps:
- Go to/opt/vmware/etc/lighttpd/lighttpd.conf.
- Create a backup copy of the file.
- Search for this line:
ssl.use-sslv3="enable"
- Add the following line in the cofig file, in case there is no ssl.use-sslv3="enable"
ssl.engine = "enable"
- Modify the line to:
ssl.use-sslv3="disable"
- Save the file.
- Restart the VAMI Service with the following command:
service vami-lighttp restart
Authentication proxy (CAM) service - Port 51915
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on CAM service for vCenter Server 5.0 Update 3g follow these steps:
- Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.
- Navigate to this location in the Registry Editor window:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
- In the navigation tree, right-click Protocols, and select New > Key.
- Enter SSL3.0 as the key name.
- Repeat step 5 to create two SSL3.0 keys. Name the two keys as Server and Client.
- Right-click on the Client key, and select New > DWORD (32-bit) Value.
- Enter DisabledByDefault as the value name.
- Double-click DisabledByDefault, and enter 0 as the data value.
- Click OK.
- Right-click on the Sever key, and select New > DWORD (32-bit) Value.
- Enter Enabled as the value name.
- Double-click Enabled, and enter 1 as the data value.
- Click OK
- Restart the server.
Disbaling SSLv3 ProtocolTo disable SSLv3 protocol on CAM service forvCenter Server 5.0 Update 3g follow these steps:
- Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.
- Navigate to this location in the Registry Editor window:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
- In the navigation tree, right-click Protocols, and select New > Key.
- Enter SSL3.0 as the key name.
- Create two keys under SSL3.0 key and name them as Server and Client.
- Right-click on the Client key, and select New > DWORD (32-bit) Value.
- Enter DisabledByDefault as the value name.
- Double-click DisabledByDefault, and enter 1 as the data value.
- Click OK.
- Right-click on the Sever key, and select New > DWORD (32-bit) Value.
- Enter Enabled as the value name.
- Double-click Enabled, and enter 0 as the data value.
- Click OK
- Restart the server.
Syslog Collector service - Port 1514
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on Syslog Collector service for vCenter Server 5.0 Update 3g follow these steps:
- Access the configuration file from the following locations:
- Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
- vCenter Server Appliance default location:/etc/syslog-ng/stunnel.conf.
- Create a backup copy of the file.
- For Windows, edit the file to remove <disableSSLv3></disableSSLv3> node as shown here:
<ssl>
<defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
<privateKey>vmsyslogcollector.key</privateKey>
<certificate>vmsyslogcollector.crt</certificate>
</ssl>
- For VCSA:
Remove options=NO_SSLv3 from the configuration file.
- Save the file and restart.
- Window: Restart the vmsyslogcollector Service.
VCSA: Service syslog-collector restart
Disabling SSLv3 ProtocolTo disable SSLv3 protocol on Syslog Collector service for vCenter Server 5.0 Update 3g follow these steps:
- Access the configuration file from the following locations:
- Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
- vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf
- Create a backup copy of the file.
- For Windows, edit the file to add <disableSSLv3></disableSSLv3> node as shown here:
<ssl>
<defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
<privateKey>vmsyslogcollector.key</privateKey>
<certificate>vmsyslogcollector.crt</certificate>
<disableSSLv3></disableSSLv3>
</ssl>
- For VCSA:
Add new line "options=NO_SSLv3" in the /etc/syslog-ng/stunnel.conf configuration file.
- Save the file and restart.
Windows: Restart the vmsyslogcollector service
VCSA: /etc/init.d/syslog-collector restart
VMware vSphere Web Client Service (vspherewebclientsv) - Port 9443
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on vSphere Web Client Service service forvCenter Server 5.0 Update 3g follow these steps:
- Open thetomcat-server.xml file:
- Windows default location:C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
- vCenter Server Appliance default location:/usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml
- Create a backup copy of the file.
- Edit the file to add SSLv3 to sslEnabledProtocols list as shown here to enable SSLv3:
<Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="SSLv3, TLSv1">
- Save the file.
- Restart the Management webservices.
Windows: Restart VMware management webservices service.
VCSA: Restart VPXD service.
Disabling SSLv3 ProtocolTo disable SSLv3 protocol on vSphere Web Client Service service for vCenter Server 5.0 Update 3g follow these steps:
- Open the tomcat-server.xml file:
- Windows default location:C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
- vCenter Server Appliance default location:/usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml
- Create a backup copy of the file.
- Edit the file to remove SSLv3 to sslEnabledProtocols="TLSv1" list as shown here to disable SSLv3:
<Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="TLSv1">
- Save the file.
- For windows, restart the VMware Management webservices.
- For VCSA, restart VPXD.
VMware Virtual Center Server (vpxd) - Port 443
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on Virtual Center Server service forvCenter Server 5.0 Update 3g follow these steps:
- Open the vpxd.cfg file:
- Windows default location:C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
- vCenter Server Appliance default location:/etc/vmware-vpx/vpxd.cfg
- Create a backup copy of the file.
- Edit the file remove the <sslOptions></sslOptions> to enable SSLv3 respectively:
<vmacore>
<cacheProperties>true</cacheProperties>
<ssl>
<useCompression>true</useCompression>
</ssl>
<threadPool>
<TaskMax>90</TaskMax>
<threadNamePrefix>vpxd</threadNamePrefix>
</threadPool>
</vmacore>
- Save the file.
- Restart the vpxd Service.
- Windows default location: Restart the VMware VirtualCenter Server service from services.msc
- vCenter Server Appliance: Execute the command from command prompt:
/etc/init.d/vmware-vpxd restart.
Disbaling SSLv3 Protocol
To disable SSLv3 protocol on Virtual Center Server service forvCenter Server 5.0 Update 3g follow these steps:
- Open the vpxd.cfg file:
- Windows default location:C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
- vCenter Server Appliance default location: /etc/vmware-vpx/vpxd.cfg
- Create a backup copy of the file.
- Edit the file to add<sslOptions>50479104</sslOptions> to disable SSLv3:
<vmacore>
<cacheProperties>true</cacheProperties>
<ssl>
<useCompression>true</useCompression>
<sslOptions>50479104</sslOptions>
</ssl>
<threadPool>
<TaskMax>90</TaskMax>
<threadNamePrefix>vpxd</threadNamePrefix>
</threadPool>
</vmacore>
- Save the file.
- Restart the vpxd Service.
- Windows default location: Restart the VMware VirtualCenter Server service from services.msc
- vCenter Server Appliance: Execute the command from command prompt:
/etc/init.d/vmware-vpxd restart.
vCenter Inventory Service database (invsvc) - XDB Port 10109, 10443
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on invsvc service for vCenter Server vCenter Server 5.0 Update 3g follow these steps:
- Open the query-server-config.xml file:
- Windows default location:C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
- vCenter Server Appliance default location:/usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml
- Create a backup copy of the file.
- Edit the file to add SSLv3 to enabledProtocols list as shown here to enable SSLv3:
<property name="enabledProtocols" value="SSLv3,TLSv1" />
- Save the file.
- Restart the Inventory Services.
Disbaling SSLv3 ProtocolTo disable SSLv3 protocol on invsvc service forvCenter Server 5.0 Update 3g follow these steps:
- Open the query-server-config.xml file:
- Windows default location: C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml.
- vCenter Server Appliance default location: /usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml.
- Create a backup copy of the file.
- Edit the file to remove SSLv3 from enabledProtocols list disable SSLv3:
<property name="enabledProtocols" value="TLSv1" />
- For VCSA:
Change the corresponding query-server-config.xml and server-config.xml files available in usr/lib/vmware-vpx/inventoryservice/lib/server/config
- Save the file.
- Restart the Inventory Service.
VMware Virtual Center Management Webservices - Port 8443
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.0 Update 3g follow these steps:
- Open theeserver.xml file:
- Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
- vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml
- Create a backup copy of the file.
- Edit the file to add SSLv3 tosslEnabledProtocols list as shown here to enable SSLv3:
<property name="enabledProtocols" value="SSLv3,TLSv1"/>
- Save the file.
- For windows, restart the VMware Management webservices.
- For VCSA, restart VPXD.
Disabling SSLv3 ProtocolTo disable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.0 Update 3g follow these steps:
- Open the server.xml file:
- Windows default location: C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
- vCenter Server Appliance default location: /usr/lib/vmware-vpx/tomcat/conf/server.xml
- Create a backup copy of the file.
- Edit the file to remove SSLv3 to sslEnabledProtocols list as shown here to disable SSLv3:
<property name="enabledProtocols" value="TLSv1"/>
- For VCSA:
Change the value in /usr/lib/vmware-vpx/tomcat/conf/server.xml file.
- Save the file.
- Restart the Management webservices.
Windows: Restart VMware management webservices service.
VCSA: Restart VPXD service.
SPS - Port 21100(VCSA), 31100(Windows)
Enabling SSLv3 Protocol
To enable SSLv3 protocol on SPS for vCenter Server 5.0 Update 3g follow these steps:
- Open the sps-spring-config.xml file:
- Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
- vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml
- Create a backup copy of the file.
- Edit the file to add value SSLv3 to enabledProtocols list as shown here to enable SSLv3:
<property name="enabledProtocols" value="SSLv3,TLSv1 "/>
- Save the file.
- Restart the SPS service.
Disabling SSLv3 Protocol
To disable SSLv3 protocol on SPS for vCenter Server 5.0 Update 3g follow these steps:
- Open the sps-spring-config.xml file:
- Windows default location: C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
- vCenter Server Appliance default location: /usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml
- Create a backup copy of the file.
- To disable SSLv3, remove the string SSLv3 from the list of EnabledProtocols insps-spring-config list:
Change <property name="enabledProtocols" value="SSLv3,TLSv1"/>" to <property name="enabledProtocols" value="TLSv1"/>"
- Save the file.
- Restart the vmware-sps service.
Auto Deploy - Port 6501/6502
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on Auto Deploy service for vCenter Server 5.0 Update 3g follow these steps:
- Run the following command to Connect to vCenter Server:
PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>
- Run the following command to check the current status of SSLv3:
PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption
KeyValue
vlan-id0
disable-sslv31
- Run the following command to enable SSLv3:
To enable: PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0
- Restart the Auto Deploy service to update the change.
Disabling SSLv3 ProtocolTo disable SSLv3 protocol on Auto Deploy service forvCenter Server 5.0 Update 3g follow these steps:
- Run the following command to Connect to vCenter Server:
PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>
- Run the following command to check the current status of SSLv3:
PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption
KeyValue
vlan-id0
disable-sslv30
- Open modify autodeploy config file, to disable SSLv3:
- Windows default location: c:\ProgramData\VMware\VMware vSphere Autodeploy\vmconfig-autodeploy
- vCenter Server Appliance default location: /etc/vmware-rbd/autodeploy-setup.xml
- Edit the file and change the value from True to False to diasble sslv3 as shown here:
<ssl>
<disable-sslv3>False</disable-sslv3>
<ssl>
- Run the following command to disable SSLv3:
To disable:PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 1
- Restart the Auto Deploy service to update the change.
Update Manager - Port 9087/8084
Enabling SSLv3 ProtocolTo enable SSLv3 protocol on Update Manager service forvCenter Server 5.0 Update 3g follow these steps:
- Stop the vSphere Update Manager service.
- Go to Update Manager Install Directory.
- Edit the following to enable SSLv3:
- For port 9087, search and delete <Item>SSLv3</Item> from the jetty-vum-ssl.xml file:
<New class="org.eclipse.jetty.util.ssl.SslContextFactory">
<Arg>
<Set name="ExcludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
</Array>
</Set>
</New>
</Arg>
- For port 8084 , search and delete <sslOptions>33554432</sslOptions> from the vci-interity.xml file:
<ssl>
<cipherList>AES128-SHA, AES256-SHA</cipherList>
<handshakeTimeoutMs>120000</handshakeTimeoutMS>
<sslOptions>33554432</sslOptions>
<ssl>
<ssl>
<privateKey>ssl/rui.key</privateKey>
<certificate>ssl/rui.crt</certificate>
<sslOptions>33554432</sslOptions>
<ssl>
- Save and Restart the vSphere Update Manager service.
Disabling SSLv3 ProtocolTo disable SSLv3 protocol on Update Manager service forvCenter Server 5.0 Update