Configuring SSLv3 protocol on vSphere 5.1
search cancel

Configuring SSLv3 protocol on vSphere 5.1

book

Article ID: 340163

calendar_today

Updated On:

Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Support for SSLv3 protocol is enabled by default and is configurable.

Note: To disable SSLv3 in your vSphere environment, you need to update ESXi to ESXi 5.1 patch [3872664] released on 05/24/2016 and update vCenter Server to vCenter Server 5.1 Update 3d first and then manually disable SSLv3 through configuration settings, for more information, see KB 2139396.

ESXi hosts updated to ESXi 5.1 patch [3872664] released on 05/24/2016 can be managed by older vCenter Server only if SSLv3 is not disabled in ESXi hosts.

VMware highly recommends you to update ESXi hosts to ESXi 5.1 patch [3872664] while managing them from vCenter Server 5.1 Update 3d.

The following products might not work if SSLv3 is disabled in vSphere 5.1 environment:

  • Site Recovery Manager
  • Big Data Extensions
For more information on products eligible for SSLv3 disablement with vSphere 5.1, see KB 2145484.


Environment

VMware vCenter Server 5.1.x
VMware vSphere ESXi 5.1

Resolution

vSphere 5.1 Ports and Services

Service

Port

Configuration Steps
Hostd
443
Authd
902
SFCBD
5989
Single Sign On (SSO)
7444
Virtual Appliance Management Interface (VAMI)
5480
Authentication proxy service (CAM)
51915
Syslog Collector (vmsyslogcollector)
1514
VMware vSphere Web Client Service (vspherewebclientsvc)
9443
VirtualCenter Server service (vpxd)
443
vCenter Inventory Service database (invsvc)
10109
VMware VirtualCenter Management Webservices
8443
SPS
21100(VCSA), 31100(windows)
Auto Deploy servie port
Auto Deploy management port

6501
6502

Log Browser12443Log Browser service
vSphere Update Manager
8084/9087

Hostd service - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Hostd service for ESXi 5.1 patch [3872664] released on 05/24/2016 follow these steps:

  1. Login to ESXi using putty.exe

  2. To enable SSLv3 is run the following command:
    esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols51 -s ""

  3. Restart the rhttpproxy services by running the following command:
    /etc/init.d/rhttpproxy restart
    watchdog-rhttpproxy: Terminating watchdog process with PID 6276
    rhttpproxy stopped.
    rhttpproxy started.

  4. Run the following command to get a list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols51
    Where:
    Path: /UserVars/ESXiRhttpproxyDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *

Disabling SSLv3 Protocol

To disable SSLv3 protocol follow these steps:

  1. Login to ESXi using putty.exe

  2. Run the following command to disable SSLv3:
    esxcli system settings advanced set -o /UserVars/ESXiRhttpproxyDisabledProtocols51 -s "SSLv3"

  3. Restart the rhttpproxy services by running the following command:

    /etc/init.d/rhttpproxy restart
    watchdog-rhttpproxy: Terminating watchdog process with PID 6276
    rhttpproxy stopped.
    rhttpproxy started.

  4. Run the following command to get a list of disabled protocols for hostd:

    esxcli system settings advanced list -o /UserVars/ESXiRhttpproxyDisabledProtocols51

    Where:
    Path: /UserVars/ESXiRhttpproxyDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *


In event of unexpected behavior, restore the earlier backed up proxy configuration file to revert the system to clean state, as it was before.

HostProfile

Configuration of the Hostd can also be captured through host profile by following these steps:

  1. Log in to VC with vSphere Web Client.

  2. Right click the target host and click Extract Host Profile to create a new hostprofile.

  3. After the hostprofile is created, navigate to Home > Host Profiles > your_host_profile to edit it.

  4. In the Edit Host Profiles tab, you can find the entry for hostd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > ESXiRhttpproxyDisabledProtocols51

  5. The application of hostd in host profile is the same as other settings. If the configuration for hostd is included in host profile, difference between host profile and target host for hostd is displayed and replaced when choosing the target host to apply the host profile.

Authd - Port 902

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Authd service for ESXi 5.1 patch [3872664] released on 05/24/2016 follow these steps:

  1. Login to ESXi using putty.exe

  2. To enable SSLv3, run the following command:
    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols51 -s ""

  3. Run the following command to get a list of disabled protocols for authd:
    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols51

    Where:
    Path: /UserVars/VMAuthdDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value:
    Default String Value:
    Valid Characters: *

Disabling SSLv3 Protocol

To disable SSLv3 protocol follow these steps:

  1. Login to ESXi using putty.exe

  2. To disable SSLv3, run the following command:
    esxcli system settings advanced set -o /UserVars/VMAuthdDisabledProtocols51 -s "SSLv3"

  3. Run the following command to get a list of disabled protocols for authd:
    esxcli system settings advanced list -o /UserVars/VMAuthdDisabledProtocols51

    Where:
    Path: /UserVars/VMAuthdDisabledProtocols51
    Type: string
    Int Value: 0
    Default Int Value: 0
    Min Value: 0
    Max Value: 0
    String Value: sslv3
    Default String Value:
    Valid Characters: *


In event of unexpected behavior, restore the earlier backed up proxy configuration file to revert the system to clean state, as it was before.

HostProfile

Configuration of the Authd can also be captured through host profile by following these steps:

  1. Log in to VC with vSphere Web Client.

  2. Right click the target host and click Extract Host Profile to create a new hostprofile.

  3. After the hostprofile is created, navigate to Home > Host Profiles > your_host_profile to edit it.

  4. In the Edit Host Profiles tab, you can find the entry for authd under [Advanced Configuration Settings] > [Advanced Options] > [Advanced Configuration Options] > VMAuthdDisabledProtocols51.

  5. The application of authd in host profile is the same as other settings. If the configuration for authd is included in host profile, difference between host profile and target host for authd is displayed and replaced when choosing the target host to apply the host profile.

SFCBD - Port 5989

Enabling SSLv3 Protocol
To enable SSLv3 protocol on SFCBD service for ESXi 5.1 patch [3872664] released on 05/24/2016 follow these steps:
  1. Log in to ESXi usingputty.exe .

  2. Run the following command and edit the file:

    vi /etc/sfcb/sfcb.cfg
    enableSSLv3: true

  3. Save the file.

  4. Restart the service for configuration to take effect using below command:

    /etc/init.d/sfcbd-watchdog restart
Disabling SSLv3 Protocol
To disable SSLv3 protocol on SFCBD service for ESXi 5.1 Update 3d follow these steps:
  1. Log in to ESXi usingputty.exe .

  2. Run the following command to modify the file and to disable SSLv3:

    vi /etc/sfcb/sfcb.cfg

  3. Add new entry similar to the following to disable SSLv3. If the entry exists, set the value to false:

    enableSSLv3: false

  4. Save the file.

  5. Run the following command to restart the service for configuration to take effect:

    /etc/init.d/sfcbd-watchdog restart
    /etc/init.d/sfcbd-watchdog status

    sfcbd is running.

HostProfile
Configuration for CIM can also be captured by host profile:

  1. Log in to vCenter Server with C#.

  2. Right click the target host and click Extract Host Profile to create a new host profile.

  3. Choose Home > Host Profiles > your host profile to edit it.

  4. On the Edit Host Profiles tab, > Select General System Settings> Management Agent Confirguraion under SFCB Configuration > Settings > enable SSL v3

  5. Apply the host profile to stateful or stateless systems.

  6. Restart the service for configuration to take effect using below command:

    /etc/init.d/sfcbd-watchdog restart

Single Sign On - Port 7444

Enabling SSLv3 Protocol

To enable SSLv3 protocol on SS0 service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open the server.xml file.

    • Windows default location: C:\Program Files\VMware\Infrastructure\SSOServer\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml


  2. Create a backup copy of the file.

  3. Edit the file to add the SSLv3 value to the two instances of sslEnabledProtocols tag, so that it lists as :
    sslEnabledProtocols="SSLv3,TLSv1"

  4. Save the file.

  5. Restart the vmware-sso service.

    • For vCenter Server Appliance: Restart the vmware-sso service using the command service vmware-sso restart
    • For Windows: Restart the vCenter Single Sign On service from services.msc.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on SS0 service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open the server.xml file.

    • Windows default location: C:\Program Files\VMware\Infrastructure\SSOServer\conf\server.xml
    • vCenter Server Appliance default location: /usr/lib/vmware-sso/conf/server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove the SSLv3 value from the two instances of sslEnabledProtocols tag, to disable SSLv3 as follows
    sslEnabledProtocols="TLSv1"
  4. Save the file.

  5. Restart the vmware-sso service.

    • For vCenter Server Appliance: Restart the vmware-sso service using the command service vmware-sso restart.
    • For Windows: Restart the vCenter Single Sign On service from services.msc.

Virtual Appliance Management Interface (VAMI) service - Port 5480

Enabling SSLv3 Protocol

To enable SSLv3 protocol on VAMI service for vCenter Server 5.1 Update 3d follow these steps:

  1. Go to /opt/vmware/etc/lighttpd/lighttpd.conf file.

  2. Create a backup copy of the file.

  3. Search for this line:

    ssl.use-sslv3="disable"

  4. Modify the line to:

    ssl.use-sslv3="enable"

  5. Save the file.

  6. Restart the VAMI Service with the following command:

    service vami-lighttp restart
Disbaling SSLv3 Protocol

To disable SSLv3 protocol on VAMI service for vCenter Server 5.1 Update 3d follow these steps:

  1. Go to/opt/vmware/etc/lighttpd/lighttpd.conf.

  2. Create a backup copy of the file.

  3. Search for this line:

    ssl.use-sslv3="enable"

  4. Add the following line in the cofig file, in case there is no ssl.use-sslv3="enable"

    ssl.engine = "enable"

  5. Modify the line to:

    ssl.use-sslv3="disable"

  6. Save the file.

  7. Restart the VAMI Service with the following command:

    service vami-lighttp restart

Authentication proxy (CAM) service - Port 51915

Enabling SSLv3 Protocol

To enable SSLv3 protocol on CAM service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Repeat step 5 to create two SSL3.0 keys. Name the two keys as Server and Client.

  6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 0 as the data value.
    • Click OK.

  7. Right-click on the Sever key, and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 1 as the data value.
    • Click OK

  8. Restart the server.
Disbaling SSLv3 Protocol

To disable SSLv3 protocol on CAM service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open and run the Registry Editor on the server where VMware Authentication Proxy is installed, as an administrator.

  2. Navigate to this location in the Registry Editor window:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

  3. In the navigation tree, right-click Protocols, and select New > Key.

  4. Enter SSL3.0 as the key name.

  5. Create two keys under SSL3.0 key and name them as Server and Client.

  6. Right-click on the Client key, and select New > DWORD (32-bit) Value.

    • Enter DisabledByDefault as the value name.
    • Double-click DisabledByDefault, and enter 1 as the data value.
    • Click OK.



  7. Right-click on the Sever key, and select New > DWORD (32-bit) Value.

    • Enter Enabled as the value name.
    • Double-click Enabled, and enter 0 as the data value.
    • Click OK

  8. Restart the server.

Syslog Collector service - Port 1514

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Syslog Collector service for vCenter Server 5.1 Update 3d follow these steps:

  1. Access the configuration file from the following locations:

    • Windows default location:C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location:/etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to remove <disableSSLv3></disableSSLv3> node as shown here:

    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    </ssl>

  4. For VCSA:

    Removeoptions=NO_SSLv3 from the configuration file.

  5. Save the file and restart.

  6. Window: Restart the vmsyslogcollector Service.

    VCSA: Service syslog-collector restart
Disabling SSLv3 Protocol

To disable SSLv3 protocol on Syslog Collector service for vCenter Server 5.1 Update 3d follow these steps:

  1. Access the configuration file from the following locations:

    • Windows default location: C:\ProgramData\VMware\VMware Syslog Collector\vmconfig-syslog.xml
    • vCenter Server Appliance default location: /etc/syslog-ng/stunnel.conf

  2. Create a backup copy of the file.

  3. For Windows, edit the file to add <disableSSLv3></disableSSLv3> node as shown here:

    <ssl>
    <defaultSSLPath>C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector\ssl</defaultSSLPath>
    <privateKey>vmsyslogcollector.key</privateKey>
    <certificate>vmsyslogcollector.crt</certificate>
    <disableSSLv3></disableSSLv3>
    </ssl>

  4. For VCSA:

    Add new line "options=NO_SSLv3" in the /etc/syslog-ng/stunnel.conf configuration file.

  5. Save the file and restart.

    Windows: Restart the vmsyslogcollector service

    VCSA: /etc/init.d/syslog-collector restart

VMware vSphere Web Client Service (vspherewebclientsv) - Port 9443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on vSphere Web Client Service service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open thetomcat-server.xml file:

    • Windows default location:C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml
    • vCenter Server Appliance default location:/usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to add SSLv3 to sslEnabledProtocols list as shown here to enable SSLv3:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="SSLv3, TLSv1">

  4. Save the file.

  5. Restart the Management webservices.

    Windows: Restart VMware management webservices service.

    VCSA: Restart VPXD service.
Disabling SSLv3 Protocol

To disable SSLv3 protocol on vSphere Web Client Service service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open thetomcat-server.xml file:

    • Windows default location:C:\Program Files\VMware\Infrastructure\vSphereWebClient\server\config\tomcat-server.xml

    • vCenter Server Appliance default location:/usr/lib/vmware-vsphere-client/server/config/tomcat-server.xml

  2. Create a backup copy of the file.

  3. Edit the file to remove SSLv3 to sslEnabledProtocols="TLSv1" list as shown here to disable SSLv3:

    <Connector port="9443" protocol="HTTP/1.1" sslEnabledProtocols="TLSv1">

  4. Save the file.

  5. For windows, restart the VMware Management webservices.

  6. For VCSA, restart VPXD.

VMware Virtual Center Server (vpxd) - Port 443

Enabling SSLv3 Protocol

To enable SSLv3 protocol on Virtual Center Server service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open thevpxd.cfg file:

    • Windows default location:C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location:/etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file remove the<sslOptions></sslOptions> to enable SSLv3 respectively:


    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>

  4. Save the file.

  5. Restart the vpxd Service.
    • Windows default location: Restart the VMware VirtualCenter Server service from services.msc

    • vCenter Server Appliance: Execute the command from command prompt:
      /etc/init.d/vmware-vpxd restart.

Disbaling SSLv3 Protocol

To disable SSLv3 protocol on Virtual Center Server service for vCenter Server 5.1 Update 3d follow these steps:

  1. Open thevpxd.cfg file:

    • Windows default location:C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg
    • vCenter Server Appliance default location:/etc/vmware-vpx/vpxd.cfg

  2. Create a backup copy of the file.

  3. Edit the file to add<sslOptions>50479104</sslOptions> to disable SSLv3:

    <vmacore>
    <cacheProperties>true</cacheProperties>
    <ssl>
    <useCompression>true</useCompression>
    <sslOptions>50479104</sslOptions>
    </ssl>
    <threadPool>
    <TaskMax>90</TaskMax>
    <threadNamePrefix>vpxd</threadNamePrefix>
    </threadPool>
    </vmacore>

  4. Save the file.

  5. Restart the vpxd Service.

    • Windows default location: Restart the VMware VirtualCenter Server service from services.msc

    • vCenter Server Appliance: Execute the command from command prompt:
      /etc/init.d/vmware-vpxd restart.

    vCenter Inventory Service database (invsvc) - XDB Port 10109, 10443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on invsvc service for vCenter Server 5.1 Update 3d follow these steps:

    1. Open thequery-server-config.xml file:

      • Windows default location:C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
      • vCenter Server Appliance default location:/usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 to enabledProtocols list as shown here to enable SSLv3:

      <property name="enabledProtocols" value="SSLv3,TLSv1" />

    4. Save the file.

    5. Restart the Inventory Services.
    Disbaling SSLv3 Protocol

    To disable SSLv3 protocol on invsvc service for vCenter Server 5.1 Update 3d follow these steps:

    1. Open thequery-server-config.xmlfile:

      • Windows default location:C:\Program Files\VMware\Infrastructure\Inventory Service\lib\server\config\server-confg.xml
      • vCenter Server Appliance default location:/usr/lib/vmware-vpx/inventoryservice/lib/server/config/server-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from enabledProtocols list disable SSLv3:

      <property name="enabledProtocols" value="TLSv1" />

    4. For VCSA:
      Change the corresponding query-server-config.xml and server-config.xml files available in usr/lib/vmware-vpx/inventoryservice/lib/server/config

    5. Save the file.

    6. Restart the Inventory Service.

    VMware Virtual Center Management Webservices - Port 8443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.1 Update 3d follow these steps:

    1. Open theserver.xml file:

      • Windows default location:C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
      • vCenter Server Appliance default location:/usr/lib/vmware-vpx/tomcat/conf/server.xml

    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 tosslEnabledProtocols list as shown here to enable SSLv3:

      <property name="enabledProtocols" value="SSLv3,TLSv1"/>

    4. Save the file.

    5. For windows, restart the VMware Management webservices.

    6. For VCSA, restart VPXD.
    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Virtual Center Management Webservices for vCenter Server 5.1 Update 3d follow these steps:

    1. Open theserver.xml file:

      • Windows default location:C:\Program Files\VMware\Infrastructure\tomcat\conf\server.xml
      • vCenter Server Appliance default location:/usr/lib/vmware-vpx/tomcat/conf/server.xml

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 tosslEnabledProtocols list as shown here to disable SSLv3:

      <property name="enabledProtocols" value="TLSv1"/>

    4. For VCSA:
      Change the value in /usr/lib/vmware-vpx/tomcat/conf/server.xml file.

    5. Save the file.

    6. Restart the Management webservices.

      Windows: Restart VMware management webservices service.

      VCSA: Restart VPXD service.

    SPS - Port 21100(VCSA), 31100(Windows)

    Enabling SSLv3 Protocol
    To enable SSLv3 protocol on SPS for vCenter Server 5.1 Update 3d follow these steps:

    1. Open thesps-spring-config.xml file:

      • Windows default location:C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
      • vCenter Server Appliance default location:/usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

    2. Create a backup copy of the file.

    3. Edit the file to add value SSLv3 to enabledProtocolslist as shown here to enable SSLv3:

      <property name="enabledProtocols" value="SSLv3,TLSv1 "/>

    4. Save the file.

    5. Restart the SPS service.

    Disabling SSLv3 Protocol
    To disable SSLv3 protocol on SPS for vCenter Server 5.1 Update 3d follow these steps:

    1. Open thesps-spring-config.xml file:

      • Windows default location:C:\Program Files\VMware\Infrastructure\Profile-Driven Storage\conf\sps-spring-config.xml
      • vCenter Server Appliance default location:/usr/lib/vmware-vpx/sps/conf/sps-spring-config.xml

    2. Create a backup copy of the file.

    3. To disable SSLv3, remove the string SSLv3 from the list of EnabledProtocols insps-spring-config list:

      Change <property name="enabledProtocols" value="SSLv3,TLSv1"/>" to <property name="enabledProtocols" value="TLSv1"/>"

    4. Save the file.

    5. Restart the vmware-sps service.

    Auto Deploy - Port 6501/6502

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Auto Deploy service for vCenter Server 5.1 Update 3d follow these steps:

    1. Run the following command to Connect to vCenter Server:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

    2. Run the following command to check the current status of SSLv3:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption

      KeyValue

      vlan-id0
      disable-sslv31

    3. Run the following command to enable SSLv3:

      To enable: PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 0

    4. Restart the Auto Deploy service to update the change.
    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Auto Deploy service for vCenter Server 5.1 Update 3d follow these steps:

    1. Run the following command to Connect to vCenter Server:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Connect-VIServer -Server <FQDN_hostname or IP Address of vCenter Server>

    2. Run the following command to check the current status of SSLv3:

      PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Get-DeployOption
      KeyValue
      vlan-id0
      disable-sslv30

    3. Run the following command to enable SSLv3:

      To disable:PowerCLI C:\Program Files (x86)\VMware\Infrastructure\vSphere PowerCLI> Set-DeployOption disable-sslv3 1

    4. Restart the Auto Deploy service to update the change.

    Log Browser - Port 12443

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Log Browser service for vCenter Server 5.1 Update 3d follow these steps:

    1. Open the logbrowser.properties file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
      • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties
    2. Create a backup copy of the file.

    3. Edit the file to add SSLv3 from the following line to enable SSLv3:

      exclude-protocols=sslv3

    4. Save the file.

    5. Restart the Log Browser service.
    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Log Browser service for vCenter Server 5.1 Update 3d follow these steps:

    1. Open the logbrowser.properties file:

      • Windows default location: C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf\logbrowser.properties
      • vCenter Server Appliance default location: /usr/lib/vmware-logbrowser/conf/logbrowser.properties

    2. Create a backup copy of the file.

    3. Edit the file to remove SSLv3 from the following line to disabled SSLv3:

      exclude-protocols=sslv3

    4. Save the file.

    5. Restart the Log Browser service.

    Update Manager - Port 9087/8084

    Enabling SSLv3 Protocol

    To enable SSLv3 protocol on Update Manager service for vCenter Server 5.1 Update 3d follow these steps:

    1. Stop the vSphere Update Manager service.

    2. Go to Update Manager Install Directory.

    3. Edit the following to enable SSLv3:

      • For port 9087, search and delete <Item>SSLv3</Item> from the jetty-vum-ssl.xml file:

        <Arg>
        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
        <Item>SSLv3</Item>
        </Array>
        </Set>
        </New>
        </Arg>

      • For port 8084 , search and delete <sslOptions>33554432</sslOptions> from the vci-interity.xml file:

        <ssl>
        <cipherList>AES128-SHA, AES256-SHA</cipherList>
        <handshakeTimeoutMs>120000</handshakeTimeoutMS>
        <sslOptions>33554432</sslOptions>
        <ssl>
        <ssl>
        <privateKey>ssl/rui.key</privateKey>
        <certificate>ssl/rui.crt</certificate>
        <sslOptions>33554432</sslOptions>
        <ssl>

    4. Save and Restart the vSphere Update Manager service.
    Disabling SSLv3 Protocol

    To disable SSLv3 protocol on Update Manager service for vCenter Server 5.1 Update 3d follow these steps:

    1. Stop the vSphere Update Manager service.

    2. Go to Update Manager Install Directory.

    3. Edit the following to disable SSLv3:

      • For port 9087, add the following text after the <New class="org.eclipse.jetty.server.ssl.SslSocketConnector"> to the jetty-vum-ssl.xml file:
        <Arg>
        <New class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="ExcludeProtocols">
        <Array type="java.lang.String">
        <Item>SSLv3</Item>
        </Array>
        </Set>
        </New>
        </Arg>

      • For port 8084, add <sslOptions>33554432</sslOptions> to the vci-interity.xml file:
        <ssl>
        <cipherList>AES128-SHA, AES256-SHA</cipherList>
        <handshakeTimeoutMs>120000</handshakeTimeoutMS>
        <sslOptions>33554432</sslOptions>
        <ssl>
        <ssl>
        <privateKey>ssl/rui.key</privateKey>
        <certificate>ssl/rui.crt</certificate>
        <sslOptions>33554432</sslOptions>
        <ssl>

    4. Save and Restart the vSphere Update Manager service.

    Additional Information

    For translated versions of this article, see:
    Powered by Wolken Software