Wednesday, March 29, 2017

Disable TLS v1.0 and v1.1 in vSphere 6.0

This is a very rough post with the base information - I will make this part of a series soon. 

This quick post only focuses on the use of the TLS tool in vSphere 6.0 in a very simple environment (VCSA with embedded PSC, hosts in the 3 situations used in the tool) for demonstration purposes. 

Also, note that only port 443 is tested, but both vSphere and ESXi have many other ports, some even outside of the TLS tool configuration.

This post focuses on only leaving TLS 1.2 enabled. Other posts which helped me and constitute good reading are by GaneshSekarbabu and by DanRaymond65.

We will basically put KB 2148819 into practice.

Before we start, make super sure you are running at least 6.0 Update 3 and your vCenter and hosts are on the same release! Also download the rpm version of the TLS tool from the same location where the VCSA is downloaded from.

If you are going to do the whole environment, the basic order is:

1) vCenters
2) hosts
3) PSCs

Steps needed to be able to run the tool:

#Open SSH (or use the VCSA console). You may need to follow this if it's not enabled already

#It's always a good idea to verify the SSH keys match

#Now execute these commands. Enable Bash shell:
shell.set --enable True

#Launch the "Bash" shell which is really a "pi shell":

#Change shell to Bash so SCP works (doesn't otherwise, not explained in the KB)
chsh -s "/bin/bash" root

*Go copy the TLS RPM file to the VCSA now*

#I copied the file to /tmp (or wherever, but notice you have to change the directory to what you used)
cd /tmp

#U is upgrade (assumes install if no older version found), v is verbose, h is hash (progress display)
rpm -Uvh VMware-vSphereTlsReconfigurator-6.0.0-5051284.x86_64.rpm

#Change directory to where TLS Reconfigurator was installed to
cd /usr/lib/vmware-vSphereTlsReconfigurator/

vCenter and PSC steps

#Switch to vCenter tool directory 
cd VcTlsReconfigurator

#Take a backup as per the KB
./reconfigureVc backup

*Go copy the backup directory to a safe place. Why? WHY NOT?*

Note: a scan of port 443 before running the tool, using sslscan (the Windows executable), shows TLS 1.0 and 1.1 are active:

#Do some damage! I mean, set TLS v1.2 as the only accepted protocol
./reconfigureVc update -p TLSv1.2

#Type a "y" to proceed. It doesn't really re-start the whole appliance, just the services

#Note it actually takes another backup. Gotta protect GSS :)

#Finally you will get a status report which confirms that only TLS v1.2 is configured

#The vSphere Client service takes a little longer to start than the rest. You can monitor it via the shell with
service vsphere-client status

#Note a scan of port 443 after running the tool shows only TLS 1.2 is now enabled:

ESXi steps

#Hosts MUST be rebooted after these commands for all changes to take effect!!

#Switch to ESX tool directory 
cd /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator

You have 3 options for host changes - by cluster, by host joined to this vCenter, or standalone hosts.

#If you are doing hosts joined to a vCenter inside a Cluster (this does the whole cluster)

#./reconfigureEsx vCenterCluster -c <Cluster_Name> -u <Administrative_User> -p TLSv1.2
./reconfigureEsx vCenterCluster -c MyCluster -u administrator@vsphere.local -p TLSv1.2

#It asks for the user's password and executes

#Don't forget to reboot the host!
#Scan before change

#Scan after change and reboot

#If you are doing one host joined to a vCenter

#./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u <Administrative_User> -p TLSv1.2
./reconfigureEsx vCenterHost -h <ESXi_Host_Name> -u administrator@vsphere.local -p TLSv1.2

#It asks for the user's password and executes

#Don't forget to reboot the host!

#Scan before change

#Scan after change and reboot

#If you are doing a host that is not joined to a vCenter

#./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u <User> -p TLSv1.2
./reconfigureEsx ESXiHost -h <ESXi_Host_Name> -u root -p TLSv1.2

#Note this uses a local ESXi account since this host is not in this vCenter

#Don't forget to reboot the host!

#Scan before change

#Scan after change and reboot
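
A scripted version of the before/after scans above, as an added example that is not part of the original post or of the VMware tool: it offers one protocol version at a time to each host and port and reports anything that breaks the TLS 1.2-only goal. The host name in `TARGETS` is a placeholder and the names `probe` and `audit` are made up for this example; the post only tests 443, so add the other ports you care about to the list.

```python
import socket
import ssl

# Protocol versions the post's scans distinguish; only TLSv1.2 should remain.
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}
ALLOWED = {"TLSv1.2"}
TARGETS = [("vcsa.example.local", 443)]  # placeholder host; list every port you care about


def probe(host, port, version, timeout=5.0):
    """Offer exactly one protocol version and report how the server reacted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # measuring protocol support, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Current OpenSSL builds refuse TLS 1.0/1.1 at their default security
        # level, which would make every server look hardened; lower it here only.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    except (ValueError, ssl.SSLError):
        return "client-unsupported"   # this Python/OpenSSL cannot offer the version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except OSError:                   # TLS alert, reset or timeout mid-handshake
        return "rejected"
    finally:
        raw.close()


def audit(targets, prober=probe):
    """Return (host, port, version, status) for every result that is wrong or inconclusive."""
    findings = []
    for host, port in targets:
        for version in VERSIONS:
            status = prober(host, port, version)
            expected = "accepted" if version in ALLOWED else "rejected"
            if status != expected:
                findings.append((host, port, version, status))
    return findings


if __name__ == "__main__":
    for finding in audit(TARGETS):
        print("FAIL %s:%d %s %s" % finding)
```

An empty result means TLS 1.0 and 1.1 were refused and TLS 1.2 was accepted on every target; `unreachable` and `client-unsupported` are reported as findings because they leave the question unanswered.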

Hope this helps. I'll go into a bit more detail as soon as I have some time! Ping me on twitter if you have any comments please.


  1. I found this blog in search results while I am searching for VMware jobs in Hyderabad. Thank you admin for sharing this post. It is useful for me.

  2. Thank you for the very helpful article. May I humbly suggest that you add some call-outs for VMware KB 2149000 and VMware KB 2137109? I implemented this change in our PCI-Non-Prod environment and bricked myself out of the desktop client and powercli. (FYI web client still works, which makes sense)

    I didn't realize until I actually went and read the KB that you referenced that this was a known thing with additional modifications required for each client. Since you do a great job walking everyone through all of the server-side steps, the client-side requirements for upgrades are worth mentioning. Thanks again!