Tuesday, 11 June 2019

Disabling TLS 1.0 and 1.1 on vCenter and ESXi

I have been working with a customer who needed to disable TLS 1.0 and 1.1 across their whole estate; my part was vCenter, ESXi and NSX.

This is all covered in the official documentation: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-82028A21-8AB5-4E2E-90B8-A01D1FAD77B1.html

The order I followed was vCenter --> ESXi hosts --> NSX Manager.

To start with, download the TLS Reconfigurator tool from VMware.

Choose the package that matches your vCenter type (.rpm for the VCSA, .msi for vCenter on Windows):

I am using the VCSA, as most deployments now do, so the following instructions cover the VCSA.

To begin, copy the .rpm file to the VCSA using something like WinSCP or FileZilla. Note that you may need to enable the bash shell for root to allow this (from the appliance shell: shell.set --enabled true, then chsh -s /bin/bash root; we put it back at the end).

Copy it somewhere sensible like /tmp. Then install the tool by running rpm -Uvh /tmp/VMware-vSphereTlsReconfigurator-**********.x86_64.rpm. This installs the tool into /usr/lib/vmware-vSphereTlsReconfigurator; cd into that directory.


There are two sub-folders here, VcTlsReconfigurator and EsxTlsReconfigurator; we will start in VcTlsReconfigurator.

To disable both TLS 1.0 and 1.1 on vCenter, first take a snapshot of the VCSA (the change stops the vCenter services, so do this in a maintenance window), then run the following command:

./reconfigureVc update -p TLSv1.2

This runs through all of the vCenter components, reports which TLS versions each currently accepts, and reports again what they accept once the change has been applied. Note that it stops and restarts the vCenter services, so vCenter is unavailable while it runs.

(The original post shows the tool's "before" and "after" output as screenshots.)

Done; this should take no more than 5 minutes. On to the ESXi hosts: run cd ../EsxTlsReconfigurator.

Assuming you want to disable both TLS 1.0 and 1.1, there are two options here: run the tool against a whole cluster, or against an individual host:
  • ./reconfigureEsx vCenterCluster -c {clustername} -u administrator@vsphere.local -p TLSv1.2
  • ./reconfigureEsx vCenterHost -h {hostname.fqdn} -u administrator@vsphere.local -p TLSv1.2
It is much easier to run this against a cluster than against individual hosts; you have to enter the administrator@vsphere.local password on every run, so doing it host by host is time consuming. It is still worth knowing that the per-host option exists.

This does not change anything on its own; the new TLS settings only take effect when each host is restarted, so reboot the hosts (one at a time, in maintenance mode, if the cluster is running workloads):

After that, all of the ESXi hosts are reconfigured. On the vCenter, remove the .rpm file from /tmp and reset the root user's shell back to the appliance shell by running chsh -s /bin/appliancesh root.


Finally, on to the NSX Manager. Connect to the NSX Manager UI, log in with the admin credentials, click 'Manage Appliance Settings', then click 'Edit' next to 'FIPS Mode and TLS settings' and deselect TLS 1.0 and 1.1:


Again, this restarts the NSX Manager services, so the manager is briefly unavailable, but it does not affect running workloads.
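Neither the reconfigurator nor the NSX UI tells you what a client on the network actually sees, so before closing the change I check each endpoint from the outside. The script below is an added example, not part of the original post or of VMware's reconfigurator tool; it assumes a Linux box with the openssl command-line tool (1.1.0 or newer), and the port list (443 and 5480 for a VCSA) and the 44330 self-test port are my assumptions. It probes a host with TLS 1.0, 1.1 and 1.2 in turn and reports which the server accepts; run it against vCenter after the reconfigureVc step and against each ESXi host after its reboot.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of VMware's reconfigurator:
# verify from any Linux box with the openssl CLI that an endpoint refuses
# TLS 1.0 and 1.1 and still accepts TLS 1.2.  Needs OpenSSL 1.1.0 or newer.

# probe_tls HOST PORT VERSION -> prints accepted | rejected | unreachable
# VERSION is an openssl s_client protocol option name: tls1, tls1_1 or tls1_2.
probe_tls() {
    local host="$1" port="$2" version="$3" out
    # @SECLEVEL=0 lets a current OpenSSL client actually *offer* TLS 1.0/1.1;
    # without it the client gives up locally and a weak server would be
    # reported as hardened.  The server's own reply decides the verdict.
    out=$(openssl s_client -connect "${host}:${port}" "-${version}" \
              -cipher 'ALL:@SECLEVEL=0' </dev/null 2>&1) || true
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected            # handshake attempted, server said no
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo accepted            # handshake completed with this version
    else
        echo unreachable         # refused, timed out, DNS failure, ...
    fi
}

# check_host HOST PORT... -> prints one line per port/version and returns 1
# if TLS 1.0 or 1.1 is still accepted anywhere, so it can gate sign-off.
# Assumed ports for a VCSA: 443 (vSphere Client and API) and 5480 (appliance
# management interface); ESXi hosts and NSX Manager use 443.
check_host() {
    local host="$1" port version result rc=0
    shift
    for port in "$@"; do
        for version in tls1 tls1_1 tls1_2; do
            result=$(probe_tls "$host" "$port" "$version")
            printf '%-30s %-6s %-7s %s\n' "$host" "$port" "$version" "$result"
            case "$version:$result" in
                tls1:accepted|tls1_1:accepted) rc=1 ;;
            esac
        done
    done
    return "$rc"
}

# selftest -> starts a throwaway local openssl s_server restricted to
# TLS 1.2 (the post-reconfiguration state), probes it with all three
# versions, prints the verdicts and returns 0 when they are as expected.
# The listen port 44330 is an assumption; change it if something else uses it.
selftest() {
    local dir pid port=44330 r10 r11 r12 tries=0
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl s_server -accept "127.0.0.1:${port}" -cert "$dir/cert.pem" \
        -key "$dir/key.pem" -min_protocol TLSv1.2 -www -quiet >/dev/null 2>&1 &
    pid=$!
    while [ "$(probe_tls 127.0.0.1 "$port" tls1_2)" = unreachable ] && [ "$tries" -lt 10 ]; do
        sleep 1; tries=$((tries + 1))    # give the listener time to come up
    done
    r10=$(probe_tls 127.0.0.1 "$port" tls1)
    r11=$(probe_tls 127.0.0.1 "$port" tls1_1)
    r12=$(probe_tls 127.0.0.1 "$port" tls1_2)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "tls1=$r10 tls1_1=$r11 tls1_2=$r12"
    [ "$r10" != accepted ] && [ "$r11" != accepted ] && [ "$r12" = accepted ]
}

case "${1:-}" in
    --selftest) selftest ;;
    "")         echo "usage: $0 --selftest | HOST PORT..." >&2 ;;
    *)          check_host "$@" ;;
esac
```

Run it once with --selftest first: that stands up a local openssl s_server that only speaks TLS 1.2 and confirms the probe classifies it as rejected, rejected, accepted, so you can trust the verdicts before pointing it at production (for example, ./tlscheck.sh vcsa.example.local 443 5480). The verdict comes from the server's reply to a ClientHello that genuinely offers the legacy version, which is why the cipher security level is lowered on the client side only; if you swap in a different TLS client, make sure it is still willing to offer TLS 1.0 and 1.1, otherwise every server looks hardened. Against a host that silently drops packets the probe waits for the TCP timeout, so wrap it in timeout(1) when sweeping a large estate.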

5 comments:

  1. hello,

    When trying to update the hosts from the reconfigure vc, I get this:
    root@hostname [ /usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h hostname -u root -p TLSv1.1 TLSv1.2
    ESXi Transport Layer Security reconfigurator, version=6.5.0, build=7766806
    For more information refer to the following article: https://kb.vmware.com/kb/2147469
    Log file: "/var/log/vmware/vSphere-TlsReconfigurator/EsxTlsReconfigurator.log".
    Connecting to vCenter Server at: "localhost".
    Password:
    Traceback (most recent call last):
    File "./reconfigureEsx", line 564, in
    main()
    File "./reconfigureEsx", line 560, in main
    args.func(args)
    File "./reconfigureEsx", line 233, in ReconfigureVCenterHosts
    serviceInstance = GetConnection(args, VC_IP)
    File "./reconfigureEsx", line 513, in GetConnection
    sslContext=context)
    File "/usr/lib/vmware-vSphereTlsReconfigurator/EsxTlsReconfigurator/pyVim/connect.py", line 684, in SmartConnect
    raise Exception("%s:%s is not a VIM server" % (host, port))
    Exception: localhost:443 is not a VIM server

    Any ideas?

    Thanks

  2. The article was up to the point and described the information very effectively. Thanks to blog author for wonderful and informative post.
    Security Solution firm

hello,
    Is a video available for this activity?
