vSphere Infra - Disable TLSv1 and TLSv1.1

vSphere Infra - Disable TLSv1 and TLSv1.1

below are the methods used in vSphere 6.5 and 6.7

Disable TLSv1 and TLSv1.1 on vCenter Server Appliance

1) Scan to check current status



/usr/lib/vmware-TlsReconfigurator/VcTlsReconfigurator/reconfigureVc scan




Above scan result shows us there are TLSv1.0 and TLSv1.1 enabled. 

2) Now to enable only TLS1.2 use below command

Note-: This is not a live change. Proceeding this step will restart vCenter services. 



/usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator/reconfigureVc update -p TLSv1.2


Once complete you can see




Disable TLSv1 and TLSv1.1 on ESXi servers

1) On VCSA appliance CD to ESXTLSReconfigu




cd /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator


You have three options.

a) Run it against ESXi host / ESXi hosts
b) Run it against vCenter Cluster / vCenter Clusters

To run it against a vCenter clustervCenter clustes 


./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_vCenter_User -p TLSv1.2

Command support providing multiple cluster names in comma separated format. 

To run it against ESXi host / ESXi hosts


./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_vCenter_User -p TLSv1.2

Command support providing multiple ESXi names / IP address in comma separated format. 


Also take a look at William's script here. There are two functions here, which makes it much easier and can also scan ESXi hosts, which is missing in reconfigureEsx natively.




Comments

Post a Comment

Popular posts from this blog

vCenter Maintenance - Issue Non-ephemeral Portgroup

Image
Hi Friends, We had a issue last day due a miss configuration. We used to keep our vCenters on ephemeral port groups for troubleshooting purposes in case of any issue. We have a new vCenter now and as per standards our project team put that on a portgroup which was named as "ephemeral", but it was quiet late we found it was not actually setup as an ephemeral port group, but static instead :(. So issue was a config issue, but I wanted to share how we solved it hopping it might help someone in other situations too. The story is like this.  We planned to test an outage situation, by bringing down vCenter, to test if our VRA pre-build check can identify it. One of our lazy engineers went to Web Client of the ESXi server hosting vCenter and decided to turn the NIC off for the test. He received below error while turning it back on Description :- Reconfigure this virtual machine Virtual machine :- Non-PROD_vCenter State -: Failed - Invalid configuration for device '3...
Read more

vMotion Failing at 21% with error ""The vMotion failed because the destination host did not receive data from the source host on the vMotion network. Please check your vMotion network settings and physical network configuration and ensure they are correct."

Image
vMotion Failing at 21% with error ""The vMotion failed because the destination host did not receive data from the source host on the vMotion network. Please check your vMotion network settings and physical network configuration and ensure they are correct." Scenario We built a new ESXi 6.7 Cluster and we couldn't make vMotions work there Troubleshooting steps 1) Make sure there is no IP address conflict. 2) SSH to ESXi and do a VMK Ping check For Default TCP/IP Stack vmkping 10.11.7.188 Or If you are using Multi NIC vMotion, you might want to specify which VMK interface to use vmkping -I vmk<vmkinterfacenumber> <Destination VMK IP to Ping> Eg -:  vmkping -I vmk3 192.168.1.1 For vMotion Stack I f you try above vmkping command on a ESXi host with VMK interfaces on VMK stack, they will fail with an error  Unknown interface 'vmk': Invalid argument Because the command is looking for TCP/IP stack by default and this VMK wont be listed there. So you need...
Read more

applmgmt service wont start on PSC Appliace post converge operation

Scenario We had a vCenter with External PSC. We converged them and converge job was successful execpt a cert warning. After a week we tried to decommission the old PSC appliance and found that the status is shown in WebClient as "Unknown" Up on checking we found  applmgmt in stopped state. Tried to start it but it failed with below error [ ~ ]# service-control --status Running:  lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-certificatemanagement vmware-cis-license vmware-cm vmware-rhttpproxy vmware-sca vmware-sts-idmd vmware-stsd vmware-vapi-endpoint vmware-vmon Stopped:  applmgmt vmware-statsmonitor [ ~ ]# service-control --start applmgmt Operation not cancellable. Please wait for it to finish... Performing start operation on service applmgmt... Error executing start on service applmgmt. Details {     "detail": [         {             "tra...
Read more