Technical

vCenter Server 6.0 Update 1 Single Sign On and SSLv3

Hi,

vSphere 6.0 Update 1 is out and there’s lots of great updates. One that I think many will be interested in is SSLv3 as it relates to Single Sign-On. From the Update 1 Release Notes

SSLv3 protocol disabled by default on port 7444 in vCenter Server 6.0 Update


When you install vCenter Server 6.0 Update 1, the SSLv3 protocol is disabled on port 7444 by default. When you upgrade from an earlier release of vCenter Server to vCenter Server 6.0 Update 1, the SSLv3
protocol remains enabled on port 7444. Workaround: To disable SSLv3 on port 7444 see KB 2131310

This is important for those of you falling under a number of compliance regulations like PCI. I’m not going to boil the PCI ocean in this blog post. (it’s a BIG ocean!) What I will say is, talk to your TAM’s for more information on SSLv3 and vSphere.

So, what the release notes are telling you is if you install Update 1 fresh, you’re all set. If you are already running 6.0 and upgrade to Update 1, you’ll need to review the steps at KB2131310. These steps are relatively simple. I’ve dropped them in here and embelished them a bit.

1. Connect to the PSC machine.

2. Open the server.xml file for the vCenter Single Sign-On using the vi editor.

I know Windows folks, not my first choice. I prefer Nano but we’ll muscle through this together. I always refer to the vi Cheatsheet when using vi.

– Windows default location: C:ProgramDataVMwarevCenterServerruntimeVMwareSTSServiceconf
– vCenter Server Appliance default location: /usr/lib/vmware-sso/vmware-sts/conf/

 

  • 3. Find the following line:

    <Connector SSLEnabled=”true”
    Type “I” to enter insert mode. Down arrow to the line below and hit Return. Up arrow to the open line.4. Paste the following to the open line:

    sslEnabledProtocols=”TLSv1,TLSv1.1,TLSv1.2″

    See example:

    Screen Shot 2015-09-14 at 4.19.37 PM

    5. Save the file by typing “:wq”. This writes the file and quits vi.

    6. Restart the Security Token Service or the PSC machine to successfully disable SSLv3 on port 7444.

 

You should be good to go. Remember, as always, refer to the KB’s for the latest and greatest information. The VMware GSS group are constantly updating them and that’s what they refer to when they talk to you.

mike