Sometimes it feels like I should just redirect my blog to William Lam’s. It’s not that I read through it and implement whatever he wrote about a year ago; it’s that every time I have a task to tackle, he’s in Google’s top five results. Recently my question was TLS, and he wrote my answer 18 months ago.
VMware has a nice tool with great documentation and the best name: the TLS Configurator. The doc does a great job of laying out the tool’s install, usage, and rollback. It isn’t without its shortcomings, though. As William described, it works well if your vCenter and ESXi hosts are on the same version, but it has issues in a mixed-version environment. He also found that the tool didn’t disable TLS/SSLv3 for the Small Footprint CIM Broker (sfcbd) service. My gripe is that it doesn’t include a way to list the currently disabled protocols; as an overly cautious admin, I like to see the settings as they are before and after my meddling. William’s PowerCLI mastery handled all of those issues.
VMware’s documentation lays out that you will want to apply your TLS settings in this order:
1. Separate Windows VUM server (if applicable)
2. vCenter Server
3. ESXi hosts
4. External PSC (if applicable)
My VUM is integrated, but my PSC is not, so I used steps 2-4. I followed the VMware doc for my vCenter and PSC, and William’s blog for the hosts. I don’t really have anything to add on top of what’s already out there; I just wanted to point out that it’s out there and that it has helped me!
Note: I’ve tested and written this with 6.5 U1 in mind. I’ve found William’s set module works with my 6.5 U2 hosts, but more configuration is required to actually disable the protocols. Once I get a chance, I’ll get another post up covering U2.
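Two things the post asks for and the configurator doesn’t give you are a way to list what a host currently has disabled, and a way to confirm the protocols are really gone on the wire (the U2 note above is exactly the case where the setting looks right but the listener still answers). The PowerCLI snippet below is an added example written for this page; it is not the original post’s code and not William Lam’s module. It assumes an open Connect-VIServer session, reads the ESXi 6.5 advanced option UserVars.ESXiVPsDisabledProtocols (the setting the host’s reverse proxy honours), and then does a plain .NET SslStream handshake per protocol version against 443 (reverse proxy) and 5989 (the sfcbd CIM service the configurator missed). The function names and the host name in the usage lines are my own.

```powershell
# Added example, not from the original post or William Lam's module.
# Assumes: PowerCLI loaded, Connect-VIServer already done, .NET 4.5+ on the client.

# What the host *says* it has disabled. UserVars.ESXiVPsDisabledProtocols holds a
# comma-separated list such as "sslv3,tlsv1,tlsv1.1"; empty means nothing disabled.
function Get-EsxiDisabledTlsProtocols {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $VMHostName)
    process {
        foreach ($name in $VMHostName) {
            $vmhost  = Get-VMHost -Name $name
            $setting = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.ESXiVPsDisabledProtocols'
            $disabled = if ([string]::IsNullOrEmpty($setting.Value)) { '(none)' } else { $setting.Value }
            [pscustomobject]@{
                VMHost   = $vmhost.Name
                Version  = $vmhost.Version
                Build    = $vmhost.Build
                Disabled = $disabled
            }
        }
    }
}

# What the host *does*. Tries exactly one protocol version against one listener.
# $true means the handshake completed, i.e. that version is still ENABLED there.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    # A failed TCP connect is a reachability problem, not a protocol answer: let it throw.
    $tcp.Connect($ComputerName, $Port)
    try {
        # Accept any certificate on purpose: we are testing negotiation, not trust,
        # and ESXi hosts commonly present self-signed or internal-CA certificates.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        return $true
    } catch {
        # AuthenticationException (alert) or an IOException (connection reset) both
        # mean the server refused this version.
        return $false
    } finally {
        $tcp.Dispose()
    }
}

# Before/after report over the ports that matter here: 443 is fronted by the reverse
# proxy (governed by the advanced setting above); 5989 is sfcbd's CIM-over-HTTPS port,
# which the configurator did not cover.
function Get-EsxiTlsProbeReport {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int[]] $Ports = @(443, 5989)
    )
    $versions = [ordered]@{
        'SSLv3'   = [System.Security.Authentication.SslProtocols]::Ssl3
        'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
    }
    foreach ($port in $Ports) {
        foreach ($label in $versions.Keys) {
            [pscustomobject]@{
                VMHost   = $ComputerName
                Port     = $port
                Protocol = $label
                Accepted = Test-TlsProtocol -ComputerName $ComputerName -Port $port -Protocol $versions[$label]
            }
        }
    }
}

# Usage (host name is made up for the example): run both before and after the change.
# Get-VMHost | Select-Object -ExpandProperty Name | Get-EsxiDisabledTlsProtocols | Format-Table
# Get-EsxiTlsProbeReport -ComputerName esxi01.lab.local | Format-Table
```

Read the two outputs together: after the change you want `Disabled` to list sslv3, tlsv1 and tlsv1.1 and the probe to show `Accepted` only for TLS 1.2 on both ports. One caveat on the probe: it is only as good as the client. If the Windows box you run it from has SSLv3 or TLS 1.0 turned off in SCHANNEL, those rows will read `False` whatever the host does, and a `False` on TLS 1.2 means something is wrong on your side, not the host’s. Run it from a client that still allows the old versions, or at least sanity-check it against a host you haven’t touched yet.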