Modifying TLS settings in vROps 7.5
May 20, 2019

If you’ve recently upgraded vROps to 7.5 you may wonder post upgrade why your vCenter 5.5 Adapters no longer work (and you see the below error message when testing Adapters….) or if you wrap up REST API calls with PowerShell (like done with PowervROps) and are no longer able to connect in some cases then this might be helpful…

vrops_connection_test_err

First check the following log for something similar to the entry below when you test your Adapters.

Administration > Support > Logs > {node} > Collector > collector.log

[46859] 2019-05-20 23:03:10,356 ERROR [Collector worker thread 11]  com.vmware.vcops.vlsi.VimClientFactory.createVimClientImpl - Exception occurred while creating VIM client. com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: Server chose TLSv1, but that protocol version is not enabled or not supported by the client.

KB67108 will most likely help you (also the Release Notes do also point to this..), but this process is a little cumbersome so here is a set of commands you can run on all nodes in your vROps cluster to resolve this issue.

Part 1

Backup vcops-apache.conf.bak

cp $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf.bak

View current config

grep SSLProtocol $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf

Update config

sed -i '/SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1/c\SSLProtocol All -SSLv2 -SSLv3' $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf

View new config

grep SSLProtocol $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf

Part 2

Backup java.security.bak

cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak

View current config

grep 'EC keySize < 224,' $VMWARE_JAVA_HOME/lib/security/java.security

Update config

sed -i '/ EC keySize < 224, TLSv1, TLSv1.1, DES40_CBC, RC4_40, 3DES_EDE_CBC/c\ EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC' $VMWARE_JAVA_HOME/lib/security/java.security

View new config

`` grep ‘EC keySize < 224,’ $VMWARE_JAVA_HOME/lib/security/java.security

cp $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf.bak

grep SSLProtocol $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf

sed -i ‘/SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1/c\SSLProtocol All -SSLv2 -SSLv3’ $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf

grep SSLProtocol $VCOPS_BASE/../vmware-vcopssuite/utilities/conf/vcops-apache.conf

cp $VMWARE_JAVA_HOME/lib/security/java.security $VMWARE_JAVA_HOME/lib/security/java.security.bak

grep ‘EC keySize < 224,’ $VMWARE_JAVA_HOME/lib/security/java.security

sed -i ‘/ EC keySize < 224, TLSv1, TLSv1.1, DES40_CBC, RC4_40, 3DES_EDE_CBC/c\ EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC’ $VMWARE_JAVA_HOME/lib/security/java.security

grep ‘EC keySize < 224,’ $VMWARE_JAVA_HOME/lib/security/java.security ``

Once done and the cluster nodes have restarted then as per the KB run the following to test that everything is working (or just test the Adapter from the UI).

$VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1 $VCOPS_BASE/../vmware-vcopssuite/openssl/bin/openssl s_client -connect node-FQDN-or-IP-address:443 -tls1_1