April 2, 2020

Disable TLS Versions - VMware



 Before starting the changes
  • Shut down the PSC and VC, then take snapshots / back up the DBs
  • Make sure any other system connecting to the VC / PSC is compatible with TLS 1.2/1.1, based on your preferred configuration.
  • You can also take a manual backup of the TLS configuration
https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-9560949F-1E29-458F-BA14-833760A0AFCF.html


Start by downloading the VMware vSphere TLS Configurator
(for VCSA, download the rpm)
File size: 444.0 KB
File type: msi
https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3F&productId=491&rPId=24398




==============================

 Install the TLS Configurator on the VC / (external PSC)
(for VCSA - install the rpm)

 First, disable the old TLS versions on the Windows vCenter

cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator

 

reconfigureVc update -p TLSv1.1 TLSv1.2




Allow some time for the services to restart.

Once it has completed, you can see the enabled TLS versions for each service.





To enable only version 1.2:

reconfigureVc update -p TLSv1.2




 https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-145A078D-2F33-4B39-987C-0F2C91BB23CB.html

====================================

 Next, disable the old TLS versions on ESXi


On the vCenter, switch to the EsxTlsReconfigurator directory

cd ..\EsxTlsReconfigurator






To enable versions 1.2 & 1.1:
reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2


To enable 1.2 only:
reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2




































https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-BDCE47DD-8AD2-4C98-94FF-7769D0BEE1C2.html


**** Each ESXi host needs to be restarted for the changes to take effect.




=======================================

If it's a VC deployment with an external PSC, disable the old TLS versions on the PSC last.

cd C:\Program Files\VMware\CIS\vSphereTlsReconfigurator\VcTlsReconfigurator



To enable versions 1.2 & 1.1:

reconfigureVc update -p TLSv1.1 TLSv1.2



To enable 1.2 only:
reconfigureVc update -p TLSv1.2






Allow some time for the services to restart.

Once it has completed, you can see the enabled TLS versions for each service.




https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-E3A9B9F1-80CF-41DA-AA49-B9E235837788.html
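
To confirm the result from outside the reconfigurator, the following added example (not part of the original post or of VMware's tooling) attempts one handshake per TLS version against a vCenter, PSC or ESXi endpoint and compares what the server accepts with the versions that were passed to -p. The function names, the default port 443 and the "TLSv1.0" label are assumptions of this example.

```python
import socket
import ssl
import warnings

# TLSv1.1 / TLSv1.2 are the names used with -p above; "TLSv1.0" is this example's label.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, name, timeout=5.0):
    """True if the server completes a handshake pinned to one version,
    False if it refuses, None if this client cannot offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is tested here,
    ctx.verify_mode = ssl.CERT_NONE  # so certificate validation is skipped
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False

def violations(results, allowed):
    """Compare {version: probe result} with the versions that were passed
    to -p; returns a list of findings, empty when the endpoint complies."""
    findings = []
    for name in VERSIONS:
        accepted = results.get(name)
        if accepted is None:
            findings.append(f"{name}: not tested by this client")
        elif accepted and name not in allowed:
            findings.append(f"{name}: still accepted, should be disabled")
        elif not accepted and name in allowed:
            findings.append(f"{name}: refused, but meant to stay enabled")
    return findings

def check(host, port=443, allowed=("TLSv1.2",)):
    """Probe every version on one endpoint (443 is an assumed default)."""
    return violations({n: probe(host, port, n) for n in VERSIONS}, set(allowed))
```

Call check() with the host name of each vCenter, PSC and ESXi host after its services or the host itself have restarted, passing the same versions you gave to -p as allowed. A "not tested" finding means the local OpenSSL build cannot offer that version, so repeat the check from another client.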





***************


