5 Replies Latest reply on Aug 13, 2019 4:24 AM by MartinGustafsson

    TLS Configurator Utility in ESXi Host 6.7 Build Number 13006603

    vlrk Lurker

      I saw that "Starting with vSphere 6.7, the TLS Configurator utility is included in the product. You no longer download it separately."

       

      I followed the documentation below: "https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-BDCE47DD-8AD2-4C98-94FF-7769D0BEE1C2.html"

       

      I am also not able to find the TlsReconfigurator folder on my host.

       

      [root@localhost:~] ls -ltr /usr/lib/vmware-TlsReconfigurator

      ls: /usr/lib/vmware-TlsReconfigurator: No such file or directory

       

      The command "reconfigureEsx" is not being resolved.

       

      [root@localhost:~] reconfigureEsx

      -sh: reconfigureEsx: not found

       

       

      How do I get the TLSConfigurator working?

       

       

      Thanks

      RK

        • 1. Re: TLS Configurator Utility in ESXi Host 6.7 Build Number 13006603
          MartinGustafsson Hot Shot
          VMware Employees, vExpert

          Hi,

           

          /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator/reconfigureEsx is run from vCenter, not ESXi.

           

          root@vcenter [ ~ ]# ls -ltr /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator/

          total 44

          -rw-r--r-- 1 root root  2247 Mar 27 06:28 reconfigure-vvold

          -rw-r--r-- 1 root root  3606 Mar 27 06:28 reconfigure-rhttpproxy

          -rw-r--r-- 1 root root  2122 Mar 27 06:28 reconfigure-vvold.sig

          -rw-r--r-- 1 root root  2122 Mar 27 06:28 reconfigure-rhttpproxy.sig

          -rwxr-xr-x 1 root root 23228 Mar 27 06:28 reconfigureEsx

          -rw-r--r-- 1 root root  1936 Mar 27 06:28 README

          • 2. Re: TLS Configurator Utility in ESXi Host 6.7 Build Number 13006603
            vlrk Lurker

            Thanks Martin,

            I tried to change the TLS using the commands below, but it throws errors.

             

            root@photon-machine [ /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h 10.10.2.2 -u root -p TLSv1.0

            ESXi Transport Layer Security reconfigurator, version=6.7.0, build=13010631

            For more information refer to the following article: https://kb.vmware.com/kb/2147469

            Log file: "/var/log/vmware/vSphere-TlsReconfigurator/EsxTlsReconfigurator.log".

            Connecting to vCenter Server at: "localhost".

            Password:

            Permission to perform this operation was denied.

            Note: Access to ESXi host may be denied if it is managed by vCenter Server instance in lockdown mode.

                  If this is the case please reconfigure the ESXi host through the corresponding vCenter Server instance.

             

             

            Any idea what other factors should be taken care of?

            • 3. Re: TLS Configurator Utility in ESXi Host 6.7 Build Number 13006603
              MartinGustafsson Hot Shot
              vExpert, VMware Employees

              Are you trying to disable TLS 1.1 and TLS 1.2 and only use TLS 1.0? That won't happen!

               

              Prerequisites

              You have two choices for using TLS in your environment.

              • Disable TLS 1.0, and enable TLS 1.1 and TLS 1.2.
              • Disable TLS 1.0 and TLS 1.1, and enable TLS 1.2.

              Source: Enabling or Disabling TLS Versions in vSphere

               

              Also, the ESXi host 10.10.2.2 must be managed by the vCenter.

              • 4. Re: TLS Configurator Utility in ESXi Host 6.7 Build Number 13006603
                vlrk Lurker

                Martin,

                Even TLSv1.2 results in the same,

                 

                 

                [ /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h 10.10.2.2 -u root -p TLSv1.2

                ESXi Transport Layer Security reconfigurator, version=6.7.0, build=13010631

                For more information refer to the following article: https://kb.vmware.com/kb/2147469

                Log file: "/var/log/vmware/vSphere-TlsReconfigurator/EsxTlsReconfigurator.log".

                Connecting to vCenter Server at: "localhost".

                Password:

                Permission to perform this operation was denied.

                Note: Access to ESXi host may be denied if it is managed by vCenter Server instance in lockdown mode.

                      If this is the case please reconfigure the ESXi host through the corresponding vCenter Server instance.

                • 5. Re: TLS Configurator Utility in ESXi Host 6.7 Build Number 13006603
                  MartinGustafsson Hot Shot
                  VMware Employees, vExpert

                  Is the ESXi host 10.10.2.2 managed by that vCenter? Is it in lockdown mode?

                   

                  You should provide a vCenter administrative user.

                   

                  root@vcenter [ /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator ]# ./reconfigureEsx vCenterHost -h esxi01.home.lan -u administrator@vsphere.local -p TLSv1.2

                  ESXi Transport Layer Security reconfigurator, version=6.7.0, build=13010631

                  For more information refer to the following article: https://kb.vmware.com/kb/2147469

                  Log file: "/var/log/vmware/vSphere-TlsReconfigurator/EsxTlsReconfigurator.log".

                  Connecting to vCenter Server at: "localhost".

                  Password:

                  Validating product version at: "localhost".

                  Validating ESXi host: "esxi01.home.lan".

                  Reconfiguring ESXi host: "esxi01.home.lan".
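
A check that could be run after a reconfiguration like the one in reply 5, added here as an example (it is not part of the thread and not VMware's code): it probes which TLS versions a host accepts and maps the result onto the two supported choices quoted in reply 3. The function names, port 443 and the verdict strings are assumptions, only one port is checked, and a local OpenSSL built without TLS 1.0/1.1 will report those versions as rejected regardless of the server.

```python
import socket
import ssl
import sys

# The three protocol versions discussed in the thread.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def accepts(host, version, port=443, timeout=5.0):
    """True if the host completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol probe only, no data is sent: skip certificate validation so a
    # self-signed host certificate does not mask the protocol result.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Allow the local OpenSSL to offer legacy versions at all.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    # Connection errors propagate: "unreachable" must not read as "disabled".
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw):
                return True
        except (ssl.SSLError, ConnectionResetError):
            return False

def classify(accepted):
    """Map {version: bool} onto the two supported choices, or a finding."""
    if not accepted["TLSv1.2"]:
        return "finding: TLS 1.2 is not accepted"
    if accepted["TLSv1.0"]:
        return "finding: TLS 1.0 is still accepted"
    if accepted["TLSv1.1"]:
        return "choice 1: TLS 1.0 disabled, TLS 1.1 and TLS 1.2 enabled"
    return "choice 2: TLS 1.0 and TLS 1.1 disabled, TLS 1.2 enabled"

def audit(host, probe=accepts):
    """Probe every version and return (per-version results, verdict)."""
    results = {name: probe(host, name) for name in VERSIONS}
    return results, classify(results)

if __name__ == "__main__":
    results, verdict = audit(sys.argv[1])
    print(results, verdict, sep="\n")
```

Run it with the host name as the only argument, from a machine that can reach the host's management interface.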