Use the ciphers command of the cell management tool to configure the set of cipher suites that the cell offers to use during the SSL handshake process.

When a client makes an SSL connection to a VMware Cloud Director cell, the cell offers to use only those ciphers that are configured on its default list of allowed ciphers. Several ciphers are not on this list, either because they are not strong enough to secure the connection, or because they are known to contribute to SSL connection failures.

When you install or upgrade VMware Cloud Director, the installation or upgrade script examines the cell's certificates. If any of the certificates requires a cipher suite that is not on the list of allowed ciphers (a certificate's key type determines which suites can be negotiated with it), the installation or the upgrade fails. You can take the following steps to replace the certificates and reconfigure the list of allowed ciphers:
  1. Create certificates that can be used with the allowed ciphers. To list the ciphers that are allowed in the default configuration, run cell-management-tool ciphers -a, as shown in List All Allowed Ciphers.
  2. Use the cell-management-tool certificates command to replace the cell's existing certificates with the new ones.
  3. Use the cell-management-tool ciphers command to reconfigure the list of allowed ciphers so that it includes every cipher needed for the new certificates.
    Important: The VMRC console requires the AES256-SHA and AES128-SHA ciphers (OpenSSL names; they appear as TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA in the output of ciphers -a). Do not disallow them if your VMware Cloud Director clients use the VMRC console.
To manage the list of allowed SSL ciphers, use a command line with the following form:
cell-management-tool ciphers options
Table 1. Cell Management Tool Options and Arguments, ciphers Subcommand

--help (-h)
    Argument: None
    Description: Provides a summary of available commands in this category.

--all-allowed (-a)
    Argument: None
    Description: List all allowed ciphers (the product default list).

--compatible-reset (-c)
    Argument: None
    Description: Deprecated. Use the --reset option to reset to the default list of allowed ciphers.

--disallow (-d)
    Argument: Comma-separated list of cipher names. Cipher naming is documented at https://www.openssl.org/docs/man1.0.2/man1/ciphers.html; take the names you pass from the output of ciphers -a on the cell.
    Description: Disallow the ciphers in the specified comma-separated list.

--list (-l)
    Argument: None
    Description: List the ciphers currently configured on this cell, that is, the allowed list after any --disallow changes.

--reset (-r)
    Argument: None
    Description: Reset to the default list of allowed ciphers. If this cell's certificates require disallowed ciphers, you cannot make an SSL connection to the cell until you install new certificates that use an allowed cipher.

List All Allowed Ciphers

Use the --all-allowed (-a) option to list every cipher that the product allows the cell to offer during an SSL handshake. This is the default list; to see the list as currently configured on a cell after any --disallow changes, use the --list (-l) option instead.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -a

* Product default ciphers:
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_256_GCM_SHA384
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA

Disallow Two Ciphers

Use the --disallow (-d) option to remove one or more ciphers from the list of allowed ciphers. This option requires at least one cipher name. You can supply multiple cipher names in a comma-separated list, passed as a single argument without spaces. Take the names from the output of ciphers -a. This example removes two DHE 3DES cipher suites. The names in it carry the legacy SSL_ prefix rather than the TLS_ prefix shown in the ciphers -a output above, and SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA is not in that default list, so check every name against your own cell's output before running the command, and run ciphers -l afterwards to confirm that the suites are gone.

[root@cell1 /opt/vmware/vcloud-director/bin]# ./cell-management-tool ciphers -d SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
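The following POSIX shell script is an added example and is not part of the VMware Cloud Director documentation or its tooling. It takes the ciphers -a output (embedded here as constructed sample input, copied from the list above) and builds the comma-separated argument that ciphers -d expects, flagging every suite that uses 3DES or whose key exchange is static RSA or static ECDH (no forward secrecy), while optionally keeping the two suites the VMRC console needs. The function names, the KEEP_VMRC flag and the sample variable are this example's own; only the cell-management-tool invocations in the comments come from the page.

```shell
#!/bin/sh
# Added example: derive a `cell-management-tool ciphers -d` argument from the
# `ciphers -a` output. Not VMware code; function names are this example's own.

# Constructed sample input: the "Product default ciphers" list as printed on a
# hypothetical cell (same content as the list on this page).
SAMPLE_CIPHERS_OUTPUT='* Product default ciphers:
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_256_GCM_SHA384
* TLS_RSA_WITH_AES_128_GCM_SHA256
* TLS_RSA_WITH_AES_256_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA256
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA'

# The two suites the VMRC console requires, in the naming used by ciphers -a
# (AES256-SHA and AES128-SHA in OpenSSL naming).
VMRC_REQUIRED='TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA'

# parse_cipher_names: stdin = tool output; stdout = one suite name per line.
# The "* Product default ciphers:" header carries no suite name and is dropped.
parse_cipher_names() {
    grep -oE '(TLS|SSL)_[A-Z0-9_]+'
}

# weak_suites KEEP_VMRC: stdin = suite names; prints the ones to disallow.
# A suite is flagged when it uses 3DES (64-bit block, SWEET32 class) or its
# key exchange is not ephemeral (neither ECDHE nor DHE, so no forward secrecy).
# With KEEP_VMRC=1 the two VMRC suites are never flagged, static RSA or not.
weak_suites() {
    keep_vmrc="$1"
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        weak=0
        case "$name" in
            *_3DES_*)              weak=1 ;;   # 3DES, regardless of key exchange
            TLS_ECDHE_*|TLS_DHE_*) weak=0 ;;   # ephemeral key exchange with AES
            *)                     weak=1 ;;   # static RSA or static ECDH
        esac
        if [ "$weak" -eq 1 ] && [ "$keep_vmrc" = 1 ]; then
            for req in $VMRC_REQUIRED; do
                [ "$name" = "$req" ] && weak=0
            done
        fi
        [ "$weak" -eq 1 ] && printf '%s\n' "$name"
    done
    return 0
}

# disallow_arg KEEP_VMRC: stdin = tool output; stdout = the comma-separated
# single argument for `cell-management-tool ciphers -d`.
disallow_arg() {
    parse_cipher_names | weak_suites "$1" | paste -s -d ',' -
}

# count_suites: number of non-empty lines on stdin.
count_suites() {
    grep -c .
}

# Helpers that run the pipeline over the constructed sample.
sample_disallow_arg() {
    printf '%s\n' "$SAMPLE_CIPHERS_OUTPUT" | disallow_arg "$1"
}
sample_weak_count() {
    printf '%s\n' "$SAMPLE_CIPHERS_OUTPUT" | parse_cipher_names | weak_suites "$1" | count_suites
}

# Stand-alone demo. On a real cell you would run instead:
#   ./cell-management-tool ciphers -a | disallow_arg 1
# and then: ./cell-management-tool ciphers -d "<the printed list>"
echo "Suites to disallow, keeping the VMRC suites:"
sample_disallow_arg 1
echo "Suites to disallow if no client uses the VMRC console:"
sample_disallow_arg 0
```

Dropping the static-RSA and static-ECDH suites cuts off clients that cannot negotiate ECDHE or DHE, so check your client population before applying the list, and keep the two VMRC suites (KEEP_VMRC=1) wherever the VMRC console is in use. After running ciphers -d, do not rely only on ciphers -l: confirm from a client what the listener actually accepts, for example with nmap -p 443 --script ssl-enum-ciphers against the cell.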