Crypto-agility configuration for CDS Client is described below.

Currently the DaaS Agent uses the default ciphers and SSL/TLS protocols supported by the gSOAP library. The registry keys below can be used to customize the ciphers and protocols.

The following keys are available:

ClientSecureProtocols

  • Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware DaaS Agent\ClientSecureProtocols
  • Type: String
  • Format of Value: Combination of following values separated by |
    • SOAP_TLSv1

      Adding this value in the registry will make the agent use one of the following protocols to communicate to the tenant: TLSv1.0, TLSv1.1, or TLSv1.2.

    • SOAP_SSLv3_TLSv1

      Adding this value in the registry will make the agent use either the SSLV3 or TLSv1 (v1.0, v1.1 or v1.2) protocol to communicate to the tenant.

    • SOAP_SSLv3

      Adding this value in the registry will make the agent use only the SSLV3 protocol to communicate to the tenant.

    • SOAP_TLSv1_0

      Adding this value in the registry will make the agent use only the TLS v1.0 protocol to communicate to the tenant.

    • SOAP_TLSv1_1

      Adding this value in the registry will make the agent use only the TLS v1.1 protocol to communicate to the tenant.

    • SOAP_TLSv1_2

      Adding this value in the registry will make the agent use only the TLS v1.2 protocol to communicate to the tenant.

  • Default Value: SOAP_TLSv1_1|SOAP_TLSv1_2

    Indicates that the agent will use either the TLSv1.1 or TLSv1.2 protocol to communicate to the tenant.

ClientCipherSuites

ClientAuthenticationSettings

  • Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware DaaS Agent\ClientAuthenticationSettings
  • Type: String
  • Format of Value: Combination of following values separated by |
    • SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION

      Adding this value requires the server to authenticate to the client.

      Note: Only this configuration has been tested.

    • SOAP_SSL_SKIP_HOST_CHECK

      Adding this value disables checking of the common name of the host in the certificate.

    • SOAP_SSL_ALLOW_EXPIRED_CERTIFICATE

      Adding this value disables checking of the expiration date of the certificate and omits CRL (Certificate Revocation List) checks.

    • SOAP_SSL_NO_DEFAULT_CA_PATH

      Adding this value disables default_verify_paths (OpenSSL).

    • SOAP_SSL_RSA

      Adding this value makes the agent use RSA to authenticate with the tenant.

  • Default Value: SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION

CipherSuites

  • Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration\SSL\CipherSuites
  • Type: String
  • Format of Value: Specify multiple ciphers separated by a colon (:).

ProtocolsNotToBeDisabled

  • Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration\SSL\ProtocolsNotToBeDisabled
  • Type: DWORD (32-bit)
  • Format of Value:
    • To enable TLSv1 and above, specify 04000000 as the hex value.
    • To enable TLSv1_1 and above, specify 10000000 as the hex value.
    • To enable TLSv1_2 and above, specify 08000000 as the hex value (this is the current default).
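The following PowerShell script is an added example, not VMware's own code, that applies the hardened combination of the values described above (ClientSecureProtocols, ClientAuthenticationSettings, CipherSuites and ProtocolsNotToBeDisabled) and then reads them back to flag settings that widen the protocol range or weaken certificate validation. It assumes that the last component of each "Key Path" above is the value name under the preceding key, that the cipher list shown (an OpenSSL-style string) is acceptable to the tenant side, and that it is run in an elevated session on the agent host.

```powershell
# Added example (not VMware's code): apply and audit the DaaS Agent / Horizon
# Agent crypto-agility registry values documented above.
# Assumption: the final path component on the page is the value name.

$DaasAgentKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware DaaS Agent'
$VdmSslKey    = 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM\Agent\Configuration\SSL'

# Tokens from the page that permit a protocol older than TLS 1.2.
$WeakProtocolTokens = @('SOAP_SSLv3', 'SOAP_SSLv3_TLSv1', 'SOAP_TLSv1', 'SOAP_TLSv1_0', 'SOAP_TLSv1_1')
# Tokens from the page that switch off parts of certificate validation.
$WeakAuthTokens     = @('SOAP_SSL_SKIP_HOST_CHECK', 'SOAP_SSL_ALLOW_EXPIRED_CERTIFICATE')

# Assumed cipher list (colon-delimited, as the page specifies); adjust to the tenant's support.
$CipherList = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when either the key or the value is absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-DaasAgentCryptoConfig {
    # Restrict the agent to TLS 1.2 and keep server authentication mandatory.
    foreach ($key in @($DaasAgentKey, $VdmSslKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $DaasAgentKey -Name 'ClientSecureProtocols' -Type String -Value 'SOAP_TLSv1_2'
    Set-ItemProperty -Path $DaasAgentKey -Name 'ClientAuthenticationSettings' -Type String -Value 'SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION'
    Set-ItemProperty -Path $VdmSslKey -Name 'CipherSuites' -Type String -Value $CipherList
    # 08000000 hex = TLSv1_2 and above (the page's current default), stored as a 32-bit DWORD.
    Set-ItemProperty -Path $VdmSslKey -Name 'ProtocolsNotToBeDisabled' -Type DWord -Value 0x08000000
}

function Test-DaasAgentCryptoConfig {
    # Reads the values back and returns one finding string per weakness.
    $findings = @()

    $protocols = Get-RegValue $DaasAgentKey 'ClientSecureProtocols'
    if ($null -eq $protocols) {
        $findings += 'ClientSecureProtocols not set; page default SOAP_TLSv1_1|SOAP_TLSv1_2 applies, so TLS 1.1 is still allowed'
    } else {
        foreach ($token in ($protocols -split '\|')) {
            if ($WeakProtocolTokens -contains $token) {
                $findings += "ClientSecureProtocols allows a pre-TLS 1.2 protocol via token $token"
            }
        }
    }

    $auth = Get-RegValue $DaasAgentKey 'ClientAuthenticationSettings'
    # Page default when the value is absent: SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION
    $authTokens = if ($null -eq $auth) { @('SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION') } else { $auth -split '\|' }
    if ($authTokens -notcontains 'SOAP_SSL_REQUIRE_SERVER_AUTHENTICATION') {
        $findings += 'ClientAuthenticationSettings does not require server authentication'
    }
    foreach ($token in $authTokens) {
        if ($WeakAuthTokens -contains $token) {
            $findings += "ClientAuthenticationSettings weakens certificate validation via token $token"
        }
    }

    $dword = Get-RegValue $VdmSslKey 'ProtocolsNotToBeDisabled'
    if ($null -ne $dword -and $dword -ne 0x08000000) {
        $findings += ('ProtocolsNotToBeDisabled is 0x{0:X8}; 0x08000000 (TLSv1_2 and above) is the hardened default' -f $dword)
    }
    return $findings
}

# Usage: audit, apply the hardened values, audit again and print what remains.
$before = Test-DaasAgentCryptoConfig
Set-DaasAgentCryptoConfig
$after  = Test-DaasAgentCryptoConfig
"Findings before: $($before.Count); after: $($after.Count)"
$after | ForEach-Object { "  $_" }
```

Run Test-DaasAgentCryptoConfig on its own when you only want to inventory existing agents; it treats a missing ClientAuthenticationSettings value as the page's default (server authentication required) and a missing ClientSecureProtocols value as the page's default that still admits TLS 1.1, so an untouched host reports exactly one finding. The audit flags SOAP_TLSv1 as well as the explicit SSLv3 and TLS 1.0/1.1 tokens because that token lets the agent fall back to TLS 1.0.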