You can disable earlier versions of TLS for port 8084 by modifying the vci-integrity.xml configuration file. The process is different for port 9087.

Note: Before you disable a TLS version, make sure that none of the services that communicate with vSphere Update Manager use that version.

Prerequisites

Stop the vSphere Update Manager service. See the Installing and Administering VMware vSphere Update Manager documentation.

Procedure

  1. Stop the vSphere Update Manager service.
  2. Navigate to the Update Manager installation directory, which is different for vSphere 6.0 and 6.5.
     Version       Location
     vSphere 6.0   C:\Program Files (x86)\VMware\Infrastructure\Update Manager
     vSphere 6.5   C:\Program Files\VMware\Infrastructure\Update Manager
  3. Make a backup of the vci-integrity.xml file and open the file.
  4. Add an <sslOptions> tag in the vci-integrity.xml file.
     <ssl>
           <handshakeTimeoutMs>120000</handshakeTimeoutMs>
           <sslOptions>sslOptions_value</sslOptions>
     </ssl>
    
     <ssl>
           <privateKey>ssl/rui.key</privateKey>
           <certificate>ssl/rui.crt</certificate>
           <sslOptions>sslOptions_value</sslOptions>
     </ssl>
    
  5. Depending on the TLS version that you want to disable, use one of the following decimal values in the <sslOptions> tag.
    • To disable only TLSv1.0, use the decimal value 117587968.
    • To disable TLSv1.0 and TLSv1.1, use the decimal value 386023424.
  6. Save the file.
  7. Restart the vSphere Update Manager service.
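
Steps 3 through 6 can be scripted so that the backup, the edit and a well-formedness check happen together. The following PowerShell is an added example, not VMware code: Set-VumSslOptions is a hypothetical helper name, the sample file and its <config> root are constructed, and it assumes the <ssl> elements carry no XML namespace. Run it only while the vSphere Update Manager service is stopped, with -Path pointing at vci-integrity.xml in the installation directory for your version.

```powershell
# Added example, not VMware code. Set-VumSslOptions is a hypothetical helper name.
function Set-VumSslOptions {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # The two decimal values listed in step 5 of the procedure.
        [Parameter(Mandatory = $true)] [ValidateSet('117587968', '386023424')] [string] $Value
    )
    $Path = (Resolve-Path -LiteralPath $Path).Path
    # Step 3: keep a timestamped backup beside the original file.
    $backup = "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    # Load() throws on malformed XML (such as a mismatched closing tag) before anything is written.
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($Path)
    $sslNodes = $doc.SelectNodes('//ssl')
    if ($sslNodes.Count -eq 0) { throw "No <ssl> element found in $Path" }

    # Steps 4 and 5: add <sslOptions> to every <ssl> element, or update the existing one.
    foreach ($ssl in $sslNodes) {
        $opt = $ssl.SelectSingleNode('sslOptions')
        if ($null -eq $opt) {
            $opt = $doc.CreateElement('sslOptions')
            [void]$ssl.AppendChild($opt)
        }
        $opt.InnerText = $Value
    }
    $doc.Save($Path)   # Step 6

    # Re-read the saved file and confirm every <ssl> element now carries the chosen value.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($Path)
    $set = $check.SelectNodes("//ssl[sslOptions='$Value']").Count
    if ($set -ne $sslNodes.Count) { throw "Verification failed; restore $backup" }
    [pscustomobject]@{ Backup = $backup; SslElements = $set; SslOptions = $Value }
}

# Constructed sample standing in for vci-integrity.xml; the <config> root is an assumption.
$sample = Join-Path $env:TEMP 'vci-integrity-sample.xml'
@'
<config>
  <ssl><handshakeTimeoutMs>120000</handshakeTimeoutMs></ssl>
  <ssl><privateKey>ssl/rui.key</privateKey><certificate>ssl/rui.crt</certificate></ssl>
</config>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8
Set-VumSslOptions -Path $sample -Value '386023424'
```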