You can disable earlier versions of TLS for port 9087 by modifying the jetty-vum-ssl.xml configuration file. The process is different for Port 8084.

About this task

Note:

Before you disable a TLS version, make sure that none of the services that communicate with vSphere Update Manager use that version.

Prerequisites

Stop the vSphere Update Manager service. See the Installing and Administering VMware vSphere Update Manager documentation.

Procedure

  1. Stop the vSphere Update Manager service.
  2. Navigate to the Update Manager installation directory, which is different for vSphere 6.0 and vSphere 6.5.

    Version

    Location

    vSphere 6.0

    C:\Program Files (x86)\VMware\Infrastructure\Update Manager

    vSphere 6.5

    C:\Program Files\VMware\Infrastructure\Update Manager

  3. Make a backup of the jetty-vum-ssl.xml file and open the file.
  4. Disable earlier versions of TLS by changing the file.

    Option

    Description

    Disable TLS 1.0. Leave TLS 1.1 and TLS 1.2 enabled.

    <Set name="ExcludeProtocols">
         <Array type="java.lang.String">
             <Item>TLSv1</Item>
         </Array>
    </Set>

    Disable TLS 1.0 and TLS 1.1. Leave TLS 1.2 enabled.

    <Set name="ExcludeProtocols">
         <Array type="java.lang.String">
             <Item>TLSv1</Item>
             <Item>TLSv1.1</Item>
         </Array>
    </Set>
  5. Save the file.
  6. Restart the vSphere Update Manager service.