You can disable earlier versions of TLS for port 8084 by modifying the vci-integrity.xmlconfiguration file. The process is different for Port 9087.
Note: Before you disable a TLS version, make sure that none of the services that communicate with vSphere Update Manager use that version.
Prerequisites
Stop the vSphere Update Manager service. See the Installing and Administering VMware vSphere Update Manager documentation.
Procedure
- Stop the vSphere Update Manager service.
- Navigate to the Update Manager installation directory, which is different for 6.0 and 6.5 and later.
| Version |
Location |
| vSphere 6.0 |
C:\Program Files (x86)\VMware\Infrastructure\Update Manager |
| vSphere 6.5 and later |
C:\Program Files\VMware\Infrastructure\Update Manager |
- Make a backup of the vci-integrity.xml file and open the file.
- Edit the vci-integrity.xml file and add a <protocols> tag.
<vmacore>
<ssl>
<handshakeTimeoutMs>120000</handshakeTimeoutMS>
<protocols>protocols_value</protocols>
</ssl>
</vmacore>
- Depending on the TLS version that you want to enable, use one of the following values in the
<protocols> tag.
| TLS Versions to Enable |
Use... |
| All |
tls1.0,tls1.1,tls1.2. |
| Only TLSv1.1 and TLSv.1.2 |
tls.1.1,tls1.2. |
| Only TLSv1.2 |
tls1.2, or do not include a protocols tag. Because the default is TLS 1.2, no protocols tag is present to start with in vmacore. |
- (Optional) Starting from vSphere 6.0 Update 2, you might have an <sslOptions> tag.
If so, remove the
<sslOptions> tag.
- Save the vci-integrity.xml file.
- Restart the vSphere Update Manager service.
