You can use the TLS Configuration utility to enable or disable TLS versions on an ESXi host. As part of the process, you can disable TLS 1.0 and enable TLS 1.1 and TLS 1.2, or you can disable both TLS 1.0 and TLS 1.1 and enable only TLS 1.2.

For ESXi hosts, you use a different utility than for the other components of your vSphere environment. The utility is release-specific and cannot be used on a previous release.

Prerequisites

Ensure that any products or services associated with the ESXi host can communicate using TLS 1.1 or TLS 1.2. Products that communicate only over TLS 1.0 lose connectivity to the host once TLS 1.0 is disabled.

This procedure explains how to perform the task on a single host. You can write a script to configure multiple hosts.

Procedure

  1. Log in to the vCenter Server system with the user name and password of the vCenter Single Sign-On user who can run scripts.
  2. Go to the directory where the script is located.
    cd /usr/lib/vmware-TlsReconfigurator/EsxTlsReconfigurator
  3. On a host that is part of a cluster, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on all hosts in a cluster, run the following command.
      ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on all hosts in a cluster, run the following command.
      ./reconfigureEsx vCenterCluster -c Cluster_Name -u Administrative_User -p TLSv1.2
  4. On an individual host, run one of the following commands.
    • To disable TLS 1.0 and enable both TLS 1.1 and TLS 1.2 on an individual host, run the following command.
      ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.1 TLSv1.2
      Note: To reconfigure a standalone ESXi host (one that is not part of a vCenter Server system), use the ESXiHost -h HOST -u ESXi_USER options. For the HOST option, you can specify the IP address or FQDN of a single ESXi host, or a list of host IP addresses or FQDNs. For example, to enable both TLS 1.1 and TLS 1.2 on two ESXi hosts:
      ./reconfigureEsx ESXiHost -h 198.51.100.2 198.51.100.3 -u root -p TLSv1.1 TLSv1.2
    • To disable TLS 1.0 and TLS 1.1, and enable only TLS 1.2 on an individual host, run the following command.
      ./reconfigureEsx vCenterHost -h ESXi_Host_Name -u Administrative_User -p TLSv1.2
  5. Reboot the ESXi host to complete the TLS protocol changes.
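Because anything that still depends on a disabled version loses connectivity, it is worth confirming after the reboot in step 5 that each host accepts exactly the versions you passed after -p and refuses the rest. The script below is an added example; it is not part of the VMware documentation or of the reconfigureEsx utility. It assumes openssl(1) is available on the machine running it and that the hosts serve TLS on port 443. The function names (expected_state, observed_state, verify_host) and the host names in the usage line are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation or the reconfigureEsx utility.
# After the reboot in step 5, checks that each ESXi host accepts exactly the TLS
# versions given to reconfigureEsx with -p and refuses the others.
# Assumptions: openssl(1) is installed where this runs; the hosts serve TLS on port 443.

# The protocol versions the utility accepts after -p, in order.
ALL_PROTOCOLS="TLSv1.0 TLSv1.1 TLSv1.2"

# expected_state ENABLED_LIST PROTOCOL
# Prints "enabled" if PROTOCOL appears in ENABLED_LIST (the -p argument,
# e.g. "TLSv1.1 TLSv1.2"), otherwise "disabled".
expected_state() {
    for p in $1; do
        if [ "$p" = "$2" ]; then
            printf '%s\n' enabled
            return 0
        fi
    done
    printf '%s\n' disabled
}

# openssl_flag PROTOCOL
# Maps a protocol name to the s_client option that forces exactly that version.
openssl_flag() {
    case $1 in
        TLSv1.0) printf '%s\n' -tls1 ;;
        TLSv1.1) printf '%s\n' -tls1_1 ;;
        TLSv1.2) printf '%s\n' -tls1_2 ;;
        *) return 1 ;;
    esac
}

# observed_state HOST PROTOCOL
# Attempts one handshake restricted to PROTOCOL; a completed handshake means "enabled".
# Caveat: a client OpenSSL that itself refuses TLS 1.0/1.1 (OpenSSL 3 at its default
# security level) makes those versions look "disabled" regardless of the host. Run the
# check from a client that still permits them, or add -cipher 'DEFAULT:@SECLEVEL=0'.
observed_state() {
    flag=$(openssl_flag "$2") || return 1
    if printf '' | openssl s_client -connect "$1:443" "$flag" >/dev/null 2>&1; then
        printf '%s\n' enabled
    else
        printf '%s\n' disabled
    fi
}

# verify_host HOST ENABLED_LIST
# Prints one line per protocol; returns non-zero if any version differs from the policy.
verify_host() {
    host=$1
    enabled_list=$2
    rc=0
    for proto in $ALL_PROTOCOLS; do
        want=$(expected_state "$enabled_list" "$proto")
        got=$(observed_state "$host" "$proto")
        printf '%-24s %-8s expected=%-8s observed=%s\n' "$host" "$proto" "$want" "$got"
        [ "$want" = "$got" ] || rc=1
    done
    return $rc
}

# Usage: sh verify_esx_tls.sh "TLSv1.2" esx01.example.com esx02.example.com
# The first argument is the same list you gave to reconfigureEsx after -p;
# the remaining arguments are the hosts you reconfigured (constructed names above).
main() {
    policy=$1
    shift
    status=0
    for host in "$@"; do
        verify_host "$host" "$policy" || status=1
    done
    return $status
}

if [ $# -gt 1 ]; then
    main "$@"
fi
```

Run it with the same protocol list you passed to reconfigureEsx; a non-zero exit means at least one host still accepts a version you disabled, or refuses one you enabled, and the per-protocol lines show which.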