Starting in vSphere 8.0 Update 3, you can manage TLS profiles for ESXi by using the vSphere Client, esxcli commands, or the APIs. For vCenter Server, you manage TLS profiles by using the APIs.

If you use vSphere Configuration Profiles, you can manage the TLS setting for ESXi hosts at the vLCM cluster level. You can change the TLS setting for the cluster and remediate the cluster against this new configuration. For more information, see the chapter on managing vSphere Configuration Profiles in the Managing Host and Cluster Lifecycle documentation.

For standalone ESXi hosts, and non-vLCM clusters, you must manage the TLS profile by using esxcli commands. See the ESXCLI Concepts and Examples documentation and the esxcli online help.

Currently, you can only manage vCenter Server TLS profiles by using the APIs. See vSphere Automation SDKs Programming Guide and vSphere Automation REST API Programming Guide.

View the TLS Profile of an ESXi Host Using the vSphere Client

You can use the vSphere Client to view the TLS profile of an ESXi host that is part of a vLCM cluster.

In vSphere Configuration Profiles, settings that are not explicitly configured use the default values from the appropriate profile. For TLS profiles, the default is COMPATIBLE.

To view the TLS profile of a standalone ESXi host or of a host in a non-vLCM cluster, see View the TLS Profile of an ESXi Host Using the CLI.

Prerequisites

You have enabled vSphere Configuration Profiles and created a draft configuration for the cluster. See the Managing Host and Cluster Lifecycle documentation.

Procedure

  1. In the vSphere Client, navigate to the vLCM cluster that you manage with a single image.
  2. On the Configure tab, click Desired State > Configuration.
  3. On the Settings tab, click system.
  4. Click tls_client or tls_server to view which TLS profile is defined in the current desired configuration document.

View the TLS Profile of an ESXi Host Using the CLI

You can use the CLI to view the currently configured TLS profile of an ESXi host.

For standalone ESXi hosts, and non-vLCM clusters, you must manage the TLS profile by using esxcli commands. For more information, see ESXCLI Reference. For ESXi hosts in a vLCM cluster, you can use either vSphere Configuration Profiles or esxcli commands.

Prerequisites

Enable either SSH or the ESXi Shell on the ESXi host.

Procedure

  1. Connect to the ESXi host.
    You can use SSH or the ESXi Shell.
  2. To view the currently configured TLS profile, run the following command.
    esxcli system tls [client | server] get
  3. To view the parameters in the currently configured TLS profile, run the following command:
    esxcli system tls [client | server] get --show-profile-defaults

Change the TLS Profile of an ESXi Host Using the vSphere Client

You can change the TLS profile of an ESXi host. The default TLS profile is COMPATIBLE.

Prerequisites

You have enabled vSphere Configuration Profiles and created a draft configuration for the cluster. See the Managing Host and Cluster Lifecycle documentation.

Procedure

  1. In the vSphere Client, navigate to a cluster that you manage with a single image.
  2. On the Configure tab, click Desired State > Configuration.
  3. On the Settings tab, click system.
  4. Click either tls_client or tls_server.
    Depending on whether the setting has been changed before, click either Configure Settings or Edit.
  5. Select the TLS profile from the drop-down.
  6. Click Save.
  7. Remediate the cluster against the draft configuration.
    1. To remediate the cluster against the draft configuration, on the Draft tab, click Apply Changes.
    2. Follow the steps in the Remediate wizard. For more information, see the Managing Host and Cluster Lifecycle documentation.

Results

All the ESXi hosts in the cluster are compliant with the desired configuration.

Change the TLS Profile of an ESXi Host Using the CLI

You can change the TLS profile of an ESXi host. The default TLS profile is COMPATIBLE.

For standalone ESXi hosts, and non-vLCM clusters, you must manage the TLS profile by using esxcli commands. For more information, see ESXCLI Reference. For ESXi hosts in a vLCM cluster, you can use either vSphere Configuration Profiles or esxcli commands.

Prerequisites

Enable either SSH or the ESXi Shell on the ESXi host.

Procedure

  1. Connect to the ESXi host.
    You can use either SSH or the ESXi Shell.
  2. Put the ESXi host into maintenance mode.
  3. To change the TLS profile, run the following command.
    esxcli system tls [client | server] set --profile [COMPATIBLE | NIST_2024 | MANUAL]
    Note: If you want to make changes to TLS parameters (at the system level or the service level), select the MANUAL profile.
  4. Reboot the ESXi host for the change to take effect.
  5. After the ESXi host reboots, take it out of maintenance mode.

Edit the Parameters in the MANUAL TLS Profile Using the CLI

You can edit the set of parameters in the MANUAL TLS profile. To change TLS parameters such as cipher list and cipher suite, you must first set the TLS profile to MANUAL.

Warning: Broadcom does not support the MANUAL TLS profile. Only the COMPATIBLE and NIST_2024 TLS profiles are supported. Use the MANUAL TLS profile at your own risk.

You must administer parameters in the MANUAL TLS profile by using esxcli commands. Administering the MANUAL TLS profile parameters is not integrated with vSphere Configuration Profiles.

You cannot set TLS parameters for individual vSphere services. The changes that you make by using the MANUAL TLS profile are applied at the system level.

Prerequisites

Enable either SSH or the ESXi Shell on the ESXi host.

Change the TLS profile to MANUAL. See either Change the TLS Profile of an ESXi Host Using the vSphere Client or Change the TLS Profile of an ESXi Host Using the CLI.

Procedure

  1. Connect to the ESXi host.
    You can use either SSH or the ESXi Shell.
  2. Put the ESXi host into maintenance mode.
  3. Ensure that the TLS profile is MANUAL.
    esxcli system tls [client | server] get
  4. To change the parameters, run any of the following commands.
    esxcli system tls [client | server] set --cipher-list=str
    esxcli system tls [client | server] set --cipher-suite=str
    esxcli system tls [client | server] set --groups=str
    esxcli system tls [client | server] set --protocol-versions=str

    where str is an OpenSSL-style string whose entries are delimited by colons, commas, or spaces. For example: --cipher-list=ECDHE+AESGCM:ECDHE+AES

    For more information, run the following command:

    esxcli system tls [client | server] set --help
  5. Reboot the ESXi host for the change to take effect.
  6. After the ESXi host reboots, take it out of maintenance mode.

Example

The following example first sets the TLS profile to MANUAL and then restricts the set of curves (groups). A reboot is required to put the changes into effect.
[root@host1] esxcli system tls server get
   Profile: COMPATIBLE
   Cipher List: <profile default>
   Cipher Suite: <profile default>
   Groups: <profile default>
   Protocol Versions: <profile default>
   Reboot Required: false
[root@host1] esxcli system tls server set --profile MANUAL
[root@host1] esxcli system tls server get
   Profile: MANUAL
   Cipher List: ECDHE+AESGCM:ECDHE+AES
   Cipher Suite: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
   Groups: prime256v1:secp384r1:secp521r1
   Protocol Versions: tls1.2,tls1.3
   Reboot Required: true
[root@host1] esxcli system tls server set --groups=prime256v1:secp384r1
[root@host1] esxcli system tls server get
   Profile: MANUAL
   Cipher List: TLS_AES_128_CCM_SHA256
   Cipher Suite: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
   Groups: prime256v1:secp384r1
   Protocol Versions: tls1.2,tls1.3
   Reboot Required: true
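To audit hosts for an unsupported MANUAL profile, a pending reboot, or legacy protocol versions, the following added example (not part of the vSphere documentation) parses the output of esxcli system tls [client | server] get in the format shown above. The function names tls_field and tls_profile_audit are chosen here, and the embedded sample output is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example: audit "esxcli system tls [client | server] get" output.
# On a host:  esxcli system tls server get | tls_profile_audit server
# Exit status 0 means no findings, 1 means at least one finding was printed.

# Print the value of one "Key: value" line read from stdin. $1 = key.
tls_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Audit one get output read from stdin. $1 = label used in messages.
tls_profile_audit() {
    label=${1:-tls}
    out=$(cat)
    rc=0
    profile=$(printf '%s\n' "$out" | tls_field 'Profile')
    reboot=$(printf '%s\n' "$out" | tls_field 'Reboot Required')
    # Normalise colon-, comma- or space-delimited lists to commas.
    versions=$(printf '%s\n' "$out" | tls_field 'Protocol Versions' | tr ': ' ',,')
    case "$profile" in
        COMPATIBLE|NIST_2024) ;;
        MANUAL) echo "$label: MANUAL profile is not supported by Broadcom"; rc=1 ;;
        *)      echo "$label: unrecognised profile '$profile'"; rc=1 ;;
    esac
    # A changed profile or parameter only takes effect after a host reboot.
    [ "$reboot" = "true" ] && { echo "$label: reboot pending, running configuration differs"; rc=1; }
    # Explicit versions are only listed under MANUAL; flag legacy TLS there.
    case ",$versions," in
        *,tls1.0,*|*,tls1.1,*) echo "$label: legacy protocol versions enabled: $versions"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample output in the page's format so the script runs offline.
SAMPLE_OK='   Profile: COMPATIBLE
   Cipher List: <profile default>
   Cipher Suite: <profile default>
   Groups: <profile default>
   Protocol Versions: <profile default>
   Reboot Required: false'
SAMPLE_MANUAL='   Profile: MANUAL
   Cipher List: ECDHE+AESGCM:ECDHE+AES
   Cipher Suite: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
   Groups: prime256v1:secp384r1
   Protocol Versions: tls1.2,tls1.3
   Reboot Required: true'

printf '%s\n' "$SAMPLE_OK" | tls_profile_audit sample-ok && echo "sample-ok: no findings"
printf '%s\n' "$SAMPLE_MANUAL" | tls_profile_audit sample-manual || echo "sample-manual: findings"
```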

Manage the TLS Profile of a vCenter Server Host

You use the APIs to view and change the TLS profile for a vCenter Server host.

There are various ways to execute HTTP requests. This task shows how to use the Developer Center in the vSphere Client to manage TLS profiles. See VMware vCenter Server Management Programming Guide for more information about using APIs to manage the vCenter Server Appliance.

Procedure

  1. Log in to the vCenter Server system with the vSphere Client.
  2. From the Menu, select Developer Center.
  3. Click API Explorer.
  4. From the Select API drop-down, select appliance.
    The following API categories and actions are available.

    Table 1. vCenter Server TLS APIs

    Option                                                               API Category                    Associated Action
    Gets the list of all TLS profiles and their configuration.           tls/profiles/                   GET
    Gets the parameters of a specific TLS profile.                       tls/profiles/{id}               GET
    Gets the name of the current TLS profile configured globally.        tls/profiles/global/            GET
    Sets one of the standard profiles that you specify globally.         tls/profiles/global/            PUT
      Note: This action restarts the vCenter Server services.
    Gets the parameters of the current TLS profile configured globally.  tls/manual-parameters/global    GET
      Note: Currently, you cannot change the parameters of a vCenter Server TLS profile.
  5. Execute the desired command.