vRealize Operations Manager disables SSLv3 by default. You must disable weak protocols on all load balancers before you put the system into production.

Procedure

  1. Verify which protocols are enabled by running the following commands on each node:
    grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.properties | grep -v '#'

    The following result is expected:

    cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1

    grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.native.properties | grep -v '#'

    The following result is expected:

    cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1

    grep cluster-ssl-protocol /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties | grep -v '#'

    The following result is expected:

    cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1

  2. Disable TLS 1.0.
    1. Navigate to the administrator user interface at url/admin.
    2. Click Bring Offline.
    3. To disable SSLv3 and TLS 1.0, run the following commands:
      sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
      sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
      sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties

      Repeat this step for each node.

    4. Navigate to the administrator user interface.
    5. Click Bring Online.
  3. Reenable TLS 1.0.
    1. Navigate to the administrator user interface to bring the cluster offline: url/admin.
    2. Click Bring Offline.
    3. To reenable TLS 1.0 while keeping SSLv3 disabled, run the following commands:
      sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1" /usr/lib/vmware-vcops/user/conf/gemfire.properties
      sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1" /usr/lib/vmware-vcops/user/conf/gemfire.native.properties
      sed -i "/^[^#]*cluster-ssl-protocol/ c\cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1" /usr/lib/vmware-vcops/user/conf/gemfire.locator.properties

      Repeat this step for each node.

    4. Navigate to the administrator user interface to bring the cluster online.
    5. Click Bring Online.
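
The verification in step 1 can be scripted so that every node is checked the same way after the change. The following is an added example, not VMware code: the function names and the weak-protocol list are assumptions of this example, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not VMware code): audit the active cluster-ssl-protocols value.
# Protocols the procedure removes; treated as weak here (assumption of this example).
WEAK_PROTOCOLS="SSLv3 TLSv1"

# Print the uncommented cluster-ssl-protocols value of one file (same filter as step 1).
active_protocols() {
    grep 'cluster-ssl-protocol' "$1" 2>/dev/null | grep -v '#' |
        sed -n 's/^[[:space:]]*cluster-ssl-protocols[[:space:]]*=[[:space:]]*//p' | tail -n 1
}

# Return 0 if only strong protocols are listed, 1 if a weak one is, 2 if the setting is absent.
# Tokens are compared whole, so TLSv1 does not match TLSv1.1 or TLSv1.2.
audit_file() {
    value=$(active_protocols "$1")
    if [ -z "$value" ]; then
        echo "MISSING $1"
        return 2
    fi
    for proto in $value; do
        for weak in $WEAK_PROTOCOLS; do
            if [ "$proto" = "$weak" ]; then
                echo "WEAK    $1: $value"
                return 1
            fi
        done
    done
    echo "OK      $1: $value"
    return 0
}

# Audit the three GemFire property files of a node; non-zero if any file fails.
audit_node() {
    conf_dir=${1:-/usr/lib/vmware-vcops/user/conf}
    node_rc=0
    for name in gemfire.properties gemfire.native.properties gemfire.locator.properties; do
        audit_file "$conf_dir/$name" || node_rc=1
    done
    return $node_rc
}

# Constructed sample: one file still on the default, two already hardened.
demo=$(mktemp -d)
echo 'cluster-ssl-protocols=TLSv1.2 TLSv1.1 TLSv1' > "$demo/gemfire.properties"
echo 'cluster-ssl-protocols=TLSv1.2 TLSv1.1' > "$demo/gemfire.native.properties"
printf '#cluster-ssl-protocols=SSLv3\ncluster-ssl-protocols=TLSv1.2 TLSv1.1\n' > "$demo/gemfire.locator.properties"
audit_node "$demo" || echo "node is not compliant"
rm -rf "$demo"
```

On a real node, call `audit_node` with no argument to check the default configuration directory.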