You are following Managing TLS protocol configuration for vSphere 6.5 (2147469) to disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2 on 6.5b vCenter Server with an embedded Platform Services Controller.
When you run reconfigureVc update -p TLSv1.1 TLSv1.2 you receive the following error – vami-lighttp supports either pure TLSv1.2 or all TLS versions. Falling back to all TLS versions.
Note – This happens on the external PSCs (which are done last)
vSphere Update Manager
vCenter Server
ESXi hosts
Platform Services Controller
- Log in to the VAMI (:5480) to enable SSH and bash
- Putty into the VCSA and type in the following so you can WinSCP in: chsh -s /bin/bash
- WinSCP in and upload VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm to /tmp. Do not exit WinSCP so you can download a copy of the backup file.
VMware vSphere TLS Configurator – download
- Disable WinSCP: chsh -s /bin/appliancesh
- rpm -Uvh /tmp/VMware-vSphereTlsReconfigurator-6.5.0-4635484.x86_64.rpm
- /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/./reconfigureVc backup -d /tmp/tls-backup
Using the WinSCP you left open, download /tmp/tls-backup
Download the /usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/README file. That is how I found the server only command line.
- Disable TLSv1.0 and enable both TLSv1.1 and TLSv1.2
/usr/lib/vmware-vSphereTlsReconfigurator/VcTlsReconfigurator/./reconfigureVc update -p TLSv1.1 TLSv1.2
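
Because vami-lighttp can fall back to all TLS versions, it is worth confirming per port what the appliance accepts after the update. The script below is an added example, not part of the original post or of VMware's tooling; it assumes an openssl client is available on the machine you test from, and the script name, host and any port other than 5480 are your own inputs.

```shell
#!/bin/sh
# Added example: from a client machine, check which TLS versions a port accepts
# after "reconfigureVc update -p TLSv1.1 TLSv1.2".
# Policy from the post: TLSv1.0 rejected, TLSv1.1 and TLSv1.2 accepted.

# One handshake pinned to a single protocol version.
# $1 host, $2 port, $3 s_client version flag without the dash (tls1, tls1_1, tls1_2).
# Exit status 0 means the server completed the handshake at that version.
probe_tls() {
    openssl s_client -connect "$1:$2" "-$3" </dev/null >/dev/null 2>&1
}

# Name of the probe function; overridable so the policy logic runs without a network.
PROBE=${PROBE:-probe_tls}

# Print one line per version for host $1, port $2: "host:port flag got verdict".
# Returns 0 when the port matches the policy, 1 on any mismatch.
audit_port() {
    a_host=$1 a_port=$2 a_rc=0
    for pair in tls1:rejected tls1_1:accepted tls1_2:accepted; do
        flag=${pair%%:*} want=${pair#*:}
        if "$PROBE" "$a_host" "$a_port" "$flag"; then got=accepted; else got=rejected; fi
        if [ "$got" = "$want" ]; then verdict=ok; else verdict=MISMATCH a_rc=1; fi
        echo "$a_host:$a_port $flag $got $verdict"
    done
    return "$a_rc"
}

# Usage: sh tls_audit.sh HOST PORT [PORT...]   (script name is hypothetical)
if [ "$#" -ge 2 ]; then
    target=$1; shift
    status=0
    for p in "$@"; do
        audit_port "$target" "$p" || status=1
    done
    exit "$status"
fi
```

A client whose openssl build or security level refuses TLSv1.0 or TLSv1.1 reports "rejected" no matter what the server allows, and an unreachable port also shows as "rejected", so run this from a client that can still negotiate the old versions.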