Configuring the Cryptographic Functionality
You can use ESXCLI to manage the cryptographic functionality. The following examples require restarting the HTTP proxy or a host reboot. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.

    esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s <value>
    esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s <value>
You can use the /UserVars/ESXiVPsDisabledProtocols advanced option to specify the protocols that are disabled when establishing secure communications with ESXi. The value is a comma-separated list of protocols. The valid values are sslv3, tlsv1, tlsv1.1, and tlsv1.2. For example, to disable sslv3, tlsv1, and tlsv1.1, you can run the following command.

    esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3,tlsv1,tlsv1.1"
You can use the /UserVars/ESXiVPsAllowedCiphers advanced option to specify the ciphers allowed for secure communications with ESXi. The value is a colon-separated list of ciphers, in the form required by the OpenSSL SSL_CTX_set_cipher_list API. The command has the following syntax.

    esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s <cipherlist>
The following example can potentially affect guest-related key destruction.

How memory pages are zeroed out for virtual machines and user-space applications is determined by the /Mem/MemEagerZero advanced option. This option determines how long residual information resides in memory after it is no longer in use. When /Mem/MemEagerZero is set to 0, which is the default value, memory pages are zeroed when they are allocated to virtual machines and user-space applications. While this prevents exposing information from virtual machines to other clients, previous content can remain present in memory for a long time if the memory is not reused. For more immediate content destruction, you can set /Mem/MemEagerZero to 1. In this case, memory pages are zeroed when a user-space application exits. For virtual machines, memory pages are zeroed when the virtual machine powers off, when its pages are migrated, or when virtual machine memory is reclaimed. For example, to set /Mem/MemEagerZero to 1, use the following command.

    esxcli <conn_options> system settings advanced set -o /Mem/MemEagerZero -i 1
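The two settings above can be audited after the fact by reading them back with `esxcli system settings advanced list -o <option>`. The script below is an added example, not part of the VMware documentation: it parses the `String Value:` and `Int Value:` fields of that listing and reports which legacy protocols are still enabled and whether eager zeroing is on. The two listings embedded in it are constructed to mimic the esxcli output format, not captured from a host.

```shell
#!/bin/sh
# Added example: audit /UserVars/ESXiVPsDisabledProtocols and /Mem/MemEagerZero
# from the output of `esxcli <conn_options> system settings advanced list -o <option>`.
# Both listings below are CONSTRUCTED to mimic that output; they are not real captures.

SAMPLE_PROTOCOLS='   Path: /UserVars/ESXiVPsDisabledProtocols
   Type: string
   Int Value: 0
   String Value: sslv3,tlsv1
   Default String Value: sslv3
   Description: Disabled protocols for secure communications'

SAMPLE_EAGER_ZERO='   Path: /Mem/MemEagerZero
   Type: integer
   Int Value: 0
   Default Int Value: 0
   String Value:
   Description: Zero memory pages eagerly'

# Extract one "<Field>: value" line from an esxcli advanced-option listing.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: *//p"
}

# Print each legacy protocol (sslv3, tlsv1, tlsv1.1) absent from the comma-separated
# DisabledProtocols value, one per line. Wrapping the value in commas stops "tlsv1"
# from matching inside "tlsv1.1". Prints nothing when only tlsv1.2 remains enabled.
missing_disabled_protocols() {
    value=",$(printf '%s' "$1" | tr -d ' '),"
    for proto in sslv3 tlsv1 tlsv1.1; do
        case "$value" in
            *",$proto,"*) ;;
            *) printf '%s\n' "$proto" ;;
        esac
    done
}

# Succeed only when the listing shows /Mem/MemEagerZero set to 1.
eager_zero_enabled() {
    [ "$(field 'Int Value' "$1")" = "1" ]
}

# Report on both listings; return 1 if either setting needs attention.
audit() {
    rc=0
    missing=$(missing_disabled_protocols "$(field 'String Value' "$1")")
    [ -n "$missing" ] && { echo "Still enabled: $(echo "$missing" | tr '\n' ' ')"; rc=1; }
    eager_zero_enabled "$2" || { echo "/Mem/MemEagerZero is 0: freed memory is zeroed only on reuse"; rc=1; }
    return $rc
}

if audit "$SAMPLE_PROTOCOLS" "$SAMPLE_EAGER_ZERO"; then echo "OK"; else echo "Needs attention"; fi
```

On a real host, replace the two constructed listings with the output of the `esxcli ... system settings advanced list -o` command for each option.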