VMware vSphere SDKs and Tools 8.0

8.0 7.0 6.7 6.5

Configuring the Cryptographic Functionality

You can use ESXCLI to manage the cryptographic functionality.
The following examples require restarting the HTTP proxy or a host reboot. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of
<conn_options>
. 
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s <value>
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s <value>
You can use the
/UserVars/ESXiVPsDisabledProtocols
 advanced option to specify the protocols that are disabled when establishing secure communications with
ESXi
. The value is a comma-separated list of protocols. The valid values are
sslv3
,
tlsv1
,
tlsv1.1
,
tlsv1.2
. For example, to disable
sslv3
,
tlsv1
, and
tlsv1.1
, you can run the following command. 
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsDisabledProtocols -s "sslv3,tlsv1,tlsv1.1"
You can use the
/UserVars/ESXiVPsAllowedCiphers
 advanced option to specify the ciphers allowed for secure communcations with
ESXi
. The value is a colon-separated list of ciphers, in the form required by the OpenSSL
SSL_CTX_set_cipher_list
 API. The command has the following syntax. 
esxcli <conn_options> system settings advanced set -o /UserVars/ESXiVPsAllowedCiphers -s <cipherlist>
The following example can potentially affect guest-related key destruction.
How memory pages are zeroed out for virtual machines and user-space applications is determined by the
/Mem/MemEagerZero
 advanced option. This option determines how long residual information resides in memory after it is no longer in use.
When
/Mem/MemEagerZero
 is set to 0, which is the default value, memory pages are zeroed when they are allocated to virtual machines and user-space applications. While this prevents exposing information from virtual machines to other clients, previous content can remain present in memory for a long time if the memory is not reused.
For more immediate content destruction, you can set
/Mem/MemEagerZero
 to 1. In this case, memory pages are zeroed when a user-space application exits. For virtual machines, memory pages are zeroed when the virtual machine powers off, when its pages are migrated, or when virtual machine memory is reclaimed.
For example, to set
/Mem/MemEagerZero
 to 1, use the following command.
esxcli <conn_options> system settings advanced set -o /Mem/MemEagerZero -i 1

Content feedback and comments