ESXi 6.7 host server discovery is failing with an "unable to connect" error using the WBEM secure protocol, though port 5989 is accessible and the credentials are correct. What could be the issue?

Latest ESXi versions support TLS 1.1 and TLS 1.2 as the default ciphers to be used for the WBEM SFCB daemon. However, the SapphireIMS WBEM client component works with SSLv3 and TLS 1.0 ciphers, so SapphireIMS fails to discover such ESXi hosts with the error “Unable to connect”.
If you look at the /var/log/syslog file on the ESXi server when the client tries to connect, you will see logs like:

sfcb-CIMXML-Processor : Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

We are in the process of upgrading our client component; until then, the workaround is to allow SSLv3 or TLS 1.0 ciphers in the daemon so that the client can properly negotiate ciphers during the connection.
The steps to configure on the ESXi server are:

  1. esxcli system wbem set --enable 0
  2. Edit the file /etc/sfcb/sfcb.cfg, add the lines below and save
    enableSSLv3: false
    enableTLSv1: true
    enableTLSv1_1: false
    enableTLSv1_2: false
  3. /etc/init.d/sfcbd-watchdog restart
  4. /etc/init.d/wsman restart
  5. esxcli system wbem set --enable 1
  6. chkconfig sfcbd-watchdog on
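Two checks worth running around the workaround above, as an added example that is not code from the original post, SapphireIMS or VMware: an audit of the sfcb.cfg protocol toggles (which shows that the posted workaround switches TLS 1.2 off for every client, not just the legacy one, whereas enabling TLS 1.0 alongside TLS 1.2 is enough if sfcb negotiates the version per connection, as an OpenSSL-based listener does), a matcher for the "wrong version number" / "unknown protocol" syslog signature quoted in the post, and a live per-version handshake probe of port 5989. The sfcb.cfg keys and the syslog strings are the ones the post quotes; the config excerpts, the extra log line and the host name are constructed placeholders.

```python
"""Check the sfcb TLS situation described above, from the admin side.

Added example, not code from the original post, SapphireIMS or VMware.
The sfcb.cfg keys and the syslog strings are the ones quoted in the post;
the two config excerpts and the log sample below are constructed, and
HOST/PORT are placeholders for a real ESXi host.
"""
import re
import socket
import ssl

HOST = "esxi-host.example.invalid"   # placeholder, not a real host
PORT = 5989                          # CIM-XML over TLS, as in the post

# sfcb.cfg key -> protocol version it toggles
TLS_KEYS = {
    "enableSSLv3": "SSLv3",
    "enableTLSv1": "TLSv1.0",
    "enableTLSv1_1": "TLSv1.1",
    "enableTLSv1_2": "TLSv1.2",
}

# Constructed excerpt: the workaround exactly as the post gives it.
WORKAROUND_CFG = """\
# /etc/sfcb/sfcb.cfg (constructed excerpt)
enableSSLv3: false
enableTLSv1: true
enableTLSv1_1: false
enableTLSv1_2: false
"""

# Constructed excerpt: TLS 1.0 for the legacy client, TLS 1.2 kept for
# everyone else. Assumes sfcb negotiates the version per connection,
# which an OpenSSL-based listener does.
NARROWER_CFG = """\
enableSSLv3: false
enableTLSv1: true
enableTLSv1_1: true
enableTLSv1_2: true
"""

# Syslog lines quoted in the post, plus one constructed unrelated line.
SYSLOG_SAMPLE = [
    "sfcb-CIMXML-Processor : Error accepting SSL connection",
    "sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:",
    "sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number",
    "sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    "sfcb-CIMXML-Processor : accepted connection from 192.0.2.10",  # constructed
]

VERSION_MISMATCH = re.compile(
    r"sfcb-CIMXML-Processor.*(wrong version number|unknown protocol)")


def parse_sfcb_tls(cfg_text):
    """Map each protocol version to True/False from 'key: value' lines.

    '#' starts a comment. A key that is absent maps to None so the
    caller cannot confuse 'not set' with 'explicitly disabled'.
    """
    state = dict.fromkeys(TLS_KEYS.values())
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition(":")
        if sep and key.strip() in TLS_KEYS:
            state[TLS_KEYS[key.strip()]] = val.strip().lower() == "true"
    return state


def audit(cfg_text):
    """Return the findings a reviewer would raise about a sfcb.cfg excerpt."""
    state = parse_sfcb_tls(cfg_text)
    findings = []
    for ver in ("SSLv3", "TLSv1.0"):
        if state[ver]:
            findings.append(f"{ver} enabled (legacy client accommodation)")
    if state["TLSv1.2"] is False:
        findings.append("TLSv1.2 explicitly disabled: no strong version left for other clients")
    return findings


def find_version_mismatch(log_lines):
    """Pick out the sfcb lines that mean 'client spoke a version the daemon refuses'."""
    return [line for line in log_lines if VERSION_MISMATCH.search(line)]


def probe_versions(host=HOST, port=PORT, timeout=5):
    """One handshake per version; reports which ones the daemon accepts.

    Network call, not part of the offline checks. Certificate checks are
    off on purpose: only version negotiation is under test. A modern
    OpenSSL may refuse to offer TLS 1.0/1.1 at its default security level;
    that surfaces here as a client-side error, not a server rejection.
    """
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1),
                ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2))
    results = {}
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let legacy suites be offered
        except ssl.SSLError:
            pass  # library without security levels: keep its defaults
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = f"accepted ({tls.version()})"
        except ssl.SSLError as exc:
            results[name] = f"rejected: {exc.reason}"
        except (OSError, ValueError) as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    print("workaround findings:", audit(WORKAROUND_CFG))
    print("narrower findings:  ", audit(NARROWER_CFG))
    print("mismatch lines:     ", len(find_version_mismatch(SYSLOG_SAMPLE)))
    print(probe_versions())  # needs a reachable ESXi host on HOST:PORT
```

Run `probe_versions()` against the host before and after editing sfcb.cfg: before the change only TLS 1.2 (and 1.1) should be accepted, after it TLS 1.0 should be too. `audit(WORKAROUND_CFG)` flags that the posted workaround also disables TLS 1.2, which nothing in the client's requirement calls for; `audit(NARROWER_CFG)` only reports the TLS 1.0 accommodation itself, which is the finding to track until the client component is upgraded.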