Recent ESXi versions use TLS 1.1 and TLS 1.2 by default for the WBEM SFCB daemon. The SapphireIMS WBEM client component, however, works with SSLv3 and TLS 1.0, so SapphireIMS fails to discover such ESXi hosts with the error “Unable to connect”.
If you look at the /var/log/syslog file on the ESXi server when the client tries to connect, you will see log entries like these:
sfcb-CIMXML-Processor : Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
We are in the process of upgrading our client component. Until then, the workaround is to allow SSLv3 or TLS 1.0 in the daemon so that the client can negotiate properly during connection.
The steps to configure on the ESXi server are:
- esxcli system wbem set --enable 0
- Edit the file /etc/sfcb/sfcb.cfg, add the lines below, and save
enableSSLv3: false
enableTLSv1: true
enableTLSv1_1: false
enableTLSv1_2: false
- /etc/init.d/sfcbd-watchdog restart
- /etc/init.d/wsman restart
- esxcli system wbem set --enable 1
- chkconfig sfcbd-watchdog on
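
To confirm which protocol switches sfcb.cfg actually sets after the edit, and to spot hosts still carrying the workaround once the client is upgraded, the following added example (not VMware or SapphireIMS code) audits the file. The function names are hypothetical, and it assumes `key: value` lines as shown above, reporting the last occurrence when a key is repeated.

```shell
#!/bin/sh
# Added example: report the SSL/TLS protocol switches set in an sfcb.cfg
# file and flag legacy protocols. Function names are hypothetical.

# sfcb_setting FILE KEY -> prints the value of "KEY: value", or "unset".
# Assumption: if a key is repeated, the last occurrence is reported.
# Commented-out lines (leading '#') are ignored by the anchored pattern.
sfcb_setting() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*/\1/p" "$1" | tail -n 1)
    echo "${val:-unset}"
}

# audit_sfcb_tls FILE -> prints one line per protocol switch.
# Returns 1 if SSLv3 or TLS 1.0 is enabled (workaround state), else 0.
audit_sfcb_tls() {
    cfg=$1
    legacy=0
    for key in enableSSLv3 enableTLSv1 enableTLSv1_1 enableTLSv1_2; do
        val=$(sfcb_setting "$cfg" "$key" | tr '[:upper:]' '[:lower:]')
        note=""
        case "$key:$val" in
            enableSSLv3:true|enableTLSv1:true)
                note="  <-- legacy protocol enabled"; legacy=1 ;;
            enableTLSv1_1:false|enableTLSv1_2:false)
                note="  <-- newer protocol disabled" ;;
        esac
        echo "$key=$val$note"
    done
    return $legacy
}

# Constructed sample: the four lines this page adds to /etc/sfcb/sfcb.cfg.
sample=$(mktemp)
cat > "$sample" <<'EOF'
enableSSLv3: false
enableTLSv1: true
enableTLSv1_1: false
enableTLSv1_2: false
EOF
audit_sfcb_tls "$sample" || echo "RESULT: workaround active, revert after the client upgrade"
rm -f "$sample"
```

On a host, call `audit_sfcb_tls /etc/sfcb/sfcb.cfg`; a non-zero return marks a host that still has SSLv3 or TLS 1.0 enabled.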