Friday, December 29, 2017

PCI DSS 3.2 implementation date draws near - are you ready?

As all retailers know, becoming and staying compliant with Payment Card Industry (PCI) Data Security Standards (DSS) is a big job. PCI is THE ecommerce security standard and in order to accept payment with Visa, MasterCard, American Express, Discover and others, you must comply with their security standards.

The latest version of these standards, PCI DSS 3.2, were released back in April 2016 and had two specific requirements for changes to communication protocols, SSL v3 and TLS 1.0, both of which are to be removed by June 30, 2018.

As 2017 draws to a close, there are two dates in 2018 that are very important if your employer is subject to PCI DSS standards. The first is February 1, 2018 and the second is June 30, 2018.

Until January 31, 2018, the requirements introduced in PCI DSS 3.2 are considered best practices. Starting February 1, 2018 they are effective as requirements and must be used.

After June 30, 2018, all entities must have stopped the use of SSL/early TLS as a security control and use only secure versions of the protocol. This means you can no longer use any version of SSL and can only use TLS v1.1/1.2. Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.

Failure to meet these dates and requirements could cause your organization to fail audits and be subject to fees and penalties. The article below is dated, but provides a good overview of  the consequences of failing a PCI audit:

7 Critical Consequences Of Failing PCI Compliance - Forbes

If you're interested in learning more about PCI-DSS 3.2, you can review this document or research additional information on the PCI Security Standards Council site and the PCI Compliance Guide site:

https://blog.pcisecuritystandards.org/pci-dss-32-is-here
https://blog.pcisecuritystandards.org/reducing-risk-ssl-early-tls-mitigation-and-migration
https://www.pcicomplianceguide.org/whats-new-in-pci-dss-3-2/
https://www.pcicomplianceguide.org/pci-dss-v3-1-and-ssl-what-you-should-do-now/
https://www.pcicomplianceguide.org/ssl-and-early-tls-new-migration-dates-announced/

What you need to know about the VMware vSphere TLS Reconfiguration utility

Recently I have had a number of conversations about the VMware vSphere TLS Reconfiguration utility. This utility  is used to modify the TLS configuration for v6.0U3 / 6.5 / 6.5U1 of vCenter, ESXi and VUM (if you are using vCenter Server Appliance (VCSA) 6.5 or greater.)

The primary use for the utility is to disable TLS 1.0 across the core vSphere components (vCenter, ESXi and VUM). Additional information and details can be found in the following kb articles:

Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796)
Managing TLS protocol configuration for vSphere 6.5 (2147469)
Managing TLS protocol configuration for vSphere 6.0 Update 3 (2148819)

It is important to note that while there is only one TLS Reconfiguration utility, there are currently three versions of the utility available for each vCenter platform (Windows and VCSA).

As you upgrade your vCenter from 6.0U3 to 6.5 and then to 6.5U1, you must remember to also upgrade the TLS Reconfiguration utility at the same time. Failure to do so will result in errors and an unsupported configuration which I found out first hand when I forgot to update the utility after upgrading the VCSA.

I have put together the information below help identify the version of the TLS Reconfiguration utility goes with which version of vCenter and a quick link to the download.

You will need valid MyVMware credentials to access the utility and you should be logged in first to follow the download links in the table below.

TLS Reconfiguration version / vCenter version table:
TLS Reconfiguration Utility Build number
vSphere version
Download link
6.5.0-5597882
6.5 U1 (a,b,c,d)
6.5.0-4635484
6.5 GA (a,b,c,d,e,f)
6.0.0-5051284
6.0 U3 (a,b,c)
I hope this helps save you time and confusion!

Friday, March 17, 2017

Proceed with caution when upgrading to 6.0 Update 3 or Update 3a

As with any release, it is important to read the release notes...there are often some hidden nuggets of information that you need to know.

That is certainly the case with vSphere 6.0 Update 3 or Update 3a, especially if you are thinking about upgrading to vSphere 6.5 after that in a short timeframe.

According to the release notes for 6.0 Update 3, http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u3-release-notes.html, and 6.0U3a, http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u3a-release-notes.html, it is currently not supported to then upgrade to 6.5 from either release.

Here's the important snippet from the release notes:
Upgrade Notes for This Release

Upgrading from vCenter Server 6.0 Update 3 to vCenter Server 6.5 is not supported.


Update: It is now possible to upgrade from 6.0U3 to 6.5U1 which was released on July 27,2017.

Saturday, November 19, 2016

PCI DSS / FIPS 140-2 - TLS 1.0 / 1.1 disablement and VMware products

UPDATE - 3/4/2017

With the November 15, 2016 release of vSphere 6.5 and the February 28, 2017 release of vSphere 6.0 Update 3, VMware customers now have the ability to disable TLS 1.0 and TLS 1.1 for the majority of the VMware products they use. There are a few products still being worked on and updates or releases are pending. Specific product status is outlined in kb 2145796 and there is a link to the kb article below.

NOTE: Review the kb articles closely as there are caveats for some products that are still being addressed.

NOTE: If you don't see your product or version listed in the kb article, it is very possible it will not be updated to support TLS 1.0 / 1,1 disablement. You may need to upgrade to a newer version of a product to get support for TLS 1.0 / 1,1 disablement.

TLS 1.0 disablement is critical to pass PCI DSS compliance scans and audits which must be completed by June 30, 2018. In addition to PCI DSS, there are many regulatory bodies, government agencies and company policies which have security and compliance requirements for TLS 1.0 / 1.1 disablement. This includes FIPS 140-2 standard which requires a minimum of TLS 1.1 and recommends TLS 1.2.

Before attempting to disable TLS 1.0 or TLS 1.1, it is critical to review all VMware products along with any third party products you are using, such as backup or monitoring software that talk directly with either vCenter or ESXi hosts, to make sure they continue to function with TLS 1.0 / 1.1 disabled and only TLS 1.2 enabled. It is likely that updates will need to be installed for both VMware and third party products to versions which support TLS 1.0 / 1.1 disablement and utilize TLS 1.2 BEFORE attempting to disable TLS 1.0 or TLS 1.1.

Below are links to the official VMware kb articles and the location where you can download the scripts for either the Windows vCenter or the vCenter Appliance. The scripts are needed to change the TLS Configuration on vCenter, ESXi hosts and VUM. Other VMware products have their own kb article on how to manually change the TLS Configuration.

Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796)
https://kb.vmware.com/kb/2145796

vSphere 6.5:
Managing TLS protocol configuration for vSphere 6.5 (2147469)
https://kb.vmware.com/kb/2147469

Link to download TLS configuration script for vSphere 6.5:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC650

vSphere 6.0 Update 3:
Managing TLS protocol configuration for vSphere 6.0 Update 3 (2148819)
https://kb.vmware.com/kb/2148819

Link to download TLS configuration script for vSphere 6.0 Update 3:
https://my.vmware.com/group/vmware/get-download?downloadGroup=VC60U3

Thursday, January 21, 2016

Planning for VMtools after vSphere 5.5 U3b and 6.0 U1b updates

In September 2015, VMware announced the separation of the VMtools development and release cycles from vSphere releases.

Recently there were two releases, 5.5 U3b & 6.0 U1b which included VMtools v10.0, but a newer version, 10.0.5, is out which does contain some fixes.

As you plan your upgrades to either 5.5 U3b or 6.0 U1b and are looking to upgrade the VMtools package, I would take a close look at v10.0.5 and make it your standard version.

NOTE: This does not apply to Horizon View environments. As noted in a previous post, VMtools v10 are currently not supported on View environments.

Below is a link to the VMtools 10.0.5 download page where to find the latest version of the VMtools: https://my.vmware.com/web/vmware/details?downloadGroup=VMTOOLS1005&productId=491 

Here are links to a couple blog posts related to the separation of release cycles for VMtools from vSphere.

VMware Tools 10.0.0 Released

VMware Tools Lifecycle: Why Tools Can Drive You Crazy (and How to Avoid it!)