Friday, December 29, 2017

PCI DSS 3.2 implementation date draws near - are you ready?

As all retailers know, becoming and staying compliant with the Payment Card Industry (PCI) Data Security Standard (DSS) is a big job. PCI is THE ecommerce security standard, and in order to accept payment with Visa, MasterCard, American Express, Discover and others, you must comply with their security standards.

The latest version of these standards, PCI DSS 3.2, was released back in April 2016 and includes two specific requirements concerning communication protocols: SSL v3 and TLS 1.0 are both to be removed by June 30, 2018.

As 2017 draws to a close, there are two dates in 2018 that are very important if your employer is subject to PCI DSS standards. The first is February 1, 2018 and the second is June 30, 2018.

Until January 31, 2018, the requirements introduced in PCI DSS 3.2 are considered best practices. Starting February 1, 2018 they are effective as requirements and must be used.

After June 30, 2018, all entities must have stopped the use of SSL/early TLS as a security control and use only secure versions of the protocol. This means you can no longer use any version of SSL and can only use TLS v1.1/1.2. Prior to June 30, 2018, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
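As an added example (my code, not part of the original post), here is a small Python check for the two dates above: probe() asks a server, such as a vCenter or ESXi host on port 443, which protocol versions it will still negotiate, and assess() classifies the result against the PCI DSS 3.2 timeline. The names assess, probe, PCI_DEADLINE and the protocol sets are my own, and the SECLEVEL tweak assumes an OpenSSL-based Python build.

```python
import socket
import ssl
from datetime import date

PCI_DEADLINE = date(2018, 6, 30)   # after this, SSL/early TLS is no longer a valid control
EARLY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}   # "SSL/early TLS" in PCI DSS 3.2 terms
ACCEPTED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}       # the only versions allowed after the cut-over


def assess(enabled, as_of):
    """Classify negotiated versions against the PCI DSS 3.2 timeline: before the cut-over
    early TLS needs a Risk Mitigation and Migration Plan, after it the version must be off."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    early = sorted(p for p in enabled if p in EARLY_PROTOCOLS)
    unknown = sorted(p for p in enabled if p not in EARLY_PROTOCOLS | ACCEPTED_PROTOCOLS)
    if not early:
        status = "compliant"
    elif as_of <= PCI_DEADLINE:
        status = "mitigation plan required"
    else:
        status = "non-compliant"
    return {"status": status, "early_tls": early, "unrecognised": unknown}


# Versions the ssl module can offer one at a time (SSLv2 cannot be probed this way).
_PROBE = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1.0": ssl.TLSVersion.TLSv1,
          "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2}


def probe(host, port=443, timeout=5.0):
    """Return the set of protocol versions with which the server completes a handshake."""
    enabled = set()
    for name, version in _PROBE.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False   # certificate validity is not what is being measured
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let an OpenSSL 3 client offer TLS 1.0/1.1
        except ssl.SSLError:
            pass                                    # non-OpenSSL build: keep the defaults
        try:
            ctx.minimum_version = ctx.maximum_version = version  # pin to exactly one version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    enabled.add(name)
        except (ssl.SSLError, ValueError, OSError):
            pass  # refused by the server, or the local library cannot offer it (false negative)
    return enabled
```

A version the local OpenSSL build cannot offer at all shows up as "not enabled", so confirm with a second client before treating a host as clean.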

Failure to meet these dates and requirements could cause your organization to fail audits and be subject to fees and penalties. The article below is dated, but provides a good overview of the consequences of failing a PCI audit:

7 Critical Consequences Of Failing PCI Compliance - Forbes

If you're interested in learning more about PCI-DSS 3.2, you can review this document or research additional information on the PCI Security Standards Council site and the PCI Compliance Guide site:

https://blog.pcisecuritystandards.org/pci-dss-32-is-here
https://blog.pcisecuritystandards.org/reducing-risk-ssl-early-tls-mitigation-and-migration
https://www.pcicomplianceguide.org/whats-new-in-pci-dss-3-2/
https://www.pcicomplianceguide.org/pci-dss-v3-1-and-ssl-what-you-should-do-now/
https://www.pcicomplianceguide.org/ssl-and-early-tls-new-migration-dates-announced/

What you need to know about the VMware vSphere TLS Reconfiguration utility

Recently I have had a number of conversations about the VMware vSphere TLS Reconfiguration utility. This utility is used to modify the TLS configuration for v6.0U3 / 6.5 / 6.5U1 of vCenter, ESXi and VUM (if you are using vCenter Server Appliance (VCSA) 6.5 or later).

The primary use for the utility is to disable TLS 1.0 across the core vSphere components (vCenter, ESXi and VUM). Additional information and details can be found in the following kb articles:

Status of TLSv1.1/1.2 Enablement and TLSv1.0 Disablement across VMware products (2145796)
Managing TLS protocol configuration for vSphere 6.5 (2147469)
Managing TLS protocol configuration for vSphere 6.0 Update 3 (2148819)

It is important to note that while there is only one TLS Reconfiguration utility, there are currently three versions of the utility available for each vCenter platform (Windows and VCSA).

As you upgrade your vCenter from 6.0U3 to 6.5 and then to 6.5U1, you must remember to also upgrade the TLS Reconfiguration utility at the same time. Failure to do so will result in errors and an unsupported configuration, which I found out first-hand when I forgot to update the utility after upgrading the VCSA.

I have put together the information below to help identify which version of the TLS Reconfiguration utility goes with which version of vCenter, along with a quick link to the download.

You will need valid MyVMware credentials to access the utility and you should be logged in first to follow the download links in the table below.

TLS Reconfiguration version / vCenter version table:

TLS Reconfiguration Utility build number | vSphere version     | Download link
6.5.0-5597882                            | 6.5 U1 (a,b,c,d)    |
6.5.0-4635484                            | 6.5 GA (a,b,c,d,e,f) |
6.0.0-5051284                            | 6.0 U3 (a,b,c)      |

I hope this helps save you time and confusion!

Friday, March 17, 2017

Proceed with caution when upgrading to 6.0 Update 3 or Update 3a

As with any release, it is important to read the release notes...there are often some hidden nuggets of information that you need to know.

That is certainly the case with vSphere 6.0 Update 3 or Update 3a, especially if you are thinking about upgrading to vSphere 6.5 after that in a short timeframe.

According to the release notes for 6.0 Update 3, http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u3-release-notes.html, and 6.0U3a, http://pubs.vmware.com/Release_Notes/en/vsphere/60/vsphere-vcenter-server-60u3a-release-notes.html, it is currently not supported to then upgrade to 6.5 from either release.

Here's the important snippet from the release notes:
Upgrade Notes for This Release

Upgrading from vCenter Server 6.0 Update 3 to vCenter Server 6.5 is not supported.

Update: It is now possible to upgrade from 6.0U3 to 6.5U1, which was released on July 27, 2017.