tc Server HORIZON must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-240806	VRAU-TC-000460	SV-240806r674436_rule		Medium

Description
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. vRA relies upon the OpenSSL suite of encryption libraries. A special carefully defined software component called the OpenSSL FIPS Object Module has been created from the OpenSSL libraries to provide FIPS 140-2 validated encryption. This Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.

Description

Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. FIPS 140-2 is the current standard for validating cryptographic modules and NSA Type-X (where X=1, 2, 3, 4) products are NSA-certified, hardware-based encryption modules. vRA relies upon the OpenSSL suite of encryption libraries. A special carefully defined software component called the OpenSSL FIPS Object Module has been created from the OpenSSL libraries to provide FIPS 140-2 validated encryption. This Module was designed for compatibility with OpenSSL so that products using the OpenSSL API can be converted to use validated cryptography with minimal effort.

STIG	Date
VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide	2021-06-23

Details

Check Text ( C-44039r674435_chk )
At the command prompt, execute the following command: grep bio-ssl.cipher.list /opt/vmware/horizon/workspace/conf/catalina.properties If the value of "bio-ssl.cipher.list" does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix Text (F-43998r674161_fix)
Navigate to and open /opt/vmware/horizon/workspace/conf/catalina.properties. Navigate to and locate "bio-ssl.cipher.list". Configure the "bio-ssl.cipher.list" with FIPS 140-2 compliant ciphers.