The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256442	ESXI-70-000090	SV-256442r958408_rule	CCI-000068	medium
Description
ESXi runs a reverse proxy service called rhttpproxy that front ends internal services and application programming interfaces (APIs) over one HTTPS port by redirecting virtual paths to localhost ports. This proxy implements a FIPS 140-2 validated OpenSSL cryptographic module that is in FIPS mode by default. This configuration must be validated and maintained to protect the traffic that rhttpproxy manages.
STIG			Date
VMware vSphere 7.0 ESXi Security Technical Implementation Guide			2025-02-11

Related Frameworks

3 paths across 3 frameworks

NIST 800-531 mapping

AC-17(2)

1.00

DISA · V1R4 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1711 mapping

3.1.13

1.00

DISA · V1R4 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000068

1.00

DISA · V1R4 · disa_xccdf · related

Details

Check Text (C-256442r958408_chk)

From an ESXi shell, run the following command: # esxcli system security fips140 rhttpproxy get or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $esxcli.system.security.fips140.rhttpproxy.get.invoke() Expected result: Enabled: true If the output does not match the expected result, this is a finding.

Fix Text (F-60060r886106_fix)

From an ESXi shell, run the following command: # esxcli system security fips140 rhttpproxy set -e true or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: $esxcli = Get-EsxCli -v2 $arguments = $esxcli.system.security.fips140.rhttpproxy.set.CreateArgs() $arguments.enable = $true $esxcli.system.security.fips140.rhttpproxy.set.Invoke($arguments)