Envoy must exclusively use the HTTPS protocol for client connections.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-256742 | VCRP-70-000006 | SV-256742r889164_rule | CCI-002314 | medium |
| Description | ||||
| Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an encrypted session of HTTPS rather than plain-text HTTP. The Secure Sockets Layer (SSL) configuration block inside the rhttpproxy configuration must be present and correctly configured to safely enable Transport Layer Security (TLS). | ||||
| STIG | Date | |||
| VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide | 2023-02-21 | |||
Details
Check Text (C-256742r889164_chk)
At the command prompt, run the following command:
# xmllint --xpath '/config/ssl' /etc/vmware-rhttpproxy/config.xml
Expected result:
<ssl>
<!-- The server private key file -->
<privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
<!-- The server side certificate file -->
<certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
<!-- vecs server name. Currently vecs runs on all node types. -->
<vecsServerName>localhost</vecsServerName>
</ssl>
If the output does not match the expected result, this is a finding.
Fix Text (F-60360r889163_fix)
Navigate to and open:
/etc/vmware-rhttpproxy/config.xml
Locate the first <ssl> block and set its content to the following:
<ssl>
<!-- The server private key file -->
<privateKey>/etc/vmware-rhttpproxy/ssl/rui.key</privateKey>
<!-- The server side certificate file -->
<certificate>/etc/vmware-rhttpproxy/ssl/rui.crt</certificate>
<!-- vecs server name. Currently vecs runs on all node types. -->
<vecsServerName>localhost</vecsServerName>
</ssl>
Restart the service for changes to take effect.
# vmon-cli --restart rhttpproxy