The vAMI must transmit only encrypted representations of passwords.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-90223	VRAU-VA-000235	SV-100873r1_rule		High

Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.

Description

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.

STIG	Date
VMW vRealize Automation 7.x vAMI Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-89915r1_chk )
At the command prompt, execute the following command: grep '^ssl.engine' /opt/vmware/etc/lighttpd/lighttpd.conf If the value of "ssl.engine" is not set to "enable", or is missing or is commented out, this is a finding.

Fix Text (F-96965r1_fix)
Navigate to and open /opt/vmware/etc/lighttpd/lighttpd.conf. Configure the lighttpd.conf file with the following value: 'ssl.engine = "enable"'