
The vCenter Server for Windows must enable revocation checking for certificate based authentication.


Overview

Finding ID: V-94823
Version: VCWN-65-000060
Rule ID: SV-104653r1_rule
IA Controls: (blank)
Severity: Medium

Description:
The system must establish the validity of the user-supplied identity certificate using OCSP and/or CRL revocation checking.

STIG: VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide
Date: 2020-03-27

Details

Check Text (C-94019r1_chk)
1. Log in to the Platform Services Controller web interface as administrator@vsphere.local from

https:///psc

In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

If you specified a different SSO domain during installation, log in as administrator@.

2. Browse to Single Sign-On > Configuration.

3. Click the "Smart Card Configuration" tab.

4. Click the "Certificate Revocation Settings" tab.

If "Revocation Check" does not show as enabled, this is a finding.
Fix Text (F-100947r1_fix)
1. Log in to the Platform Services Controller web interface as administrator@vsphere.local from

https:///psc

In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address.

If you specified a different SSO domain during installation, log in as administrator@.

2. Browse to Single Sign-On > Configuration.

3. Click the "Smart Card Configuration" tab.

4. Click the "Certificate Revocation Settings" tab.

5. Click the "Enable Revocation Check" button.

By default the PSC uses the CRL distribution point named in the certificate to check revocation status. OCSP with CRL fallback is recommended, but this setting is site-specific and should be configured to match the local PKI.
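The following is an added example, not VMware code and not part of the STIG, illustrating what "revocation check" with CRL fallback means for a verifier that must fail closed. It builds a throwaway CA, one valid and one revoked identity certificate, and a CRL, then classifies each certificate; a CRL from the wrong issuer, with a bad signature, or past its nextUpdate never yields "good". It assumes the third-party `cryptography` package is installed, and the OCSP responder answer is a constructed input, since a real responder would need network access.

```python
"""Added example (not VMware code): CRL revocation check with fail-closed handling.
Assumes the third-party `cryptography` package; the OCSP answer is a constructed input."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn="Constructed Test CA"):
    """Self-signed CA used only for this demonstration."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5)).not_valid_after(now + DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_user_cert(ca_key, ca_cert, cn):
    """End-entity certificate standing in for a smart-card identity certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(UTC)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5)).not_valid_after(now + DAY)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(signing_key, issuer_name, revoked_serials):
    """CRL listing `revoked_serials`; signing_key may differ from the issuer (forgery case)."""
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(now - datetime.timedelta(minutes=5))
        .next_update(now + DAY)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        )
    return builder.sign(signing_key, hashes.SHA256())


def _next_update(crl):
    nu = getattr(crl, "next_update_utc", None)   # cryptography >= 42 (tz-aware)
    if nu is None:
        nu = crl.next_update.replace(tzinfo=UTC)  # older releases return naive UTC
    return nu


def crl_status(cert, crl, ca_cert, now=None):
    """Return 'good', 'revoked' or 'undetermined'. Only a fresh CRL, correctly
    signed by the issuing CA, can ever report 'good' (fail closed otherwise)."""
    now = now or datetime.datetime.now(UTC)
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "undetermined"                     # wrong issuer or bad signature
    if _next_update(crl) < now:
        return "undetermined"                     # stale CRL
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if entry is not None else "good"


def revocation_decision(ocsp_answer, cert, crl, ca_cert, crl_fallback=True):
    """OCSP first; consult the CRL only if the responder gave no answer and
    fallback is enabled. `ocsp_answer` is 'good', 'revoked' or 'unavailable'."""
    if ocsp_answer in ("good", "revoked"):
        return ocsp_answer
    return crl_status(cert, crl, ca_cert) if crl_fallback else "undetermined"


def run_demo():
    """Decision for each constructed scenario; only 'good' should admit a user."""
    ca_key, ca_cert = make_ca()
    ok_cert = issue_user_cert(ca_key, ca_cert, "alice")
    bad_cert = issue_user_cert(ca_key, ca_cert, "mallory")
    crl = build_crl(ca_key, ca_cert.subject, [bad_cert.serial_number])
    forged_crl = build_crl(ec.generate_private_key(ec.SECP256R1()), ca_cert.subject, [])
    far_future = datetime.datetime.now(UTC) + 30 * DAY
    return {
        "valid_cert": revocation_decision("unavailable", ok_cert, crl, ca_cert),
        "revoked_cert": revocation_decision("unavailable", bad_cert, crl, ca_cert),
        "ocsp_says_revoked": revocation_decision("revoked", ok_cert, crl, ca_cert),
        "no_fallback": revocation_decision("unavailable", ok_cert, crl, ca_cert, False),
        "forged_crl": crl_status(bad_cert, forged_crl, ca_cert),
        "stale_crl": crl_status(ok_cert, crl, ca_cert, now=far_future),
    }


if __name__ == "__main__":
    for scenario, status in run_demo().items():
        print(f"{scenario:18} -> {status}")
```

The "no_fallback" and "stale_crl" scenarios are the ones to watch when choosing the site-specific setting: with OCSP only and no CRL fallback, a responder outage leaves every smart-card login undetermined, and a CRL the PSC cannot refresh before its nextUpdate has the same effect. Whatever combination is chosen, the status an unreachable or untrustworthy source produces must never be treated as "good".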