Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-94823 | VCWN-65-000060 | SV-104653r1_rule | Medium |
Description |
---|
The system must establish the validity of the user supplied identity certificate using OCSP and/or CRL revocation checking. |
STIG | Date |
---|---|
VMware vSphere 6.5 vCenter Server for Windows Security Technical Implementation Guide | 2020-03-27 |
Check Text ( C-94019r1_chk ) |
---|
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https:// In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@ 2. Browse to Single Sign-On > Configuration. 3. Click the "Smart Card Configuration" tab 4. Click the "Certificate Revocation Settings" tab If "Revocation Check" does not show as enabled, this is a finding. |
Fix Text (F-100947r1_fix) |
---|
1. Login to the Platform Services Controller web interface with administrator@vsphere.local from https:// In an embedded deployment the Platform Services Controller host name or IP address is the same as the vCenter Server host name or IP address. If you specified a different SSO domain during installation, log in as administrator@ 2. Browse to Single Sign-On > Configuration. 3. Click the "Smart Card Configuration" tab 4. Click the "Certificate Revocation Settings" tab 5. Click the "Enable Revocation Check" button By default the PSC will use the CRL from the certificate to check revocation check status. OCSP with CRL fallback is recommended but this setting is site specific and should be configured appropriately. |