Envoy must exclusively use the HTTPS protocol for client connections.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256742	VCRP-70-000006	SV-256742r889164_rule		Medium

Description
Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an encrypted session of HTTPS rather than plain-text HTTP. The Secure Sockets Layer (SSL) configuration block inside the rhttpproxy configuration must be present and correctly configured to safely enable Transport Layer Security (TLS).

Description

Remotely accessing vCenter via Envoy involves sensitive information going over the wire. To protect the confidentiality and integrity of these communications, Envoy must be configured to use an encrypted session of HTTPS rather than plain-text HTTP. The Secure Sockets Layer (SSL) configuration block inside the rhttpproxy configuration must be present and correctly configured to safely enable Transport Layer Security (TLS).

STIG	Date
VMware vSphere 7.0 vCenter Appliance RhttpProxy Security Technical Implementation Guide	2023-02-21

Details

Check Text ( C-60417r889162_chk )
At the command prompt, run the following command: # xmllint --xpath '/config/ssl' /etc/vmware-rhttpproxy/config.xml Expected result: /etc/vmware-rhttpproxy/ssl/rui.key /etc/vmware-rhttpproxy/ssl/rui.crt localhost If the output does not match the expected result, this is a finding.

Fix Text (F-60360r889163_fix)
Navigate to and open: /etc/vmware-rhttpproxy/config.xml Locate the first block and set its content to the following: /etc/vmware-rhttpproxy/ssl/rui.key /etc/vmware-rhttpproxy/ssl/rui.crt localhost Restart the service for changes to take effect. # vmon-cli --restart rhttpproxy