
The vCenter STS service must be configured to use strong encryption ciphers.


Overview

Finding ID: V-258971
Version: VCST-80-000002
Rule ID: SV-258971r934571_rule
IA Controls: (none listed)
Severity: Medium
Description
Tomcat has several remote communications channels. Examples are user requests via http/https, communication to a backend database, or communication to authenticate users. The encryption used to communicate must match the data that is being retrieved or presented.

The Tomcat <Connector> element controls the TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent encryption protections that are configured for the connector. Strong ciphers must be employed when configuring a secured connector. TLSv1.2 or TLSv1.3 ciphers are configured via the server.xml file on a per connector basis. For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

Satisfies: SRG-APP-000014-AS-000009, SRG-APP-000015-AS-000010, SRG-APP-000172-AS-000120, SRG-APP-000172-AS-000121, SRG-APP-000439-AS-000274

STIG: VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide
Date: 2023-10-29

Details

Check Text (C-62711r934569_chk)
At the command prompt, run the following command:

# xmllint --xpath '/Server/Service/Connector/SSLHostConfig/@ciphers' /usr/lib/vmware-sso/vmware-sts/conf/server.xml

Expected result:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"

If each result returned does not match the expected result, this is a finding.
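The check above is a single xmllint XPath over the live server.xml. The following is an added example, not part of the STIG or of VMware's tooling, that re-implements the same check in Python so it can be run as an offline audit script: it walks every connector with SSLEnabled="true", requires each SSLHostConfig to carry exactly the expected cipher list, and treats a missing ciphers attribute or a missing SSLHostConfig as a finding. The embedded server.xml and its port numbers are constructed sample data, not the appliance's real configuration.

```python
import xml.etree.ElementTree as ET

# Cipher list required by VCST-80-000002 (taken verbatim from the check text).
EXPECTED_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
)

def _normalize(cipher_attr):
    # Tolerate whitespace around commas but keep the order the STIG expects.
    return [c.strip() for c in cipher_attr.split(",") if c.strip()]

def audit_sts_ciphers(server_xml_text):
    """Return [(port, ciphers_attr_or_None, compliant)] for every SSL-enabled
    connector under /Server/Service, mirroring the STIG's XPath scope."""
    root = ET.fromstring(server_xml_text)
    expected = _normalize(EXPECTED_CIPHERS)
    results = []
    for conn in root.iterfind("./Service/Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plaintext connectors are out of scope for this rule
        port = conn.get("port")
        host_configs = list(conn.iterfind("SSLHostConfig"))
        if not host_configs:
            results.append((port, None, False))  # nothing to restrict the ciphers
        for host in host_configs:
            ciphers = host.get("ciphers")
            ok = ciphers is not None and _normalize(ciphers) == expected
            results.append((port, ciphers, ok))
    return results

def is_finding(results):
    """The rule is a finding if any SSL connector deviates, or none was found."""
    return not results or any(not ok for _, _, ok in results)

# Constructed sample: port 7444 is compliant, port 8443 still allows a CBC suite.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1">
  <Service name="Catalina">
    <Connector port="7444" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"/>
    </Connector>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    </Connector>
    <Connector port="7080" SSLEnabled="false"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, ciphers, ok in audit_sts_ciphers(SAMPLE_SERVER_XML):
        print(f"port {port}: {'OK' if ok else 'FINDING'} ciphers={ciphers}")
```

To audit a real appliance, read /usr/lib/vmware-sso/vmware-sts/conf/server.xml into `audit_sts_ciphers` instead of the sample string.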
Fix Text (F-62620r934570_fix)
Navigate to and open:

/usr/lib/vmware-sso/vmware-sts/conf/server.xml

For each connector with "SSLEnabled" set to true, configure the ciphers attribute under the "SSLHostConfig" as follows:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"

Restart the service with the following command:

# vmon-cli --restart sts