ESXI-70-000090 - The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.

Information

ESXi runs a reverse proxy service called rhttpproxy that front ends internal services and application programming interfaces (APIs) over one HTTPS port by redirecting virtual paths to localhost ports.

This proxy implements a FIPS 140-2 validated OpenSSL cryptographic module that is in FIPS mode by default. This configuration must be validated and maintained to protect the traffic that rhttpproxy manages.

Solution

From an ESXi shell, run the following command:

# esxcli system security fips140 rhttpproxy set -e true

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.rhttpproxy.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.rhttpproxy.set.Invoke($arguments)

Item Details

Audit Name: DISA VMware vSphere 7.0 ESXi STIG v1r4 Unix

Category: ACCESS CONTROL

Plugin: Unix

Control ID: e414993f11ba581d1f062f24d1ed9643b19b09e597eaaf768b08aa0e23698070

Detections

Analytics

ESXI-70-000090 - The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.

Information

Solution

See Also

Item Details