tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.

From VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide

Part of SRG-APP-000014-WSR-000006

Associated with: CCI-000068

SV-99449r1_rule tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.

Vulnerability discussion

Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can potentially be compromised.The US Federal Information Processing Standards (FIPS) publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2) identifies eleven areas for a cryptographic module used inside a security system that protects information. FIPS 140-2- approved ciphers provide the maximum level of encryption possible for a private web server.Configuration of ciphers used by tc Server are set in the “catalina.properties” file. Only those ciphers specified in the configuration file, and which are available in the installed OpenSSL library, will be used by tc Server while encrypting data for transmission.

Check content

At the command prompt, execute the following command: grep vmware-ssl.ssl.ciphers.list /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties If the value of “vmware-ssl.ssl.ciphers.list” does not match the list of FIPS 140-2 ciphers or is missing, this is a finding. Note: To view a list of FIPS 140-2 ciphers, at the command prompt execute the following command: openssl ciphers 'FIPS'

Fix text

Navigate to and open /usr/lib/vmware-vcops/tomcat-web-app/conf/catalina.properties. Navigate to and locate “vmware-ssl.ssl.ciphers.list”. Configure the “vmware-ssl.ssl.ciphers.list” with FIPS 140-2 compliant ciphers.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer