V-265978

CAT II (Medium)

The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.

Rule ID

SV-265978r1003613_rule

STIG

VMware vSphere 8.0 vCenter Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000068, CCI-000382, CCI-001184, CCI-001453, CCI-001941, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002450

Discussion

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. In vCenter 8 Update 3, Transport Layer Security (TLS) Profiles were introduced that allow users to manage and configure TLS parameters for the vCenter server. Several TLS profiles are available by default but not all may be suitable for high security environments.

Check Content

From the vSphere Client, go to Developer Center >> API Explorer.

Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section.

Expand the GET call and click Execute and review the response for the configured global TLS profile.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Invoke-GetTlsProfilesGlobal

If the global TLS profile is not "NIST_2024", this is a finding.

Fix Text

From the vSphere Client, go to Developer Center >> API Explorer.

Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section.

Expand the PUT call and enter the following in the value box:

{
    "profile": "NIST_2024"
}

Click Execute and Continue to configure a new global TLS profile.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Invoke-SetProfilesGlobalAsync -TlsProfilesGlobalSetSpec (Initialize-TlsProfilesGlobalSetSpec -VarProfile NIST_2024)

To monitor the status of the operation, use the task ID from the command output with the "Invoke-GetTask" command. For example:

Invoke-GetTask -Task 66b247c2-fe02-4425-9338-1c88eb856138:com.vmware.appliance.tls.profiles.global
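
The check and fix above combined into one PowerCLI script, as an added example that is not part of the STIG text. It assumes an existing Connect-VIServer session; the function names, the poll interval and count, the property lookup on the response, and the task status values SUCCEEDED/FAILED are assumptions.

```powershell
# Added example: audit V-265978 and remediate if needed.
# Assumes you are already connected to the vCenter server (Connect-VIServer).
$Required    = 'NIST_2024'   # profile required by the check content
$PollSeconds = 15            # constructed value, tune for your environment
$MaxPolls    = 40            # constructed value

function Get-GlobalTlsProfileName {
    # Assumption: the response exposes the profile name in a property whose
    # name contains "profile" (the REST body in the fix text uses "profile").
    $resp = Invoke-GetTlsProfilesGlobal
    $prop = $resp.PSObject.Properties |
        Where-Object { $_.Name -match 'profile' } | Select-Object -First 1
    if (-not $prop) { throw 'No profile property in Invoke-GetTlsProfilesGlobal output.' }
    return [string]$prop.Value
}

function Set-GlobalTlsProfile {
    param([string]$ProfileName)
    $spec = Initialize-TlsProfilesGlobalSetSpec -VarProfile $ProfileName
    # Per the fix text, the command output carries the task id.
    $taskId = Invoke-SetProfilesGlobalAsync -TlsProfilesGlobalSetSpec $spec
    $status = ''
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        Start-Sleep -Seconds $PollSeconds
        try {
            # Assumption: the task info has a "status" property.
            $status = [string](Invoke-GetTask -Task $taskId).status
        } catch {
            Write-Warning "Task poll failed, retrying: $($_.Exception.Message)"
            continue
        }
        if ($status -in 'SUCCEEDED', 'FAILED') { break }
    }
    return $status
}

$current = Get-GlobalTlsProfileName
if ($current -eq $Required) {
    Write-Output "Not a finding: global TLS profile is '$current'."
} else {
    Write-Output "Finding: global TLS profile is '$current', expected '$Required'."
    $result = Set-GlobalTlsProfile -ProfileName $Required
    # Re-run the check rather than trusting the task status alone.
    $after = Get-GlobalTlsProfileName
    if ($after -eq $Required) { Write-Output "Remediated (task status: $result)." }
    else { Write-Error "Still a finding: profile is '$after' (task status: $result)." }
}
```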