The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-265978	SRG-APP-000014	VCSA-80-000009	SV-265978r1003613_rule	2024-12-16	2

Description
Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. In vCenter 8 Update 3, Transport Layer Security (TLS) Profiles were introduced that allow users to manage and configure TLS parameters for the vCenter server. Several TLS profiles are available by default but not all may be suitable for high security environments.

Description

Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. In vCenter 8 Update 3, Transport Layer Security (TLS) Profiles were introduced that allow users to manage and configure TLS parameters for the vCenter server. Several TLS profiles are available by default but not all may be suitable for high security environments.

ℹ️ Check
From the vSphere Client, go to Developer Center >> API Explorer. Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section. Expand the GET call and click Execute and review the response for the configured global TLS profile. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-GetTlsProfilesGlobal If the global TLS profile is not "NIST_2024", this is a finding.

ℹ️ Check

From the vSphere Client, go to Developer Center >> API Explorer. Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section. Expand the GET call and click Execute and review the response for the configured global TLS profile. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-GetTlsProfilesGlobal If the global TLS profile is not "NIST_2024", this is a finding.

✔️ Fix
From the vSphere Client, go to Developer Center >> API Explorer. Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section. Expand the PUT call and enter the following in the value box: { "profile": "NIST_2024" } Click Execute and Continue to configure a new global TLS profile. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-SetProfilesGlobalAsync -TlsProfilesGlobalSetSpec (Initialize-TlsProfilesGlobalSetSpec -VarProfile NIST_2024) To monitor the status of the operation the task id from the command output can be used with the "Invoke-GetTask" command. For example: Invoke-GetTask -Task 66b247c2-fe02-4425-9338-1c88eb856138:com.vmware.appliance.tls.profiles.global

✔️ Fix

From the vSphere Client, go to Developer Center >> API Explorer. Select "appliance" from the "Select API" drop down list then scroll down to the "tls/profiles/global" section. Expand the PUT call and enter the following in the value box: { "profile": "NIST_2024" } Click Execute and Continue to configure a new global TLS profile. or From a PowerCLI command prompt while connected to the vCenter server, run the following command: Invoke-SetProfilesGlobalAsync -TlsProfilesGlobalSetSpec (Initialize-TlsProfilesGlobalSetSpec -VarProfile NIST_2024) To monitor the status of the operation the task id from the command output can be used with the "Invoke-GetTask" command. For example: Invoke-GetTask -Task 66b247c2-fe02-4425-9338-1c88eb856138:com.vmware.appliance.tls.profiles.global