The ESXi host rhttpproxy daemon must use FIPS 140-2 validated cryptographic modules to protect the confidentiality of remote access sessions.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-256442 | SRG-OS-000033-VMM-000140 | ESXI-70-000090 | SV-256442r958408_rule | 2025-02-11 | 1 |
Description
ESXi runs a reverse proxy service called rhttpproxy that front ends internal services and application programming interfaces (APIs) over one HTTPS port by redirecting virtual paths to localhost ports.
This proxy implements a FIPS 140-2 validated OpenSSL cryptographic module that is in FIPS mode by default. This configuration must be validated and maintained to protect the traffic that rhttpproxy manages.
ℹ️ Check
From an ESXi shell, run the following command:
# esxcli system security fips140 rhttpproxy get
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$esxcli.system.security.fips140.rhttpproxy.get.invoke()
Expected result:
Enabled: true
If the output does not match the expected result, this is a finding.
✔️ Fix
From an ESXi shell, run the following command:
# esxcli system security fips140 rhttpproxy set -e true
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.security.fips140.rhttpproxy.set.CreateArgs()
$arguments.enable = $true
$esxcli.system.security.fips140.rhttpproxy.set.Invoke($arguments)