← Back to VMware vSphere 7.0 vCenter Security Technical Implementation Guide

V-256333

CAT II (Medium)

The vCenter Server must enable revocation checking for certificate-based authentication.

Rule ID

SV-256333r919043_rule

STIG

VMware vSphere 7.0 vCenter Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000185 CCI-001954 CCI-001991 CCI-002010

Discussion

The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) revocation checking. Satisfies: SRG-APP-000175, SRG-APP-000392, SRG-APP-000401, SRG-APP-000403

Check Content

If a federated identity provider is configured and used for an identity source and supports Smartcard authentication, this is not applicable.

From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, verify "Revocation check" does not show as disabled.

If "Revocation check" shows as disabled, this is a finding.

Fix Text

From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.

Under Smart card authentication settings >> Certificate revocation, click the "Edit" button.

Configure revocation checking per site requirements. OCSP with CRL failover is recommended.

By default, both locations are pulled from the cert. CRL location can be overridden in this screen, and local responders can be specified via the sso-config command line tool. Refer to the supplemental document for more information.

Note: If FIPS mode is enabled on vCenter, OCSP revocation validation may not function and CRL used instead.