Port Identification: Port 6443 is confirmed as the Kubernetes API server port, exposed by default on the VMSP platform.
Configuration Validation:
The VMSP global ConfigMap explicitly defines cluster.port: "6443".
The kube-vip configuration (values.yaml) identifies lb_port: "6443" for load balancing.
Scan Results:
QID 38170 (CN Mismatch): Occurs when connecting to <vidb_fqdn>:6443. The certificate presented by kube-apiserver contains SANs for internal Kubernetes names (e.g., kubernetes.default.svc) but lacks the external VIDB FQDN.
QID 38173 (Signature Verification Failed): Occurs because the kube-apiserver certificate is signed by an internal, self-generated Kubernetes Cluster CA that is not present in public trust stores.
VMware Identity Broker 9.x
The Qualys vulnerabilities are triggered because the Kubernetes control plane (VMSP) exposes the kube-apiserver on port 6443 to external scanners, presenting internal-only certificates that do not match the external FQDN and are not signed by a trusted Certificate Authority (CA).
These findings do not clear because Qualys only trusts publicly issued certificate authorities. Since this service uses an internal/vendor-issued certificate, Qualys will continue to flag it by design, even though the certificate is valid and up to date internally. Engage with Qualys for further help.
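The two findings above (QID 38170, the SAN/FQDN mismatch, and QID 38173, the untrusted chain) can be reproduced and separated locally, which is useful when deciding whether a scan result reflects the certificate as deployed. The script below is an added example written for this page; it is not VMware, Qualys or Kubernetes project code. It assumes the `cryptography` package is installed for the live SAN parse, and the sample SAN list and the hostname `vidb.example.invalid` are constructed placeholders, not values from a real VIDB deployment.

```python
"""Reproduce the two port-6443 findings locally: SAN/FQDN coverage and chain trust."""
import socket
import ssl
import sys


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname (exact, or a single leftmost wildcard label)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        # The wildcard stands in for exactly one label; it never spans sub-domains.
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def hostname_covered(san_dns_names, hostname: str) -> bool:
    """True when the scanned FQDN appears in the DNS SANs (the CN-mismatch check, QID 38170)."""
    return any(name_matches(n, hostname) for n in san_dns_names)


def fetch_san_dns_names(host: str, port: int = 6443, timeout: float = 5.0) -> list:
    """Fetch the presented leaf certificate without validating it and return its DNS SAN entries.

    Assumption: the third-party `cryptography` package is available to parse the DER certificate.
    """
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we want the cert even when it would fail validation
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return []
    return san.get_values_for_type(x509.DNSName)


def chain_trusted(host: str, port: int = 6443, timeout: float = 5.0):
    """Validate only the chain against the local trust store (the signature check, QID 38173)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED against the system CA bundle
    ctx.check_hostname = False          # isolate chain trust from the name-matching question
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "chain verified against the local trust store"
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


def assess(san_dns_names, host: str, trusted: bool, detail: str) -> dict:
    """Fold both checks into one record so a ticket can cite exactly which finding still applies."""
    return {
        "host": host,
        "san_dns_names": list(san_dns_names),
        "fqdn_in_san": hostname_covered(san_dns_names, host),
        "chain_trusted": trusted,
        "chain_detail": detail,
    }


# Constructed sample: the internal-only SAN set a kube-apiserver typically carries.
# The external name is a placeholder, not a real VIDB host.
SAMPLE_SAN = ["kubernetes", "kubernetes.default", "kubernetes.default.svc",
              "kubernetes.default.svc.cluster.local"]
SAMPLE_FQDN = "vidb.example.invalid"

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        names = fetch_san_dns_names(host)
        ok, detail = chain_trusted(host)
        print(assess(names, host, ok, detail))
    else:
        # Offline walk-through with the constructed sample; mirrors the CN-mismatch finding.
        print(assess(SAMPLE_SAN, SAMPLE_FQDN, False, "no live connection (sample data)"))
```

Run it as `python check_6443.py <vidb_fqdn>` from a host whose trust store matches the scanner's. `fqdn_in_san` false corresponds to QID 38170; `chain_trusted` false with a message such as "unable to get local issuer certificate" corresponds to QID 38173. Keeping the two checks separate matters because a chain-trust failure would otherwise mask the name-matching result.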