Security scanner identifies self-signed certificates on cloud proxy
Article ID: 437602

Products

VCF Operations VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

The security scanner (Qualys, Nessus, Tenable, Rapid7, etc.) identified self-signed certificates on the Operations Cloud Proxy appliance on ports 1514, 6514, or 8443.

Environment

  • VCF Operations 9.0.x
  • Aria Operations 8.18.x

Cause

The Operations cloud proxy appliance uses self-signed SSL certificates for specific functions. These SSL certificates cannot be modified.

  • Ports 1514 and 6514 are used to relay secure syslog to Operations for Logs when the Log Forwarding feature is enabled in the Classic Cloud Proxy. Log forwarding is always enabled for the Unified Cloud Proxy.
  • Port 8443 is used for collecting data from open source telegraf agents. This feature is always enabled in both Classic and Unified Cloud Proxy.

Resolution

If the Log Forwarding feature or the collection of metrics from open source telegraf agents is not used in the environment, traffic to the corresponding ports can be blocked on the cloud proxy appliance using its internal firewall service.

  1. Log in to the cloud proxy appliance as root via SSH or vSphere Console

  2. Create a backup copy of the configuration files that will be edited

    1. For the Log Forwarding feature (ports 1514 and 6514)

      cp -p /opt/vmware/etc/vmware-vcf-logForwarder-firewall.conf{,.$(date '+%Y%m%d_%H%M%S')}
    2. For the open source telegraf feature (port 8443)

      cp -p /opt/vmware/etc/vmware-vcops-arc-firewall.conf{,.$(date '+%Y%m%d_%H%M%S')}
  3. Open the configuration file for editing

    1. For the Log Forwarding feature (ports 1514 and 6514)

      vi /opt/vmware/etc/vmware-vcf-logForwarder-firewall.conf
    2. For the open source telegraf feature (port 8443)

      vi /opt/vmware/etc/vmware-vcops-arc-firewall.conf
  4. Remove the ports from the TCPPORTS= line

    1. For the Log Forwarding feature (ports 1514 and 6514)

      Example before edit

      TCPPORTS="$TCPPORTS 8500 9543 9000 6514 1514 514"

      Example after edit

      TCPPORTS="$TCPPORTS 8500 9543 9000 514"
    2. For the open source telegraf feature (port 8443)

      Example before edit

      TCPPORTS="$TCPPORTS 8443"

      Example after edit

      TCPPORTS="$TCPPORTS"
  5. Save and exit the file

    :wq
  6. Restart the firewall service

    systemctl restart vmware-vcops-firewall
  7. Repeat steps 1 through 6 for any other cloud proxy appliances
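The following script carries steps 2 through 6 above out in one pass. It is an added example, not part of this article or of the VMware product: the file paths, the port numbers and the service name are the ones given in the steps above, and the assumption that each configuration file holds a single TCPPORTS="..." line (as in the before/after examples) is the script's own. Ports are removed as whole tokens, so dropping 514 would not damage 1514 or 6514; with no argument the script only defines its functions.

```shell
#!/bin/sh
# Added example (not the article's or VMware's code). Removes TCP ports from the
# TCPPORTS= line of a cloud proxy firewall config file after taking a timestamped
# backup, then restarts the firewall service, mirroring the manual steps above.
# Assumption: each file contains exactly one line of the form TCPPORTS="$TCPPORTS ..."
set -eu

# File paths and service name taken from the article's steps.
LOGFWD_CONF=/opt/vmware/etc/vmware-vcf-logForwarder-firewall.conf
TELEGRAF_CONF=/opt/vmware/etc/vmware-vcops-arc-firewall.conf
FIREWALL_SERVICE=vmware-vcops-firewall

# Print the TCPPORTS= line of FILE so the result can be checked before and after.
# Usage: tcp_ports_line FILE
tcp_ports_line() {
    grep '^TCPPORTS=' "$1"
}

# Remove each PORT (as a whole token) from the TCPPORTS= line of FILE, in place,
# keeping a backup named FILE.YYYYmmdd_HHMMSS as in step 2.
# Usage: remove_tcp_ports FILE PORT [PORT...]
remove_tcp_ports() {
    file=$1
    shift
    cp -p "$file" "$file.$(date '+%Y%m%d_%H%M%S')"
    for port in "$@"; do
        # Every port token is preceded by a space and followed by a space or the
        # closing quote; keep that following character so the line stays well formed.
        sed -E "/^TCPPORTS=/ s/ $port([ \"])/\1/" "$file" > "$file.tmp"
        cat "$file.tmp" > "$file"     # overwrite in place to keep ownership and mode
        rm -f "$file.tmp"
    done
}

# Apply to the real appliance files only when asked to, as root on the cloud proxy.
case "${1:-}" in
    --log-forwarding)
        remove_tcp_ports "$LOGFWD_CONF" 6514 1514
        systemctl restart "$FIREWALL_SERVICE"
        tcp_ports_line "$LOGFWD_CONF"
        ;;
    --telegraf)
        remove_tcp_ports "$TELEGRAF_CONF" 8443
        systemctl restart "$FIREWALL_SERVICE"
        tcp_ports_line "$TELEGRAF_CONF"
        ;;
    "")
        ;;   # no argument: functions only (for sourcing or testing)
    *)
        echo "usage: $0 [--log-forwarding | --telegraf]" >&2
        ;;
esac
```

Run it with --log-forwarding and/or --telegraf on each cloud proxy appliance, then rerun the scanner to confirm the ports are no longer reported. Because the product overwrites these files on update (see the note below under Additional Information), keep the script at hand and rerun it after every cloud proxy upgrade.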

Additional Information

VMware Ports and Protocols

Note: These manual firewall changes will be overwritten during the next cloud proxy update, causing the security scanner to flag the appliance again post-upgrade. The same steps will need to be reapplied after any upgrade of the cloud proxy.