Envoy must be configured to operate in FIPS mode.

An XCCDF Rule

Description

<VulnDiscussion>Envoy ships with FIPS 140-2 validated OpenSSL cryptographic libraries and is configured by default to run in FIPS mode. This module is used for all cryptographic operations performed by Envoy, including protection of data-in-transit over the client Transport Layer Security (TLS) connection. Satisfies: SRG-APP-000014-WSR-000006, SRG-APP-000179-WSR-000111, SRG-APP-000416-WSR-000118, SRG-APP-000439-WSR-000188, SRG-APP-000179-WSR-000110</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-256739r889155_rule
Severity: Medium
References: CCI-000068 CCI-000803 CCI-002418 CCI-002450
Updated: 8 months ago

Navigate to and open: 
 
/etc/vmware-rhttpproxy/config.xml 
 
Locate the <config>/<vmacore>/<ssl> block and configure <fips> as follows: 
 <fips>true</fips> 
 
Restart the service for changes to take effect. 
 
# vmon-cli --restart rhttpproxy

Envoy must be configured to operate in FIPS mode.

Description

Remediation - Manual Procedure