When you modify Web proxy settings, you have several encryption and user security guidelines to consider.

Note

Restart the vmware-hostd process after making any changes to host directories or authentication mechanisms by entering the command service mgmt-vmware restart.

Do not set up certificates using pass phrases. ESX does not support pass phrases, also known as encrypted keys. If you set up a pass phrase, ESX processes cannot start correctly.
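The pass-phrase restriction above can be checked before a key is copied onto a host. The shell function below is an added example, not part of this VMware documentation; it looks for the PEM markers of an encrypted private key (the "Proc-Type: 4,ENCRYPTED" header of a traditional PKCS#1 key, or the "BEGIN ENCRYPTED PRIVATE KEY" block of a PKCS#8 key) and reports plain keys and files that hold no key at all. The sample files it creates are constructed placeholders with fake key bodies, not real keys.

```shell
#!/bin/sh
# Added example (not from the VMware documentation): report whether a PEM
# file holds a pass-phrase protected private key, which ESX cannot load.
# Prints one of: encrypted, plain, none. Always returns 0 so it is safe
# under "set -e"; callers branch on the printed word.
key_status() {
    f="$1"
    # PKCS#8 keys wrap the whole block in an ENCRYPTED label
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo encrypted
        return 0
    fi
    # Traditional (PKCS#1 / legacy OpenSSL) keys carry a Proc-Type header
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted
        return 0
    fi
    # Any other private-key block (RSA, EC, PKCS#8 plain) is usable as-is
    if grep -q 'BEGIN .*PRIVATE KEY' "$f"; then
        echo plain
        return 0
    fi
    echo none
    return 0
}

# Constructed sample files (fake key bodies, for demonstration only)
tmpdir=$(mktemp -d)

cat > "$tmpdir/plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK...FAKE-KEY-BODY...
-----END RSA PRIVATE KEY-----
EOF

cat > "$tmpdir/legacy-encrypted.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIBOgIBAAJBAK...FAKE-ENCRYPTED-BODY...
-----END RSA PRIVATE KEY-----
EOF

cat > "$tmpdir/pkcs8-encrypted.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wSjAp...FAKE-ENCRYPTED-BODY...
-----END ENCRYPTED PRIVATE KEY-----
EOF

cat > "$tmpdir/cert-only.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIJ...FAKE-CERT-BODY...
-----END CERTIFICATE-----
EOF

# Walk the samples and flag anything ESX would refuse to start with
for k in "$tmpdir"/*; do
    printf '%s: %s\n' "$(basename "$k")" "$(key_status "$k")"
done
```

The grep checks only recognise the two standard encryption markers; the definitive test on a real key is to run "openssl rsa -in <keyfile> -noout" and confirm that it does not prompt for a pass phrase.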

You can configure the Web proxy so that it searches for certificates in a location other than the default location. This capability proves useful for companies that prefer to centralize their certificates on a single machine so that multiple hosts can use the certificates.

Caution

If certificates are not stored locally on the host—for example, if they are stored on an NFS share—the host cannot access those certificates if ESX loses network connectivity. As a result, a client connecting to the host cannot successfully participate in a secure SSL handshake with the host.

To support encryption for user names, passwords, and packets, SSL is enabled by default for vSphere Web Access and vSphere Web Services SDK connections. To configure these connections so that they do not encrypt transmissions, disable SSL for your vSphere Web Access connection or vSphere Web Services SDK connection by switching the connection from HTTPS to HTTP.

Consider disabling SSL only if you created a fully trusted environment for these clients, where firewalls are in place and transmissions to and from the host are fully isolated. Disabling SSL can improve performance, because you avoid the overhead required to perform encryption.

To protect against misuse of ESX services, such as the internal Web server that hosts vSphere Web Access, most internal ESX services are accessible only through port 443, the port used for HTTPS transmission. Port 443 acts as a reverse proxy for ESX. You can see a list of services on ESX through an HTTP welcome page, but you cannot directly access these services without proper authorization.

You can change this configuration so that individual services are directly accessible through HTTP connections. Do not make this change unless you are using ESX in a fully trusted environment.

When you upgrade vCenter Server and vSphere Web Access, the certificate remains in place. If you remove vCenter Server and vSphere Web Access, the certificate directory is not removed from the service console.