Configuration properties that relate to security can be modified in the service configuration files.

In the VMware Cloud Director Availability service configuration files, you can modify the following security-related properties. For information about the service configuration files, see Services configuration files.

Each entry lists the property name, its default value, and a description.

session.timeout (default value: 1800000)

The time in milliseconds that an inactive session is kept alive before it expires.

Each HTTP request resets the timer.

The default value is 30 minutes.

Applies to the following services:
  • Replicator Service
  • Manager Service
  • Cloud Service
  • Tunnel Service
session.maxage (default value: 86400000)

The maximum session length in milliseconds.

Even if the session is kept alive, after the time specified in this property, the session is terminated.

This property limits attacks based on stolen session cookies, because even a session that is actively kept alive expires after this time.

The default value is 24 hours.

Applies to the following services:
  • Replicator Service
  • Manager Service
  • Cloud Service
  • Tunnel Service
https.endpoint.protocols (default value: TLSv1.2)

Corresponds to sslEnabledProtocols in Apache Tomcat.

For more information, see Apache Tomcat Configuration Reference in the Apache Tomcat documentation.

Applies to the following services:
  • Replicator Service
  • Manager Service
  • Cloud Service
  • Tunnel Service
https.endpoint.ciphers

Caution: Although you can configure other cipher suites, ensure that you use only secure ciphers.
For example, exclude DH and use secure ciphers:

HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!DH

Corresponds to ciphers from SSLHostConfig in Apache Tomcat.

For information about SSLHostConfig, see Apache Tomcat Configuration Reference in the Apache Tomcat documentation.

Applies to the following services:
  • Replicator Service
  • Manager Service
  • Cloud Service
  • Tunnel Service
vcd.hostnameverifier.noop (default value: false)

When set to true, skips the verification of the host name of VMware Cloud Director when establishing a TLS session.

Used to prevent an SSL error when the VMware Cloud Director certificate subject or its list of SANs does not contain the provided VMware Cloud Director address.

Applies only to the Cloud Service.

web.cors.allowedOrigins (default value: empty string)

A list of Cross-Origin Resource Sharing (CORS) origins that are allowed to access the web resources.

Applicable when you operate a custom web server that serves the plug-in in an iframe.

The default value does not allow any origins, but due to the integrated user interface plug-in, the Cloud Service implicitly allows requests from VMware Cloud Director.

Applies to the following services:
  • Replicator Service
  • Manager Service
  • Cloud Service
  • Tunnel Service
admin.allow.from (default value: empty string)

Controls the source IP addresses that are allowed to establish server sessions. In a production environment, deactivate the root access authentication from the Tunnel Service, because its requests arrive from the Internet.

With the default value, if the service has a tunneling configuration set, tunnel requests are rejected; otherwise, all source addresses are allowed.

Applies to the following services:
  • Replicator Service
  • Manager Service
  • Cloud Service
  • Tunnel Service
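As an added example (not part of the VMware documentation or product), the following script audits a service configuration file against the guidance above: legacy protocols in https.endpoint.protocols, a cipher string lacking the recommended exclusions, host name verification switched off, a wildcard CORS origin, and a session.maxage above the documented 24 hour default. It assumes the files use Java .properties key=value syntax; the sample content is constructed.

```python
import re

# Constructed sample configuration in Java .properties form (an assumption
# about the service files' layout, not text taken from any real deployment).
SAMPLE_CONFIG = """\
# session handling
session.timeout=1800000
session.maxage=604800000
https.endpoint.protocols=TLSv1.1,TLSv1.2
https.endpoint.ciphers=HIGH:!aNULL:!eNULL
vcd.hostnameverifier.noop=true
web.cors.allowedOrigins=*
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Exclusions carried by the cipher string the documentation recommends.
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!MD5", "!kRSA", "!DH"}
MAX_SESSION_MAXAGE_MS = 86400000  # documented default of 24 hours


def parse_properties(text):
    """Minimal key=value / key:value parser; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return a list of (property, reason) for settings weaker than the documented guidance."""
    findings = []
    protocols = {p.strip() for p in props.get("https.endpoint.protocols", "").split(",")}
    for p in sorted(protocols & WEAK_PROTOCOLS):
        findings.append(("https.endpoint.protocols", f"enables legacy protocol {p}"))
    if "https.endpoint.ciphers" in props:
        missing = sorted(REQUIRED_EXCLUSIONS - set(props["https.endpoint.ciphers"].split(":")))
        if missing:
            findings.append(("https.endpoint.ciphers", "missing exclusions " + ",".join(missing)))
    if props.get("vcd.hostnameverifier.noop", "false").lower() == "true":
        findings.append(("vcd.hostnameverifier.noop", "VMware Cloud Director host name verification is off"))
    if "*" in props.get("web.cors.allowedOrigins", ""):
        findings.append(("web.cors.allowedOrigins", "wildcard origin lets any site reach the web resources"))
    maxage = int(props.get("session.maxage", MAX_SESSION_MAXAGE_MS))
    if maxage > MAX_SESSION_MAXAGE_MS:
        findings.append(("session.maxage", f"{maxage} ms exceeds the 24 hour default"))
    return findings
```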