Architecting a vCloud Director Solution : Security : 10.1 Guidelines : 10.1.1 Key Management and Encryption
   
10.1.1 Key Management and Encryption
vCloud Director requires HTTPS for all server-to-client communication. Port 80/TCP is open, but only redirects the connection to the secured port. The vCloud Director user interface is secured by SSL/TLS over HTTPS (port 443/TCP). The certificate is installed during configuration of vCloud Director and stored encrypted in a file located at $VCLOUD_HOME/etc/certificates. That file is protected by the system.info value in the global.properties file located at $VCLOUD_HOME/etc.
The console-proxy connection is also secured by SSL/TLS on port 443/TCP. When the connection is initiated, a key is passed to the browser to authenticate the console session to the console proxy. The key expires, which helps mitigate replay attacks.
Create the SSL certificates with a key length of at least 2048 bits. Protect the keystore file used to configure the certificates with a complex password, and remove it from the vCloud Director cells after configuration is complete.
vCloud Director database communication is sent in plain text over the wire. Therefore, access to the network must be restricted.
When using integrated LDAP authentication, communication with the LDAP server must use encrypted secure LDAP (LDAPS). Otherwise, user credentials are transmitted in plain text and can be intercepted.
Communication from vCloud Director cells to vCenter Single Sign-On (PSC), vCenter Server and NSX Manager is encrypted. Security can be enhanced further by importing the certificate of each component into the JCEKS keystore file.
Disable the insecure SSL 3 and TLS 1.0 protocols on vCloud Director cells.
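To verify a cell against the 2048-bit key guideline and the SSL 3 / TLS 1.0 guideline above, here is an added audit script (example code, not part of the VMware guide). It uses only the Python standard library, assumes you point it at a cell you operate (`audit("vcd.example.internal")`, a hypothetical name), and reads the RSA modulus length straight from the DER certificate so no third-party library is needed.

```python
import socket
import ssl

# DER bytes of AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }
RSA_OID_NULL = bytes.fromhex("06092a864886f70d0101010500")

def _der_len(buf, i):  # decode a DER length at buf[i] -> (length, index of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def rsa_key_bits(cert_der):
    """RSA modulus size in bits from a DER certificate, or None if the key is not RSA."""
    pos = cert_der.find(RSA_OID_NULL)
    if pos < 0:
        return None
    i = pos + len(RSA_OID_NULL)               # BIT STRING wrapping RSAPublicKey
    _, i = _der_len(cert_der, i + 1)
    i += 1                                    # skip the unused-bits byte
    _, i = _der_len(cert_der, i + 1)          # SEQUENCE { modulus, publicExponent }
    mod_len, i = _der_len(cert_der, i + 1)    # INTEGER modulus
    if cert_der[i] == 0:                      # a leading zero only keeps the integer positive
        mod_len -= 1
    return mod_len * 8

def handshake(host, port, version=None):
    """Connect and return the leaf certificate (DER); pin `version` if given.
    Returns False if the cell refuses that version, None if local OpenSSL cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # we inspect the cert ourselves
    try:
        if version is not None:
            ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except ValueError:
        return None
    except ssl.SSLError:
        return False

def audit(host, port=443, min_bits=2048):
    """Added example (not VMware code): list legacy protocols accepted and an undersized RSA key."""
    legacy = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1)
    issues = [f"{v.name} accepted; disable it" for v in legacy if handshake(host, port, v)]
    bits = rsa_key_bits(handshake(host, port) or b"")
    if bits is not None and bits < min_bits:
        issues.append(f"RSA key is {bits} bits; guideline requires at least {min_bits}")
    return issues
```

A current OpenSSL build may itself refuse to negotiate SSL 3 or TLS 1.0 (reported here as None or False), which says nothing about the cell; run the probe from a host whose OpenSSL still offers those versions, or confirm with the cell's own configuration.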