Background Information

The RightScale platform communicates with the RCA-V in your vSphere environment using a secure WebSocket tunnel connection.

Answer

  • A WebSocket connection begins as an HTTP handshake and then upgrades in-place to speak the WebSocket wire protocol. As such, many existing HTTP security mechanisms also apply to a WebSocket connection. https://tools.ietf.org/html/rfc64550
  • The RCA-V Websocket tunnel is configured over TLS/SSL HTTPS port 443 and enables bi-directional communications.
  • The Websocket tunnel does not require enterprises to open additional ports in their firewalls.
  • The WebSocket endpoint is defined by a URL, which means origin-based security can be applied.
  • Client-to-server masking – Each WebSocket frame, with a frame containing a message, is automatically masked to prevent old or badly-implemented intermediaries (man-in-the-middle scenarios) from accidentally or deliberately causing issues based on bytes in the payload. Each frame contains the masking key so WebSocket-aware intermediaries can unmask the messages for protocol or packet inspection, or to enforce security policies, etc.