This topic outlines the tasks that you must perform to activate Federal Information Processing Standards (FIPS) mode on the Site Recovery Manager appliance.

Note: The PKCS#12 certificate file format is not supported in the Certificates configuration in FIPS mode. The PKCS#12 standard specification uses algorithms that are not FIPS compliant.

Prerequisites

Make sure to use trusted certificates when deploying your environment.

Procedure

  1. Edit the configuration files for the Site Recovery Manager services.
    1. Navigate to /opt/vmware/dr/conf/drconfig.xml, open the file and change the following setting.
      <Config>
          <vmacore>
              <ssl>
                  <fips>true</fips>
              </ssl>
          </vmacore>
      </Config>
    2. Navigate to /opt/vmware/srm/conf/vmware-dr.template.xml, open the file and change the following setting.
      <Config>
          <vmacore>
              <ssl>
                  <fips>true</fips>
              </ssl>
          </vmacore>
      </Config>
    3. (Optional) If the appliance is configured, edit the /opt/vmware/srm/conf/vmware-dr.xml file.
      <Config>
          <vmacore>
              <ssl>
                  <fips>true</fips>
              </ssl>
          </vmacore>
      </Config>
  2. Start the Site Recovery Manager services in strict mode.
    1. Edit /usr/lib/systemd/system/dr-configurator.service. Uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      # Uncomment to enable FIPS
      Environment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules
      Environment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf
    2. Edit /usr/lib/systemd/system/srm-server.service. Uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      # Uncomment to enable FIPS
      Environment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules
      Environment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf
    3. Restart the dr-configurator and the srm-server. Run the following commands.
      systemctl daemon-reload
      systemctl restart dr-configurator
      systemctl restart srm-server
  3. Log in to the appliance as the root user and edit the kernel command line.
    1. Open /boot/grub/grub.cfg.
    2. Locate the menuentry entry.
    3. In each menuentry, append the following to the end of every line that starts with linux.
      fips=1
    4. Save the file.
  4. Start the Config UI in strict mode.
    1. Edit /usr/lib/systemd/system/drconfigui.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/drconfigui/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.          -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. (Optional) Restart the drconfigui service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart drconfigui
  5. Start the UI in strict mode.
    1. Edit /usr/lib/systemd/system/dr-client.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-client/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.              -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. Edit the /opt/vmware/dr-client/lib/h5dr.properties file and modify the parameters so that they point to a BCFKS-format keystore and a truststore that contains the root CA certificates.
      The properties must look like this.
      drTrustStorePass=<same as keyStorePass>
      drTrustStoreName=h5dr.truststore.bks
      keyStoreName=h5dr.keystore.bks
      If you choose to use a truststore other than the default one, you must add a link to the truststore in /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/. The keystore format must be BCFKS. To convert a keystore from JKS format, use the following command.
      $JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to-jks-keystore> -srcstoretype JKS -srcstorepass <keystorepass> -destkeystore <path-to-target-bks-keystore> -deststoretype BCFKS -deststorepass <keystorepass> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/dr-client/lib/ext/bc-fips-1.0.2.3.jar
      Note: The keystore and truststore files that you use must have the Others: Read permission. After reconfiguring the appliance, you must re-edit the file /opt/vmware/dr-client/lib/h5dr.properties according to the rules above.
    4. (Optional) Restart the dr-client service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart dr-client
  6. Start the UI plugin (dr-client-plugin) in strict mode.
    1. Edit /usr/lib/systemd/system/dr-client-plugin.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-client-plugin/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.          -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. (Optional) Restart the dr-client-plugin service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart dr-client-plugin
  7. Start the REST API service (dr-rest) in strict mode.
    1. Edit /usr/lib/systemd/system/dr-rest.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-rest/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.          -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. (Optional) Restart the dr-rest service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart dr-rest
  8. Reboot the appliance.
    Make sure that the systemctl daemon-reload command is executed at least once after making the modifications and before rebooting the appliance.
    Note: SSHD detects that the kernel has FIPS mode enabled and activates FIPS mode as well. You do not need to edit anything in the sshd configuration.
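
    The following pre-reboot sanity check is an added example, not part of the VMware documentation or the appliance. It verifies, file by file, that the edits from steps 1 to 7 are actually in place before you reboot: the <fips> elements read true, the OPENSSL lines in the systemd units are uncommented, every linux line in grub.cfg carries fips=1, the <Manager> tag sits outside any XML comment, and the keystore named in h5dr.properties (assumed to live in /opt/vmware/dr-client/lib/) is readable by Others. Each function takes a file path, so you can also run it against copies of the files.

```shell
#!/bin/sh
# Pre-reboot FIPS configuration check for the SRM appliance.
# Added example; the appliance paths are the ones named in the procedure,
# the keystore location under /opt/vmware/dr-client/lib/ is an assumption.

# Every <fips> element in an SRM config XML must read true.
xml_fips_enabled() {
  grep -q '<fips>true</fips>' "$1" && ! grep -q '<fips>false</fips>' "$1"
}

# Both OPENSSL lines in a systemd unit must be active (not commented out).
unit_fips_env_enabled() {
  grep -Eq '^[[:space:]]*Environment=OPENSSL_MODULES=' "$1" &&
    grep -Eq '^[[:space:]]*Environment=OPENSSL_CONF=' "$1"
}

# Every "linux ..." kernel line in grub.cfg must carry fips=1 (and at least one must exist).
grub_fips_enabled() {
  total=$(grep -Ec '^[[:space:]]*linux[[:space:]]' "$1" || true)
  with=$(grep -E '^[[:space:]]*linux[[:space:]]' "$1" |
    grep -Ec '(^|[[:space:]])fips=1([[:space:]]|$)' || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$with" ]
}

# The <Manager> tag in a Tomcat context.xml must sit outside any <!-- ... --> comment.
context_manager_enabled() {
  awk '/<!--/ {c=1} /-->/ {c=0; next} !c && /<Manager / {f=1} END {exit !f}' "$1"
}

# Keystore and truststore files need the Others: Read bit (mode ends in 4, 5, 6 or 7).
others_readable() {
  mode=$(stat -c '%a' "$1") && [ $(( (mode % 10) & 4 )) -eq 4 ]
}

# Print one OK/FAIL line per check; check_appliance returns non-zero if any check failed.
report() { if "$1" "$2"; then echo "OK   $2"; else echo "FAIL $2"; rc=1; fi; }
check_appliance() {
  rc=0
  # vmware-dr.xml is optional (step 1.3) and is not checked here.
  for f in /opt/vmware/dr/conf/drconfig.xml /opt/vmware/srm/conf/vmware-dr.template.xml; do report xml_fips_enabled "$f"; done
  for u in dr-configurator srm-server; do report unit_fips_env_enabled "/usr/lib/systemd/system/$u.service"; done
  report grub_fips_enabled /boot/grub/grub.cfg
  for d in drconfigui dr-client dr-client-plugin dr-rest; do report context_manager_enabled "/opt/vmware/$d/conf/context.xml"; done
  ks=$(sed -n 's/^keyStoreName=//p' /opt/vmware/dr-client/lib/h5dr.properties)
  report others_readable "/opt/vmware/dr-client/lib/$ks"
  return $rc
}
if [ "${1:-}" = "--check" ]; then check_appliance; fi
```

    Run it on the appliance as `sh fips-check.sh --check`; after the reboot, `cat /proc/sys/crypto/fips_enabled` should print 1.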

What to do next

Validate that FIPS mode is activated.