This topic outlines the necessary task that you must perform to activate Federal Information Processing Standards (FIPS) mode on the Site Recovery Manager 9.0.1 appliance.
Note: The PKCS#12 certificate file format is not supported in the Certificates configuration in FIPS mode, because the PKCS#12 standard specification uses algorithms that are not FIPS compliant.
Prerequisites
Make sure to use trusted certificates when deploying your environment.
Procedure
- Edit the configuration files for the Site Recovery Manager services.
- Navigate to /opt/vmware/dr/conf/drconfig.xml, open the file and change the following setting.
    <Config>
      <vmacore>
        <ssl>
          <fips>true</fips>
        </ssl>
      </vmacore>
    </Config>
- Navigate to /opt/vmware/srm/conf/vmware-dr.template.xml, open the file and change the following setting.
    <Config>
      <vmacore>
        <ssl>
          <fips>true</fips>
        </ssl>
      </vmacore>
    </Config>
- (Optional) If the appliance is configured, edit the /opt/vmware/srm/conf/vmware-dr.xml file.
    <Config>
      <vmacore>
        <ssl>
          <fips>true</fips>
        </ssl>
      </vmacore>
    </Config>
- Start the Site Recovery Manager services in strict mode.
- Edit /usr/lib/systemd/system/dr-configurator.service. Uncomment the lines under # Uncomment to enable FIPS.
The file fragment must look like this.
    # Uncomment to enable FIPS
    Environment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules
    Environment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf
- Edit /usr/lib/systemd/system/srm-server.service. Uncomment the lines under # Uncomment to enable FIPS.
The file fragment must look like this.
    # Uncomment to enable FIPS
    Environment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules
    Environment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf
- Restart the dr-configurator and the srm-server. Run the following commands.
    systemctl daemon-reload
    systemctl restart dr-configurator
    systemctl restart srm-server
- Log in to the appliance as the root user and edit the kernel command line.
- Open /boot/grub/grub.cfg.
- Locate the menuentry entry.
- Append the following at the end of the line in each menuentry that starts with linux.
    fips=1
- Save the file.
- Start the Config UI in strict mode.
- Edit /opt/vmware/drconfigui/conf/service.env. Uncomment the line that sets the FIPS_ENABLED=True environment variable.
The file fragment must look like this.
    # Environment variable to mark is FIPS mode enabled
    # Uncomment to enable FIPS
    FIPS_ENABLED=True
- (Optional) Restart the drconfigui service if FIPS is already enabled for the appliance.
    systemctl restart drconfigui
- Start the UI in strict mode.
- Edit /opt/vmware/dr-client/conf/service.env. Uncomment the line that sets the FIPS_ENABLED=True environment variable.
The file fragment must look like this.
    # Environment variable to mark is FIPS mode enabled
    # Uncomment to enable FIPS
    FIPS_ENABLED=True
- Edit /opt/vmware/dr-client/lib/h5dr.properties and modify the parameters to point to a BCFKS format keystore and truststore containing the root CA certificates.
The properties must look like this.
    drTrustStorePass=<same as keyStorePass>
    drTrustStoreName=h5dr.truststore.bks
    keyStoreName=h5dr.keystore.bks
If you choose to use a truststore other than the default one, you must add a link to the truststore in /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/. The keystore format must be BCFKS. To import it from JKS format, use the following command.
    $JAVA_HOME/bin/keytool -importkeystore \
      -srckeystore <path-to-jks-keystore> -srcstoretype JKS -srcstorepass <keystorepass> \
      -destkeystore <path-to-target-bks-keystore> -deststoretype BCFKS -deststorepass <keystorepass> \
      -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
      -providerpath /opt/vmware/dr-client/lib/ext/bc-fips-1.0.2.4.jar
Note: The keystore and truststore files you use must have the Others: Read permission. After reconfiguring the appliance, you must re-edit the /opt/vmware/dr-client/lib/h5dr.properties file according to the rules above.
- (Optional) Restart the dr-client service if FIPS is already enabled for the appliance.
    systemctl restart dr-client
- Start the UI plugin (dr-client-plugin) in strict mode.
- Edit /opt/vmware/dr-client-plugin/conf/service.env. Uncomment the line that sets the FIPS_ENABLED=True environment variable.
The file fragment must look like this.
    # Environment variable to mark is FIPS mode enabled
    # Uncomment to enable FIPS
    FIPS_ENABLED=True
- (Optional) Restart the dr-client-plugin service if FIPS is already enabled for the appliance.
    systemctl restart dr-client-plugin
- Start the REST API service (dr-rest) in strict mode.
- Edit /opt/vmware/dr-rest/conf/service.env. Uncomment the line that sets the FIPS_ENABLED=True environment variable.
The file fragment must look like this.
    # Environment variable to mark is FIPS mode enabled
    # Uncomment to enable FIPS
    FIPS_ENABLED=True
- Edit /opt/vmware/dr-rest/lib/dr-rest-api.properties and add parameters that point to a BCFKS format truststore containing the root CA certificates.
The properties must look like this.
    drTrustStorePass=<same as the keyStorePass of dr-client>
    drTrustStoreName=dr-rest.truststore.bks
- (Optional) Restart the dr-rest service if FIPS is already enabled for the appliance.
    systemctl restart dr-rest
- Start the VMware Live Recovery agent service (dr-dpx-agent) in strict mode.
- Edit the /opt/vmware/dr-dpx-agent/conf/service.env file.
The file fragment must look like this.
    # Environment variable to mark is FIPS mode enabled
    # Uncomment to enable FIPS
    FIPS_ENABLED=True
- Restart the dr-dpx-agent service on the appliance.
    systemctl restart dr-dpx-agent
- Reboot the appliance.
Note: SSHD detects that the kernel has FIPS mode enabled and activates FIPS mode as well. You do not need to edit anything in the sshd configuration.
What to do next
Validate that FIPS mode is activated.
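As an added example (not VMware's code and not part of the original page), the following POSIX shell script checks each setting the procedure above edits, using the file paths given on this page; the sample files it writes are constructed to mirror the page's fragments so the checks can be exercised before they are run on an appliance.

```shell
# Added example (not VMware's code): checks every setting this page edits; each check takes a file path and returns 0 when the setting is in place.

# <fips>true</fips> present in an XML config, ignoring whitespace and newlines.
xml_fips_enabled() { tr -d ' \t\r\n' < "$1" | grep -q '<fips>true</fips>'; }
# Both OPENSSL_* Environment= lines uncommented in a systemd unit file.
unit_fips_env_enabled() {
  grep -q '^Environment=OPENSSL_MODULES=' "$1" && grep -q '^Environment=OPENSSL_CONF=' "$1"
}
# FIPS_ENABLED=True on an uncommented line of a service.env file.
service_env_fips_enabled() { grep -q '^FIPS_ENABLED=True[[:space:]]*$' "$1"; }
# Every boot line starting with "linux" in grub.cfg carries fips=1; one missed entry fails.
grub_fips_on_all_entries() {
  total=$(grep -c '^[[:space:]]*linux[[:space:]]' "$1" 2>/dev/null || true)
  with=$(grep -c '^[[:space:]]*linux[[:space:]].*fips=1' "$1" 2>/dev/null || true)
  [ "${total:-0}" -gt 0 ] && [ "$total" -eq "${with:-0}" ]
}
# Keystore/truststore readable by Others (mode bit o+r), as the page requires.
keystore_world_readable() { [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]; }

# Constructed sample files mirroring the page's fragments, written under $1; the grub
# sample deliberately leaves one entry without fips=1 and the keystore is mode 640.
make_samples() {
  printf '<Config>\n  <vmacore>\n    <ssl>\n      <fips>true</fips>\n    </ssl>\n  </vmacore>\n</Config>\n' > "$1/drconfig.xml"
  printf '# Uncomment to enable FIPS\nEnvironment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules\nEnvironment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf\n' > "$1/srm-server.service"
  printf '# Uncomment to enable FIPS\nFIPS_ENABLED=True\n' > "$1/service.env"
  printf 'menuentry "SRM" {\n\tlinux /boot/vmlinuz root=/dev/sda1 fips=1\n}\nmenuentry "Rescue" {\n\tlinux /boot/vmlinuz root=/dev/sda1\n}\n' > "$1/grub.cfg"
  : > "$1/h5dr.keystore.bks" && chmod 640 "$1/h5dr.keystore.bks"
}

# Run every check against the appliance paths from the page; report each failure, return 1 if any.
check_appliance() {
  rc=0
  [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = 1 ] || { echo "kernel: fips_enabled is not 1"; rc=1; }
  grub_fips_on_all_entries /boot/grub/grub.cfg || { echo "grub.cfg: a linux line lacks fips=1"; rc=1; }
  for f in /opt/vmware/dr/conf/drconfig.xml /opt/vmware/srm/conf/vmware-dr.template.xml /opt/vmware/srm/conf/vmware-dr.xml; do
    [ -f "$f" ] && ! xml_fips_enabled "$f" && { echo "$f: <fips> is not true"; rc=1; }
  done
  for u in dr-configurator srm-server; do
    unit_fips_env_enabled "/usr/lib/systemd/system/$u.service" || { echo "$u.service: OPENSSL_* lines still commented"; rc=1; }
  done
  for s in drconfigui dr-client dr-client-plugin dr-rest dr-dpx-agent; do
    service_env_fips_enabled "/opt/vmware/$s/conf/service.env" || { echo "$s: FIPS_ENABLED=True not set"; rc=1; }
  done
  for k in /opt/vmware/dr-client/lib/h5dr.keystore.bks /opt/vmware/dr-client/lib/h5dr.truststore.bks; do
    keystore_world_readable "$k" || { echo "$k: not readable by Others"; rc=1; }
  done
  return $rc
}
```

On the appliance, source the script and run check_appliance after the reboot; run make_samples against a scratch directory first to see how each check behaves on the constructed inputs.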