VMware products support the Federal Information Processing Standard or FIPS so that they can be certified for use in government departments and regulated industries. You can use the API to change FIPS mode for VMware Aria Suite Lifecycle, VMware Aria Automation, VMware Aria Operations, and VMware Aria Operations for Logs.

What is FIPS Compliance?

A product is FIPS 140-2 compliant when all security-related cryptography and random number generation use cryptographic modules validated by the CMVP. To be FIPS compliant, most VMware products only make calls to the OpenSSL or Bouncy Castle libraries.

You can enable or disable FIPS mode in VMware Aria Suite Lifecycle. You can only enable FIPS mode in VMware Aria Suite products.

How do I enable FIPS mode in VMware Aria Suite Lifecycle?

You can enable FIPS mode in VMware Aria Suite Lifecycle during installation or afterward. To enable FIPS during installation, use the OVA file and select the FIPS property in all install steps. To enable FIPS after installation, use the API.

Before enabling FIPS mode:
To enable FIPS mode after installation, use the following request.
curl -X POST \
  "$url/lcm/locker/api/fips" \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' \
  -d '{
     "enabled": true,
     "state": "ENABLED",
     "description": "",
     "request": null
}' | jq "."
A snippet from a successful response shows that the FIPS mode is changing, and provides a request ID that you can use to check the status of the request through completion.
{
  "enabled": false,
  "state": "CHANGING",
  "description": "Enabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.",
  "request": {
    "requestId": "23dre7d7-1413-4ce3-b277-b0eba2adba9b"
  }
}

How do I disable FIPS mode in VMware Aria Suite Lifecycle before I upgrade?

Before you upgrade VMware Aria Suite Lifecycle, use the API to disable FIPS mode because the upgrade process uses the vCenter Service Appliance Management Interface (VAMI) and problems can occur with the VAMI when FIPS mode is enabled. To disable FIPS mode before you upgrade, use the following request.
curl -X POST \
  "$url/lcm/locker/api/fips" \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' \
  -d '{
     "enabled": false,
     "state": "DISABLED",
     "description": "",
     "request": null
}' | jq "."
A snippet from a successful response shows that the FIPS mode is changing, and provides a request ID that you can use to check the status of the request through completion.
{
  "enabled": true,
  "state": "CHANGING",
  "description": "Disabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.",
  "request": {
    "requestId": "5e239981-15d6-4e00-859d-2f0645a856"
  }
}

How do I enable FIPS mode in VMware Aria Suite products?

You can enable FIPS mode in version 8.3 or later of VMware Aria Automation, VMware Aria Operations or VMware Aria Operations for Logs. After enabling, you cannot disable FIPS mode in VMware Aria Suite products.

For VMware Aria Automation, you can only enable FIPS mode during product installation. Day 2 enablement is not supported.

Before enabling FIPS mode in any VMware Aria Suite product, verify that all general installation prerequisites have been satisfied. See Prerequisites for Installing and Importing Products.

How do I enable FIPS mode during product installation?

To enable FIPS mode during product installation, you add a parameter in the products section of the request payload.
"fipsMode": "true"
For example, with the fipsMode parameter added to the VMware Aria Operations installation, the complete request appears as follows.
curl -X POST \
  "$url/lcm/lcops/api/v2/environments" \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' \
  -d '{
    "environmentName": "vrops_large_deployments",
    "infrastructure": {
      "properties": {
        "dataCenterVmid": "ee6ce426-ca13-4e56-ad9e-c34a4d3d90c2",
        "regionName": "default",
        "zoneName": "default",
        "vCenterName": "LCM-VC2",
        "vCenterHost": "lcm-vc2.sqa.local",
        "vcUsername": "[email protected]",
        "vcPassword": "",
        "acceptEULA": "true",
        "enableTelemetry": "true",
        "adminEmail": "[email protected]",
        "defaultPassword": "",
        "certificate": "",
        "cluster": "Datacenter#Cluster-01",
        "storage": "ISCSI-15TB-04",
        "folderName": "",
        "resourcePool": "",
        "diskMode": "thin",
        "network": "infra-traffic-1024",
        "masterVidmEnabled": "false",
        "dns": "10.141.66.213,10.118.183.252",
        "domain": "sqa.local",
        "gateway": "10.196.57.253",
        "netmask": "255.255.254.0",
        "searchpath": "sqa.local",
        "timeSyncMode": "ntp",
        "ntp": "ntp1.eng.vmware.com",
        "isDhcp": "false"
      }
    },
    "products": [
      {
        "id": "vrops",
        "version": "8.0.1",
        "properties": {
          "licenseRef": "locker:license:eab62-bc21-643cf0b9cafa:license",
          "certificate": "locker:certificate:f4e98b983:vmware",
          "productPassword": "locker:password:d21-d9de2c10:VMware1!",
          "disableTls": "",
          "timeSyncMode": "ntp",
          "masterVidmEnabled": false,
          "ntp": "ntp1.eng.vmware.com",
          "affinityRule": false,
          "configureAffinitySeparateAll": "true",
          "deployOption": "large",
          "fipsMode": "true"
        },
        "clusterVIP": {
          "clusterVips": []
        },
        "nodes": [
          {
            "type": "remotecollector",
            "properties": {
              "vmName": "vrops-remotecollector",
              "hostName": "sqa.local",
              "deployOption": "smallrc",
              "ip": "4.4.4.4",
              "gateway": "2.2.2.2",
              "domain": "2.2.2.2",
              "searchpath": "2.2.2.2",
              "dns": "10.141.66.213",
              "netmask": "2.2.2.2",
              "extendedStorage": "",
              "timeZone": "",
              "ntp": "",
              "vCenterHost": "lcm-vc1.sqa.local",
              "cluster": "Datacenter-01#Cluster-01",
              "resourcePool": "",
              "folderName": "",
              "network": "dvs-55-Network-314b11d9-c958-4aa2-af98-cd5439a970d7",
              "storage": "ISCSI-15TB-02",
              "diskMode": "thin",
              "contentLibraryItemId": "",
              "vCenterName": "lcm-vc1",
              "vcUsername": "[email protected]",
              "vcPassword": "locker:password:4984d8e4-825b-4694-99cf-db80b41b5ac2:vc-password"
            }
          },
          {
            "type": "master",
            "properties": {
              "vmName": "mastervmname",
              "hostName": "lcm-57-68.sqa.local",
              "ip": "10.196.57.68"
            }
          },
          {
            "type": "replica",
            "properties": {
              "vmName": "replicavmname",
              "hostName": "lcm-12-34.sqa.local",
              "ip": "10.196.12.34"
            }
          },
          {
            "type": "data",
            "properties": {
              "vmName": "datavmname",
              "hostName": "lcm-12-35.sqa.local",
              "ip": "10.196.12.35"
            }
          }
        ]
      }
    ]
  }' | jq "."

For the steps to take after the installation request, see Deploy your Products using the VMware Aria Suite Lifecycle API.
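
As an added example (not VMware's code), the following Python pre-flight check parses an environment-creation payload before it is posted and reports JSON that does not parse, a fipsMode value other than the string form shown above, a product version below 8.3, and passwords supplied inline rather than as locker: references. The function names and sample payloads are constructed for illustration, and treating a non-locker password as a finding is an assumption based on the locker references in the request above.

```python
import json

MIN_VERSION = (8, 3)  # the page: FIPS mode needs version 8.3 or later

def parse_version(text):
    """Return (major, minor) from a dotted version string, or None if malformed."""
    try:
        major, minor = (int(part) for part in text.split(".")[:2])
        return major, minor
    except (AttributeError, ValueError):
        return None

def check_fips_payload(raw):
    """Return findings for an environment-creation payload; an empty list means OK."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    for product in payload.get("products", []):
        pid = product.get("id", "<no id>")
        props = product.get("properties", {})
        if "fipsMode" not in props:
            continue  # FIPS not requested for this product
        if props["fipsMode"] != "true":
            findings.append(f"{pid}: fipsMode is {props['fipsMode']!r}, expected the string 'true'")
        version = parse_version(product.get("version"))
        if version is None or version < MIN_VERSION:
            findings.append(f"{pid}: version {product.get('version')!r} is below 8.3")
        for key, value in props.items():
            # Assumption: secrets should be locker: references, as in the request above.
            if "password" in key.lower() and value and not str(value).startswith("locker:"):
                findings.append(f"{pid}: {key} is an inline value, not a locker: reference")
    return findings

# Constructed sample payloads (not taken from a real environment).
GOOD = """{"products": [{"id": "vrops", "version": "8.3.0", "properties": {
  "productPassword": "locker:password:EXAMPLE:alias", "fipsMode": "true"}}]}"""
BROKEN = """{"products": [{"id": "vrops", "version": "8.3.0", "properties": {
  "deployOption": "large" "fipsMode": "true"}}]}"""  # missing comma
RISKY = """{"products": [{"id": "vrops", "version": "8.2.0", "properties": {
  "productPassword": "Plaintext-Example", "fipsMode": true}}]}"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BROKEN", BROKEN), ("RISKY", RISKY)):
        print(name, check_fips_payload(raw))
```

Because FIPS mode cannot be disabled in the products once enabled, running a check like this before the POST catches a malformed or unintended payload while it is still cheap to fix.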

How do I enable FIPS mode in products as part of Day 2 operations?

To enable FIPS mode for a product after installation, you first get the environment ID of the product by using the following command.
curl -X GET \
  "$url/lcm/lcops/api/v2/environments" \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' | jq "."
Check the response for an environment that includes the product that you are updating. For example, to enable FIPS mode in VMware Aria Operations, look for the environment that includes the vrops product and assign variables for the environmentId and the productId.
environmentId="<environmentId_value_from_response>"
productId="vrops"
To enable FIPS mode for VMware Aria Operations, use the following command.
curl -X POST \
  "$url/lcm/lcops/api/v2/environments/$environmentId/products/$productId/fips" \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' \
  -d '{
    "fipsMode": "true"
}' | jq "."
A snippet from a successful response provides a request ID that you can use to check the status of the request through completion.
{
    "requestId": "a0d8d8cd-ac87-4b5c-ba8b-7a0173c56b55"
}