Activate or Deactivate FIPS Mode on the VMware Cloud Director Appliance

Starting with version 10.2.2, you can configure the VMware Cloud Director appliance to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. The NIST Cryptographic Module Validation Program (CMVP) validates the cryptographic modules compliant with the FIPS 140-2 standards.

The goal of VMware Cloud Director FIPS support is to ease the compliance and security activities in various regulated environments. To learn more about support for FIPS 140-2 in VMware products, see https://www.vmware.com/security/certifications/fips.html.

VMware Cloud Director FIPS-validated cryptography is deactivated by default. By activating FIPS mode, you configure VMware Cloud Director to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.

Note: Activating FIPS mode also activates reverse lookup of host names.

Important: When you activate FIPS mode, the integration with vRealize Orchestrator does not work.

In VMware Cloud Director 10.2.2 when you activate FIPS mode, you cannot encrypt SAML assertions. When not in FIPS mode, there is no restriction on assertion encryption.

VMware Cloud Director uses the following FIPS 140-2 validated cryptographic modules:

VMware’s BC-FJA (Bouncy Castle FIPS Java API), version 1.0.2.1: Certificate #3673
VMware’s OpenSSL FIPS Object Module, version 2.0.20-vmw: Certificate #3857

VMware Cloud Director is in a bundle with the cell management tool (CMT). However, the cell management tool is not FIPS-compliant.

When using the VMware Cloud Director appliance, to configure the appliance to run in FIPS-compliant mode, you must manage both the appliance FIPS mode and the cell FIPS mode.

Appliance FIPS mode is the mode of the underlying appliance OS, embedded database, and various system libraries.
Cell FIPS mode is the mode of the VMware Cloud Director cell running on each appliance.

For activating and deactivating FIPS mode on VMware Cloud Director on Linux, see Enable FIPS Mode on the Cells in the Server Group.

Prerequisites

If metrics collection is activated, verify that the Cassandra certificates follow the X.509 v3 certificate standard and include all the necessary extensions. You must configure Cassandra with the same cipher suites that VMware Cloud Director uses. For information about the allowed SSL ciphers, see Managing the List of Allowed SSL Ciphers.
Unregister VMware Cloud Director from the vCenter Lookup Service. See Configure vSphere Services in the VMware Cloud Director Service Provider Admin Portal Guide.

Procedure

From the top navigation bar of the Service Provider Admin Portal, select Administration.
In the left panel, under Settings, select SSL.
Click Enable.
To confirm that you want to start the process, click Enable.

When the configuration finishes, VMware Cloud Director displays an Enable in Progress (Awaiting cells restart) message, and you can continue to step 5. When you run the API command in step 5, the VMware Cloud Director appliance automatically restarts the cells.
To turn on or turn off the appliance FIPS mode, use the VMware Cloud Director appliance API to make a PUT request to the fips/{node_name} URL. See VMware Cloud Director Appliance API.

Note: You must use the {node_name} of the machine processing the PUT request.
Example: Actiavting FIPS Mode
Request:
```
PUT https://vcloud.example.com:5480/api/1.0.0/fips/{node_name}
Content-Type: application/json
...
{
    "applianceFips": "ON"
}
```
Repeat step 5 for each appliance, for example, primary, standby, and application types.

What to do next

To confirm the state of the cells, you can use the VMware Cloud Director appliance management UI. See View the VMware Cloud Director Appliance FIPS Mode.