You can configure VMware Cloud Director 10.2.2 and later on Linux to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.
The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. The NIST Cryptographic Module Validation Program (CMVP) validates the cryptographic modules compliant with the FIPS 140-2 standards.
The goal of VMware Cloud Director FIPS support is to ease the compliance and security activities in various regulated environments. To learn more about support for FIPS 140-2 in VMware products, see https://www.vmware.com/security/certifications/fips.html.
In VMware Cloud Director, FIPS-validated cryptography is deactivated by default. By activating FIPS mode, you configure VMware Cloud Director to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.
In VMware Cloud Director 10.2.2 when you activate FIPS mode, you cannot encrypt SAML assertions. When not in FIPS mode, there is no restriction on assertion encryption.
VMware Cloud Director uses the following FIPS 140-2 validated cryptographic modules:
- VMware’s BC-FJA (Bouncy Castle FIPS Java API), version 1.0.2.1: Certificate #3673
- VMware’s OpenSSL FIPS Object Module, version 2.0.20-vmw: Certificate #3857
VMware Cloud Director is in a bundle with the cell management tool (CMT). However, the cell management tool is not FIPS-compliant.
For information about activating FIPS mode on the VMware Cloud Director appliance, see Activate or Deactivate FIPS Mode on the VMware Cloud Director Appliance.
Prerequisites
- Verify that the certificates have the
KeyCertSign
bit asserted by using OpenSSL. FIPS mode can function only if the VMware Cloud Director SSL certificates have theKeyCertSign
asserted.openssl crl2pkcs7 -nocrl -certfile certificates.pem | openssl pkcs7 -print_certs -text -noout
If the certificates do not include the extension, specify theKeyCertSign
bit when creating an SSL certificate keystore. - Install and activate the
rng-tools
set of utilities. See https://wiki.archlinux.org/index.php/Rng-tools. - If metrics collection is activated, verify that the Cassandra certificates follow the X.509 v3 certificate standard and include all the necessary extensions. You must configure Cassandra with the same cipher suites that VMware Cloud Director uses. For information about the allowed SSL ciphers, see Managing the List of Allowed SSL Ciphers.
- Unregister VMware Cloud Director from the vCenter Lookup Service. See Configure vSphere Services.
Procedure
What to do next
- Deactivate FIPS mode by clicking Disable, and after VMware Cloud Director indicates that the configuration is ready, restart the cells.
- You can view the FIPS status of the active VMware Cloud Director cells by using the fips-mode CMT command. See View the FIPS Status of All Active Cells in the VMware Cloud Director Installation, Configuration, and Upgrade Guide.