You can configure your VMware Cloud Director appliance to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. The NIST Cryptographic Module Validation Program (CMVP) validates the cryptographic modules compliant with the FIPS 140-2 standards.

The goal of VMware Cloud Director FIPS support is to ease the compliance and security activities in various regulated environments. To learn more about support for FIPS 140-2 in VMware products, see https://www.vmware.com/security/certifications/fips.html.

VMware Cloud Director FIPS-validated cryptography is deactivated by default. By activating FIPS mode, you configure VMware Cloud Director to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.

Important: When you activate FIPS mode, the integration with VMware Aria Automation Orchestrator does not work.

VMware Cloud Director uses the following FIPS 140-2 validated cryptographic modules:

  • VMware’s BC-FJA (Bouncy Castle FIPS Java API), version 1.0.2.3: Certificate #3673 (under NIST review for 1.0.2.3. Approved for version 1.0.2.1. Corresponding Bouncy Castle FIPS module approved for version 1.0.2.3 per Certificate #3514)
  • VMware’s OpenSSL FIPS Object Module, version 2.0.20-vmw: Certificate #3857

When using the VMware Cloud Director appliance, to configure the appliance to run in FIPS-compliant mode, you must manage both the appliance FIPS mode and the cell FIPS mode.
  • Appliance FIPS mode is the mode of the underlying appliance OS, embedded database, and various system libraries.
  • Cell FIPS mode is the mode of the VMware Cloud Director cell running on each appliance.

For activating and deactivating FIPS mode on VMware Cloud Director on Linux, see Enable FIPS Mode on the Cells in the Server Group.

Prerequisites

  • If metrics collection is activated, verify that the Cassandra certificates follow the X.509 v3 certificate standard and include all the necessary extensions. You must configure Cassandra with the same cipher suites that VMware Cloud Director uses. For information about the allowed SSL ciphers, see Managing the List of Allowed SSL Ciphers.
  • If you want to use SAML encryption, you must regenerate one of the key pairs for the existing organizations and re-exchange the SAML metadata. Organizations created with VMware Cloud Director 10.2.x and earlier have two identical key pairs, and you must regenerate one of the key pairs. Organizations created with VMware Cloud Director 10.3 and later have two distinct key pairs, and you do not need to regenerate any of them.

Procedure

  1. From the top navigation bar of the Service Provider Admin Portal, select Administration.
  2. In the left panel, under Settings, select SSL.
  3. Activate or deactivate FIPS mode on the cells in the server group.
    Option: Activate
      1. Click Enable.
      2. Confirm that your system meets all FIPS requirements and you want to start the process, and click Enable.
    Option: Deactivate
      1. Click Disable.
      2. Confirm that you understand that you must restart the cells for FIPS mode to be deactivated, and click Disable.

    When the configuration finishes, VMware Cloud Director displays an Enable in Progress (Awaiting cells restart) or Disable in Progress (Awaiting cells restart) message, and you can continue to step 4. When you activate or deactivate FIPS mode from the appliance management UI, the VMware Cloud Director appliance automatically restarts the cells.

  4. Log in as root to the appliance management UI at https://appliance_eth1_IP_address:5480.
  5. In the left panel, select the System Configuration tab.
  6. To turn on or turn off the appliance FIPS mode, click the Enable or Disable button for the node you are logged into.
    You can turn on or turn off the appliance FIPS mode only on the node you are logged into.
  7. Confirm the action and verify that FIPS mode is activated or deactivated successfully.
  8. Repeat step 4 to step 7 for each appliance, for example, primary, standby, and application types.

What to do next

  • To confirm the state of the cells, see View the FIPS Mode of Your VMware Cloud Director Appliance.
  • To avoid host header injection vulnerabilities, activate host header verification.
    1. Log in directly or by using an SSH client to the VMware Cloud Director console as root.
    2. Activate host header verification using the cell management tool.
      /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.http.enableHostHeaderCheck -v true

View the FIPS Mode of Your VMware Cloud Director Appliance

You can use the VMware Cloud Director appliance management UI to view the FIPS mode of your appliance.

When using the VMware Cloud Director appliance, to configure the VMware Cloud Director appliance to run in FIPS-compliant mode, you must manage both the appliance FIPS mode and the cell FIPS mode.

  • The appliance FIPS mode is the mode of the underlying appliance OS, embedded database, and various system libraries.
  • The cell FIPS mode is the mode of the VMware Cloud Director cell running on each appliance.

On the System Configuration tab of the VMware Cloud Director appliance management UI, you can find the FIPS mode information.

Table 1. FIPS Mode State

| Health | Description |
|---|---|
| Green check mark | The appliance and cell FIPS modes match. Both modes are either on or off. |
| Yellow exclamation mark | The cell FIPS mode is in a Pending restart state. Use the appliance API to activate or deactivate the appliance FIPS mode. Changing the appliance FIPS mode automatically restarts the VMware Cloud Director cell service. |
| Red exclamation mark | The VMware Cloud Director appliance cannot determine the cell FIPS mode. The VMware Cloud Director service failing on the appliance can cause the cell FIPS mode to be undetermined. |

Prerequisites

Activate or Deactivate FIPS Mode on Your VMware Cloud Director Appliance

Procedure

  1. Log in as root to the appliance management UI at https://primary_eth1_ip_address:5480.
  2. From the left panel, select System Configuration.
  3. View the status of the appliance and cell FIPS mode on each node.
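
The following added example (not VMware code) applies the Table 1 health states to every node in a server group and reports which nodes still need attention, including the case where a green state only means that both modes are off. The field names, the mode strings, the "mismatch" state, and the sample inventory are assumptions made for illustration; the values would be recorded by hand from the System Configuration tab of each node.

```python
# Added example: field names, mode strings and the inventory are constructed.
from dataclasses import dataclass

ON, OFF, PENDING, UNKNOWN = "on", "off", "pending_restart", "unknown"

@dataclass
class Node:
    name: str
    role: str            # primary, standby, or application
    appliance_fips: str  # ON or OFF
    cell_fips: str       # ON, OFF, PENDING, or UNKNOWN

def node_health(node):
    """Map one node to the health states described in Table 1."""
    if node.cell_fips == UNKNOWN:
        return "red"      # cell FIPS mode cannot be determined
    if node.cell_fips == PENDING:
        return "yellow"   # cell is waiting for a restart
    if node.cell_fips == node.appliance_fips:
        return "green"    # both modes on, or both modes off
    # Not covered by Table 1 (assumption): settled modes that disagree.
    return "mismatch"

def group_report(nodes):
    """Return (fips_compliant, findings) for the whole server group."""
    findings = {}
    for n in nodes:
        health = node_health(n)
        if health == "red":
            findings[n.name] = "cell FIPS mode undetermined; check the VMware Cloud Director service"
        elif health == "yellow":
            findings[n.name] = "cell pending restart; changing the appliance FIPS mode restarts the cell"
        elif health == "mismatch":
            findings[n.name] = "appliance and cell FIPS modes disagree"
        elif n.appliance_fips == OFF:
            # Green only means the modes match; both can be off.
            findings[n.name] = "modes match but FIPS is off"
    return (not findings, findings)

# Constructed sample inventory, not output from a real appliance.
SAMPLE = [
    Node("vcd-a", "primary", ON, ON),
    Node("vcd-b", "standby", ON, PENDING),
    Node("vcd-c", "standby", OFF, OFF),
    Node("vcd-d", "application", ON, UNKNOWN),
]

if __name__ == "__main__":
    ok, findings = group_report(SAMPLE)
    print("FIPS-compliant group:", ok)
    for name, msg in findings.items():
        print(f"  {name}: {msg}")
```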