You can configure VMware Cloud Director on Linux to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. The NIST Cryptographic Module Validation Program (CMVP) validates the cryptographic modules compliant with the FIPS 140-2 standards.

The goal of VMware Cloud Director FIPS support is to ease the compliance and security activities in various regulated environments. To learn more about support for FIPS 140-2 in VMware products, see https://www.vmware.com/security/certifications/fips.html.

In VMware Cloud Director, FIPS-validated cryptography is deactivated by default. By activating FIPS mode, you configure VMware Cloud Director to use FIPS 140-2 validated cryptographic modules and to run in FIPS-compliant mode.

Important: When you activate FIPS mode, the integration with VMware Aria Automation Orchestrator does not work.

VMware Cloud Director uses the following FIPS 140-2 validated cryptographic modules:

  • VMware’s BC-FJA (Bouncy Castle FIPS Java API), version 1.0.2.3: Certificate #3673 (under NIST review for 1.0.2.3. Approved for version 1.0.2.1. Corresponding Bouncy Castle FIPS module approved for version 1.0.2.3 per Certificate #3514)
  • VMware’s OpenSSL FIPS Object Module, version 2.0.20-vmw: Certificate #3857

For information about activating FIPS mode on the VMware Cloud Director appliance, see Activate or Deactivate FIPS Mode on the VMware Cloud Director Appliance.

Prerequisites

  • Install and activate the rng-tools set of utilities. See https://wiki.archlinux.org/index.php/Rng-tools.
  • If metrics collection is activated, verify that the Cassandra certificates follow the X.509 v3 certificate standard and include all the necessary extensions. You must configure Cassandra with the same cipher suites that VMware Cloud Director uses. For information about the allowed SSL ciphers, see Managing the List of Allowed SSL Ciphers.
  • If you want to use SAML encryption, you must regenerate one of the key pairs for the existing organizations and re-exchange the SAML metadata. Organizations created with VMware Cloud Director 10.2.x and earlier, have two identical key pairs and you must regenerate one of the key pairs. Organizations created with VMware Cloud Director 10.3 and later have two distinct key pairs and you do not need to regenerate any of them.

Procedure

  1. From the primary left navigation panel, select Administration.
  2. In the left panel, under Settings, select SSL.
  3. Click Enable.
  4. Confirm that your environment meets all prerequisites to activating FIPS mode.
    If your environment does not meet all prerequisites before starting the FIPS mode configuration, VMware Cloud Director might become inaccessible.
  5. To confirm you want to start the process, click Enable.
    When the configuration finishes, VMware Cloud Director displays a message to restart your cloud cells.
  6. After VMware Cloud Director displays a message to restart your cloud cells, restart every cell in the VMware Cloud Director server group.

What to do next

  • Deactivate FIPS mode by clicking Disable, and after VMware Cloud Director indicates that the configuration is ready, restart the cells.
  • You can view the FIPS status of the active VMware Cloud Director cells by using the fips-mode CMT command. See View the FIPS Status of All Active Cells in the VMware Cloud Director Installation, Configuration, and Upgrade Guide.
  • To avoid host header injection vulnerabilities, activate host header verification.
    1. Log in directly or by using an SSH client to the VMware Cloud Director console as root.
    2. Activate host header verification using the cell management tool.
      /opt/vmware/vcloud-director/bin/cell-management-tool manage-config -n vcloud.http.enableHostHeaderCheck -v true