Enabling the FIPS mode turns on the cipher suites that comply with FIPS. Thus, any secure communication to or from the NSX Edge uses cryptographic algorithms or protocols that are allowed by FIPS.

Caution: Changing FIPS mode reboots the NSX Edge appliance causing temporary traffic disruption. This applies whether or not high availability is enabled.

Depending on your requirements, you can enable FIPS on some or all of your NSX Edge appliances. FIPS-enabled NSX Edge appliances can communicate with NSX Edge appliances that do not have FIPS enabled.

If a logical (distributed) router is deployed without an NSX Edge appliance, you cannot modify the FIPS mode. The logical router automatically gets the same FIPS mode as the NSX Controller cluster. If the NSX Controller cluster is NSX 6.3.0 or later, FIPS is enabled.

To change FIPS mode on a universal logical (distributed) router in a cross-vCenter NSX environment that has multiple NSX Edge appliances deployed in the primary and secondary NSX Managers, you must change FIPS mode on all the NSX Edge appliances associated with the universal logical (distributed) router on the primary NSX Manager.

If you change FIPS mode on an NSX Edge appliance with high availability enabled, FIPS will be enabled on both appliances, and the appliances will be rebooted one after the other.

If you want to change FIPS mode on a standalone NSX Edge, use the fips enable or fips disable CLI command. For more information, see the NSX Command Line Interface Reference.

Prerequisites

  • Verify that any partner solutions are FIPS mode certified. See the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility/search.php?deviceCategory=security.
  • If you have upgraded from an earlier version of NSX, do not enable FIPS mode until the upgrade to NSX 6.3.0 is complete. See Understand FIPS Mode and NSX Upgrade in the NSX Upgrade Guide.
  • Verify that the NSX Manager is NSX 6.3.0 or later.
  • Verify that the NSX Controller cluster is NSX 6.3.0 or later.
  • Verify that all host clusters running NSX workloads are prepared with NSX 6.3.0 or later.
  • Verify that all NSX Edge appliances on which you want to enable FIPS are version 6.3.0 or later.
  • Verify that the messaging infrastructure has status GREEN. Use the API method GET /api/2.0/nwfabric/status?resource={resourceId}, where resourceId is the vCenter Managed Object ID of a host or cluster. Look for the status corresponding to the featureId of com.vmware.vshield.vsm.messagingInfra in the response body:
    <nwFabricFeatureStatus>
        <featureId>com.vmware.vshield.vsm.messagingInfra</featureId>
        <updateAvailable>false</updateAvailable>
        <status>GREEN</status>
        <installed>true</installed>
        <enabled>true</enabled>
        <allowConfiguration>false</allowConfiguration>
    </nwFabricFeatureStatus>
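The messaging-infrastructure check above is easy to get wrong by eye when the status document lists many features. The following script is an added example, not part of the NSX documentation or the NSX product: it parses a response in the shape shown above and reports whether the com.vmware.vshield.vsm.messagingInfra feature is GREEN. The sample response is constructed for illustration (the enclosing root element name and the second, hypothetical feature entry are not documented on this page), and the optional fetch helper assumes the NSX Manager API accepts HTTP Basic authentication over HTTPS with a certificate that chains to a CA you trust.

```python
"""Check that the NSX messaging infrastructure is GREEN before changing FIPS mode.

Added example (not from the NSX documentation). It parses the response of
GET /api/2.0/nwfabric/status?resource={resourceId} and looks up the status of
the com.vmware.vshield.vsm.messagingInfra feature.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional

MESSAGING_INFRA_FEATURE_ID = "com.vmware.vshield.vsm.messagingInfra"

# Constructed sample response. Only the <nwFabricFeatureStatus> element is
# documented; the list root and the com.example feature are hypothetical.
SAMPLE_RESPONSE = """<nwFabricFeatureStatusList>
  <nwFabricFeatureStatus>
    <featureId>com.vmware.vshield.vsm.messagingInfra</featureId>
    <updateAvailable>false</updateAvailable>
    <status>GREEN</status>
    <installed>true</installed>
    <enabled>true</enabled>
    <allowConfiguration>false</allowConfiguration>
  </nwFabricFeatureStatus>
  <nwFabricFeatureStatus>
    <featureId>com.example.hypotheticalFeature</featureId>
    <updateAvailable>false</updateAvailable>
    <status>RED</status>
    <installed>true</installed>
    <enabled>true</enabled>
    <allowConfiguration>true</allowConfiguration>
  </nwFabricFeatureStatus>
</nwFabricFeatureStatusList>
"""


def feature_statuses(xml_text: str) -> Dict[str, str]:
    """Map every featureId in the response to its status string."""
    root = ET.fromstring(xml_text)
    statuses: Dict[str, str] = {}
    # iter() walks the whole tree, so the (undocumented) root element name is irrelevant.
    for feature in root.iter("nwFabricFeatureStatus"):
        feature_id = feature.findtext("featureId")
        status = feature.findtext("status")
        if feature_id is not None and status is not None:
            statuses[feature_id.strip()] = status.strip()
    return statuses


def messaging_infra_status(xml_text: str) -> Optional[str]:
    """Return the status of the messaging infrastructure feature, or None if absent."""
    return feature_statuses(xml_text).get(MESSAGING_INFRA_FEATURE_ID)


def messaging_infra_is_green(xml_text: str) -> bool:
    """True only when the messaging infrastructure reports exactly GREEN."""
    return messaging_infra_status(xml_text) == "GREEN"


def fetch_nwfabric_status(manager: str, resource_id: str, username: str,
                          password: str, cafile: Optional[str] = None) -> str:
    """GET the status document from NSX Manager over HTTPS (assumed Basic auth).

    The TLS context verifies the Manager certificate against `cafile`, or the
    system trust store when cafile is None; verification is never disabled.
    """
    url = f"https://{manager}/api/2.0/nwfabric/status?resource={resource_id}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    request = urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {token}", "Accept": "application/xml"},
    )
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To run against a real
    # Manager, replace the sample with fetch_nwfabric_status(
    #     "nsx-manager.example", "<cluster-or-host-MOID>", "admin", "<password>").
    status = messaging_infra_status(SAMPLE_RESPONSE)
    if messaging_infra_is_green(SAMPLE_RESPONSE):
        print(f"messagingInfra is {status}: safe to proceed with the FIPS change")
    else:
        print(f"messagingInfra is {status!r}: do not change FIPS mode yet")
```

The check deliberately tests for the exact string GREEN rather than "not RED", so an unexpected or missing status blocks the change instead of silently passing.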

Procedure

  1. Log in to the vSphere Web Client.
  2. Click Networking & Security > NSX Edges.
  3. Select the required edge or router, click Actions, and select Change FIPS mode.
    The Change FIPS mode dialog box appears.

    A warning message informs you that changing FIPS mode will reboot the NSX Edge appliance.

  4. Select or deselect the Enable FIPS check box. Click OK.
    The NSX Edge reboots, and FIPS mode is enabled.

What to do next

Optionally, Change FIPS Mode and TLS Settings on NSX Manager.