Starting in NSX 6.3.0, you can enable FIPS mode, which turns on the cipher suites that comply with FIPS.

Caution: When you upgrade from a version of NSX earlier than NSX 6.3.0 to NSX 6.3.0 or later, you must not enable FIPS mode before the upgrade is completed. Enabling FIPS mode before the upgrade is complete interrupts communication between upgraded and not-upgraded components.

NSX Upgrade and FIPS Status

Table 1. FIPS Mode Status in NSX Components After Upgrade from NSX 6.2 to NSX 6.3 or NSX 6.4.
| NSX Component | FIPS Mode Status |
|---|---|
| NSX Manager | After upgrade, FIPS mode on NSX Manager appliances is available and turned off. Do not enable FIPS until upgrade of all NSX components is complete, and FIPS has been enabled on all NSX Edge appliances. |
| NSX Controller cluster | After upgrade, the NSX Controller cluster is FIPS compliant. This is not configurable. |
| NSX host cluster | After upgrade, NSX host clusters are FIPS compliant. This is not configurable. |
| NSX Edge | After upgrade, FIPS mode on NSX Edge appliances is available and turned off. Do not enable FIPS until upgrade of all NSX components is complete. |
| Guest Introspection service VM | After upgrade, the Guest Introspection service VM is FIPS compliant. This is not configurable. |

Enable FIPS

If you are upgrading from NSX 6.2 to NSX 6.3 or NSX 6.4, and want to enable FIPS, you must complete the following steps:
  1. Verify that any partner solutions are FIPS mode certified. See the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility/search.php?deviceCategory=security. Check the partner documentation for information.
  2. Upgrade NSX Manager to NSX 6.3.0 or later.
  3. Upgrade the NSX Controller cluster to NSX 6.3.0 or later.
  4. Upgrade all host clusters running NSX workloads to NSX 6.3.0 or later.
  5. Upgrade all NSX Edge appliances to NSX 6.3.0 or later.
  6. If installed, upgrade Guest Introspection on all host clusters to NSX 6.3.0 or later.
  7. Enable FIPS mode on NSX Edge appliances. See Change FIPS Mode on NSX Edge in the NSX Administration Guide.
  8. Enable FIPS mode on the NSX Manager appliances. See Change FIPS Mode and TLS Settings on NSX Manager in the NSX Administration Guide.
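
The ordering above can be checked before steps 7 and 8 with a small pre-flight gate. This is an added example, not VMware code: the inventory format, component names, and the `fips_gate` function are assumptions, and the sample data is constructed. Fill the inventory from your own upgrade records.

```python
MIN_VERSION = (6, 3, 0)  # FIPS mode is available starting in NSX 6.3.0

# Constructed sample inventory (hypothetical names). Only NSX Manager and
# NSX Edge carry a configurable "fips" flag; the others are not configurable.
SAMPLE_INVENTORY = [
    {"name": "nsxmgr-01", "type": "manager", "version": "6.4.1", "fips": False},
    {"name": "controllers", "type": "controller", "version": "6.4.1"},
    {"name": "compute-a", "type": "host_cluster", "version": "6.4.1"},
    {"name": "gi-compute-a", "type": "guest_introspection", "version": "6.4.1"},
    {"name": "edge-1", "type": "edge", "version": "6.4.1", "fips": True},
    {"name": "edge-2", "type": "edge", "version": "6.2.4", "fips": False},
]


def parse_version(text):
    """Turn '6.4.1' into (6, 4, 1) so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def fips_gate(inventory):
    """Report whether step 7 (Edges) and step 8 (Manager) may proceed.

    'blockers' lists everything still standing between the current state
    and enabling FIPS mode on NSX Manager.
    """
    blockers = []
    behind = [c for c in inventory if parse_version(c["version"]) < MIN_VERSION]
    for c in behind:
        blockers.append(f'{c["name"]}: at {c["version"]}, upgrade to 6.3.0 or later')
    if behind:
        # FIPS mode enabled while some component is not yet upgraded is the
        # condition the Caution warns about.
        for c in inventory:
            if c.get("fips"):
                blockers.append(f'{c["name"]}: FIPS mode on before upgrade is complete')
    edges_off = [c for c in inventory if c["type"] == "edge" and not c.get("fips")]
    for c in edges_off:
        blockers.append(f'{c["name"]}: FIPS mode still off on this NSX Edge')
    return {
        "enable_on_edges": not behind,
        "enable_on_manager": not behind and not edges_off,
        "blockers": blockers,
    }


if __name__ == "__main__":
    result = fips_gate(SAMPLE_INVENTORY)
    print(result["enable_on_edges"], result["enable_on_manager"])
    print("\n".join(result["blockers"]))
```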