When you enable FIPS mode, all secure communication to or from the NSX Manager uses cryptographic algorithms and protocols that are allowed by the United States Federal Information Processing Standards (FIPS).

About this task

  • In a Cross-vCenter NSX environment, you should enable the FIPS mode on each NSX Manager separately.

  • If one of the NSX Managers is not configured for FIPS, you must still ensure that it uses a secure communication method which complies with the FIPS standards.

  • Both primary and secondary NSX Managers must be on the same TLS version for universal synchronization to work correctly.

Important:

Changing FIPS mode reboots the NSX Manager virtual appliance.

Prerequisites

  • Verify any partner solutions are FIPS mode certified. See the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility/search.php?deviceCategory=security.

  • If you have upgraded from an earlier version of NSX, do not enable FIPS mode until the upgrade to NSX 6.3.0 is complete. See Understand FIPS Mode and NSX Upgrade in the NSX Upgrade Guide.

  • Verify that the NSX Manager is NSX 6.3.0 or later.

  • Verify that the NSX Controller cluster is NSX 6.3.0 or later.

  • Verify that all host clusters running NSX workloads are prepared with NSX 6.3.0 or later.

  • Verify that all NSX Edge appliances are version 6.3.0 or later, and that FIPS mode has been enabled on the required NSX Edge appliances. See Change FIPS Mode on NSX Edge.

Procedure

  1. Log in to the NSX Manager virtual appliance.
  2. Under Appliance Management, click Manage Appliance Settings.
  3. From the Settings panel, click General.
  4. Click Edit next to FIPS Mode and TLS settings.

  5. To enable FIPS mode, select the Enable FIPS Mode check box.
  6. For Server and Client, select the check boxes for the required TLS protocol version.
    Note:

    When FIPS mode is enabled, NSX Manager disables the TLS protocols that are not compliant with the FIPS standards.

  7. Click OK.

    The NSX Manager appliance reboots, and FIPS is enabled.
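
A check to run after the reboot for the requirement that primary and secondary NSX Managers be on the same TLS version. This is an added example, not VMware code: it probes which TLS versions each manager accepts and reports any secondary that differs from the primary. The host names, port 443, the list of versions probed, and the function names are assumptions of the example.

```python
import socket
import ssl

# Versions probed: an assumption of this example, not a list from the page.
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}


def accepts(host, version, port=443, timeout=5.0):
    """True if host completes a handshake pinned to exactly one TLS version."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Only the protocol version is recorded, so certificate validation is
        # skipped for this probe (appliances may present self-signed certs).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ValueError):
        # Also reached when the local OpenSSL build refuses this version,
        # so confirm a "not accepted" result from a second client.
        return False


def probe(host):
    """Names of the TLS versions that host accepts."""
    return {name for name, ver in VERSIONS.items() if accepts(host, ver)}


def sync_mismatches(primary, results):
    """Map each manager whose version set differs from the primary's to
    (versions only on primary, versions only on that manager)."""
    base = results[primary]
    return {name: (sorted(base - got), sorted(got - base))
            for name, got in results.items()
            if name != primary and got != base}


if __name__ == "__main__":
    # Constructed results; in practice: {h: probe(h) for h in manager_hosts}
    results = {"nsxmgr-primary.example": {"TLSv1.1", "TLSv1.2"},
               "nsxmgr-site-b.example": {"TLSv1.1", "TLSv1.2"},
               "nsxmgr-site-c.example": {"TLSv1.0", "TLSv1.1", "TLSv1.2"}}
    for name, (missing, extra) in sync_mismatches(
            "nsxmgr-primary.example", results).items():
        print(f"{name}: lacks {missing}, additionally accepts {extra}")
```

An empty result from `sync_mismatches` means every secondary accepts the same versions as the primary; any entry names the manager whose Server TLS check boxes need to be aligned.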