NSX can be configured to use FIPS 140-2 validated cryptographic modules to comply with FIPS requirements. The modules are validated to FIPS 140-2 standards by the NIST Cryptographic Module Validation Program (CMVP).
All exceptions to FIPS compliance can be retrieved using the compliance report. See View Compliance Status Report for more information.
- VMware’s BoringCrypto Module 3.0: Certificate #4028
- VMware’s OpenSSL FIPS Object Module version 2.0.20-vmw: Certificate #3857
- BC-FJA (Bouncy Castle FIPS Java API) version 1.0.2.1: Certificate #3673
- VMware’s IKE Crypto Module version 1.1.0: Certificate #3435
- VMware’s VPN Crypto Module version 2.0: Certificate #4286
You can find more information about the cryptographic modules that VMware has validated against the FIPS 140-2 standard here: https://www.vmware.com/security/certifications/fips.html.
By default, load balancer uses modules that have FIPS mode turned off. You can turn on FIPS mode for the modules used by load balancer. See Configure Global FIPS Compliance Mode for Load Balancer for more information.
- For southbound connections between the controller component of the NSX Manager appliance and other nodes, X509 certificate-based authentication is used with FIPS 140-2 validated OpenSSL algorithm. The connections support TLS 1.2-based cipher suites with AES 128-bit, 256-bit, or 384-bit encryption keys.
- The controller function and the management function of the NSX Manager appliance run on the same node. Hence, there is no north-bound cross-node communication between the controller and manager components of the NSX Manager appliance.