The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard governing cryptographic modules. FIPS 140 is required for any software purchased by the U.S government and U.S military. This release specifically addresses U.S Government accounts which require FIPS 140 compliance.
A configuration parameter, SM_FIPS140, has been introduced for FIPS 140 in the runcmd_env.sh file. The SAM or VMware Smart Assurance administrator can enable or disable this parameter as required. The default value of this parameter is FALSE.
FIPS 140 mode allows you to use SNMP V1, SNMPV2C, SNMP V3, with SHA and AES 128 protocols. FIPS 140 does not support the DES privacy protocol or the MD5 authentication protocol. When you discover an SNMPv3 device, you need to select the option “V3” in the “Add Agent” window. The “Authentication Protocol” option lists only SHA and not MD5, and the “Privacy Protocol” option lists only AES and not DES. This is because MD5 and DES are not supported in FIPS 140 mode. When you discover SNMPv3 devices with MD5 and DES protocol as seed, the devices go to the Pending List and display as “Invalid” or “Unsupported SNMP V3 protocol.”
FIPS 140 mode cannot be enabled or disabled after a server is started. FIPS 140-enabled Domain Managers such as MPLS Manager, Multicast Manager, and Network Protocol Manager can work only with the SAM Global Console 8.1.2 or later for FIPS 140-2 mode.
A non-FIPS 140 mode Broker will not be able to communicate with a FIPS 140-enabled Manager (IP server, SAM server, or Domain Manager). Trying to establish such a connection will result in the enabled Manager going into a DEAD state after couple of minutes. Communication should always happen between FIPS 140-enabled Brokers and Managers.
Inter-domain and FIPS 140 Broker communication happens only when the Broker, Managers, and the SAM Console are all in FIPS 140 mode, else the application will not be operational.
This section covers the following scenarios for FIPS 140: