Workspace ONE Access 22.05 connector can perform cryptographic operations using Federal Information Processing Standard (FIPS) 140-2 compliant algorithms. You can enable the use of these algorithms by performing a fresh installation of Workspace ONE Access connector 22.05 in FIPS mode.

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. See the VMware Federal Information Processing Standards (FIPS) information page.

Workspace ONE Access connector does not support upgrading or migrating from a non-FIPS installation to a FIPS installation or from a FIPS installation to a non-FIPS installation. All connector versions prior to 22.05 were non-FIPS installations.

Important:
  • Workspace ONE Access connector in FIPS mode is supported with Workspace ONE Access FedRAMP tenants only. Other types of tenants and on-premises Workspace ONE Access installations do not support the connector in FIPS mode.
  • The Virtual App service does not support FIPS mode. Workspace ONE Access connectors with FIPS mode enabled do not support integrating with Citrix, Horizon, Horizon Cloud Service on Microsoft Azure with Single-Pod Broker, or Horizon Cloud Service on IBM Cloud. A Workspace ONE Access connector with FIPS mode enabled supports integrating virtual apps that are running in Horizon Cloud Service on Microsoft Azure with Universal Broker.

Installing Workspace ONE Access Connector in FIPS Mode

To activate FIPS mode for the Workspace ONE Access connector, you select the Enable FIPS option during installation.


The Enable FIPS option is selected in the image.
Important:
  • You cannot change the mode after installation, from FIPS mode to non-FIPS mode or from non-FIPS mode to FIPS mode. Therefore, review the requirements and prerequisites carefully and decide whether you want to enable FIPS or not before you begin the installation.
  • Also be aware that a FIPS installation can only be upgraded to a FIPS installation, and a non-FIPS installation can only be upgraded to a non-FIPS installation.

Requirements and Prerequisites for FIPS Mode

For the connector in FIPS mode, the following requirements and prerequisites apply.

  • Ensure that you install all connector instances in FIPS mode. All connector instances associated with a Workspace ONE Access tenant must either run in FIPS mode, or all must run in non-FIPS mode, regardless of which enterprise services are installed on them. Do not deploy some of the connector instances in FIPS mode and others in non-FIPS mode.
  • For directories of type Active Directory over Integrated Windows Authentication (IWA):
    • To create a directory of type Active Directory over IWA in Workspace ONE Access, the Bind DN user password must have a minimum length of 14 characters.
    • The 14 character minimum length for passwords also applies to all synced users in the IWA directory.
    • If the sAMAccountName attribute is used, the user's sAMAccountName plus domain name must have a minimum length of 16 characters.
  • For the Change Password feature for Active Directory:
    • The Change Password feature for Active Directory requires a minimum length of 14 characters for end user passwords.

      Existing passwords must meet this requirement. Users will not be able to change their passwords from the Intelligent Hub app or portal if their existing password is less than 14 characters.

      New passwords must also meet this requirement. The 14-character minimum is not enforced when users create a new password from the Intelligent Hub app or portal. However, if the new password is not at least 14 characters long, the user will not be able to change the password again. Also, if the user belongs to a directory of type Active Directory over Integrated Windows Authentication, the user will not be able to log in to the Intelligent Hub app or portal with the new password.

    • If the sAMAccountName attribute is used, the user's sAMAccountName plus domain name must have a minimum length of 16 characters.
  • If you set up the connection to Active Directory with the STARTTLS required for all connections or LDAPS required for all connections option selected, the domain controllers must have valid, public CA-signed certificates.

The best practice is to implement these prerequisites before installing the Workspace ONE Access connector in FIPS mode.