VMware Identity Manager 3.3.6 can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by performing a fresh installation of VMware Identity Manager 3.3.6 in FIPS mode. VMware Identity Manager does not support upgrading from a non-FIPS installation to a FIPS installation.
The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. See the VMware Federal Information Processing Standards (FIPS) information page.
Deploy FIPS mode when you deploy VMware Identity Manager 3.3.6.
- You cannot enable FIPS mode later if FIPS mode is disabled at the time of installation.
- You cannot disable FIPS mode after you enable FIPS mode during the VMware Identity Manager installation.
For general information about performing a fresh 3.3.6 installation, see the 3.3 version of the Installing and Configuring VMware Identity Manager for Linux guide, which also applies to 3.3.6. For FIPS mode, also follow the FIPS-related requirements and guidelines below.
vSphere Requirements for FIPS Mode
- vCenter Server 6.5 or later
- ESXi 6.5 or later
Overview of Setting Up VMware Identity Manager 3.3.6 in FIPS Mode
To install VMware Identity Manager in FIPS mode, perform the following administrative tasks.
- To deploy VMware Identity Manager, deploy the OVF template using the vSphere Client or the vSphere Web Client by following the instructions in VMware Identity Manager OVA File.
- In the Deploy OVF Template wizard, enable the FIPS property.
As the instructions in the preceding link describe, you must specify information in the Deploy OVF Template wizard. For VMware Identity Manager 3.3.6, that wizard includes a FIPS-specific property that you must enable to deploy 3.3.6 in FIPS mode.
Note: FIPS mode must be enabled before you power on VMware Identity Manager.
- After you deploy the VMware Identity Manager virtual appliance, use the setup wizard to configure the VMware Identity Manager environment.
- To verify that FIPS mode is enabled, open the System Diagnostics page in the VMware Identity Manager console and confirm that it lists FIPS mode as enabled.
- Installing VMware Identity Manager Connector automatically activates FIPS mode. Use VMware Identity Manager Connector 3.3.6. If you deploy an older connector version, an error occurs.
- For Active Directory over Integrated Windows Authentication (IWA), the minimum password length requirement for Active Directory users is 14 characters. The best practice is to implement the 14-character minimum before you install VMware Identity Manager in FIPS mode.
- Enabling the Change Password feature for Active Directory users requires a minimum password length of 14 characters.
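Because neither FIPS mode nor the password-length prerequisite can be corrected after the appliance is deployed, it is worth checking the vSphere version requirements above and the 14-character Active Directory minimum before you start the OVF deployment. The following pre-flight script is an added example and is not VMware's code. It assumes the VMware.PowerCLI and ActiveDirectory (RSAT) modules are installed on the admin workstation, that the account running it can read vCenter inventory and the domain password policy, and that the vCenter name and domain name are placeholders you replace.

```powershell
# Pre-flight check for a FIPS-mode VMware Identity Manager 3.3.6 deployment.
# Added example, not from the VMware documentation. Server and domain names are placeholders.
param(
    [string]$VCenter = 'vcenter.example.com',   # placeholder
    [string]$Domain  = 'corp.example.com'       # placeholder
)

Import-Module VMware.PowerCLI  -ErrorAction Stop
Import-Module ActiveDirectory  -ErrorAction Stop

$MinVSphere   = [version]'6.5'   # vCenter Server and ESXi 6.5 or later
$MinPwdLength = 14               # required for IWA directories and Change Password
$problems     = @()

# 1. vCenter Server and every ESXi host must be 6.5 or later.
$vi = Connect-VIServer -Server $VCenter -ErrorAction Stop
if ([version]$vi.Version -lt $MinVSphere) {
    $problems += "vCenter $($vi.Name) is $($vi.Version); 6.5 or later is required."
}
foreach ($esx in Get-VMHost -Server $vi) {
    if ([version]$esx.Version -lt $MinVSphere) {
        $problems += "ESXi host $($esx.Name) is $($esx.Version); 6.5 or later is required."
    }
}
Disconnect-VIServer -Server $vi -Confirm:$false

# 2. The domain's default password policy must enforce at least 14 characters.
$default = Get-ADDefaultDomainPasswordPolicy -Server $Domain
if ($default.MinPasswordLength -lt $MinPwdLength) {
    $problems += "Default domain policy MinPasswordLength is $($default.MinPasswordLength); $MinPwdLength is required."
}

# 3. Fine-grained password policies override the default for the users they apply to,
#    so a weaker PSO would still let IWA users fall below the minimum.
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain) {
    if ($pso.MinPasswordLength -lt $MinPwdLength) {
        $problems += "Fine-grained policy '$($pso.Name)' allows $($pso.MinPasswordLength) characters; $MinPwdLength is required."
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Fix the items above before deploying the OVF template in FIPS mode.'
    exit 1
}
Write-Host 'vSphere version and Active Directory password-length prerequisites are satisfied.'
```

Run the script from a workstation that can reach both vCenter and a domain controller; a non-zero exit code means at least one prerequisite would need to be fixed before deployment, which matters because the FIPS setting itself cannot be changed once the appliance has been powered on.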