VMware Identity Manager 3.3.6 can perform cryptographic operations using FIPS (Federal Information Processing Standard) 140-2 compliant algorithms. You can enable the use of these algorithms by performing a fresh installation of VMware Identity Manager 3.3.6 in FIPS mode. VMware Identity Manager does not support upgrading from a non-FIPS installation to a FIPS installation.

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. and Canadian government standard that specifies security requirements for cryptographic modules. See the VMware Federal Information Processing Standards (FIPS) information page.

Deploy FIPS mode when you deploy VMware Identity Manager 3.3.6.

Caution:
  • You cannot enable FIPS mode later if FIPS mode is disabled at the time of installation.
  • You cannot disable FIPS mode after you enable FIPS mode during the VMware Identity Manager installation.

For general information about performing a fresh 3.3.6 installation, see the 3.3 version of Installing and Configuring VMware Identity Manager for Linux guide, which also applies to 3.3.6. For FIPS mode, also follow these FIPS-related requirements and guidelines.

vSphere Requirements for FIPS Mode

To support FIPS mode, your VMware Identity Manager deployment must meet the following vSphere requirements.
  • vCenter Server 6.5 or later
  • ESXi 6.5 or later

Overview of Setting Up VMware Identity Manager 3.3.6 in FIPS Mode

Note: To deploy VMware Identity Manager in the FIPS mode using VMware vRealize Suite Lifecycle Manager, see the VMware vRealize Suite Lifecycle Manager documentation.

To install VMware Identity Manager in FIPS mode, perform the following administrative tasks.

  • To deploy VMware Identity Manager, deploy the OVF template using the vSphere Client or the vSphere Web Client by following the instructions in VMware Identity Manager OVA File.
  • In the Deploy OVF Template wizard, enable the FIPS property.

    As the instructions in the preceding link describe, you must specify information in the Deploy OVF Template wizard. For VMware Identity Manager 3.3.6, that wizard includes a FIPS specific property that you must enable to deploy 3.3.6 in FIPS mode.

    Note: FIPS mode must be enabled before you power on VMware Identity Manager.
  • After you deploy the VMware Identity Manager virtual appliance, use the setup wizard to configure the VMware Identity Manager environment.
  • To verify that FIPS mode is enabled, using the VMware Identity Manager console, confirm that the System Diagnostics page lists FIPS mode enabled.
Caution: The following notes apply to deploying VMware Identity Manager in FIPS mode.
  • Installing VMware Identity Manager Connector automatically activates FIPS mode. Use VMware Identity Manager Connector 3.3.6. If you deploy an older connector version, an error occurs.
  • For Active Directory over Integrated Windows Authentication (IWA), the minimum password length requirement for Active Directory users is 14 characters. The best practice is to implement the 14-character minimum before you install VMware Identity Manager in FIPS mode.
  • Enabling the Change Password feature for Active Directory users requires a minimum password length of 14 characters.