How Do I Change FIPS Mode by using the vRealize Suite Lifecycle Manager REST API

VMware products support the Federal Information Processing Standard or FIPS so that they can be certified for use in government departments and regulated industries. You can use the API to change FIPS mode for vRealize Suite Lifecycle Manager, vRealize Automation, vRealize Operations Manager, and vRealize Log Insight.

What is FIPS Compliance?

A product is FIPS 140-2 compliant when all security related issues of cryptography and random number generation use CMVP Validated Crypto Modules. To be FIPS compliant, most VMware products only make calls to the OpenSSL or Bouncy Castle libraries.

You can enable or disable FIPS mode in vRealize Suite Lifecycle Manager. You can only enable FIPS mode in vRealize Suite products.

How do I enable FIPS mode in vRealize Suite Lifecycle Manager?

You can enable FIPS mode in vRealize Suite Lifecycle Manager during installation or after. You enable FIPS during installation using the OVA file and selecting FIPS property in all install steps. You enable FIPS after installation by using the API.

Before enabling FIPS mode:

Verify that you are running vRealize Suite Lifecycle Manager 8.2 or later.
Verify that all general Day 2 prerequisites have been satisfied. See Performing Day 2 operations using vRealize Suite Lifecycle Manager APIs.

To enable FIPS mode after installation, use the following request.

curl -X POST\
  '$url/lcm/locker/api/fips' \  
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json'
  -d '{
     "enabled": true,
     "state": "ENABLED",
     "description": "",
     "request": null
} | jq "."

A snippet from a successful response shows that the FIPS mode is changing, and provides a request ID that you can use to check the status of the request through completion.

{
  "enabled": false,  
  "state": "CHANGING",
  "description": "Enabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.",
  "request": {
    "requestId": "23dre7d7-1413-4ce3-b277-b0eba2adba9b"
}

How do I disable FIPS mode in vRealize Suite Lifecycle Manager before I upgrade?

Before you upgrade vRealize Suite Lifecycle Manager, use the API to disable FIPS mode because the upgrade process uses the vCenter Service Appliance Management Interface (VAMI) and problems can occur with the VAMI when FIPS mode is enabled. To disable FIPS mode before you upgrade, use the following request.

curl -X POST\
  '$url/lcm/locker/api/fips' \  
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json'
  -d '{
     "enabled": false,
     "state": "DISABLED",
     "description": "",
     "request": null
} | jq "."

A snippet from a successful response shows that the FIPS mode is changing, and provides a request ID that you can use to check the status of the request through completion.

{
  "enabled": true,  
  "state": "CHANGING",
  "description": "Disabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.",
  "request": {
    "requestId": "5e239981-15d6-4e00-859d-2f0645a856"
}

How do I enable FIPS mode in vRealize Suite products?

You can enable FIPS mode in version 8.3 or later of vRealize Automation, vRealize Operations Manager or vRealize Log Insight. After enabling, you cannot disable FIPS mode in vRealize Suite products.

For vRealize Automation, you can only enable FIPS mode during product installation. Day 2 enablement is not supported.

Before enabling FIPS mode in any vRealize Suite product, verify that all general installation prerequisites have been satisfied. See Prerequisites for Installing and Importing Products.

How do I enable FIPS mode during product installation?

To enable FIPS mode during product installation, you add a parameter in the products section of the request payload.

"fipsMode":"\true\""

For example, with the fipsMode parameter added to the vRealize Operations Manager installation, the complete request appears as follows.

curl -X POST \
  '$url/lcm/lcops/api/v2/environments' \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' \
  -d '{
    "environmentName": "vrops_large_deployments",
    "infrastructure": {
      "properties": {
        "dataCenterVmid": "ee6ce426-ca13-4e56-ad9e-c34a4d3d90c2",
        "regionName": "default",
        "zoneName": "default",
        "vCenterName": "LCM-VC2",
        "vCenterHost": "lcm-vc2.sqa.local",
        "vcUsername": "[email protected]",
        "vcPassword": "",
        "acceptEULA": "true",
        "enableTelemetry": "true",
        "adminEmail": "[email protected]",
        "defaultPassword": "",
        "certificate": "",
        "cluster": "Datacenter#Cluster-01",
        "storage": "ISCSI-15TB-04",
        "folderName": "",
        "resourcePool": "",
        "diskMode": "thin",
        "network": "infra-traffic-1024",
        "masterVidmEnabled": "false",
        "dns": "10.141.66.213,10.118.183.252",
        "domain": "sqa.local",
        "gateway": "10.196.57.253",
        "netmask": "255.255.254.0",
        "searchpath": "sqa.local",
        "timeSyncMode": "ntp",
        "ntp": "ntp1.eng.vmware.com",
        "isDhcp": "false"
      }
    },
    "products": [
      {
        "id": "vrops",
        "version": "8.0.1",
        "properties": {
          "licenseRef": "locker:license:eab62-bc21-643cf0b9cafa:license",
          "certificate": "locker:certificate:f4e98b983:vmware",
          "productPassword": "locker:password:d21-d9de2c10:VMware1!",
          "disableTls": "",
          "timeSyncMode": "ntp",
          "masterVidmEnabled": false,
          "ntp": "ntp1.eng.vmware.com",
          "affinityRule": false,
          "configureAffinitySeparateAll": "true",
          "deployOption": "large"
          "fipsMode" : "true"
        },
        "clusterVIP": {
          "clusterVips": []
        },
        "nodes": [
          {
            "type": "remotecollector",
            "properties": {
              "vmName": "vrops-remotecollector",
              "hostName": "sqa.local",
              "deployOption": "smallrc",
              "ip": "4.4.4.4",
              "gateway": "2.2.2.2",
              "domain": "2.2.2.2",
              "searchpath": "2.2.2.2",
              "dns": "10.141.66.213",
              "netmask": "2.2.2.2",
              "extendedStorage": "",
              "timeZone": "",
              "ntp": "",
              "vCenterHost": "lcm-vc1.sqa.local",
              "cluster": "Datacenter-01#Cluster-01",
              "resourcePool": "",
              "folderName": "",
              "network": "dvs-55-Network-314b11d9-c958-4aa2-af98-cd5439a970d7",
              "storage": "ISCSI-15TB-02",
              "diskMode": "thin",
              "contentLibraryItemId": "",
              "vCenterName": "lcm-vc1",
              "vcUsername": "[email protected]",
              "vcPassword": "locker:password:4984d8e4-825b-4694-99cf-db80b41b5ac2:vc-password"
            }
          },
          {
            "type": "master",
            "properties": {
              "vmName": "mastervmname",
              "hostName": "lcm-57-68.sqa.local",
              "ip": "10.196.57.68"
            }
          },
          {
            "type": "replica",
            "properties": {
              "vmName": "replicavmname",
              "hostName": "lcm-12-34.sqa.local",
              "ip": "10.196.12.34"
            }
          },
          {
            "type": "data",
            "properties": {
              "vmName": "datavmname",
              "hostName": "lcm-12-35.sqa.local",
              "ip": "10.196.12.35"
            }
          }
        ]
      }
    ]
  }' | jq "."

For the steps to take after the installation request, see Deploy your Products using the vRealize Suite Lifecycle Manager API.

How do I enable FIPS mode in products as part of Day 2 operations?

To enable FIPS mode for a product after installation, you first get the environment ID of the product by using the following command.

curl -X GET \
  '$url/lcm/lcops/api/v2/environments' \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' \
}' | jq "."

Check the response for an environment that includes the product that you are updating. For example, to enable FIPS mode in vRealize Operations Manager, look for the environment that includes the vrops product and assign variables for the environmentId and the productId.

environmentId = "<environmentId_value_from_response>"
productId = "vrops"

To enable FIPS mode for vRealize Operations Manager, use the following command .

curl -X POST \
  '$url/lcm/lcops/api/v2/environments/$environmentId/products/$productId/fips' \
  -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
  -H 'Content-Type: application/json' \
  -d '{
    "fipsMode" : "\true\""
}' | jq "."

A snippet from a successful response provides a request ID that you can use to check the status of the request through completion.

{
    "requestId": "a0d8d8cd-ac87-4b5c-ba8b-7a0173c56b55"
}