When you enable FIPS on vCenter Server Appliance, some components currently have functional constraints.
You should not notice any differences after enabling FIPS on vCenter Server; however, there are some considerations to be aware of.
| Product or Component | Consideration | Workaround |
|---|---|---|
| VMware Directory Service | Some legacy components of the VMware Directory Service (vmdir) use the SHA-1 cryptographic hash function for digital signatures, which FIPS 140-2 does not support. | None at the moment. |
| Python | In some instances, Python uses its built-in cryptographic functionality instead of OpenSSL. For example, when Python runs a cryptographic algorithm but then for some reason OpenSSL fails, Python switches to its internal implementation for these algorithms. | None at the moment. Note: VMware cannot conduct FIPS certification for Python's internal algorithms. |
| vSphere Single Sign-On | When you enable FIPS, vCenter Server supports only cryptographic modules for federated authentication. As a result, RSA SecurID and some CAC cards no longer function. | Use federated authentication. See the vSphere Authentication documentation for details. |
| Non-VMware and partner vSphere Client UI plug-ins | These plug-ins might not work with FIPS enabled. | Upgrade plug-ins to use conformant encryption libraries. See "Preparing Local Plug-ins for FIPS Compliance" at https://code.vmware.com/docs/13385/preparing-local-plug-ins-for-fips-compliance. |
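The Python consideration above can be checked from inside an interpreter. The following is an added example, not VMware code: it reports, for each `hashlib` algorithm, whether the object returned by `hashlib.new()` is implemented by the OpenSSL binding or by one of Python's internal modules. It assumes CPython, where OpenSSL-backed hash objects come from the `_hashlib` extension module; the function names `backend_of`, `audit_hashlib` and `non_openssl` are hypothetical.

```python
import hashlib


def backend_of(hash_obj):
    """Classify a hash object by the C module that implements it.

    Assumption: on CPython, OpenSSL-backed objects are defined in the
    `_hashlib` module; anything else is Python's internal implementation.
    """
    module = type(hash_obj).__module__
    if module == "_hashlib":
        return "openssl"
    return f"builtin ({module})"


def audit_hashlib(names=None):
    """Return {algorithm: backend} for the given hashlib algorithm names.

    hashlib.new() tries OpenSSL first and, if OpenSSL rejects the request,
    switches to the internal implementation when one exists. That switch
    is the behaviour this audit makes visible.
    """
    report = {}
    for name in sorted(names or hashlib.algorithms_guaranteed):
        try:
            hash_obj = hashlib.new(name)
        except ValueError as exc:
            # Neither OpenSSL nor an internal module provided the algorithm.
            report[name] = f"unavailable ({exc})"
            continue
        report[name] = backend_of(hash_obj)
    return report


def non_openssl(report):
    """List the algorithms served by Python's internal code."""
    return sorted(n for n, b in report.items() if b.startswith("builtin"))


if __name__ == "__main__":
    result = audit_hashlib()
    for algorithm, backend in result.items():
        print(f"{algorithm:12} {backend}")
    print("Served outside OpenSSL:", ", ".join(non_openssl(result)) or "none")
```

The audit shows only which implementation answered the request; it does not establish that the OpenSSL build in use is a FIPS-validated module.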