This topic outlines the tasks that you must perform to activate Federal Information Processing Standards (FIPS) mode on the vSphere Replication appliance.

Note: The PKCS#12 certificate file format is not supported in the Certificates configuration in FIPS mode, because the PKCS#12 specification relies on algorithms that are not FIPS compliant.

Prerequisites

Make sure to use trusted certificates when deploying your environment.

Procedure

  1. Start the vSphere Replication Management Server in strict mode.
    1. Navigate to /opt/vmware/hms/conf/hms-fips.conf, open the file, and change the following setting.
      "appl_system_cryptography" : true
    2. Remove any stale BCFKS stores.
      rm /opt/vmware/hms/security/*.bks
    3. Restart the vSphere Replication Management Server service.
      systemctl restart hms
  2. Start vSphere Replication in strict mode.
    1. Navigate to /etc/vmware/hbrsrv.xml, open the file, and change the following setting.
      <Config>
          <vmacore>
              <ssl>
                  <fips>true</fips>
              </ssl>
          </vmacore>
      </Config>
    2. Edit /usr/lib/vmware/lib/ssl/openssl.cnf. Uncomment the line # .include /usr/lib/vmware/lib/ssl/fipsmodule.cnf by removing the leading #, and change the line default_properties = "fips=no" to default_properties = "fips=yes".
      The file fragment must look like this:
      # Refer to the OpenSSL security policy for more information.
      # In ESX this will be generated at boot time.
      .include /usr/lib/vmware/lib/ssl/fipsmodule.cnf
      ...
      [algorithm_sect]
      # Since we use both default and FIPS provider, we need to be specific
      # about which algorithm implementation to use as default.
      default_properties = "fips=yes"
    3. Restart the HBR service.
      systemctl restart hbrsrv
  3. Start dr-configurator service in strict mode.
    1. Navigate to /opt/vmware/dr/conf/drconfig.xml, open the file, and change the following setting.
      <Config>
          <vmacore>
              <ssl>
                  <fips>true</fips>
              </ssl>
          </vmacore>
      </Config>
    2. Edit /usr/lib/systemd/system/dr-configurator.service. Uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      # Uncomment to enable FIPS
      Environment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules
      Environment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf
    3. Restart the dr-configurator service.
      systemctl daemon-reload
      systemctl restart dr-configurator
  4. Log in to the appliance as the root user and edit the kernel command line.
    1. Open /boot/grub/grub.cfg.
    2. Locate the menuentry entries.
    3. In each menuentry, append the following to the end of the line that starts with linux.
      fips=1
    4. Save the file.
  5. Start the Config UI in strict mode.
    1. Edit /usr/lib/systemd/system/drconfigui.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
      
    2. Uncomment the <Manager> tag in the /opt/vmware/drconfigui/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.          -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. (Optional) Restart the drconfigui service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart drconfigui
  6. Start the UI in strict mode.
    1. Edit /usr/lib/systemd/system/dr-client.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
      
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-client/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.              -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. Edit the /opt/vmware/dr-client/lib/h5dr.properties file and modify the parameters so that they point to a BCFKS-format keystore and a truststore that contains the root CA certificates.
      The property must look like this.
      drTrustStorePass=<same as keyStorePass>
      drTrustStoreName=h5dr.truststore.bks
      keyStoreName=h5dr.keystore.bks
      If you choose to use a truststore other than the default one, you must add a link to the truststore in /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/. The keystore format must be BCFKS. To convert a keystore from JKS format, use the following command.
      $JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to-jks-keystore> -srcstoretype JKS -srcstorepass <keystorepass> -destkeystore <path-to-target-bks-keystore> -deststoretype BCFKS -deststorepass <keystorepass> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/dr-client/lib/ext/bc-fips-1.0.2.3.jar
      Note: The keystore and truststore files you use must have the Others: Read permission. After reconfiguring the appliance, you must re-edit the /opt/vmware/dr-client/lib/h5dr.properties file according to the rules above.
    4. (Optional) Restart the dr-client service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart dr-client
  7. Start the UI plugin (dr-client-plugin) in strict mode.
    1. Edit /usr/lib/systemd/system/dr-client-plugin.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-client-plugin/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.          -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. (Optional) Restart the dr-client-plugin service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart dr-client-plugin
  8. Start the REST API service (dr-rest) in strict mode.
    1. Edit /usr/lib/systemd/system/dr-rest.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
      The file fragment must look like this.
      Environment=JRE_HOME=/usr/java/jre-vmware
      # Comment when enable FIPS
      # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
      
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-rest/conf/context.xml file.
      The file fragment with the tag must look like this.
      <!-- Uncomment to enable FIPS mode.          -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. (Optional) Restart the dr-rest service if FIPS is already enabled for the appliance.
      systemctl daemon-reload; systemctl restart dr-rest
  9. Reboot the appliance.
    Make sure that the systemctl daemon-reload command is executed at least once after making the modifications and before rebooting the appliance.
    Note: SSHD detects that the kernel has FIPS mode enabled and activates FIPS mode as well. There is no need to edit anything in the sshd configuration.

What to do next

Validate that FIPS mode is activated.
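One way to validate the configuration is to re-read every file the procedure above edits and confirm it carries the required setting, together with the kernel's own /proc/sys/crypto/fips_enabled flag. The following audit script is an added example, not part of the VMware documentation: the file paths and settings are the ones given on this page, while the function and label names are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the VMware documentation: re-reads the files
# the procedure above edits and reports which FIPS settings are still missing.
# Usage: sh fips_audit.sh /        (ROOT prefixes every path, so a copied
# appliance tree can be audited offline by passing its directory instead of /)

# expect_line FILE REGEX: succeed when FILE has a line matching REGEX that is
# not commented out with '#' (so "# .include ..." does not count as enabled).
expect_line() {
    [ -f "$1" ] && grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# grub_all_fips GRUB_CFG: succeed only when every "linux ..." kernel line
# carries fips=1; one menuentry left without it still boots non-FIPS.
grub_all_fips() {
    lines=$(grep -E '^[[:space:]]*linux[[:space:]]' "$1" 2>/dev/null) || return 1
    ! printf '%s\n' "$lines" | grep -Evq '(^|[[:space:]])fips=1([[:space:]]|$)'
}

ROOT=""; FAILS=0
# check LABEL PATH REGEX: print one PASS/FAIL line and count failures
check() {
    if expect_line "$ROOT$2" "$3"; then echo "PASS $1"
    else echo "FAIL $1: $2 has no active line matching $3"; FAILS=$((FAILS + 1)); fi
}

# audit_fips_settings [ROOT]: run every check; the return value is the
# number of failed checks, so 0 means every setting from the procedure is set.
audit_fips_settings() {
    ROOT="${1:-}"; FAILS=0
    check hms_strict       /opt/vmware/hms/conf/hms-fips.conf '"appl_system_cryptography"[[:space:]]*:[[:space:]]*true'
    check hbrsrv_fips      /etc/vmware/hbrsrv.xml '<fips>true</fips>'
    check drconfig_fips    /opt/vmware/dr/conf/drconfig.xml '<fips>true</fips>'
    check openssl_include  /usr/lib/vmware/lib/ssl/openssl.cnf '^[[:space:]]*\.include[[:space:]]+/usr/lib/vmware/lib/ssl/fipsmodule\.cnf'
    check openssl_default  /usr/lib/vmware/lib/ssl/openssl.cnf 'default_properties[[:space:]]*=[[:space:]]*"fips=yes"'
    check drconfigurator_env /usr/lib/systemd/system/dr-configurator.service '^[[:space:]]*Environment=OPENSSL_CONF='
    for svc in drconfigui dr-client dr-client-plugin dr-rest; do
        check "${svc}_approved_only" "/usr/lib/systemd/system/$svc.service" 'bouncycastle\.fips\.approved_only=true'
    done
    check ui_truststore    /opt/vmware/dr-client/lib/h5dr.properties '^drTrustStoreName=.+\.bks'
    check ui_keystore      /opt/vmware/dr-client/lib/h5dr.properties '^keyStoreName=.+\.bks'
    check kernel_fips      /proc/sys/crypto/fips_enabled '^1$'
    if grub_all_fips "$ROOT/boot/grub/grub.cfg"; then echo "PASS grub_fips"
    else echo "FAIL grub_fips: a linux line in /boot/grub/grub.cfg lacks fips=1"; FAILS=$((FAILS + 1)); fi
    return "$FAILS"
}

# Only audit when a root is given on the command line; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then audit_fips_settings "$1"; fi
```

The context.xml Manager tags are deliberately not checked, because a multi-line XML comment cannot be detected reliably with a per-line grep; inspect those by hand.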