How to enable FIPS (Federal Information Processing Standards) on Site Recovery Manager Appliance 8.5

Article ID: 312578

Products

VMware Live Recovery

Issue/Introduction

This article summarizes the tasks required for Site Recovery Manager to run in FIPS mode. Note that this process is supported only on the SRM Appliance.

For previous versions of the Site Recovery Manager appliances, please see: https://kb.vmware.com/s/article/78280

Environment

VMware Site Recovery Manager 8.5.x

Resolution

Enable FIPS mode manually in the Site Recovery Manager appliance

  1. Edit the configuration files for the Site Recovery Manager services so that each of them contains the following setting:

    <Config>
        <vmacore>
            <ssl>
                <fips>true</fips>
            </ssl>
        </vmacore>
    </Config>
    1. Edit /opt/vmware/dr/conf/drconfig.xml
    2. Edit /opt/vmware/srm/conf/vmware-dr.template.xml
    3. (Optional) If the appliance is already configured, also edit /opt/vmware/srm/conf/vmware-dr.xml
  2. As the root user, edit the kernel command line:
    1. Open /boot/grub/grub.cfg
    2. Locate the "menuentry" entries
    3. In each "menuentry" block, find the line that starts with "linux" and append the following at the end of that line:

      fips=1
    4. Save the file
  3. Start UI in strict mode:
    1. Edit /usr/lib/systemd/system/dr-client.service: comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' line and uncomment (remove the leading #) the line below # Uncomment to enable FIPS. The file fragment should look like this:

      #Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Djava.ext.dirs=/opt/vmware/dr-client/lib/ext -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in /opt/vmware/dr-client/conf/context.xml - the file fragment with the tag should look like this:

      <!-- Uncomment to enable FIPS mode.              -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. Edit /opt/vmware/dr-client/lib/h5dr.properties and set keyStoreName to a BCFKS-format keystore that contains the root CA certificates. The property should look like this:

      keyStoreName=h5dr.keystore.bks

      If you use a truststore other than the default one, add a link to it in /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/. The keystore format should be BCFKS. To convert an existing JKS keystore to BCFKS, use the following command:

      $JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to-jks-keystore> -srcstoretype JKS -srcstorepass <keystorepass> -destkeystore <path-to-target-bks-keystore> -deststoretype BCFKS -deststorepass <keystorepass> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/dr-client/lib/ext/bc-fips-1.0.2.jar

      NOTE: the keystore file you use should have the Others: Read permission, i.e. it must be readable by users other than its owner.

    4. Restart dr-client (only if FIPS has already been enabled for the appliance, otherwise skip this step):

      systemctl daemon-reload; systemctl restart dr-client
  4. Start Config UI in strict mode:
    1. Edit /usr/lib/systemd/system/drconfigui.service: comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' line and uncomment the line under # Uncomment to enable FIPS. The file fragment should look like this:

      #Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/drconfigui/conf/vmware-override-java.security -Djava.ext.dirs=/opt/vmware/drconfigui/lib/ext -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in /opt/vmware/drconfigui/conf/context.xml - the file fragment with the tag should look like this:

      <!-- Uncomment to enable FIPS mode.          -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. Restart drconfigui (only if FIPS has already been enabled for the appliance, otherwise skip this step):

      systemctl daemon-reload; systemctl restart drconfigui
  5. Reboot the appliance
    Note: SSHD detects that the kernel is running in FIPS mode and activates FIPS mode itself; no change to the sshd configuration is needed.

Validate FIPS mode is enabled

  • Validate the kernel command line

    cat /proc/cmdline
  • Validate that kernel has enabled FIPS mode

    cat /proc/sys/crypto/fips_enabled
  • Validate that SSHD has enabled FIPS mode

    journalctl -u sshd -b 0 | grep "FIPS"
  • Validate that dr-configurator has enabled FIPS mode

    grep "FIPS" /var/log/vmware/dr/drconfig*
  • Validate that vmware-dr has enabled FIPS mode

    grep "FIPS" /var/log/vmware/srm/vmware-dr*
  • Validate UI strict mode

    • All UI features should be available and work as expected
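The manual checks above, plus a re-check of the files edited in the procedure, can be run as one script after the reboot. This is an added example, not part of the KB article: it assumes the paths, property names and JVM flags listed in the steps above, that the keystore named by keyStoreName sits in /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/, and it treats a <Manager> tag that begins a line as uncommented (a heuristic, not an XML parse).

```shell
#!/bin/sh
# Added example: verifies the settings from the procedure above after the reboot.
# Each check takes a root prefix so the script can also be pointed at a copied
# tree; on the appliance itself call: fips_check_all /
# Paths, property names and JVM flags are the ones the procedure edits.

FIPS_FAILS=0

# Run a command as a check; print PASS/FAIL with a label and count failures.
fips_expect() { # $1 = label, remaining args = command to run
  label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "PASS  $label"
  else echo "FAIL  $label"; FIPS_FAILS=$((FIPS_FAILS + 1)); fi
}

# Succeed if any argument is a file whose "others" permission bits include read
# (the NOTE in step 3.3); the 8th character of ls -l output is the o+r bit.
fips_others_read() {
  for p in "$@"; do
    [ -f "$p" ] && [ "$(ls -ld "$p" | cut -c8)" = r ] && return 0
  done
  return 1
}

fips_check_all() { # $1 = root prefix ("" or "/" for the live appliance)
  r=${1%/}; FIPS_FAILS=0
  fips_expect "kernel cmdline carries fips=1" grep -qw 'fips=1' "$r/proc/cmdline"
  fips_expect "crypto.fips_enabled reports 1" grep -qx 1 "$r/proc/sys/crypto/fips_enabled"
  for f in dr/conf/drconfig.xml srm/conf/vmware-dr.template.xml srm/conf/vmware-dr.xml; do
    # vmware-dr.xml exists only once the appliance is configured (optional step 1.3)
    [ "$f" = srm/conf/vmware-dr.xml ] && [ ! -f "$r/opt/vmware/$f" ] && continue
    fips_expect "<fips>true</fips> set in $f" grep -q '<fips>true</fips>' "$r/opt/vmware/$f"
  done
  for u in dr-client drconfigui; do
    # the active (uncommented) Environment= line must carry the approved-only flag
    fips_expect "$u.service runs BC-FIPS approved-only" \
      grep -q '^Environment=.*-Dorg.bouncycastle.fips.approved_only=true' \
      "$r/usr/lib/systemd/system/$u.service"
    # heuristic: <Manager> is live when it opens a line instead of sitting in a comment
    fips_expect "$u context.xml <Manager> uncommented" \
      grep -q '^[[:space:]]*<Manager pathname=""' "$r/opt/vmware/$u/conf/context.xml"
  done
  # UI truststore: keyStoreName must be a BCFKS (.bks) file readable by others
  ks=$(sed -n 's/^keyStoreName=//p' "$r/opt/vmware/dr-client/lib/h5dr.properties" 2>/dev/null)
  fips_expect "keyStoreName is a .bks keystore (got '$ks')" expr "$ks" : '.*\.bks$'
  fips_expect "keystore $ks is world-readable" fips_others_read \
    "$r/opt/vmware/dr-client/lib/$ks" "$r/opt/vmware/dr-client/webapps/dr/WEB-INF/classes/$ks"
  echo "$FIPS_FAILS check(s) failed"
  [ "$FIPS_FAILS" -eq 0 ]
}
```

Source the file and run fips_check_all / on the appliance; a non-zero exit status means at least one of the settings from the procedure is missing.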