vSphere Replication 8.5 has introduced FIPS support.
This article provides the steps to enable vSphere Replication to run in FIPS-compliant mode.
<Config> <vmacore> <ssl> <fips>true</fips> </ssl> </vmacore> </Config>
<Config> <vmacore> <ssl> <fips>true</fips> </ssl> </vmacore> </Config>
systemctl restart hms
systemctl restart hbrsrv
... Example ...
menuentry "Photon" {
    linux /$photon_linux root=$rootpartition $photon_cmdline coredump_filter=0x37 $systemd_cmdline fips=1
    if [ -f /$photon_initrd ]; then
        initrd /$photon_initrd
    fi
}
...
#Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
# Uncomment to enable FIPS
Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Djava.ext.dirs=/opt/vmware/dr-client/lib/ext -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
Note: the double '==' in -Djava.security.properties== is intentional; with a single '=' the override file would be appended to the JDK's java.security instead of replacing it.
<!-- Uncomment to enable FIPS mode. -->
<Manager pathname="" secureRandomAlgorithm=""/>
keyStoreName=hms-keystore.bks
If you choose to use a truststore other than the default one, a link to it should be added to /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/. The keystore format should be BCFKS. To import it from JKS format, use the following command:
$JAVA_HOME/bin/keytool -importkeystore \
  -srckeystore <path-to-jks-keystore> -srcstoretype JKS -srcstorepass <keystorepass> \
  -destkeystore <path-to-target-bks-keystore> -deststoretype BCFKS -deststorepass <keystorepass> \
  -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath /opt/vmware/dr-client/lib/ext/bc-fips-1.0.2.jar
Note: passing -srcstorepass and -deststorepass on the command line exposes the passwords to shell history and process listings; if both options are omitted, keytool prompts for them interactively instead.
setfacl -m "u:tomcat:x" /path_to_keystore/
setfacl -m "u:tomcat:r" /path_to_keystore/keystore_file
systemctl daemon-reload; systemctl restart dr-client
#Environment='CATALINA_OPTS=-Xms128m -Xmx256m -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCCause -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2m -Xloggc:/opt/vmware/drconfigui/logs/drconfigui-gc.log'
# Uncomment to enable FIPS
Environment='CATALINA_OPTS=-Xms128m -Xmx256m -Djava.security.properties==/opt/vmware/drconfigui/conf/vmware-override-java.security -Djava.ext.dirs=/opt/vmware/drconfigui/lib/ext -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCCause -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2m -Xloggc:/opt/vmware/drconfigui/logs/drconfigui-gc.log'
<!-- Uncomment to enable FIPS mode. -->
<Manager pathname="" secureRandomAlgorithm=""/>
systemctl daemon-reload; systemctl restart drconfigui
cat /proc/cmdline
cat /proc/sys/crypto/fips_enabled   (prints 1 when the kernel is running in FIPS mode)
journalctl -u sshd -b 0 | grep "FIPS"
grep "FIPS" /var/log/vmware/dr/drconfig*
grep FIPS /var/log/vmware/hbrsrv.log
Note: The output should contain a line with the following text: '...Service is running in FIPS mode.'