Supervisor Control Plane VMs in 9.0 and 8.0U3e do not have FIPS Enabled after deployment

Article ID: 403390

Products

Tanzu Kubernetes Runtime

Issue/Introduction

Security scanners may show FIPS as disabled on the Supervisor Control Plane VMs in 9.0 and 8.0U3e deployments.

After connecting over SSH to a Supervisor Control Plane VM, the fips_enabled value is 0:

cat /proc/sys/crypto/fips_enabled
0

Environment

The issue only occurs on these two versions:

vSphere Supervisor 9.0 

vSphere Supervisor packaged in 8.0u3e (Supervisor version 0.1.11) 

 

Cause

The FIPS flag is set too late in the boot process for Photon to set it correctly.

Resolution

The issue is fixed in Async Supervisor version 9.0.0.0100 and will be fixed in a future release of vSphere 8.0.

 

The only workaround is to reboot the Supervisor Control Plane VMs (SV VMs). There are 2 ways to do this.

1. Through the ESXi Client (RECOMMENDED)

  • Find the host that the VM lives on and log in to the ESXi host directly as root ( https://<ESXi_hostname_or_ip>/ui ).
  • Right-click the SV VM and reboot the guest OS (do not click Reset).
  • Reboot the VMs one at a time. Make sure the previous node comes all the way back up before rebooting the next one. The status of each SV VM can be viewed from the Workload Management -> Supervisors menu in vSphere.

2. SSH into the SV VMs and reboot them.

  • Follow this KB to gather the credentials for the SV VM. The IP addresses can be gathered in the vSphere Client by clicking each VM and looking at the Summary tab.
  • Run "reboot" to reboot the VMs one at a time. Make sure the previous node comes all the way back up before rebooting the next one. The status of each SV VM can be viewed from the Workload Management -> Supervisors menu in vSphere.
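
A check to run on each SV VM after it reboots and before rebooting the next one, as an added example that is not part of the original article or VMware tooling. It reads the same /proc/sys/crypto/fips_enabled value shown above and succeeds only when it is 1. The function names, the optional root-directory argument and the /proc/cmdline fips=1 cross-check (standard Linux behaviour, not described in the article) are assumptions.

```shell
#!/bin/sh
# Added example (not VMware code): post-reboot FIPS check for one SV VM.
# The optional root argument is a hypothetical test hook that points the
# check at a constructed directory instead of the live /proc.

# Print the kernel's runtime FIPS state: enabled, disabled, or unknown.
fips_state() {
    flag="${1:-/proc}/sys/crypto/fips_enabled"
    if [ ! -r "$flag" ]; then
        echo unknown          # file absent: kernel exposes no FIPS switch
        return 0
    fi
    case "$(tr -d '[:space:]' < "$flag")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print yes/no: was the running kernel booted with fips=1?
# Assumption: standard Linux fips=1 boot parameter; the article does not
# say how the Supervisor sets the flag.
fips_on_cmdline() {
    cmdline="${1:-/proc}/cmdline"
    if [ -r "$cmdline" ] && tr ' ' '\n' < "$cmdline" | grep -qx 'fips=1'; then
        echo yes
    else
        echo no
    fi
}

# Return 0 only when FIPS is active, so a rolling reboot can stop at the
# first node that still reports 0.
verify_node() {
    state=$(fips_state "$1")
    echo "fips_enabled=$state cmdline_fips=$(fips_on_cmdline "$1")"
    [ "$state" = enabled ]
}

# Run against the live system only when asked: ./fips-check.sh --check
if [ "${1:-}" = "--check" ]; then
    verify_node /proc
fi
```

A non-zero exit from `--check` means the node still reports fips_enabled as 0 (or the value could not be read), so the next SV VM should not be rebooted until this one is investigated.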