SDDC Manager Restore fails at sub-task ExtractSDDCManagerBackup with error, 'SDDC Manager FIPS verification failed'

Article ID: 411385

Products

VMware Cloud Foundation

Issue/Introduction

When an SDDC-M is upgraded from version 5.x (with FIPS disabled) to 9.0.1, the upgrade process preserves the existing FIPS status. If the user then takes a backup and attempts to restore the SDDC-M using that backup, the restore operation fails at the sub-task ExtractSDDCManagerBackup with the error "SDDC Manager FIPS verification failed, FIPS enablement of SDDC VM :True - FIPS enablement of Backup file:False".

 

Environment

VMware Cloud Foundation 9.x

Cause

Starting with version 9.0, greenfield SDDC-M deployments come with FIPS enabled by default. During a restore, when a user deploys a fresh SDDC-M from the OVA file, the new instance is FIPS-enabled. If the user then attempts to restore a backup taken on a FIPS-disabled SDDC-M to this FIPS-enabled SDDC-M, the restore fails because this operation is not supported.

Resolution

As a workaround, disable FIPS on the newly deployed SDDC-M prior to performing the restore.

Workaround:

1. Disable FIPS on SDDC-M by running the following steps:

  1. Download the attached disable-fips.sh script and copy it to /home/vcf on the SDDC-M.
  2. SSH into SDDC-M as the vcf user, then elevate to root.
  3. Navigate to the /home/vcf directory.

    cd /home/vcf

  4. Make the script executable:

    chmod +x disable-fips.sh

  5. Run the script to disable FIPS (this will reboot the system):

    ./disable-fips.sh

  6. Wait for SDDC-Manager to become accessible after the reboot, then reconnect.

Sample Output:

    root@sddc-manager [ /home/vcf ]# ./disable-fips.sh
    Migrating Java keystore into FIPS off mode
    Import BCFKS keystore into a temporary PKCS12 keystore
    Importing keystore /opt/vmware/vcf/commonsvcs/etc/vcf-ciphers.keystore to /home/vcf/vcf-ciphers-p12.keystore.temp...
    Entry for alias shared-secret-key successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    Sep 23, 2025 7:03:43 AM org.bouncycastle.jcajce.provider.ProvPKCS12$PKCS12KeyStoreSpi engineLoad
    INFO: extra in data 1.2.840.113549.1.12.10.1.5
    Import PKCS12 keystore into a temporary JCEKS keystore
    Importing keystore /home/vcf/vcf-ciphers-p12.keystore.temp to /home/vcf/vcf-ciphers-jceks.keystore.temp...
    Entry for alias shared-secret-key successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    Replace the BCFKS keystore with the JCEKS keystore and remove the temporary files
    Updating Java security to FIPS off mode
    Disabling APPs FIPS flag
    Disabling OS FIPS flag
    Rebooting the system
    root@sddc-manager [ /home/vcf ]#
     SSH  10.0.0.4: session closed
    Press any key to reconnect

2. Address a file existence check issue during restore by running the following steps:

  1. Download the attached fix-restore-file-check.sh script and copy it to /home/vcf on the SDDC-M.
  2. SSH into SDDC-M as the vcf user, then elevate to root.
  3. Navigate to the /home/vcf directory.

    cd /home/vcf

  4. Run the script to address the file existence check issue during restore:

    ./fix-restore-file-check.sh

  5. Proceed by re-running the SDDC-M restore operation.
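
A check to run after the reboot in step 1 and before re-running the restore, added here as an example (it is not one of the attached scripts and not VMware tooling). It assumes the appliance exposes the standard Linux `/proc/sys/crypto/fips_enabled` flag and that the converted keystore stays at the path shown in the sample output; the application-level FIPS flag is not checked because the article does not say where it is stored, and the script name in the comment is hypothetical.

```shell
#!/bin/bash
# Added example: confirm the appliance left FIPS mode before re-running the restore.

# Print "on" or "off" from the kernel FIPS flag file (standard Linux path by default).
os_fips_state() {
    _flag="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$_flag" ] && [ "$(tr -d '[:space:]' < "$_flag")" = "1" ]; then
        echo on
    else
        echo off
    fi
}

# Classify a Java keystore by its first four bytes.
keystore_format() {
    [ -r "$1" ] || { echo missing; return 0; }
    _magic="$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')"
    case "$_magic" in
        cececece) echo JCEKS ;;    # JCEKS magic number
        feedfeed) echo JKS ;;      # JKS magic number
        30*)      echo DER ;;      # ASN.1 DER: BCFKS or PKCS12, i.e. not yet converted
        *)        echo unknown ;;
    esac
}

# Return 0 only when the OS flag is off and the keystore is JCEKS.
restore_ready() {
    _os="$(os_fips_state "$1")"
    _fmt="$(keystore_format "$2")"
    echo "OS FIPS: $_os, keystore: $_fmt"
    [ "$_os" = "off" ] && [ "$_fmt" = "JCEKS" ]
}

# On the appliance: ./check-fips-off.sh --check   (script name is hypothetical)
if [ "${1:-}" = "--check" ]; then
    restore_ready /proc/sys/crypto/fips_enabled \
        /opt/vmware/vcf/commonsvcs/etc/vcf-ciphers.keystore
fi
```

A non-zero exit status means the appliance still reports FIPS as on or the keystore is not in JCEKS format.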

Attachments

fix-restore-file-check.sh
disable-fips.sh