How Do I Change FIPS Mode by using the VMware Aria Suite Lifecycle REST API

VMware products support the Federal Information Processing Standard (FIPS) so that they can be certified for use in government departments and regulated industries. You can use the API to change FIPS mode for VMware Aria Suite Lifecycle, VMware Aria Automation, VMware Aria Operations, and VMware Aria Operations for Logs.

What is FIPS Compliance?

A product is FIPS 140-2 compliant when all security related issues of cryptography and
random number generation use CMVP Validated Crypto Modules. To be FIPS compliant, most
VMware products only make calls to the OpenSSL or Bouncy Castle libraries.
You can enable or disable FIPS mode in VMware Aria Suite Lifecycle. You can only enable FIPS mode in VMware Aria Suite products.

How do I enable FIPS mode in VMware Aria Suite Lifecycle?

You can enable FIPS mode in VMware Aria Suite Lifecycle during installation or after. You enable FIPS during installation by using the OVA file and selecting the FIPS property in all install steps. You enable FIPS after installation by using the API.

Before enabling FIPS mode:
- Verify that you are running VMware Aria Suite Lifecycle 8.2 or later.
- Verify that all general Day 2 prerequisites have been satisfied. See Performing Day 2 operations using VMware Aria Suite Lifecycle APIs.

To enable FIPS mode after installation, use the following request.

    curl -X POST \
      "$url/lcm/locker/api/fips" \
      -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
      -H 'Content-Type: application/json' \
      -d '{ "enabled": true, "state": "ENABLED", "description": "", "request": null }' | jq "."

A snippet from a successful response shows that the FIPS mode is changing, and provides a request ID that you can use to check the status of the request through completion.

    {
      "enabled": false,
      "state": "CHANGING",
      "description": "Enabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.",
      "request": {
        "requestId": "23dre7d7-1413-4ce3-b277-b0eba2adba9b"
      }
    }

How do I disable FIPS mode in VMware Aria Suite Lifecycle before I upgrade?

Before you upgrade VMware Aria Suite Lifecycle, use the API to disable FIPS mode because the upgrade process uses the vCenter Service Appliance Management Interface (VAMI) and problems can occur with the VAMI when FIPS mode is enabled. To disable FIPS mode before you upgrade, use the following request.

    curl -X POST \
      "$url/lcm/locker/api/fips" \
      -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
      -H 'Content-Type: application/json' \
      -d '{ "enabled": false, "state": "DISABLED", "description": "", "request": null }' | jq "."

A snippet from a successful response shows that the FIPS mode is changing, and provides a request ID that you can use to check the status of the request through completion.

    {
      "enabled": true,
      "state": "CHANGING",
      "description": "Disabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.",
      "request": {
        "requestId": "5e239981-15d6-4e00-859d-2f0645a856"
      }
    }

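
The Authorization value in the requests above is the Base64 encoding of admin@local:ThisIsPassword, so a pasted header exposes the password in shell history and process listings. As an added example (not VMware's code; the function names are hypothetical, and curl 7.55.0 or later is assumed for `-H @-`), this script builds the header at run time, sends the enable or disable request shown above, and checks the response for the CHANGING state before printing the request ID.

```bash
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.

# Build the Basic header at run time. In bash and dash printf is a builtin,
# so the password is not passed as an argument to an external process.
basic_auth_header() {  # usage: basic_auth_header USER PASSWORD
  printf 'Authorization: Basic %s\n' \
    "$(printf '%s' "$1:$2" | base64 | tr -d '\n')"
}

# Request body for /lcm/locker/api/fips, as shown on this page.
fips_payload() {  # usage: fips_payload enable|disable
  case "$1" in
    enable)  echo '{ "enabled": true, "state": "ENABLED", "description": "", "request": null }' ;;
    disable) echo '{ "enabled": false, "state": "DISABLED", "description": "", "request": null }' ;;
    *) echo "usage: fips_payload enable|disable" >&2; return 2 ;;
  esac
}

# Extract one string field from a JSON response on stdin (first match).
json_string_field() {  # usage: json_string_field NAME
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# POST the change and print the request ID. The header reaches curl on
# stdin (-H @-), so it stays out of argv and shell history.
set_lcm_fips() (  # usage: set_lcm_fips BASE_URL USER enable|disable
  body=$(fips_payload "$3") || return 2
  printf 'Password for %s: ' "$2" >&2
  stty -echo; IFS= read -r pass; stty echo; echo >&2
  resp=$(basic_auth_header "$2" "$pass" |
    curl --silent --show-error --fail -X POST "$1/lcm/locker/api/fips" \
      -H @- -H 'Content-Type: application/json' -d "$body") || return 1
  state=$(printf '%s\n' "$resp" | json_string_field state)
  if [ "$state" != "CHANGING" ]; then
    echo "unexpected state '$state' in response" >&2; return 1
  fi
  printf '%s\n' "$resp" | json_string_field requestId
)
```

Source the file and run `set_lcm_fips "$url" admin@local disable` before an upgrade; a non-zero exit means the request failed or the appliance did not report the CHANGING state.
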
How do I enable FIPS mode in VMware Aria Suite products?

You can enable FIPS mode in version 8.3 or later of VMware Aria Automation, VMware Aria Operations, or VMware Aria Operations for Logs. After enabling, you cannot disable FIPS mode in VMware Aria Suite products.

For VMware Aria Automation, you can only enable FIPS mode during product installation. Day 2 enablement is not supported. Before enabling FIPS mode in any VMware Aria Suite product, verify that all general installation prerequisites have been satisfied. See Prerequisites for Installing and Importing Products.

How do I enable FIPS mode during product installation?

To enable FIPS mode during product installation, you add a parameter in the products section of the request payload.

    "fipsMode": "true"

For example, with the fipsMode parameter added to the VMware Aria Operations installation, the complete request appears as follows.

    curl -X POST \
      "$url/lcm/lcops/api/v2/environments" \
      -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
      -H 'Content-Type: application/json' \
      -d '{
        "environmentName": "vrops_large_deployments",
        "infrastructure": {
          "properties": {
            "dataCenterVmid": "ee6ce426-ca13-4e56-ad9e-c34a4d3d90c2",
            "regionName": "default",
            "zoneName": "default",
            "vCenterName": "LCM-VC2",
            "vCenterHost": "lcm-vc2.sqa.local",
            "vcUsername": "autouser@vsphere.local",
            "vcPassword": "",
            "acceptEULA": "true",
            "enableTelemetry": "true",
            "adminEmail": "abc@vmware.com",
            "defaultPassword": "",
            "certificate": "",
            "cluster": "Datacenter#Cluster-01",
            "storage": "ISCSI-15TB-04",
            "folderName": "",
            "resourcePool": "",
            "diskMode": "thin",
            "network": "infra-traffic-1024",
            "masterVidmEnabled": "false",
            "dns": "10.141.66.213,10.118.183.252",
            "domain": "sqa.local",
            "gateway": "10.196.57.253",
            "netmask": "255.255.254.0",
            "searchpath": "sqa.local",
            "timeSyncMode": "ntp",
            "ntp": "ntp1.eng.vmware.com",
            "isDhcp": "false"
          }
        },
        "products": [
          {
            "id": "vrops",
            "version": "8.0.1",
            "properties": {
              "licenseRef": "locker:license:eab62-bc21-643cf0b9cafa:license",
              "certificate": "locker:certificate:f4e98b983:vmware",
              "productPassword": "locker:password:d21-d9de2c10:VMware1!",
              "disableTls": "",
              "timeSyncMode": "ntp",
              "masterVidmEnabled": false,
              "ntp": "ntp1.eng.vmware.com",
              "affinityRule": false,
              "configureAffinitySeparateAll": "true",
              "deployOption": "large",
              "fipsMode": "true"
            },
            "clusterVIP": {
              "clusterVips": []
            },
            "nodes": [
              {
                "type": "remotecollector",
                "properties": {
                  "vmName": "vrops-remotecollector",
                  "hostName": "sqa.local",
                  "deployOption": "smallrc",
                  "ip": "4.4.4.4",
                  "gateway": "2.2.2.2",
                  "domain": "2.2.2.2",
                  "searchpath": "2.2.2.2",
                  "dns": "10.141.66.213",
                  "netmask": "2.2.2.2",
                  "extendedStorage": "",
                  "timeZone": "",
                  "ntp": "",
                  "vCenterHost": "lcm-vc1.sqa.local",
                  "cluster": "Datacenter-01#Cluster-01",
                  "resourcePool": "",
                  "folderName": "",
                  "network": "dvs-55-Network-314b11d9-c958-4aa2-af98-cd5439a970d7",
                  "storage": "ISCSI-15TB-02",
                  "diskMode": "thin",
                  "contentLibraryItemId": "",
                  "vCenterName": "lcm-vc1",
                  "vcUsername": "devuser@vsphere.local",
                  "vcPassword": "locker:password:4984d8e4-825b-4694-99cf-db80b41b5ac2:vc-password"
                }
              },
              {
                "type": "master",
                "properties": {
                  "vmName": "mastervmname",
                  "hostName": "lcm-57-68.sqa.local",
                  "ip": "10.196.57.68"
                }
              },
              {
                "type": "replica",
                "properties": {
                  "vmName": "replicavmname",
                  "hostName": "lcm-12-34.sqa.local",
                  "ip": "10.196.12.34"
                }
              },
              {
                "type": "data",
                "properties": {
                  "vmName": "datavmname",
                  "hostName": "lcm-12-35.sqa.local",
                  "ip": "10.196.12.35"
                }
              }
            ]
          }
        ]
      }' | jq "."

For the steps to take after the installation request, see Deploy your Products using the VMware Aria Suite Lifecycle API.

How do I enable FIPS mode in products as part of Day 2 operations?

To enable FIPS mode for a product after installation, you first get the environment ID of the product by using the following command.

    curl -X GET \
      "$url/lcm/lcops/api/v2/environments" \
      -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
      -H 'Content-Type: application/json' | jq "."

Check the response for an environment that includes the product that you are updating. For example, to enable FIPS mode in VMware Aria Operations, look for the environment that includes the vrops product and assign variables for the environmentId and the productId.

    environmentId="<environmentId_value_from_response>"
    productId="vrops"

To enable FIPS mode for VMware Aria Operations, use the following command.

    curl -X POST \
      "$url/lcm/lcops/api/v2/environments/$environmentId/products/$productId/fips" \
      -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \
      -H 'Content-Type: application/json' \
      -d '{ "fipsMode": "true" }' | jq "."

A snippet from a successful response provides a request ID that you can use to check the status of the request through completion.

    { "requestId": "a0d8d8cd-ac87-4b5c-ba8b-7a0173c56b55" }