How do I activate FIPS on the Site Recovery Manager appliance

This topic outlines the tasks that you must perform to activate Federal Information Processing Standards (FIPS) mode on the Site Recovery Manager appliance.
Make sure to use trusted certificates when deploying your environment.
The PKCS#12 certificate file format is not supported in the Certificates configuration in FIPS mode, because the PKCS#12 standard specification uses non-FIPS compliant algorithms.
  1. Edit the configuration files for the Site Recovery Manager services.
    1. Navigate to /opt/vmware/dr/conf/drconfig.xml, open the file and change the following setting.
       <Config>
         <vmacore>
           <ssl>
             <fips>true</fips>
           </ssl>
         </vmacore>
       </Config>
    2. Navigate to /opt/vmware/srm/conf/vmware-dr.template.xml, open the file and change the following setting.
       <Config>
         <vmacore>
           <ssl>
             <fips>true</fips>
           </ssl>
         </vmacore>
       </Config>
    3. If the appliance is configured, edit the /opt/vmware/srm/conf/vmware-dr.xml file.
       <Config>
         <vmacore>
           <ssl>
             <fips>true</fips>
           </ssl>
         </vmacore>
       </Config>
  2. Start the Site Recovery Manager services in strict mode.
    1. Edit /usr/lib/systemd/system/dr-configurator.service. Uncomment the lines under # Uncomment to enable FIPS.
       The file fragment must look like this.
       # Uncomment to enable FIPS
       Environment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules
       Environment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf
    2. Edit /usr/lib/systemd/system/srm-server.service. Uncomment the lines under # Uncomment to enable FIPS.
       The file fragment must look like this.
       # Uncomment to enable FIPS
       Environment=OPENSSL_MODULES=/opt/vmware/dr/lib/ossl-modules
       Environment=OPENSSL_CONF=/opt/vmware/etc/dr/ssl/openssl.cnf
    3. Restart the dr-configurator and the srm-server services. Run the following commands.
       systemctl daemon-reload
       systemctl restart dr-configurator
       systemctl restart srm-server
  3. Log in to the appliance as the root user and edit the kernel command line.
    1. Open /boot/grub/grub.cfg.
    2. Locate the menuentry entry.
    3. In each menuentry, append the following at the end of the line that starts with linux.
       fips=1
    4. Save the file.
  4. Start the Config UI in strict mode.
    1. Edit /usr/lib/systemd/system/drconfigui.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
       The file fragment must look like this.
       Environment=JRE_HOME=/usr/java/jre-vmware
       # Comment when enable FIPS
       # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
       # Uncomment to enable FIPS
       Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
       Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/drconfigui/conf/context.xml file.
       The file fragment with the tag must look like this.
       <!-- Uncomment to enable FIPS mode. -->
       <Manager pathname="" secureRandomAlgorithm=""/>
    3. Restart the drconfigui service if FIPS is already enabled for the appliance.
       systemctl daemon-reload; systemctl restart drconfigui
  5. Start the UI in strict mode.
    1. Edit /usr/lib/systemd/system/dr-client.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
       The file fragment must look like this.
       Environment=JRE_HOME=/usr/java/jre-vmware
       # Comment when enable FIPS
       # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
       # Uncomment to enable FIPS
       Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
       Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-client/conf/context.xml file.
       The file fragment with the tag must look like this.
       <!-- Uncomment to enable FIPS mode. -->
       <Manager pathname="" secureRandomAlgorithm=""/>
    3. Edit the /opt/vmware/dr-client/lib/h5dr.properties file and modify the parameters to point to a BCFKS format keystore and truststore that contain the root CA certificates.
       The properties must look like this.
       drTrustStorePass=<same as keyStorePass>
       drTrustStoreName=h5dr.truststore.bks
       keyStoreName=h5dr.keystore.bks
       If you choose to use a truststore other than the default one, you must add a link to the truststore in /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/. The keystore format must be BCFKS. To import a keystore from the JKS format, use the following command.
       $JAVA_HOME/bin/keytool -importkeystore \
         -srckeystore <path-to-jks-keystore> -srcstoretype JKS -srcstorepass <keystorepass> \
         -destkeystore <path-to-target-bks-keystore> -deststoretype BCFKS -deststorepass <keystorepass> \
         -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
         -providerpath /opt/vmware/dr-client/lib/ext/bc-fips-1.0.2.3.jar
       The keystore and truststore files you use must have the Others: Read permission. After reconfiguring the appliance, you must edit the /opt/vmware/dr-client/lib/h5dr.properties file again according to the rules above.
    4. Restart the dr-client service if FIPS is already enabled for the appliance.
       systemctl daemon-reload; systemctl restart dr-client
  6. Start the UI plugin (dr-client-plugin) in strict mode.
    1. Edit /usr/lib/systemd/system/dr-client-plugin.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
       The file fragment must look like this.
       Environment=JRE_HOME=/usr/java/jre-vmware
       # Comment when enable FIPS
       # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
       # Uncomment to enable FIPS
       Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
       Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-client-plugin/conf/context.xml file.
       The file fragment with the tag must look like this.
       <!-- Uncomment to enable FIPS mode. -->
       <Manager pathname="" secureRandomAlgorithm=""/>
    3. Restart the dr-client-plugin service if FIPS is already enabled for the appliance.
       systemctl daemon-reload; systemctl restart dr-client-plugin
  7. Start the REST API service (dr-rest) in strict mode.
    1. Edit /usr/lib/systemd/system/dr-rest.service. Comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' and uncomment the lines under # Uncomment to enable FIPS.
       The file fragment must look like this.
       Environment=JRE_HOME=/usr/java/jre-vmware
       # Comment when enable FIPS
       # Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
       # Uncomment to enable FIPS
       Environment='SERVICE_CLASSPATH=$CATALINA_BASE/lib/ext/*'
       Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in the /opt/vmware/dr-rest/conf/context.xml file.
       The file fragment with the tag must look like this.
       <!-- Uncomment to enable FIPS mode. -->
       <Manager pathname="" secureRandomAlgorithm=""/>
    3. Restart the dr-rest service if FIPS is already enabled for the appliance.
       systemctl daemon-reload; systemctl restart dr-rest
  8. Reboot the appliance.
    Make sure that the systemctl daemon-reload command is executed at least once after making the modifications and before rebooting the appliance.
    SSHD detects that the kernel has FIPS mode enabled and activates it too. There is no need to edit anything in the sshd configuration.
Validate that FIPS mode is activated.
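The following script is an added example, not part of this documentation or of the appliance, that checks the files edited in the procedure above before the reboot and the kernel flag after it. The file paths are the ones from the procedure; the /proc/sys/crypto/fips_enabled flag is the standard Linux kernel indicator and is assumed to be present on the appliance.

```shell
# Added example, not VMware's own tooling: pre-reboot checks for the FIPS settings
# in this procedure. Each check takes the file to inspect as $1 so it can be run
# against constructed sample files; run_all_checks uses the appliance paths above.

# drconfig.xml / vmware-dr.xml: the <fips> switch under <vmacore><ssl> must be true
fips_xml_enabled() {
    grep -q '<fips>true</fips>' "$1" && ! grep -q '<fips>false</fips>' "$1"
}
# dr-configurator / srm-server unit: both OPENSSL_* Environment lines uncommented
unit_fips_env_active() {
    grep -q '^Environment=OPENSSL_MODULES=' "$1" && grep -q '^Environment=OPENSSL_CONF=' "$1"
}
# grub.cfg: at least one "linux" kernel line, and every one of them carries fips=1
grub_all_linux_fips() {
    total=$(grep -cE '^[[:space:]]*linux[[:space:]]' "$1" || true)
    with_fips=$(grep -E '^[[:space:]]*linux[[:space:]]' "$1" |
        grep -cE '(^|[[:space:]])fips=1([[:space:]]|$)' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$with_fips" ]
}
# Tomcat context.xml: the <Manager .../> tag starts a line, i.e. is not commented out
context_manager_active() { grep -q '^[[:space:]]*<Manager ' "$1"; }
# h5dr.properties: keystore and truststore names point to BCFKS (.bks) files
h5dr_bcfks_stores() {
    grep -q '^keyStoreName=.*\.bks$' "$1" && grep -q '^drTrustStoreName=.*\.bks$' "$1"
}
# keystore/truststore file carries the "Others: Read" bit (8th char of the ls -l mode)
store_world_readable() { [ "$(ls -ld "$1" | cut -c8)" = r ]; }
# Kernel reports FIPS (only true after the reboot); path overridable for testing
kernel_fips_enabled() { [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = 1 ]; }

# Print OK/FAIL for one check; returns the check's status
report() { d=$1; shift; if "$@"; then echo "OK   $d"; else echo "FAIL $d"; return 1; fi; }
# Run every check against the real appliance paths; non-zero if anything failed
run_all_checks() {
    rc=0
    for f in /opt/vmware/dr/conf/drconfig.xml /opt/vmware/srm/conf/vmware-dr.template.xml /opt/vmware/srm/conf/vmware-dr.xml; do
        report "fips true in $f" fips_xml_enabled "$f" || rc=1
    done
    for s in dr-configurator srm-server; do
        report "OPENSSL_* env in $s.service" unit_fips_env_active "/usr/lib/systemd/system/$s.service" || rc=1
    done
    report "fips=1 on every linux line in grub.cfg" grub_all_linux_fips /boot/grub/grub.cfg || rc=1
    for c in drconfigui dr-client dr-client-plugin dr-rest; do
        report "<Manager> active in $c/conf/context.xml" context_manager_active "/opt/vmware/$c/conf/context.xml" || rc=1
    done
    report "BCFKS stores in h5dr.properties" h5dr_bcfks_stores /opt/vmware/dr-client/lib/h5dr.properties || rc=1
    report "kernel FIPS enabled" kernel_fips_enabled || rc=1
    return $rc
}
```

Run `run_all_checks` once before the reboot (expect only the kernel check to fail) and again after it (expect all OK); the keystore and truststore named in h5dr.properties can be checked with store_world_readable.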