How to enable FIPS (Federal Information Processing Standards) on Site Recovery Manager Appliance 8.4


Article ID: 312579


Products

VMware Live Recovery

Issue/Introduction

This article summarizes the tasks required for the Site Recovery Manager product to run in FIPS mode. Note that this procedure is supported only on the SRM Appliance.

Note: This article applies to Site Recovery Manager 8.4/8.3. For Site Recovery Manager 8.5, see: https://kb.vmware.com/s/article/88013

Environment

VMware Site Recovery Manager 8.4.x
VMware Site Recovery Manager 8.3.x

Resolution

Enable FIPS mode manually in the Site Recovery Manager appliance

  1. Three (3) configuration files need to be edited:
    1. /opt/vmware/srm/conf/drconfig.xml
    2. /opt/vmware/srm/conf/vmware-dr.template.xml
    3. /opt/vmware/srm/conf/vmware-dr.xml (optional; this file exists only once the appliance has been configured)
  2. In each of the files from step 1, add the following setting for the Site Recovery Manager services:
    <Config>
        <vmacore>
            <ssl>
                <fips>true</fips>
            </ssl>
        </vmacore>
    </Config>
    An XML document has exactly one root element, so merge the <vmacore>/<ssl>/<fips> elements into the existing <Config> element (reusing <vmacore> and <ssl> where they are already present) rather than appending a second <Config> block to the file.
  3. As the root user, edit the kernel command line:
    1. Open /boot/grub/grub.cfg.
    2. Locate the menuentry entries.
    3. In each menuentry, append the following to the end of the line that starts with linux:
      • fips=1
    4. Save the file.
  4. Start the UI in strict mode:
    1. Edit /usr/lib/systemd/system/dr-client.service: comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' line and uncomment the one under # Uncomment to enable FIPS. The file fragment should look like this:
      #Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/dr-client/conf/vmware-override-java.security -Djava.ext.dirs=/opt/vmware/dr-client/lib/ext -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
      The double equals sign in -Djava.security.properties== is intentional: it makes the listed file replace the JRE's java.security properties entirely instead of amending them. -Dorg.bouncycastle.fips.approved_only=true restricts the Bouncy Castle FIPS provider to approved algorithms only.
    2. Uncomment the <Manager> tag in /opt/vmware/dr-client/conf/context.xml. The file fragment with the tag should look like this:
      <!-- Uncomment to enable FIPS mode.                                   -->
      <Manager pathname="" secureRandomAlgorithm=""/>
    3. Edit /opt/vmware/dr-client/lib/h5dr.properties and set keyStoreName to a BCFKS-format keystore that contains the root CA certificates. The property should look like this:
      keyStoreName=h5dr.keystore.bks
    4. Choose the Java truststore (the store that contains the root CA certificates) and convert it to BCFKS with the command below. The converted keystore, or a link to it, must be placed in /opt/vmware/dr-client/lib/ or /opt/vmware/dr-client/webapps/dr/WEB-INF/classes/ under the file name referenced by keyStoreName.
      $JAVA_HOME/bin/keytool -importkeystore -srckeystore <path-to-jks-keystore> -srcstoretype JKS -srcstorepass <keystorepass> -destkeystore <path-to-target-bks-keystore> -deststoretype BCFKS -deststorepass <keystorepass> -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/dr-client/lib/ext/bc-fips-1.0.2.jar
      NOTE: the keystore file must be readable by other users (o+r), otherwise the UI service cannot open it.
  5. Start the Config UI in strict mode:
    1. Edit /usr/lib/systemd/system/drconfigui.service: comment out the existing Environment='CATALINA_OPTS=-Xms768m -Xmx1024m' line and uncomment the one under # Uncomment to enable FIPS. The file fragment should look like this:
      #Environment='CATALINA_OPTS=-Xms768m -Xmx1024m'
      # Uncomment to enable FIPS
      Environment='CATALINA_OPTS=-Xms768m -Xmx1024m -Djava.security.properties==/opt/vmware/drconfigui/conf/vmware-override-java.security -Djava.ext.dirs=/opt/vmware/drconfigui/lib/ext -Dorg.bouncycastle.jca.enable_jks=true -Dorg.bouncycastle.fips.approved_only=true'
    2. Uncomment the <Manager> tag in /opt/vmware/drconfigui/conf/context.xml. The file fragment with the tag should look like this:
      <!-- Uncomment to enable FIPS mode.                                   -->
      <Manager pathname="" secureRandomAlgorithm=""/>
  6. Reboot the appliance.
Note: SSHD detects that the kernel is running in FIPS mode and enables FIPS mode itself; no change to the sshd configuration is needed.
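The configuration edits from steps 1 to 3 (the <fips> setting merged into each SRM config XML and fips=1 appended to every linux line in grub.cfg), applied idempotently by a script. This is an added example and not VMware tooling: it assumes python3.9 or newer (for xml.etree's comment-preserving parser and ET.indent), that each SRM config file has <Config> as its document root, and the file paths listed in the steps above. Run it against copies of the files and diff the result before installing them, because the XML is re-serialized (comments are kept, indentation is normalized).

```python
#!/usr/bin/env python3
"""Apply the SRM appliance FIPS edits (steps 1-3) idempotently.
Added example, not VMware's code; assumes python3.9+ and <Config> as the XML root."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths from the article; vmware-dr.xml exists only on a configured appliance.
SRM_CONFIG_FILES = [
    "/opt/vmware/srm/conf/drconfig.xml",
    "/opt/vmware/srm/conf/vmware-dr.template.xml",
    "/opt/vmware/srm/conf/vmware-dr.xml",
]
GRUB_CFG = "/boot/grub/grub.cfg"
FIPS_ELEMENT_PATH = ("vmacore", "ssl", "fips")


def set_fips_in_config(xml_text: str) -> str:
    """Return xml_text with <Config><vmacore><ssl><fips>true</fips></ssl></vmacore></Config>
    merged in. Existing <vmacore>/<ssl>/<fips> elements are reused, so the result never
    gets a second <Config> root or a duplicate <vmacore> block, and an existing
    <fips>false</fips> is switched to true. Comments in the file are preserved."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    if root.tag != "Config":
        raise ValueError("expected <Config> as the document root element")
    node = root
    for tag in FIPS_ELEMENT_PATH:
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    node.text = "true"
    ET.indent(root, space="    ")  # normalize indentation of the re-serialized tree
    decl = re.match(r"\s*(<\?xml[^>]*\?>)", xml_text)  # keep the original XML declaration
    prefix = decl.group(1) + "\n" if decl else ""
    return prefix + ET.tostring(root, encoding="unicode") + "\n"


def add_fips_to_grub(grub_text: str) -> str:
    """Append ' fips=1' to every kernel command line (lines whose first token is 'linux').
    Idempotent: a line that already carries fips=1 as a separate argument is left alone."""
    out = []
    for line in grub_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]
        if re.match(r"\s*linux\s", body) and "fips=1" not in body.split():
            body += " fips=1"
        out.append(body + newline)
    return "".join(out)


def apply_to_file(path: str, transform) -> bool:
    """Rewrite path in place with transform(text); returns True if the file changed."""
    p = Path(path)
    before = p.read_text()
    after = transform(before)
    if after != before:
        p.write_text(after)
    return after != before


if __name__ == "__main__":
    # Optional argument: a directory holding copies of the files in the same layout.
    prefix = sys.argv[1] if len(sys.argv) > 1 else ""
    for cfg in SRM_CONFIG_FILES:
        target = prefix + cfg
        if Path(target).exists():  # vmware-dr.xml is absent on an unconfigured appliance
            changed = apply_to_file(target, set_fips_in_config)
            print(f"{target}: {'updated' if changed else 'already set'}")
    changed = apply_to_file(prefix + GRUB_CFG, add_fips_to_grub)
    print(f"{prefix + GRUB_CFG}: {'updated' if changed else 'already set'}")
```

Running the script a second time reports every file as already set; that is the property to rely on when the edit is part of a build or hardening pipeline, since appending fips=1 twice or nesting a second <Config> would be harmless at best and a parse failure at worst.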

Validate FIPS mode is enabled

  • Validate the kernel command line (fips=1 must be present):
    • cat /proc/cmdline
  • Validate that the kernel has enabled FIPS mode (prints 1):
    • cat /proc/sys/crypto/fips_enabled
  • Validate that SSHD has enabled FIPS mode:
    • journalctl -u sshd -b 0 | grep "FIPS"
  • Validate that dr-configurator has enabled FIPS mode:
    • journalctl -u dr-configurator -b 0 | grep "FIPS"
  • Validate that vmware-dr (the srm-server unit) has enabled FIPS mode:
    • journalctl -u srm-server -b 0 | grep "FIPS"
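The validation steps above collected into a single report. This is an added example, not VMware's own tooling: each check takes the command output as text so it can be exercised offline, and run_on_appliance() (which assumes python3 on the appliance plus the unit names and file paths used in this article) feeds them live data. It goes slightly beyond the article's list by also confirming that the dr-client and drconfigui service units and context.xml files carry the settings from steps 4 and 5, since a kernel in FIPS mode says nothing about whether the Java UIs were switched to strict mode.

```python
#!/usr/bin/env python3
"""Report FIPS status of an SRM 8.4/8.3 appliance. Added example, not VMware's code."""
import re
import subprocess
from pathlib import Path

JOURNAL_UNITS = ("sshd", "dr-configurator", "srm-server")
SERVICE_UNITS = ("/usr/lib/systemd/system/dr-client.service",
                 "/usr/lib/systemd/system/drconfigui.service")
CONTEXT_FILES = ("/opt/vmware/dr-client/conf/context.xml",
                 "/opt/vmware/drconfigui/conf/context.xml")


def kernel_cmdline_has_fips(cmdline: str) -> bool:
    """True when fips=1 is present as a whole argument (a substring match would accept fips=10)."""
    return any(arg == "fips=1" for arg in cmdline.split())


def kernel_fips_enabled(fips_enabled: str) -> bool:
    """/proc/sys/crypto/fips_enabled reads 1 when the kernel runs in FIPS mode."""
    return fips_enabled.strip() == "1"


def fips_journal_lines(journal: str) -> list:
    """The lines that 'journalctl -u <unit> -b 0 | grep "FIPS"' would print, for review."""
    return [ln for ln in journal.splitlines() if "FIPS" in ln]


def unit_has_fips_catalina_opts(unit_text: str) -> bool:
    """The active (uncommented) Environment=CATALINA_OPTS line must carry approved_only=true;
    a commented-out FIPS line with the plain line still active means step 4/5 was skipped."""
    for line in unit_text.splitlines():
        s = line.strip()
        if s.startswith("Environment=") and "CATALINA_OPTS" in s:
            return "-Dorg.bouncycastle.fips.approved_only=true" in s
    return False


def context_manager_uncommented(context_xml: str) -> bool:
    """<Manager .../> must sit outside any <!-- --> comment block."""
    without_comments = re.sub(r"<!--.*?-->", "", context_xml, flags=re.S)
    return re.search(r"<Manager\b[^>]*/>", without_comments) is not None


def fips_status(cmdline: str, fips_enabled: str, journals: dict,
                units: dict, contexts: dict) -> dict:
    """Map each check name to True (enabled) or False (not enabled)."""
    status = {
        "kernel_cmdline": kernel_cmdline_has_fips(cmdline),
        "kernel_fips_enabled": kernel_fips_enabled(fips_enabled),
    }
    for unit, text in journals.items():
        status[f"journal:{unit}"] = bool(fips_journal_lines(text))
    for name, text in units.items():
        status[f"unit:{name}"] = unit_has_fips_catalina_opts(text)
    for name, text in contexts.items():
        status[f"context:{name}"] = context_manager_uncommented(text)
    return status


def journal(unit: str) -> str:
    """Output of 'journalctl -u <unit> -b 0' (current boot) on the appliance."""
    return subprocess.run(["journalctl", "-u", unit, "-b", "0"],
                          capture_output=True, text=True, check=False).stdout


def run_on_appliance() -> dict:
    """Gather the live inputs on the appliance itself and evaluate them."""
    return fips_status(
        Path("/proc/cmdline").read_text(),
        Path("/proc/sys/crypto/fips_enabled").read_text(),
        {u: journal(u) for u in JOURNAL_UNITS},
        {Path(p).name: Path(p).read_text() for p in SERVICE_UNITS},
        {Path(p).parent.parent.name: Path(p).read_text() for p in CONTEXT_FILES},
    )


if __name__ == "__main__":
    for check, ok in run_on_appliance().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The journal checks only assert that a line mentioning FIPS was logged during the current boot, which is all the article's grep does; print fips_journal_lines() for a unit when a check fails, so the actual message (rather than its mere presence) is what gets read.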