How Do I Change FIPS Mode by using the vRealize Suite Lifecycle Manager REST API
VMware products support the Federal Information Processing Standard or FIPS so that they can be certified for use in government departments and regulated industries. You can use the API to change FIPS mode for vRealize Suite Lifecycle Manager, vRealize Automation, vRealize Operations Manager, and vRealize Log Insight.
What is FIPS Compliance?
A product is FIPS 140-2 compliant when all security related issues of cryptography and random number generation use CMVP Validated Crypto Modules. To be FIPS compliant, most VMware products only make calls to the OpenSSL or Bouncy Castle libraries.
You can enable or disable FIPS mode in vRealize Suite Lifecycle Manager. You can only enable FIPS mode in vRealize Suite products.
How do I enable FIPS mode in vRealize Suite Lifecycle Manager?
You can enable FIPS mode in vRealize Suite Lifecycle Manager during installation or after. You enable FIPS during installation using the OVA file and selecting FIPS property in all install steps. You enable FIPS after installation by using the API.
- Verify that you are running vRealize Suite Lifecycle Manager 8.2 or later.
- Verify that all general Day 2 prerequisites have been satisfied. See Performing Day 2 operations using vRealize Suite Lifecycle Manager APIs.
curl -X POST\ '$url/lcm/locker/api/fips' \ -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \ -H 'Content-Type: application/json' -d '{ "enabled": true, "state": "ENABLED", "description": "", "request": null } | jq "."
{ "enabled": false, "state": "CHANGING", "description": "Enabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.", "request": { "requestId": "23dre7d7-1413-4ce3-b277-b0eba2adba9b" }
How do I disable FIPS mode in vRealize Suite Lifecycle Manager before I upgrade?
curl -X POST\ '$url/lcm/locker/api/fips' \ -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \ -H 'Content-Type: application/json' -d '{ "enabled": false, "state": "DISABLED", "description": "", "request": null } | jq "."
{ "enabled": true, "state": "CHANGING", "description": "Disabling FIPS mode for vRealize Suite Lifecycle Manager appliance and services.", "request": { "requestId": "5e239981-15d6-4e00-859d-2f0645a856" }
How do I enable FIPS mode in vRealize Suite products?
You can enable FIPS mode in version 8.3 or later of vRealize Automation, vRealize Operations Manager or vRealize Log Insight. After enabling, you cannot disable FIPS mode in vRealize Suite products.
For vRealize Automation, you can only enable FIPS mode during product installation. Day 2 enablement is not supported.
Before enabling FIPS mode in any vRealize Suite product, verify that all general installation prerequisites have been satisfied. See Prerequisites for Installing and Importing Products.
How do I enable FIPS mode during product installation?
"fipsMode":"\true\""
fipsMode
parameter added to the vRealize
Operations Manager installation, the complete request appears as
follows.curl -X POST \ '$url/lcm/lcops/api/v2/environments' \ -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \ -H 'Content-Type: application/json' \ -d '{ "environmentName": "vrops_large_deployments", "infrastructure": { "properties": { "dataCenterVmid": "ee6ce426-ca13-4e56-ad9e-c34a4d3d90c2", "regionName": "default", "zoneName": "default", "vCenterName": "LCM-VC2", "vCenterHost": "lcm-vc2.sqa.local", "vcUsername": "[email protected]", "vcPassword": "", "acceptEULA": "true", "enableTelemetry": "true", "adminEmail": "[email protected]", "defaultPassword": "", "certificate": "", "cluster": "Datacenter#Cluster-01", "storage": "ISCSI-15TB-04", "folderName": "", "resourcePool": "", "diskMode": "thin", "network": "infra-traffic-1024", "masterVidmEnabled": "false", "dns": "10.141.66.213,10.118.183.252", "domain": "sqa.local", "gateway": "10.196.57.253", "netmask": "255.255.254.0", "searchpath": "sqa.local", "timeSyncMode": "ntp", "ntp": "ntp1.eng.vmware.com", "isDhcp": "false" } }, "products": [ { "id": "vrops", "version": "8.0.1", "properties": { "licenseRef": "locker:license:eab62-bc21-643cf0b9cafa:license", "certificate": "locker:certificate:f4e98b983:vmware", "productPassword": "locker:password:d21-d9de2c10:VMware1!", "disableTls": "", "timeSyncMode": "ntp", "masterVidmEnabled": false, "ntp": "ntp1.eng.vmware.com", "affinityRule": false, "configureAffinitySeparateAll": "true", "deployOption": "large" "fipsMode" : "true" }, "clusterVIP": { "clusterVips": [] }, "nodes": [ { "type": "remotecollector", "properties": { "vmName": "vrops-remotecollector", "hostName": "sqa.local", "deployOption": "smallrc", "ip": "4.4.4.4", "gateway": "2.2.2.2", "domain": "2.2.2.2", "searchpath": "2.2.2.2", "dns": "10.141.66.213", "netmask": "2.2.2.2", "extendedStorage": "", "timeZone": "", "ntp": "", "vCenterHost": "lcm-vc1.sqa.local", "cluster": "Datacenter-01#Cluster-01", "resourcePool": "", "folderName": "", "network": "dvs-55-Network-314b11d9-c958-4aa2-af98-cd5439a970d7", "storage": "ISCSI-15TB-02", "diskMode": "thin", "contentLibraryItemId": "", "vCenterName": "lcm-vc1", "vcUsername": "[email protected]", "vcPassword": "locker:password:4984d8e4-825b-4694-99cf-db80b41b5ac2:vc-password" } }, { "type": "master", "properties": { "vmName": "mastervmname", "hostName": "lcm-57-68.sqa.local", "ip": "10.196.57.68" } }, { "type": "replica", "properties": { "vmName": "replicavmname", "hostName": "lcm-12-34.sqa.local", "ip": "10.196.12.34" } }, { "type": "data", "properties": { "vmName": "datavmname", "hostName": "lcm-12-35.sqa.local", "ip": "10.196.12.35" } } ] } ] }' | jq "."
For the steps to take after the installation request, see Deploy your Products using the vRealize Suite Lifecycle Manager API.
How do I enable FIPS mode in products as part of Day 2 operations?
curl -X GET \ '$url/lcm/lcops/api/v2/environments' \ -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \ -H 'Content-Type: application/json' \ }' | jq "."
vrops
product and assign variables for the
environmentId
and the
productId
.environmentId = "<environmentId_value_from_response>" productId = "vrops"
curl -X POST \ '$url/lcm/lcops/api/v2/environments/$environmentId/products/$productId/fips' \ -H 'Authorization: Basic YWRtaW5AbG9jYWw6VGhpc0lzUGFzc3dvcmQ=' \ -H 'Content-Type: application/json' \ -d '{ "fipsMode" : "\true\"" }' | jq "."
{ "requestId": "a0d8d8cd-ac87-4b5c-ba8b-7a0173c56b55" }