DCLI is compliant with the Federal Information Processing Standards (FIPS), but FIPS mode is not enabled by default. You can enable FIPS mode by modifying the DCLI script.
For its cryptographic algorithms, DCLI relies on the OpenSSL library that the Python interpreter uses by default. FIPS versions of OpenSSL can run in a mode that prevents the use of algorithms that are not FIPS compliant. However, by default Python does not include a FIPS version of OpenSSL. To turn on FIPS mode in OpenSSL, you must have a Python interpreter built with a FIPS version of OpenSSL.
Procedure
- Find the location of the DCLI script.
  - If you are using Linux or Mac OS, run the following command.
    which dcli
  - If you are using Windows, run the following command.
    where dcli
- Open the DCLI script file by using a text editor.
- Locate the following line in the script.
  from vmware.vapi.client.dcli.cli import main
- Add the following lines after the line you located.
  import ctypes
  # Load the OpenSSL 1.0.x libcrypto shared library that Python was built against.
  libcrypto = ctypes.CDLL("libcrypto.so.1.0.0")
  # FIPS_mode() returns 1 when FIPS mode is active, 0 otherwise.
  fips_mode = libcrypto.FIPS_mode
  fips_mode.argtypes = []
  fips_mode.restype = ctypes.c_int
  # FIPS_mode_set(1) enables FIPS mode; it returns 1 on success and 0 on failure.
  fips_mode_set = libcrypto.FIPS_mode_set
  fips_mode_set.argtypes = [ctypes.c_int]
  fips_mode_set.restype = ctypes.c_int
  fips_mode_set(1)
- (Optional) Verify whether FIPS mode is enabled by printing to the console when running DCLI.
  Replace the
  fips_mode_set(1)
  line with the following lines.
  print("FIPS_mode(): {:d}".format(fips_mode()))
  print("FIPS_mode_set(1): {:d}".format(fips_mode_set(1)))
  print("FIPS_mode(): {:d}".format(fips_mode()))
- (Optional) Verify that you receive a proper error message when calling the MD5 algorithm, which is not FIPS compliant.
  Add the following lines after the last lines you added.
  import hashlib
  # Sample input for the hash calls; hashlib requires bytes, not str.
  text = b"FIPS mode check"
  print("SHA1: {:s}".format(hashlib.sha1(text).hexdigest()))
  # With FIPS mode enabled, this call raises ValueError because MD5 is disabled.
  print("MD5: {:s}".format(hashlib.md5(text).hexdigest()))
- Save the changes you made to the DCLI script.
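The procedure above calls FIPS_mode_set(1) without checking its return value, so a DCLI run on a non-FIPS libcrypto would continue silently with non-approved algorithms. The following stand-alone helper is an added example, not code from the DCLI documentation or the DCLI project: it performs the same FIPS_mode / FIPS_mode_set calls through ctypes, fails loudly when the mode cannot be enabled, and reports which hashlib algorithms the process still accepts. The additional library names in LIBCRYPTO_CANDIDATES and the FakeLibcrypto stand-in (used only when no FIPS-capable libcrypto is installed) are assumptions made for this example.

```python
"""Added example (not part of the DCLI documentation or the DCLI project):
enable OpenSSL 1.0.x FIPS mode through ctypes with return-value checks and
report which hashlib algorithms remain available. LIBCRYPTO_CANDIDATES (other
than libcrypto.so.1.0.0) and FakeLibcrypto are assumptions for this example."""
import ctypes
import hashlib

# SONAMEs to try; the documentation uses libcrypto.so.1.0.0, the rest are assumptions.
LIBCRYPTO_CANDIDATES = ("libcrypto.so.1.0.0", "libcrypto.so.10", "libcrypto.so")


def load_libcrypto(candidates=LIBCRYPTO_CANDIDATES):
    """Return the first loadable libcrypto that exports FIPS_mode_set, else None.
    OpenSSL 3.x builds no longer export FIPS_mode_set, so they are skipped too."""
    for name in candidates:
        try:
            lib = ctypes.CDLL(name)
        except OSError:
            continue
        if hasattr(lib, "FIPS_mode_set"):
            return lib
    return None


def enable_fips(lib):
    """Turn on FIPS mode via lib.FIPS_mode_set(1) and confirm it with FIPS_mode().
    Accepts a ctypes.CDLL for libcrypto or any object exposing the same two
    functions. Raises RuntimeError when the mode cannot be enabled, instead of
    silently continuing with non-approved algorithms."""
    fips_mode = lib.FIPS_mode
    fips_mode.argtypes = []
    fips_mode.restype = ctypes.c_int
    fips_mode_set = lib.FIPS_mode_set
    fips_mode_set.argtypes = [ctypes.c_int]
    fips_mode_set.restype = ctypes.c_int

    before = fips_mode()
    set_result = fips_mode_set(1)  # OpenSSL returns 1 on success, 0 on failure
    after = fips_mode()
    if set_result != 1 or after != 1:
        raise RuntimeError(
            "FIPS_mode_set(1) failed (returned %d, FIPS_mode()=%d); "
            "libcrypto is probably not a FIPS-capable build" % (set_result, after))
    return {"before": before, "set_result": set_result, "after": after}


def hash_availability(algorithms=("sha1", "sha256", "md5")):
    """Report which hashlib constructors currently work. With a FIPS-enabled
    OpenSSL, hashlib.new("md5") raises ValueError because MD5 is not approved."""
    result = {}
    for name in algorithms:
        try:
            hashlib.new(name, b"constructed sample input").hexdigest()
            result[name] = True
        except ValueError:
            result[name] = False
    return result


class FakeLibcrypto:
    """Constructed stand-in for a FIPS-capable libcrypto, so the flow above can be
    exercised where no such build is installed. Mimics the OpenSSL 1.0.x API:
    FIPS_mode() returns 0/1, FIPS_mode_set(1) returns 1 on success, 0 on failure."""

    def __init__(self, fips_capable=True):
        state = {"on": 0}

        def fips_mode():
            return state["on"]

        def fips_mode_set(onoff):
            if not fips_capable:
                return 0
            state["on"] = 1 if onoff else 0
            return 1

        # Plain functions (not bound methods) so argtypes/restype can be set on them.
        self.FIPS_mode = fips_mode
        self.FIPS_mode_set = fips_mode_set


def main():
    lib = load_libcrypto()
    if lib is None:
        print("no FIPS-capable libcrypto found; using the FakeLibcrypto stand-in")
        lib = FakeLibcrypto()
    try:
        print("FIPS mode: %s" % enable_fips(lib))
    except RuntimeError as exc:
        print("error: %s" % exc)
    print("hashlib availability: %s" % hash_availability())


if __name__ == "__main__":
    main()
```

Run it with the same Python interpreter that runs DCLI: if load_libcrypto() finds a FIPS-capable libcrypto, enable_fips() turns the mode on for the whole process (as the script edit does) and hash_availability() should then report md5 as unavailable; on an interpreter without such a build the stand-in is used, which shows the control flow but does not change the real OpenSSL state.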