Information
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements.
In vSphere 6.7 and later, ESXi and vCenter Server use FIPS-validated cryptography to protect management interfaces and the VMware Certificate Authority (VMCA).
vSphere 7.0 Update 2 and later add further FIPS-validated cryptography to the vCenter Server Appliance. This FIPS validation option is disabled by default and must be enabled.
Satisfies: SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000231, SRG-APP-000412, SRG-APP-000514, SRG-APP-000555, SRG-APP-000600, SRG-APP-000610, SRG-APP-000620, SRG-APP-000630, SRG-APP-000635
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Web Client, go to Developer Center >> API Explorer.
From the 'Select API' drop-down menu, select appliance.
Expand system/security/global_fips >> PUT.
In the request body under 'Try it out', paste the following:
{
"enabled": true
}
Click 'Execute'.
Note: The vCenter server reboots after FIPS is enabled or disabled.
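The same change made through the REST API instead of the API Explorer, with a read-back of the current setting first. This is an added example, not part of the benchmark text. It assumes the vCenter 7.0 Update 2+ REST paths /api/session and /api/appliance/system/security/global-fips and the vmware-api-session-id header; the function names are hypothetical.

```python
import base64
import json
import urllib.request

# Assumption: REST paths as exposed by vCenter 7.0 U2+; the page names only the
# API Explorer entry (appliance >> system/security/global_fips).
SESSION_PATH = "/api/session"
FIPS_PATH = "/api/appliance/system/security/global-fips"


def fips_request(host, token, enable=None):
    """Build a GET (enable=None) or PUT request for the global FIPS setting."""
    headers = {"vmware-api-session-id": token}
    body = None
    if enable is not None:
        # Valid JSON needs double-quoted keys; json.dumps guarantees that.
        body = json.dumps({"enabled": bool(enable)}).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(
        f"https://{host}{FIPS_PATH}", data=body, headers=headers,
        method="PUT" if body else "GET")


def fips_enabled(response_body):
    """Return True only if the GET response carries "enabled": true."""
    try:
        doc = json.loads(response_body)
    except (TypeError, ValueError):
        return False
    return isinstance(doc, dict) and doc.get("enabled") is True


def ensure_fips(host, user, password):
    """Log in, read the setting, enable it if needed. Returns the prior state."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(
        f"https://{host}{SESSION_PATH}", method="POST",
        headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(login) as resp:
        token = json.loads(resp.read())  # session id is returned as a JSON string
    with urllib.request.urlopen(fips_request(host, token)) as resp:
        was_enabled = fips_enabled(resp.read())
    if not was_enabled:
        # vCenter reboots after this call, so schedule it accordingly.
        urllib.request.urlopen(fips_request(host, token, enable=True)).close()
    return was_enabled
```

Calling ensure_fips a second time after the reboot should return True, which is the compliant state for this item.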
Item Details
References: CAT|I, CCI|CCI-000197, CCI|CCI-000803, CCI|CCI-001188, CCI|CCI-001199, CCI|CCI-001967, CCI|CCI-002450, CCI|CCI-003123, Rule-ID|SV-256331r885604_rule, STIG-ID|VCSA-70-000077, Vuln-ID|V-256331
Control ID: 9c0c28baebb5392effa7b5d29826564729c597d586be8b52c28df0e709935b3d