The vCenter Server must enable FIPS-validated cryptography.

An XCCDF Rule

Description

<VulnDiscussion>FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. In vSphere 6.7 and later, ESXi and vCenter Server use FIPS-validated cryptography to protect management interfaces and the VMware Certificate Authority (VMCA). vSphere 7.0 Update 2 and later adds additional FIPS-validated cryptography to vCenter Server Appliance. By default, this FIPS validation option is disabled and must be enabled. Satisfies: SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000231, SRG-APP-000412, SRG-APP-000514, SRG-APP-000555, SRG-APP-000600, SRG-APP-000610, SRG-APP-000620, SRG-APP-000630, SRG-APP-000635</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258917r934409_rule
Severity: High
References: CCI-000197 CCI-000803 CCI-001188 CCI-001199 CCI-001967 CCI-002450 CCI-003123
Updated: 17 days ago

From the vSphere Web Client go to Developer Center >> API Explorer.

From the "Select API" drop-down menu, select appliance.

Expand system/security/global_fips >> PUT.
In the response body under "Try it out" paste the following:

{
    "enabled": true
}

Click "Execute".

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

$spec = Initialize-SystemSecurityGlobalFipsUpdateSpec -Enabled $true; Invoke-SetSystemGlobalFips -SystemSecurityGlobalFipsUpdateSpec $spec

Note: The vCenter server reboots after FIPS is enabled or disabled.

The vCenter Server must enable FIPS-validated cryptography.

Description

Remediation - Manual Procedure