UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Server must enable FIPS-validated cryptography.


Overview

Finding ID Version Rule ID IA Controls Severity
V-256331 VCSA-70-000077 SV-256331r885604_rule High
Description
FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. In vSphere 6.7 and later, ESXi and vCenter Server use FIPS-validated cryptography to protect management interfaces and the VMware Certificate Authority (VMCA). vSphere 7.0 Update 2 and later adds additional FIPS-validated cryptography to vCenter Server Appliance. By default, this FIPS validation option is disabled and must be enabled. Satisfies: SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000231, SRG-APP-000412, SRG-APP-000514, SRG-APP-000555, SRG-APP-000600, SRG-APP-000610, SRG-APP-000620, SRG-APP-000630, SRG-APP-000635
STIG Date
VMware vSphere 7.0 vCenter Security Technical Implementation Guide 2023-03-01

Details

Check Text ( C-60006r885602_chk )
From the vSphere Web Client, go to Developer Center >> API Explorer.

From the "Select API" drop-down menu, select appliance.

Expand system/security/global_fips >> GET.

Click "Execute" and then "Copy Response"  to view the results.

Example response:

{
"enabled": true
}

If global FIPS mode is not enabled, this is a finding.
Fix Text (F-59949r885603_fix)
From the vSphere Web Client, go to Developer Center >> API Explorer.

From the "Select API" drop-down menu, select appliance.

Expand system/security/global_fips >> PUT.

In the response body under "Try it out", paste the following:

{
"enabled": true
}

Click "Execute".

Note: The vCenter server reboots after FIPS is enabled or disabled.