Starting in NSX 6.3.0, you can enable FIPS mode, which turns on the cipher suites that comply with FIPS.

Caution: When you upgrade from a version of NSX earlier than NSX 6.3.0 to NSX 6.3.0 or later, you must not enable FIPS mode before the upgrade is completed. Enabling FIPS mode before the upgrade is complete will interrupt communication between upgraded and not-upgraded components.

FIPS mode status in NSX components after upgrade to NSX 6.3.x.

| NSX Component | FIPS Mode Status |
|---|---|
| NSX Manager | After upgrade to 6.3.x, FIPS mode on NSX Manager appliances is available and turned off. Do not enable FIPS until upgrade of all NSX components is complete, and FIPS has been enabled on all NSX Edge appliances. |
| NSX Controller cluster | After upgrade to 6.3.x, the NSX Controller cluster is FIPS compliant. This is not configurable. |
| NSX host cluster | After upgrade to 6.3.x, NSX host clusters are FIPS compliant. This is not configurable. |
| NSX Edge | After upgrade to 6.3.x, FIPS mode on NSX Edge appliances is available and turned off. Do not enable FIPS until upgrade of all NSX components is complete. |
| Guest Introspection service VM | After upgrade to 6.3.x, the Guest Introspection service VM is FIPS compliant. This is not configurable. |

If you are upgrading to NSX 6.3.x and want to enable FIPS, you must complete the following steps:

1. Verify any partner solutions are FIPS mode certified. See the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility/search.php?deviceCategory=security. Check the partner documentation for information.
2. Upgrade NSX Manager to NSX 6.3.0 or later.
3. Upgrade the NSX Controller cluster to NSX 6.3.0 or later.
4. Upgrade all host clusters running NSX workloads to NSX 6.3.0 or later.
5. Upgrade all NSX Edge appliances to NSX 6.3.0 or later.
6. If installed, upgrade Guest Introspection on all host clusters to NSX 6.3.0 or later.
7. Enable FIPS mode on NSX Edge appliances. See Change FIPS Mode on NSX Edge in the NSX Administration Guide.
8. Enable FIPS mode on the NSX Manager appliances. See Change FIPS Mode and TLS Settings on NSX Manager in the NSX Administration Guide.
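The ordering rules in the steps above can be checked as a pre-flight gate before anyone changes FIPS mode. The following is an added example, not VMware code: it calls no NSX API, and the inventory records, field names and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

MIN_VERSION = (6, 3, 0)            # FIPS mode exists from NSX 6.3.0 onward
CONFIGURABLE = {"edge", "manager"}  # only these have a FIPS switch (see table)

@dataclass
class Component:                    # hypothetical inventory record
    kind: str                       # manager, controller, host_cluster, edge, guest_introspection
    name: str
    version: str                    # e.g. "6.3.1" or "6.3.1.5124716"
    fips_enabled: bool = False

def parse_version(text):
    """Numeric major.minor.patch so that 6.10.0 > 6.3.0 and '6.3' == 6.3.0."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def fips_blockers(inventory, target, partners_certified):
    """Reasons FIPS must not yet be enabled on `target` ('edge' or 'manager')."""
    if target not in CONFIGURABLE:
        raise ValueError(f"FIPS mode is not configurable on {target}")
    blockers = []
    if not partners_certified:      # step 1
        blockers.append("partner solutions not verified as FIPS mode certified")
    for c in inventory:             # steps 2-6: every component upgraded first
        if parse_version(c.version) < MIN_VERSION:
            blockers.append(f"{c.kind} {c.name} still at {c.version}")
    if target == "manager":         # step 8 only after step 7 on all Edges
        for c in inventory:
            if c.kind == "edge" and not c.fips_enabled:
                blockers.append(f"edge {c.name} does not have FIPS enabled")
    return blockers

# Constructed sample inventory: one host cluster has not been upgraded yet.
SAMPLE_INVENTORY = [
    Component("manager", "nsxmgr-01", "6.3.1"),
    Component("controller", "ctrl-cluster", "6.3.1"),
    Component("host_cluster", "compute-a", "6.3.1"),
    Component("host_cluster", "compute-b", "6.2.9"),
    Component("edge", "edge-1", "6.3.1"),
]

if __name__ == "__main__":
    for target in ("edge", "manager"):
        reasons = fips_blockers(SAMPLE_INVENTORY, target, partners_certified=True)
        print(target, "-> OK" if not reasons else f"-> blocked: {reasons}")
```
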