D2N1
Contributor
Contributor

Activate FIPS Mode on vRLI

Hi guys

 

I just bumped into a very strange behaviour after enabling FIPS Mode on vRLI 8.4.0 - so I wanted you to let you know the details before you go ahead and activate this Mode as well.

 

After the upgrade to version 8.4.0 (we were on 8.3.0) you have the option to Activate FIPS Mode under the Administration tab in vRLI (Configuration -> General). We wanted to activate this for security reasons. We use Active Directory as authentication method on vRLI.

 

So, we did a snapshot of the vRLI appliance first (lucky me!), activated the FIPS Mode and waited. (Note that after you activate the FIPS Mode, the appliance will restart but the Web UI stays) After the restart was complete we were not able to login through the Web UI anymore. We tried with several AD-accounts but had no luck. The only way was to login through SSH with the local admin account. After collecting a support bundle we reverted to the latest snapshot and everything worked fine again. The VMware Support had a look at the logs and found following very strange entry in runtime.log:

 

com.vmware.loginsight.rbac.RBACException: User [abcdefghi] not found in domain yyyyyy.xx.

 

We than doublechecked the settings under Administration -> Management > Access Control and under “Users and Groups” there was still an entry of a user that did not exist anymore (he left the company a couple of months ago). So it looks like that after enabling FIPS Mode, vRLI checks for all the accounts that you see in this view and if there is no such user in you AD environment, FIPS mode prevents you from logging in. After removing this user we did another attempt and now it worked as expected. Finally we are able to use vRLI as usual with FIPS mode enabled.

 

I do not know if this behaviour is also seen if you use VMware Identity Manager as Authetnication method. However, just make sure you clean up the entries under Access Control before activating FIPS Mode.

 

Please note that after enabling FIPS Mode you cannot disable it. You have to take a snapshot first and revert back if anything fails. So keep in mind to test every usual usage after anbeling FIPS mode before deleting the Snapshot. You can find a bit more details on the product documentation at https://docs.vmware.com/en/vRealize-Log-Insight/8.4/com.vmware.log-insight.administration.doc/GUID-3...

 

I hope this post helped you.

Cheers, Daniel

0 Kudos
0 Replies