
Dell VxRail Security Configuration Guide


FIPS mode in VxRail Manager

The VxRail Manager VM supports enabling FIPS mode at the operating system level. The relevant binaries are submitted by the operating system vendor and are undergoing FIPS 140-3 certification.

FIPS mode

Enabling FIPS mode helps to configure stricter restrictions at the operating system level. For example, communication protocols that support cryptographic agility do not announce ciphers that the system would refuse if they were selected. A VxRail Manager VM running in FIPS mode enforces that any TLS 1.2 connection must use the Extended Master Secret (EMS) extension (RFC 7627), because the FIPS 140-3 standard requires it. Legacy clients that do not support EMS or TLS 1.3 cannot connect to VxRail Manager servers running in FIPS mode. Likewise, a VxRail Manager VM in FIPS mode acting as the client cannot connect to servers that support only TLS 1.2 without EMS.
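To find clients that this restriction would lock out before FIPS mode is enabled, the ClientHello each client sends can be inspected for the EMS extension or a TLS 1.3 offer. The following Python sketch is an added example, not part of the Dell guide or of VxRail; it assumes the ClientHello arrives as one unfragmented TLS record (for example, exported from a packet capture), and the sample records are constructed for illustration.

```python
import struct

EXT_EMS = 0x0017                 # extended_master_secret (RFC 7627)
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions (RFC 8446)
TLS13 = 0x0304

def parse_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} from a single-record TLS ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                      # record + handshake headers, version, random
    pos += 1 + record[pos]                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                # compression_methods
    exts = {}
    if pos >= len(record):                # very old clients send no extensions at all
        return exts
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        exts[etype] = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def can_reach_fips_server(record: bytes) -> bool:
    """True if the client offers EMS (needed for TLS 1.2) or offers TLS 1.3."""
    exts = parse_extensions(record)
    sv = exts.get(EXT_SUPPORTED_VERSIONS, b"")
    # supported_versions body: 1-byte list length, then 2-byte version codes
    versions = {struct.unpack_from("!H", sv, i)[0] for i in range(1, len(sv) - 1, 2)}
    return EXT_EMS in exts or TLS13 in versions

def build_hello(ext_blob: bytes) -> bytes:
    """Constructed sample ClientHello: zero random, one cipher suite."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    if ext_blob:
        body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

LEGACY = build_hello(b"")                               # TLS 1.2, no extensions
WITH_EMS = build_hello(b"\x00\x17\x00\x00")             # TLS 1.2 with EMS
OFFERS_TLS13 = build_hello(b"\x00\x2b\x00\x03\x02\x03\x04")

if __name__ == "__main__":
    for name, hello in [("legacy", LEGACY), ("ems", WITH_EMS), ("tls1.3", OFFERS_TLS13)]:
        print(f"{name}: can connect in FIPS mode = {can_reach_fips_server(hello)}")
```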

Enable FIPS mode on your VxRail Manager VM only when required to meet compliance rules. Otherwise, do not run your systems in FIPS mode.

Unless you are required to use FIPS mode, consider the following reasons to not enable FIPS mode:

  • FIPS mode is restrictive. FIPS mode enforces the use of specific validated cryptographic algorithms and specific certified binaries that implement these validated algorithms. You must use only the certified binaries.
  • Upgrades may break functionality. For example, upgrading the software stack may include updates to the underlying cryptographic module, which could affect the compliance and functionality of the solution.
  • Administering FIPS is complex and requires significant expertise.

Enable or disable FIPS mode

For VxRail 8.0.331 and later, FIPS mode is disabled by default on the VxRail Manager VM to ensure better compatibility. Enabling FIPS mode for the VxRail Manager VM is a manual procedure. FIPS mode does not persist if you back up or restore a VM, and must be enabled again if needed.

To enable or disable FIPS mode for the VxRail Manager, see KB 330812.

