Connection Servers in the same pod that were deployed with different FIPS mode configurations are unable to communicate.

The installation log of a recent Connection Server deployment (C:\ProgramData\VMware\logs\vmmsi.log_YYYYMMDD_xxxxxx.log) contains the line "VDM_FIPS_ENABLED = 0".

The registry value "HKLM\Software\VMware, Inc.\VMware VDM\FipsMode" is 1 if the server was installed in FIPS mode, or 0 if it was not.

The View Admin console will not come up on a Connection Server that was deployed into a Horizon View pod with FIPS mode enabled when FIPS mode was not selected as an option during deployment on that server. Messages similar to the following are seen in the connection server logs (vdm-logs/debug-YYYY-MM-DD-XXXXXX.txt):

2023-01-26T17:55:00.942-05:00 DEBUG (10E8-13D0) <Outbound JMS Error Responder Thread> [JMSRouter] Error creating topic config for topic: IceTunnelTopic com.vmware.vdi.logger.Logger.debug(Logger.java:44)
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1002)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

Messages similar to the following are seen in vdm-logs/messagebus/info.log:

2023-01-26 17:55:58.351/[NioTCPListener, swiftlet=sys$jms, port=4002]/INFORMATION/connection accepted: 127.0.0.1
2023-01-26 17:55:58.374/127.0.0.1:53240/NioHandler/INFORMATION/SSL Handshake exception, initiating delayed EXIT (1000ms): javax.net.ssl.SSLHandshakeException: no cipher suites in common
2023-01-26 17:55:59.401/127.0.0.1:53240/NioHandler/INFORMATION/close
This article describes how to identify whether an existing Connection Server or Security Server has FIPS mode enabled, so that you can confirm that all deployed Connection Server and Security Server components are operating with FIPS mode enabled (or all with it disabled).
A non-functional environment is expected when Connection Servers are deployed in different FIPS mode configurations. If a FIPS mode deployment is intended, all Connection Servers and View Agents are expected to be in FIPS mode as well. If a FIPS mode deployment is not intended, none of the Connection Servers or View Agents should be deployed in FIPS mode.

View Desktops must run the same FIPS mode configuration as all of the Connection Servers. Switching between FIPS mode deployment models may require the View Agent software to be redeployed so that it matches the chosen model.
Before deploying a Connection Server or Security Server in FIPS mode, FIPS mode must be enabled at the Windows OS level. More information from Microsoft on FIPS can be found in the Microsoft article "FIPS 140-2 Validation". FIPS mode is typically configured by GPO, but it can also be turned on by setting the following registry value:

HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled = 1

To correct a mismatched pod:

1. Confirm your intended deployment configuration (FIPS mode enabled or disabled).
2. Identify the Connection Server(s) / Security Server(s) that were deployed with the incorrect FIPS mode configuration.
3. Uninstall the Connection Server / Security Server software on those servers.
4. Reinstall the Connection Server / Security Server software, deploying it with the correct FIPS mode configuration.
If a Connection Server was deployed with FIPS mode enabled, you can expect to see log messages in the log-YYYY-MM-DD.txt (or debug-YYYY-MM-DD.txt) file that look like the following:

INFO (0D4C-165C) <localhost-startStop-1> [ServerConfigurationFilter] Broker started in FIPS mode
INFO (155C-1734) <Thread-2> [Ice] Server started in FIPS mode

If FIPS is enabled in the guest OS (regardless of whether FIPS was enabled when the Connection Server / Security Server was deployed), you can expect to see the following log entry in log-YYYY-MM-DD.txt (or debug-YYYY-MM-DD.txt):

INFO (1240-2ED8) <MessageFrameWorkDispatch> [MessageFrameWork] KeyVault: Initiating in FIPS mode

To reiterate, the "KeyVault: Initiating in FIPS mode" log message only indicates that the guest OS has FIPS enabled. It does not indicate (and should not be used to indicate) that the Connection Server itself was deployed with FIPS enabled.
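The checks described in this article (the Horizon FipsMode registry value, the Windows FIPSAlgorithmPolicy value, and the indicator strings in the Horizon logs) can be collected in one pass per server. The following PowerShell script is an added example, not part of the article or of the Horizon product; it assumes the default Horizon log directory C:\ProgramData\VMware\VDM\logs (the article names only the vdm-logs and messagebus sub-paths), that it is run as an administrator on each Connection Server / Security Server, and the helper name Get-RegistryDword is hypothetical. It distinguishes the deployment-level indicators ("Broker started in FIPS mode", "Server started in FIPS mode") from the OS-level-only indicator ("KeyVault: Initiating in FIPS mode") and reports whether the handshake symptoms quoted above are present.

```powershell
# Added diagnostic script (not from the article). Reports, for this server:
#   - HorizonFipsMode: the Horizon installer flag (1 = installed in FIPS mode)
#   - WindowsFipsPolicy: the OS-level FIPS policy (must be 1 before a FIPS install)
#   - which of the article's log indicators are present
# Assumption: logs live under C:\ProgramData\VMware\VDM\logs (default install path).
param(
    [string]$LogRoot = 'C:\ProgramData\VMware\VDM\logs'   # assumed default location
)

# Hypothetical helper: read a DWORD value, returning $null when the key/value is absent.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

# 1. Horizon's own flag: 1 if the server was installed in FIPS mode, 0 if not.
$vdmFips = Get-RegistryDword -Path 'HKLM:\SOFTWARE\VMware, Inc.\VMware VDM' -Name 'FipsMode'

# 2. Windows OS policy: required to be 1 before a FIPS-mode deployment.
$osFips = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' -Name 'Enabled'

# 3. Log indicators quoted in the article, grouped by what they actually prove.
$patterns = @{
    BrokerFips   = 'Broker started in FIPS mode'                  # deployment flag
    IceFips      = 'Server started in FIPS mode'                  # deployment flag
    KeyVaultFips = 'KeyVault: Initiating in FIPS mode'            # OS-level only
    NoCipher     = 'no cipher suites in common'                   # mismatch symptom (messagebus)
    Handshake    = 'Remote host closed connection during handshake' # mismatch symptom (debug log)
}

$logFiles = Get-ChildItem -Path $LogRoot -Recurse -Include 'log-*.txt','debug-*.txt','info.log' -ErrorAction SilentlyContinue
$hits = @{}
foreach ($key in $patterns.Keys) {
    # Literal match (no regex) so the parentheses/colons in the strings are taken as-is.
    $hits[$key] = @($logFiles | Select-String -SimpleMatch -Pattern $patterns[$key] | Select-Object -First 5)
}

$deployedInFips = ($hits.BrokerFips.Count -gt 0) -or ($hits.IceFips.Count -gt 0)

$report = [pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    HorizonFipsMode     = $vdmFips
    WindowsFipsPolicy   = $osFips
    DeployedInFips      = $deployedInFips
    # KeyVault line alone means only the OS is in FIPS mode, not the Horizon install.
    KeyVaultFipsOnly    = ($hits.KeyVaultFips.Count -gt 0) -and (-not $deployedInFips)
    CipherMismatchSeen  = ($hits.NoCipher.Count -gt 0) -or ($hits.Handshake.Count -gt 0)
}

# Flag the two inconsistent states the article describes.
if ($vdmFips -eq 1 -and $osFips -ne 1) {
    Write-Warning "Horizon installed in FIPS mode but the Windows FIPS policy is not enabled."
}
if ($report.CipherMismatchSeen) {
    Write-Warning "Handshake/cipher-suite failures found: compare HorizonFipsMode across every server in the pod."
}

$report
```

To compare the whole pod, run the script on every Connection Server / Security Server (for example via Invoke-Command -FilePath against a constructed list of server names) and group the results by HorizonFipsMode; more than one group means the pod is in the mismatched state this article describes, and the servers in the minority group are the ones to reinstall with the correct setting.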