...
The NSX-T Data Center platform uses several FIPS 140-2 validated cryptographic modules in both the Unified Appliance and the Edge Node Appliances to run the platform in FIPS-compliant mode. FIPS validated modules are eventually sunset, either when the module's validation certificate reaches its expiry date or when NIST/CMVP no longer re-validates the module, and vendors replace those modules as necessary to maintain the FIPS compliance of their platforms. The NSX-T FIPS validated modules are listed in our public documentation.
The VMware OpenSSL FIPS Object Module version 2.0.9, and the VMware VPN Crypto Module version 1.0 that is bound to it, will be sunset on 1/29/2022 for the following versions of NSX-T Data Center:
- NSX-T Data Center 3.1.x
- NSX-T Data Center 3.0.x
- NSX-T Data Center 2.x
The validation certificates of the modules will be marked as historical. This does not mean that the FIPS 140-2 certificates for these modules have been revoked; it indicates that the certificates and the documentation posted with them are either more than 5 years old, or were moved to the historical list because of an algorithm transition. In practice, a module on the historical list should not be included in new procurements, while existing deployments may continue to use it subject to a risk determination by the operator or their authorizing body.
To maintain FIPS compliance, the NSX-T Data Center version listed below has replaced the sunset module and its bound module with the VMware VPN Crypto Module version 2.0, which is currently listed as 'Review Pending' in the NIST/CMVP Modules In Process (MIP) list, available here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list. VMware expects this module to move to a validated status within the next few months.
Customers with FIPS compliance requirements will need to deploy or upgrade their NSX-T Data Center deployments to the following version:
- NSX-T Data Center 3.2.0.1 (greenfield and upgraded deployments)
Alternatively, customers may make a risk determination on whether to continue using the modules on the historical list, based on their own assessment of where and how the module is used (in NSX-T, these modules back the IPsec VPN feature). Please note that the VMware VPN Crypto Module version 1.0 has its own sunset date of 10/1/2024, but because the module it is bound to (OpenSSL FIPS Object Module 2.0.9) sunsets on 1/29/2022, both will be moved to the historical list on that date.
Frequently Asked Questions:

Q: Will my IPsec VPN feature stop functioning on 1/29/2022?
A: No. The sunset of a FIPS validated module does not stop or otherwise affect the IPsec VPN feature; it continues to run as intended. Only the validation status of the underlying cryptographic module changes.

Q: If I upgrade to 3.2.0.1, will I lose my FIPS validation because the new module is 'In Process'?
A: FIPS validation is a long process, typically 8-12 months, so the practice is to integrate the module into the product and claim 'In Process' status while CMVP review is pending. The module has gone through intensive security review and testing by a third-party accredited lab and is awaiting review and validation by CMVP. Whether an 'In Process' module satisfies a particular compliance requirement is a determination for the customer and their assessor or authorizing body.

Q: What is the upgrade path for customers who have been using Hot Patches / Express Patches on 2.5.x, 3.0.x and 3.1.x?
A: Upgrade paths will be provided when fixes are provided for these versions. In the meantime, customers can follow the standard upgrade paths located here: https://interopmatrix.vmware.com/Upgrade?productId=175

Q: Is the OpenSSL FIPS Object Module upgradable to the latest version without upgrading to a later version of NSX-T?
A: No. The OpenSSL FIPS Object Module cannot be upgraded independently of NSX-T.

Q: How does a customer know if their environment is subject to this issue? Is there a command that shows whether the OpenSSL FIPS Object Module is at version 2.0.9, or is impact determined by the NSX-T version number?
A: There are no commands that display the OpenSSL FIPS Object Module version. Impact is determined by the NSX-T version: any customer running any build of the NSX-T versions listed above under 'What is happening' (3.1.x, 3.0.x and 2.x) is affected.