Product Documentation

Configure FIPS with XenMobile

Feb 21, 2018


XenMobile Service server-side components are not FIPS 140-2 compliant.

Federal Information Processing Standards (FIPS) mode in XenMobile supports U.S. federal government customers by configuring the server to use only FIPS 140-2 certified libraries for all encryption operations. Installing your XenMobile server with FIPS mode ensures that all data at rest and data in transit for both the XenMobile client and server are fully compliant with FIPS 140-2.

Before installing a XenMobile Server in FIPS mode, you need to complete the following prerequisites.

  • You must use an external SQL Server 2012 or SQL Server 2014 for the XenMobile database. The SQL Server also must be configured for secure SSL communication. For instructions on configuring secure SSL communication to SQL Server, see the SQL Server Books Online.
  • Secure SSL communication requires that an SSL certificate be installed on your SQL Server. The SSL certificate can either be a public certificate from a commercial CA or a self-signed certificate from an internal CA. Note that SQL Server 2014 cannot accept a wildcard certificate. Citrix recommends, therefore, that you request an SSL certificate with the FQDN of the SQL Server.
  • If you use a self-signed certificate for SQL Server, you will need a copy of the root CA certificate that issued your self-signed certificate. The root CA certificate must be imported to the XenMobile server during installation.

Configuring FIPS mode

You can enable FIPS mode only during the initial setup of XenMobile server. It is not possible to enable FIPS after installation is complete. Therefore, if you plan on using FIPS mode, you must install the XenMobile server with FIPS mode from the start. In addition, if you have a XenMobile cluster, all cluster nodes must have FIPS enabled; you cannot have a mix of FIPS and non-FIPS XenMobile servers in the same cluster.

There is a Toggle FIPS mode option in the XenMobile command-line interface that is not for production use. This option is intended for non-production, diagnostic use and is not supported on a production XenMobile server.

1. During initial setup, enable FIPS mode.

2. Upload the root CA certificate for your SQL Server. If you used a self-signed SSL certificate rather than a public certificate on your SQL Server, choose Yes for this option and then do one of the following:

a. Copy and paste the CA certificate.

b. Import the CA certificate. To import the CA certificate, you must post the certificate to a website that is accessible from the XenMobile server via an HTTP URL. For details, see Uploading the certificate to XenMobile.

3. Specify the server name and port of your SQL Server, the credentials for logging into SQL Server, and the database name to create for XenMobile.

Note: You can use either a SQL logon or an Active Directory account to access SQL Server, but the logon you use must have the DBcreator role.

4. To use an Active Directory account, enter the credentials in the format domain\username.

5. Once these steps are complete, proceed with the XenMobile initial setup.

To confirm that the configuration of FIPS mode is successful, log on to the XenMobile command-line interface. The phrase In FIPS Compliant Mode appears in the logon banner.

Importing Certificates

The following procedure describes how to configure FIPS on XenMobile by importing the certificate, which is required when you use a VMware hypervisor.

SQL Prerequisites

1. The connection to the SQL instance from XenMobile needs to be secure and must be SQL Server version 2012 or SQL Server 2014. To secure the connection, see How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console.

2. If the service does not restart properly, check the following:Open Services.msc.

a. Copy the logon account information used for the SQL Server service.

b. Open MMC.exe on the SQL Server.

c. Go to File > Add/Remove Snap-in and then double-click the certificates item to add the certificates snap-in. Select the computer account and local computer in the two pages on the wizard.

d. Click OK.

e. Expand Certificates (Local Computer) > Personal > Certificates and find the imported SSL certificate.

f. Right-click the imported certificate (selected in the SQL Server Configuration Manager) and then click All Tasks > Manage Private Keys.

g. Under Group or User names, click Add.

h. Enter the SQL service account name you copied in the earlier step.

i. Clear the Allow Full Control option. By default the service account will be given both Full control and Read permissions, but it only needs to be able to read the private key.

j. Close MMC and start the SQL service.

3. Ensure the SQL service is started correctly.

Internet Information Services (IIS) Prerequisites

1. Download the rootcert (base 64).

2. Copy the rootcert to the default site on the IIS server, C:\inetpub\wwwroot.

3. Check the Authentication check box for the default site.

4. Set Anonymous to enabled.

5. Select the Failed Request Tracking rules check box.

6. Ensure that .cer is not blocked.

7. Browse to the location of the .cer in an Internt Explorer browser from the local server, http://localhost/certname.cer. The root cert text should appear in the browser.

8. If the root cert does not appear in the Internet Explorer browser, make sure that ASP is enabled on the IIS server as follows.

a. Open Server Manager.

b. Navigate to the wizard in Manage > Add Roles and Features.

c. In the server roles, expand Web Server (IIS), expand Web Server, expand Application Development and then select ASP.

d. Click Next until the install completes.

9. Open Internet Explorer and browse to http://localhost/cert.cer.

For more information, see Web Server (IIS).


You can use the use the IIS instance of the CA for this procedure.

Importing the Root Certificate During Initial FIPS Configuration

When you complete the steps to configure XenMobile for the first time in the command-line console, you must complete these settings to import the root certificate. For details on the installation steps, see Installing XenMobile.

  • Enable FIPS: Yes
  • Upload Root Certificate: Yes
  • Copy(c) or Import(i): i
  • Enter HTTP URL to import: http://FQDN of IIS server/cert.cer
  • Server: FQDN of SQL Server
  • Port: 1433
  • User name: Service account which has the ability to create the database (domain\username).
  • Password: The password for the service account.
  • Database Name: This is a name you choose.

Enable FIPS mode on mobile devices

By default, FIPS mode is disabled on mobile devices. To enable FIPS mode, go to Settings > Client Properties, edit the Enable FIPS Mode property, and set the value to true. For more information, see Client properties