FIPS: Empty VNC password in FIPS mode

ALTER TABLE `cloud`.`vm_instance` MODIFY COLUMN `vnc_password` varchar(255) COMMENT 'vnc password';

engine/schema/src/main/resources/META-INF/db/schema-41810to41900.sql

@@ -323,3 +323,6 @@ CALL `cloud`.`IDEMPOTENT_ADD_COLUMN`('cloud.quarantined_ips', 'remover_account_i
 -- Explicitly add support for VMware 8.0b (8.0.0.2), 8.0c (8.0.0.3)
 INSERT IGNORE INTO `cloud`.`hypervisor_capabilities` (uuid, hypervisor_type, hypervisor_version, max_guests_limit, security_group_enabled, max_data_volumes_limit, max_hosts_per_cluster, storage_motion_supported, vm_snapshot_enabled) values (UUID(), 'VMware', '8.0.0.2', 1024, 0, 59, 64, 1, 1);
 INSERT IGNORE INTO `cloud`.`hypervisor_capabilities` (uuid, hypervisor_type, hypervisor_version, max_guests_limit, security_group_enabled, max_data_volumes_limit, max_hosts_per_cluster, storage_motion_supported, vm_snapshot_enabled) values (UUID(), 'VMware', '8.0.0.3', 1024, 0, 59, 64, 1, 1);
+
+-- Allow empty VNC password in FIPS mode
+ALTER TABLE `cloud`.`vm_instance` MODIFY COLUMN `vnc_password` varchar(255) COMMENT 'vnc password';

server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java

@@ -159,7 +159,9 @@ public AgentControlAnswer onConsoleAccessAuthentication(ConsoleAccessAuthenticat
         }
 
         String sid = cmd.getSid();
-        if (sid == null || !sid.equals(vm.getVncPassword())) {
+        if (StringUtils.isBlank(vm.getVncPassword())) {
+            s_logger.info("VM VNC password is null. VM is probably running in a FIPS-compliant CloudStack environment");
+        } else if (sid == null || !sid.equals(vm.getVncPassword())) {
             s_logger.warn("sid " + sid + " in url does not match stored sid.");
             return new ConsoleAccessAuthenticationAnswer(cmd, false);
         }

server/src/main/java/com/cloud/vm/UserVmManagerImpl.java

@@ -8432,6 +8432,9 @@ public Boolean getDestroyRootVolumeOnVmDestruction(Long domainId){
     }
 
     private void setVncPasswordForKvmIfAvailable(Map<String, String> customParameters, UserVmVO vm){
+        if (isFIPS()) {
+            return;
+        }
         if (customParameters.containsKey(VmDetailConstants.KVM_VNC_PASSWORD)
                 && StringUtils.isNotEmpty(customParameters.get(VmDetailConstants.KVM_VNC_PASSWORD))) {
             vm.setVncPassword(customParameters.get(VmDetailConstants.KVM_VNC_PASSWORD));

services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java

@@ -25,6 +25,7 @@
 
 import com.cloud.consoleproxy.util.Logger;
 
+import org.apache.commons.lang3.StringUtils;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.websocket.api.Session;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketClose;
@@ -98,8 +99,12 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
         long ajaxSessionId = 0;
         int port;
 
-        if (host == null || portStr == null || sid == null)
+        if (host == null || portStr == null) {
             throw new IllegalArgumentException();
+        }
+        if (StringUtils.isBlank(sid)) {
+            s_logger.info("sid is null. VM is probably running in a FIPS-compliant CloudStack environment");
+        }
 
         try {
             port = Integer.parseInt(portStr);

utils/src/main/java/com/cloud/utils/component/ManagerBase.java

@@ -19,10 +19,22 @@
 
 package com.cloud.utils.component;
 
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
 public class ManagerBase extends ComponentLifecycleBase implements ComponentMethodInterceptable {
     public ManagerBase() {
         super();
         // set default run level for manager components
         setRunLevel(ComponentLifecycle.RUN_LEVEL_COMPONENT_BOOTSTRAP);
     }
+
+    public boolean isFIPS() {
+        try {
+            SecureRandom.getInstance("NativePRNG");
+            return false;
+        } catch (NoSuchAlgorithmException ex) {
+            return true;
+        }
+    }
 }