VMware Unified Access Gateway 3.3.1 Fails to Start Blast Services in FIPS Mode

The FIPS version of the VMware Unified Access Gateway 3.3.1 appliance has a bug that prevents the local Blast services from initializing properly because of a cipher suite mismatch between local services on the appliance. The issue appears to be exclusive to the 3.3.1 release: it did not exist in 3.3.0 and is said to be patched in 3.4.0.

To resolve the issue, a single line needs to be edited in a configuration file on the appliance.

Open the following file in an editor:
/opt/vmware/gateway/lib/bsg/absg.properties

Locate the line for ‘localHttpsCipherSpec’ and replace it with the following:
localHttpsCipherSpec=!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES

Save the file. Disable and enable the Blast service in the web administration UI. Restart the appliance.
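
The file edit above can also be scripted so that a backup is kept and the result is checked. This is an added example, not part of the original post or VMware's tooling; the function name set_local_cipher_spec and the .bak backup suffix are assumptions, and it is meant to be run as root on the appliance.

```shell
#!/bin/sh
# Added example: apply the localHttpsCipherSpec edit with a backup and a check.
# set_local_cipher_spec and the ".bak" suffix are illustrative assumptions.

PROPS=/opt/vmware/gateway/lib/bsg/absg.properties
KEY=localHttpsCipherSpec
VALUE='!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES'

set_local_cipher_spec() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    # Refuse to edit unless the key appears exactly once, so an absent or
    # duplicated line is reported instead of being silently patched.
    count=$(grep -c "^${KEY}=" "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 ${KEY} line, found ${count}" >&2
        return 1
    fi

    # Already set to the wanted value: nothing to change, no backup needed.
    if grep -qxF "${KEY}=${VALUE}" "$file"; then
        return 0
    fi

    # Keep the original so the change can be reverted.
    cp -p "$file" "${file}.bak" || return 1

    # Rewrite only the matching line. Writing back with cat (not mv) keeps
    # the ownership and permissions of the original file.
    tmp=$(mktemp) || return 1
    sed "s|^${KEY}=.*|${KEY}=${VALUE}|" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1

    # Confirm the exact line from the article is now present.
    grep -qxF "${KEY}=${VALUE}" "$file"
}

# Usage on the appliance: set_local_cipher_spec "$PROPS"
```

The Blast service toggle in the web administration UI and the appliance restart still have to be done afterwards, as described above.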