SUSE Support

Configuring xrdp for FIPS compliance

This document (000020310) is provided subject to the disclaimer at the end of this document.


SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12


The server has FIPS mode enabled as described in TID000019432 - How to Enable FIPS on SLES.

Remote desktop access to the server is required.

The VNC services shipped with SLES do not provide FIPS-approved encryption, so they are not suitable on a FIPS-enabled server.

RDP through the xrdp service can run over TLS provided by the system OpenSSL, which uses the FIPS-validated module when the server is in FIPS mode, so xrdp is the proper choice for FIPS-enabled servers. The steps below restrict xrdp to TLS 1.2 and 1.3 and leave the legacy (non-TLS) RDP security layer without a usable key.


Installation and configuration of xrdp with FIPS mode enabled

1.  Register and update the server.

The SUSE server must be registered with the SUSE Customer Center (SCC) or with an appropriate update server such as SUSE Manager, SMT, or RMT. The repositories on the update server should have been mirrored recently, and the SUSE server should be fully updated before continuing: early maintenance levels of SLES 12 SP5 and SLES 15 SP2 have known FIPS issues.

2.  Install xrdp along with any dependencies.

# zypper install xrdp

If dependencies are required, allow the system to install all of them.

During installation a message about generating RSA keys with OpenSSL may appear: the package's post-install step tries to create the key for the legacy (non-TLS) RDP security layer in /etc/xrdp/rsakeys.ini, and that key is not usable under FIPS. The message can be ignored, because step 4 replaces the file.

3.  Edit appropriate entries in /etc/xrdp/xrdp.ini.

# vi /etc/xrdp/xrdp.ini

Locate the following entry and set it so that only TLS 1.2 and TLS 1.3 are offered to clients:

ssl_protocols=TLSv1.2, TLSv1.3

4.  Create a blank rsakeys.ini file.

# cp /dev/null /etc/xrdp/rsakeys.ini

rsakeys.ini holds the RSA key for the legacy RDP security layer. With the file empty, xrdp cannot complete that layer, which leaves TLS (step 3) as the security layer clients actually get.

5.  Generate the certificate and key PEM files at the default paths xrdp reads them from (certificate= and key_file= in xrdp.ini).

# openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/xrdp/key.pem -out /etc/xrdp/cert.pem -days 365

The command prompts for the subject fields; use the server's fully qualified host name as the Common Name so clients can match it. Because -nodes writes the private key unencrypted, make sure /etc/xrdp/key.pem is owned by root and readable only by root. The certificate is self-signed and expires after 365 days, so clients will warn on first connection and the certificate must be renewed; issuing one from an internal CA avoids both problems.

6.  Open firewall TCP port 3389 (RDP) and, if needed, 3350 (xrdp-sesman).

Port 3389 must be reachable from the RDP clients. Port 3350 belongs to xrdp-sesman, which on a default installation listens only on 127.0.0.1 (ListenAddress in /etc/xrdp/sesman.ini), so it only needs to be opened if sesman has been reconfigured to accept connections from another host; otherwise leave it closed.

These ports can be opened for the public zone if needed, by going into
yast2-->Security and Users-->Firewall (or simply "yast2 firewall") and making the following changes:

On SLES 12 (SuSEfirewall2):
Click on "Allowed Services".
From the "Service to Allow" drop down menu, select Remote Desktop Protocol.
Click the "Add" button and then Next and Finish.

On SLES 15 (firewalld):
Click on the "public" zone and then click on the "Ports" tab at the top.
In "TCP Ports" add the following entries. Use a comma delimiter between entries:
3389, 3350
Click Accept
Alternatively, the changes can be made from the command line:

On SLES 12 (SuSEfirewall2), as the root user edit /etc/sysconfig/SuSEfirewall2.
Locate the FW_CONFIGURATIONS_EXT line and add "xrdp" to the list of allowed services:

FW_CONFIGURATIONS_EXT="xrdp"

If there are other services listed (sshd, for example), use a space as a delimiter like this:

FW_CONFIGURATIONS_EXT="sshd xrdp"

After saving the file restart the service:
# systemctl restart SuSEfirewall2.service

On SLES 15 (firewalld), the following commands add the entries to the permanent configuration:
# firewall-cmd --zone=public --permanent --add-port=3389/tcp
# firewall-cmd --zone=public --permanent --add-port=3350/tcp
# systemctl restart firewalld.service

7.  Restart xrdp to apply the new configuration.

# systemctl restart xrdp

8.  Connect using a FIPS-enabled RDP client from Windows, Mac, or Linux.

If connecting from SUSE Linux Enterprise, use the following commands based on the OS version (the server name follows /v:):

xfreerdp /v: /encryption-methods:FIPS +glyph-cache

xfreerdp /v: /encryption-methods:FIPS

Note that /encryption-methods selects the cipher for the legacy RDP security layer; adding /sec:tls makes xfreerdp insist on the TLS security layer configured in step 3. On the first connection the client will ask to accept the self-signed certificate created in step 5.
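The result of steps 3 through 7 can be verified from another host. The following Python script is an added example and is not part of this TID or of the xrdp project. It sends the X.224 Connection Request with an RDP_NEG_REQ asking for the TLS security layer, parses the Connection Confirm, and only then starts a TLS handshake on the same TCP connection (RDP does not begin with a TLS ClientHello, which is why plain openssl s_client cannot probe port 3389). It reports the negotiated TLS version and repeats the handshake capped at TLS 1.1 to confirm that the ssl_protocols setting from step 3 is enforced. The target host, port 3389 and the sample packet bytes are assumptions; the capped probe must run from a client that is not itself in FIPS mode, since a FIPS client cannot offer TLS 1.1.

```python
"""Added example (not from the SUSE TID or xrdp): probe an RDP listener for the TLS security layer.
RDP opens with an X.224 Connection Request + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1); TLS begins only
after the Connection Confirm selects PROTOCOL_SSL, so `openssl s_client` alone cannot test port 3389."""
import socket
import ssl
import struct
import sys

PROTOCOL_RDP, PROTOCOL_SSL = 0x0, 0x1                               # requestedProtocols flags
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 1, 2, 3  # rdpNegData types
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_x224_connection_request(requested_protocols=PROTOCOL_SSL):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes with the default)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI, CR code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data):
    """Decode the server's Connection Confirm into {type, selected_protocol, failure_code}."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    li = data[4]
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % data[5])
    neg = data[11:5 + li]  # rdpNegData follows the 6-byte fixed part of the TPDU
    if not neg:  # no rdpNegData: server predates negotiation, standard RDP security only
        return {"type": None, "selected_protocol": PROTOCOL_RDP, "failure_code": None}
    if len(neg) < 8:
        raise ValueError("truncated rdpNegData")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", neg[:8])
    if neg_len != 8 or neg_type not in (TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        raise ValueError("unexpected rdpNegData type 0x%02x length %d" % (neg_type, neg_len))
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"type": neg_type, "selected_protocol": value, "failure_code": None}
    return {"type": neg_type, "selected_protocol": None, "failure_code": value}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during X.224 negotiation")
        buf += chunk
    return buf


def probe_rdp_tls(host, port=3389, maximum_version=None, timeout=5.0):
    """Negotiate PROTOCOL_SSL, then run a TLS handshake (optionally capped at maximum_version)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        header = _recv_exact(sock, 4)
        (length,) = struct.unpack(">H", header[2:4])
        result = parse_x224_connection_confirm(header + _recv_exact(sock, length - 4))
        result.update(tls_version=None, cipher=None, error=None)
        if result["selected_protocol"] != PROTOCOL_SSL:
            return result
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # self-signed cert (step 5): testing the protocol, not identity
        try:
            if maximum_version is not None:
                ctx.minimum_version = ssl.TLSVersion.TLSv1
                ctx.maximum_version = maximum_version
                # lower OpenSSL's client security level so TLS < 1.2 is really offered; a "refused"
                # result then comes from the server (this is not possible on a FIPS-mode client)
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result.update(tls_version=tls.version(), cipher=tls.cipher()[0])
        except ssl.SSLError as exc:
            result["error"] = str(exc)
        return result


def assess_fips_posture(default_probe, legacy_probe):
    """default_probe: uncapped probe; legacy_probe: probe capped at TLS 1.1. Empty list = OK."""
    findings = []
    if default_probe["selected_protocol"] != PROTOCOL_SSL:
        code = default_probe.get("failure_code")
        reason = ("no rdpNegData, standard RDP security only" if code is None
                  else FAILURE_CODES.get(code, "failure code %d" % code))
        findings.append("server did not select the TLS security layer: " + reason)
    elif default_probe["tls_version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append("negotiated %s, expected TLSv1.2 or TLSv1.3" % default_probe["tls_version"])
    if legacy_probe.get("tls_version") is not None:
        findings.append("server accepted %s; check ssl_protocols in /etc/xrdp/xrdp.ini" % legacy_probe["tls_version"])
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target host
    default = probe_rdp_tls(target)
    legacy = probe_rdp_tls(target, maximum_version=ssl.TLSVersion.TLSv1_1)
    print("default handshake:", default["tls_version"], default["cipher"], default["error"])
    print("TLS<=1.1 handshake:", legacy["tls_version"], legacy["error"])
    problems = assess_fips_posture(default, legacy)
    print("\n".join(problems) if problems else "OK: only TLS 1.2/1.3 via the RDP TLS security layer")
    sys.exit(1 if problems else 0)
```

Run it as python3 probe_rdp_tls.py server.example.com from a client outside the FIPS boundary. A correctly configured server yields a TLSv1.2 or TLSv1.3 handshake in the first probe and an SSLError in the second; a Connection Confirm without rdpNegData or with SSL_NOT_ALLOWED_BY_SERVER means clients are still being steered to the legacy security layer, and a successful TLSv1.1 handshake means the ssl_protocols change from step 3 did not take effect (check that xrdp was restarted).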


This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020310
  • Creation Date: 28-Jun-2021
  • Modified Date: 13-May-2022
  • Product: SUSE Linux Enterprise Server
