This is an upcoming (i.e. in progress) version of the manual.

Configure MongoDB for FIPS

New in version 2.6.

Overview

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government computer security standard used to certify cryptographic modules and libraries, that is, the software that encrypts and decrypts data. You can configure MongoDB to run with a FIPS 140-2 certified OpenSSL library. You can enable FIPS mode by default in the configuration file or as needed from the command line.

MongoDB and FIPS

FIPS is a property of the encryption system, not of the access control system. However, if your environment requires FIPS-compliant encryption and access control, you must ensure that the access control system itself uses only FIPS-compliant cryptography.

MongoDB’s FIPS support covers the way that MongoDB uses OpenSSL for network encryption, SCRAM authentication, and x.509 authentication. If you use Kerberos or LDAP authentication, you must ensure that these external mechanisms are FIPS-compliant.

Note

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.

Prerequisites

Important

A full description of FIPS and TLS/SSL is beyond the scope of this document. This tutorial assumes prior knowledge of FIPS and TLS/SSL.

  • Only MongoDB Enterprise edition supports FIPS mode. See Install MongoDB Enterprise to download and install MongoDB Enterprise.

  • Your system must have an OpenSSL library built with the FIPS 140-2 module. At the command line, run openssl version to confirm that your OpenSSL build includes FIPS support: FIPS-capable OpenSSL 1.0.x builds on RHEL and CentOS report a version string containing fips, for example OpenSSL 1.0.1e-fips.

  • For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as CentOS 6.x, the OpenSSL toolkit must be at least openssl-1.0.1e-16.el6_5 to use FIPS mode. To upgrade the toolkit for these platforms, issue the following command:

    sudo yum update openssl
    
  • Some Linux distributions periodically run prelink, a process that rewrites dynamic libraries with pre-assigned load addresses. This modifies the OpenSSL libraries, specifically libcrypto, so the OpenSSL FIPS module subsequently fails the integrity check it performs at startup to ensure that libcrypto has not been modified since it was built.

    To configure the Linux prelink process to not prelink libcrypto:

    sudo bash -c "echo '-b /usr/lib64/libcrypto.so.*' >>/etc/prelink.conf.d/openssl-prelink.conf"
    

Procedure

A. Configure MongoDB to use TLS/SSL

See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS compliant.

B. Run mongod or mongos instance in FIPS mode

Perform these steps after you Configure mongod and mongos for TLS/SSL.

1. Change the configuration file.

To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:

In MongoDB 4.2+:

net:
   tls:
      FIPSMode: true

Although still available, the net.ssl.FIPSMode setting is deprecated as of MongoDB 4.2.

In MongoDB 4.0 and earlier versions:

net:
   ssl:
      FIPSMode: true

2. Start the mongod or mongos instance with the configuration file.

For example, run this command to start the mongod instance with its configuration file:

mongod --config /etc/mongod.conf

C. Confirm that FIPS mode is running

Check the server log file for a message that FIPS is active. In MongoDB 4.4 and later, which write structured JSON logs, the text appears in the msg field of the log entry:

FIPS 140-2 mode activated
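The prerequisites and procedure above, collected into one script: pre-flight checks for a FIPS-capable OpenSSL and the prelink exclusion, a generated mongod.conf that requires TLS, disables TLS 1.0/1.1 and enables FIPS mode with the 4.2+ net.tls keys, and a post-flight check of the server log. This is an added example, not code from the MongoDB manual. The certificate and CA paths in the generated config, the temporary-directory layout, and the sample version and log strings are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the MongoDB manual: pre-flight checks for the
# prerequisites, a generated mongod.conf that requires TLS and enables FIPS
# mode, and a post-flight check of the server log.
# Assumptions: certificate/CA paths in the config, temp-dir layout, and the
# sample version/log strings, all constructed for this demo.

# Prerequisite: the OpenSSL build must include the FIPS module. FIPS-capable
# RHEL/CentOS 1.0.x builds report a version such as "OpenSSL 1.0.1e-fips".
# $1 is the output of `openssl version`.
openssl_is_fips_capable() {
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Prerequisite: prelink must not rewrite libcrypto, or the FIPS integrity
# check fails at startup. $1 is a prelink.conf fragment; an uncommented
# "-b" (blacklist) line naming libcrypto satisfies the check.
prelink_excludes_libcrypto() {
    grep -Eq -e '^-b[[:space:]]+.*libcrypto' "$1"
}

# Procedure A+B: write a config that requires TLS on every connection,
# disables TLS 1.0/1.1, and turns on FIPS mode (4.2+ net.tls keys).
# $1 is the destination path.
write_fips_config() {
    cat > "$1" <<'EOF'
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path
    CAFile: /etc/ssl/ca.pem                    # assumed path
    disabledProtocols: TLS1_0,TLS1_1
    FIPSMode: true
security:
  authorization: enabled
EOF
}

# Procedure B check: the config must enable FIPS mode. Matches either the
# 4.2+ net.tls.FIPSMode key or the deprecated net.ssl.FIPSMode key, since
# both are spelled "FIPSMode: true" in YAML.
config_enables_fips() {
    grep -Eq '^[[:space:]]+FIPSMode:[[:space:]]*true[[:space:]]*$' "$1"
}

# Procedure C: the log must contain the activation message. A substring
# match covers both the plain-text log of 4.2 and earlier and the JSON
# structured log of 4.4+, where the text sits in the "msg" field.
log_confirms_fips() {
    grep -q 'FIPS 140-2 mode activated' "$1"
}

# Runs every check against constructed sample data; returns 0 if all pass.
run_demo() {
    dir=$(mktemp -d) || return 1
    write_fips_config "$dir/mongod.conf"
    printf '%s\n' '-b /usr/lib64/libcrypto.so.*' > "$dir/openssl-prelink.conf"
    # Constructed 4.4-style JSON log line (not captured from a real server).
    printf '%s\n' \
        '{"t":{"$date":"2024-01-01T00:00:00.000+00:00"},"s":"I","c":"NETWORK","ctx":"main","msg":"FIPS 140-2 mode activated"}' \
        > "$dir/mongod.log"
    status=0
    openssl_is_fips_capable "OpenSSL 1.0.1e-fips 11 Feb 2013" || status=1
    prelink_excludes_libcrypto "$dir/openssl-prelink.conf"    || status=1
    config_enables_fips "$dir/mongod.conf"                    || status=1
    log_confirms_fips "$dir/mongod.log"                       || status=1
    rm -rf "$dir"
    return $status
}

# On a real host, feed the functions live values instead of the samples:
#   openssl_is_fips_capable "$(openssl version)"
#   prelink_excludes_libcrypto /etc/prelink.conf.d/openssl-prelink.conf
#   config_enables_fips /etc/mongod.conf
#   mongod --config /etc/mongod.conf && log_confirms_fips /var/log/mongodb/mongod.log
```

The checks are deliberately simple substring and regex matches so they work on a hardened host with nothing beyond a POSIX shell and grep; the config check is conservative in that it accepts the deprecated net.ssl.FIPSMode spelling too, which still works but should be migrated to net.tls.FIPSMode on 4.2+.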

Additional Considerations

Starting in version 4.2, MongoDB removes the --sslFIPSMode option for the following programs:

These programs use FIPS-compliant connections to mongod or mongos when those instances are configured to run in FIPS mode.