Configure MongoDB for FIPS
The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.
A full description of FIPS and TLS/SSL is beyond the scope of this document. This tutorial assumes prior knowledge of FIPS and TLS/SSL.
FIPS is a property of the encryption system, not of the access control system. However, if your environment requires FIPS-compliant encryption and access control, you must ensure that the access control system uses only FIPS-compliant encryption.
MongoDB's FIPS support covers the way that MongoDB uses SSL/TLS libraries for network encryption, SCRAM authentication, and x.509 authentication. If you use Kerberos or LDAP authentication, you must ensure that these external mechanisms are FIPS-compliant.
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
FIPS mode is supported on the following platforms:
Secure Channel (SChannel)
Your Linux system must have an OpenSSL library configured with the FIPS 140-2 module in order to support FIPS mode for MongoDB.
Verify that your OpenSSL software includes FIPS support by running the following command:
For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as CentOS 6.x, the OpenSSL toolkit must be at least version openssl-1.0.1e-16.el6_5 to use FIPS mode. To upgrade the OpenSSL library on these platforms, run the following command:
sudo yum update openssl
Some versions of Linux periodically execute a process to prelink dynamic libraries with pre-assigned addresses. This process modifies the OpenSSL libraries, specifically libcrypto. The OpenSSL FIPS mode will subsequently fail the signature check performed upon startup to ensure libcrypto has not been modified since compilation.
To configure the Linux prelink process to not prelink libcrypto, run the following command:
sudo bash -c "echo '-b /usr/lib64/libcrypto.so.*' >>/etc/prelink.conf.d/openssl-prelink.conf"
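The two Linux prerequisites above (a FIPS-capable OpenSSL build, and a prelink exclusion for libcrypto) can be checked and applied from a small script. The following is an added example and not part of the MongoDB documentation; the function names are hypothetical. It takes the text printed by `openssl version` as an argument rather than calling the binary, and it adds the prelink directive only when the file does not already contain it, so re-running it does not accumulate duplicate lines the way the plain `echo ... >>` command does.

```shell
#!/bin/sh
# Added example (not from the MongoDB documentation). Function names are
# hypothetical; the only system-specific value is the prelink rule quoted
# in the documentation above.

# openssl_is_fips VERSION_STRING
# Returns 0 when the output of `openssl version` advertises a FIPS build
# (RHEL-style builds print a string of the form "OpenSSL 1.0.1e-fips ...").
openssl_is_fips() {
    case "$1" in
        *fips*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The prelink exclusion line from the documentation above.
PRELINK_RULE='-b /usr/lib64/libcrypto.so.*'

# ensure_prelink_exclusion CONF_FILE
# Idempotent form of the `echo ... >> openssl-prelink.conf` command above:
# the rule is appended only if the file does not already contain it.
ensure_prelink_exclusion() {
    conf="$1"
    if [ -f "$conf" ] && grep -qxF -- "$PRELINK_RULE" "$conf"; then
        return 0
    fi
    mkdir -p "$(dirname "$conf")"
    printf '%s\n' "$PRELINK_RULE" >> "$conf"
}

# count_prelink_rules CONF_FILE
# Prints how many copies of the rule the file holds (1 is the expected value).
count_prelink_rules() {
    grep -cxF -- "$PRELINK_RULE" "$1"
}

# Usage on a live host (writing under /etc/prelink.conf.d requires root):
#   openssl_is_fips "$(openssl version)" || echo "OpenSSL build lacks FIPS support"
#   ensure_prelink_exclusion /etc/prelink.conf.d/openssl-prelink.conf
```

Running `ensure_prelink_exclusion` twice against the same file leaves exactly one rule in place, which is the behaviour you want when the script is part of host provisioning that may be re-applied.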
A. Configure MongoDB to use TLS/SSL
mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is
B. Run MongoDB instance in FIPS mode
Perform these steps after you Configure mongos for TLS/SSL.
Change configuration file.
In MongoDB 4.2+:
    net:
      tls:
        FIPSMode: true
In MongoDB 4.0 and earlier versions:
    net:
      ssl:
        FIPSMode: true
C. Confirm that FIPS mode is running
Check the server log file for a message that FIPS is active:
    FIPS 140-2 mode activated
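Steps B and C together amount to two checks: the configuration file enables FIPSMode in the right section for the server version, and the log shows the activation message after startup. The following script is an added example and not part of the MongoDB documentation; its function names are hypothetical and the sample configuration and log text it embeds are constructed for illustration (the certificate paths are placeholders). It reads the YAML by indentation only, which is enough for the net.tls / net.ssl layout shown above.

```shell
#!/bin/sh
# Added example (not from the MongoDB documentation). Function names are
# hypothetical; the sample config and log text below are constructed.

# config_fips_section CONFIG_FILE
# Prints "tls" or "ssl" depending on which subsection of `net:` carries
# `FIPSMode: true` (net.tls for 4.2+, net.ssl for 4.0 and earlier).
# Exits 1 when the file enables FIPS mode in neither place.
config_fips_section() {
    awk '
        /^[^[:space:]#]/ { top = $1; sub(":", "", top); sec = ""; next }
        /^[[:space:]]+(tls|ssl):/ { sec = $1; gsub("[[:space:]:]", "", sec); next }
        /^[[:space:]]+FIPSMode:[[:space:]]*true/ && top == "net" && sec != "" {
            print sec; found = 1; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# fips_log_active LOG_FILE
# Succeeds when the server log contains the startup message quoted above.
fips_log_active() {
    grep -q 'FIPS 140-2 mode activated' "$1"
}

# Constructed sample inputs. The certificate file paths are placeholders.
SAMPLE_CONFIG_42='net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/placeholder.pem
    FIPSMode: true
'
SAMPLE_CONFIG_40='net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /path/to/placeholder.pem
    FIPSMode: true
'
# Constructed log excerpt; only the FIPS line is the documented message.
SAMPLE_LOG='I  CONTROL  [initandlisten] MongoDB starting
I  CONTROL  [initandlisten] FIPS 140-2 mode activated'

# demo: write the samples to a temporary directory and run both checks.
demo() {
    dir="$(mktemp -d)"
    printf '%s' "$SAMPLE_CONFIG_42" > "$dir/mongod42.conf"
    printf '%s' "$SAMPLE_CONFIG_40" > "$dir/mongod40.conf"
    printf '%s\n' "$SAMPLE_LOG" > "$dir/mongod.log"
    echo "4.2 config enables FIPS under net.$(config_fips_section "$dir/mongod42.conf")"
    echo "4.0 config enables FIPS under net.$(config_fips_section "$dir/mongod40.conf")"
    if fips_log_active "$dir/mongod.log"; then
        echo "log confirms FIPS mode is active"
    fi
    rm -rf "$dir"
}
demo
```

On a real host you would point `config_fips_section` at the mongod configuration file and `fips_log_active` at the server log path configured under systemLog.path; a config that sets FIPSMode under net.ssl on a 4.2+ server, or under net.tls on 4.0, is the mismatch this check is meant to surface before startup.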
Starting in version 4.2, MongoDB removes the
option for the following programs: