
FIPS 140-2

The Federal Information Processing Standard (FIPS) 140-2 is a federal standard defined by the National Institute of Standards and Technology. It specifies the security requirements that must be satisfied by a cryptographic module. The FIPS Kong Gateway package is FIPS 140-2 compliant. Compliance means that the software has met all of the rules of FIPS 140-2, but has not been submitted to a NIST testing lab for validation.

Kong Enterprise provides a FIPS 140-2 compliant package for Ubuntu 20.04, Ubuntu 22.04, and Red Hat Enterprise 8. This package provides compliance for the core Kong Gateway product.

The package replaces the primary library in Kong Gateway, OpenSSL, with BoringSSL, which at its core uses the FIPS 140-2 validated BoringCrypto for cryptographic operations.

Installing the Kong Gateway FIPS compliant package

Ubuntu

The FIPS compliant Ubuntu 20.04 package can be installed using the package distinctively named kong-enterprise-edition-fips. To install the package, follow these instructions:

  1. Set up the Kong APT repository:

    # [trusted=yes] makes APT accept this source without verifying a repository signature
    echo "deb [trusted=yes] https://download.konghq.com/gateway-3.x-ubuntu-$(lsb_release -sc)/ \
    default all" | sudo tee /etc/apt/sources.list.d/kong.list

  2. Update the repository:

    sudo apt-get update

  3. Install the Kong Gateway FIPS package:

    sudo apt install -y kong-enterprise-edition-fips=3.1.1.3

RHEL

The FIPS compliant Red Hat 8 package can be installed using the package distinctively named kong-enterprise-edition-fips. To install the package, follow the instructions for one of the two methods:

Package

  1. Download the FIPS package:

    curl -Lo kong-enterprise-edition-fips-3.1.1.3.rpm \
    $(rpm --eval "https://download.konghq.com/gateway-3.x-rhel-%{rhel}/Packages/k/kong-enterprise-edition-fips-3.1.1.3.rhel%{rhel}.amd64.rpm")

  2. Install the Kong Gateway FIPS package:

    # install the local file downloaded in step 1
    sudo yum install kong-enterprise-edition-fips-3.1.1.3.rpm

Yum repo

  1. Set up the Kong Yum repository:

    curl $(rpm --eval "https://download.konghq.com/gateway-3.x-rhel-%{rhel}/config.repo") | sudo tee /etc/yum.repos.d/kong.repo

  2. Install the Kong Gateway FIPS package:

    sudo yum install kong-enterprise-edition-fips-3.1.1.3

Configure FIPS

To start in FIPS mode, set the following variable to on in the kong.conf configuration file before starting Kong Gateway.

    fips = on # fips mode is enabled, causing incompatible ciphers to be disabled

You can also use an environment variable:

    export KONG_FIPS=on

Migrating from non-FIPS to FIPS mode and backwards is not supported.
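
An added check, not part of Kong's documentation or code: the shell functions below report the FIPS setting a node would start with, given a kong.conf path and the current environment. It assumes that KONG_FIPS, when set, takes precedence over the file, that an unset value means off, that on/true and off/false are the accepted spellings, and that the last uncommented fips line wins; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Kong's code): report the FIPS setting a node would start with.
# Assumptions: KONG_FIPS, when set, overrides kong.conf; unset everywhere means off.

# normalize_bool VALUE: print "on", "off" or "invalid".
normalize_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        on|true)   echo on ;;
        off|false) echo off ;;
        *)         echo invalid ;;
    esac
}

# conf_fips_value FILE: print the value of the last uncommented "fips = ..." line,
# with any trailing "# comment" removed. Prints nothing if there is no such line.
conf_fips_value() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*fips[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*$/\1/p' "$1" |
        tail -n 1
}

# kong_fips_effective FILE: print the effective setting ("on", "off" or "invalid").
kong_fips_effective() {
    if [ -n "${KONG_FIPS+set}" ]; then
        # The environment variable is present, so the file is not consulted.
        normalize_bool "$KONG_FIPS"
        return
    fi
    raw=$(conf_fips_value "$1")
    if [ -z "$raw" ]; then echo off; else normalize_bool "$raw"; fi
}

# write_sample_conf FILE: constructed kong.conf fragment used for the demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
#fips = off
fips = on # fips mode is enabled, causing incompatible ciphers to be disabled
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
echo "effective fips: $(kong_fips_effective "$sample")"
rm -f "$sample"
```

Run it in the same environment that starts Kong Gateway, so that an exported KONG_FIPS is visible to the check.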