Install and Configure the FIPS Compliant Package
This how-to guide explains how to install and configure the Kong Gateway FIPS-compliant package. After following the steps in this guide, you will have a FIPS-compliant Kong Gateway with FIPS mode enabled.
Installing a Kong Gateway FIPS compliant package
Ubuntu
RHEL
The FIPS-compliant Ubuntu 20.04 package can be installed using the package distinctively named kong-enterprise-edition-fips
. To install the package follow these instructions:
Set up the Kong APT repository:
curl -1sLf "https://packages.konghq.com/public/gateway-34/gpg..key" | gpg --dearmor >> /usr/share/keyrings/kong-gateway-34-archive-keyring.gpg
curl -1sLf "https://packages.konghq.com/public/gateway-34/config.deb.txt?distro=ubuntu&codename=$(lsb_release -sc)" > /etc/apt/sources.list.d/kong-gateway-34.list
Update the repository:
sudo apt-get update
Install the Kong Gateway FIPS package:
apt install -y kong-enterprise-edition-fips=3.4.0.0
The FIPS-compliant Red Hat 8 package can be installed using the package distinctively named kong-enterprise-edition-fips
. To install the package follow these instructions:
Package
Yum repo
Download the FIPS package:
curl -Lo kong-enterprise-edition-fips-3.4.0.0.rpm $(rpm --eval https://packages.konghq.com/public/gateway-34/rpm/el/%{rhel}/x86_64/kong-enterprise-edition-fips-3.4.0.0.el%{rhel}.x86_64.rpm)
Install the Kong Gateway FIPS package:
yum install kong-enterprise-edition-fips-3.4.0.0
Set up the Kong Yum repository:
curl -1sLf "https://packages.konghq.com/public/gateway-34/config.rpm.txt?distro=el&codename=$(rpm --eval '%{rhel}')" | sudo tee /etc/yum.repos.d/kong-gateway-34.repo
sudo yum -q makecache -y --disablerepo='*' --enablerepo='kong-gateway-34'
Install the Kong Gateway FIPS package:
yum install kong-enterprise-edition-fips-3.4.0.0
Configure FIPS
To start in FIPS mode, set the following configuration property to on
in the kong.conf
configuration file before starting Kong Gateway:
fips = on # fips mode is enabled, causing incompatible ciphers to be disabled
You can also set this configuration using an environment variable:
export KONG_FIPS=on
If you are migrating from Kong Gateway 3.1 to 3.2 in FIPS mode and are using the key-auth-enc plugin, you should send PATCH or POST requests to all existing key-auth-enc credentials to re-hash them in SHA256.
Migrating from non-FIPS to FIPS mode and backwards is not supported.