Configure MongoDB for FIPS

New in version 2.6.

Overview

The Federal Information Processing Standard (FIPS) 140-2 is a U.S. government computer security standard used to validate cryptographic modules and libraries that encrypt and decrypt data. You can configure MongoDB to use a FIPS 140-2 validated OpenSSL cryptographic library. FIPS mode can be enabled by default through the configuration file or as needed from the command line.

Note

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.

Prerequisites

Important

A full description of FIPS and TLS/SSL is beyond the scope of this document. This tutorial assumes prior knowledge of FIPS and TLS/SSL.

  • Only MongoDB Enterprise edition supports FIPS mode. See Install MongoDB Enterprise to download and install MongoDB Enterprise.

  • Your system must have an OpenSSL library configured with the FIPS 140-2 module. At the command line, type openssl version to confirm your OpenSSL software includes FIPS support. On RHEL and CentOS, a FIPS-capable build identifies itself with a -fips suffix in the version string, for example OpenSSL 1.0.1e-fips.

  • For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as CentOS 6.x, the OpenSSL toolkit must be at least openssl-1.0.1e-16.el6_5 to use FIPS mode. To upgrade the toolkit for these platforms, issue the following command:

    sudo yum update openssl
  • Some versions of Linux periodically execute a process to prelink dynamic libraries with pre-assigned addresses. This process modifies the OpenSSL libraries, specifically libcrypto. The OpenSSL FIPS module will subsequently fail the integrity (signature) check it performs on libcrypto at startup to ensure the library has not been modified since compilation, and FIPS mode will not activate.

To configure the Linux prelink process to not prelink libcrypto:

    sudo bash -c "echo '-b /usr/lib64/libcrypto.so.*' >> /etc/prelink.conf.d/openssl-prelink.conf"

Adding the exclusion only stops future prelink runs. If libcrypto has already been prelinked, undo it first with prelink -u on the affected library, or reinstall the openssl package, before starting mongod in FIPS mode.

Procedure

A. Configure MongoDB to use TLS/SSL

See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS compliant: for example, signed with SHA-256 rather than MD5 or SHA-1, and using an RSA key of at least 2048 bits. A certificate that relies on a non-approved algorithm cannot be loaded once FIPS mode is active.

B. Run mongod or mongos instance in FIPS mode

Perform these steps after you Configure mongod and mongos for TLS/SSL.

Change configuration file.

To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:

In MongoDB 4.2+:

    net:
      tls:
        FIPSMode: true

Although still available, the net.ssl.FIPSMode setting is deprecated as of MongoDB 4.2.

In MongoDB 4.0 and earlier versions:

    net:
      ssl:
        FIPSMode: true

Start mongod or mongos instance with configuration file.

For example, run this command to start the mongod instance with its configuration file:

    mongod --config /etc/mongod.conf

C. Confirm that FIPS mode is running

Check the server log file for a message that FIPS is active:

    FIPS 140-2 mode activated
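The script below is an added example and is not part of MongoDB's documentation or tooling. It turns the prerequisite checks from the list above (the openssl version string and the prelink exclusion for libcrypto) and the confirmation steps in B and C (the FIPSMode key under net.tls or net.ssl in the configuration file, and the activation line in the server log) into one pre-flight check that can be run before and after starting mongod. The paths named in the comments (/etc/mongod.conf, /var/log/mongodb/mongod.log, /etc/prelink.conf.d/openssl-prelink.conf) are assumed default locations, and the configuration file and log line the script builds for its stand-alone run are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example: pre-flight and post-start checks for a FIPS-mode mongod.
# Not MongoDB's own code. File paths and the sample config/log below are
# assumptions and constructed data, not taken from a real deployment.
set -u

# 1. The page's first check: does `openssl version` report a FIPS-capable build?
#    RHEL/CentOS FIPS builds print e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
#    Takes the version string as an argument so it also works on captured output.
openssl_version_has_fips() {
  case "$1" in
    *fips*|*FIPS*) return 0 ;;
    *)             return 1 ;;
  esac
}

# 2. Has libcrypto been excluded from prelink (the "-b /usr/lib64/libcrypto.so.*"
#    line the page tells you to append)? Argument: path to the prelink config file.
prelink_excludes_libcrypto() {
  [ -r "$1" ] && grep -Eq '^-b[[:space:]]+/usr/lib64/libcrypto\.so\.\*' "$1"
}

# 3. Does mongod.conf enable FIPS under net.tls (4.2+) or net.ssl (4.0 and earlier)?
#    Prints "tls" or "ssl" and returns 0 if found; returns 1 otherwise.
#    Deliberately minimal YAML scan: it tracks indentation so a FIPSMode key under
#    some other section is not mistaken for net.tls.FIPSMode.
config_fips_mode() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[[:space:]]*(#|$)/ { next }                       # skip comments and blank lines
    indent($0) == 0 { in_net = ($0 ~ /^net:/); sec = ""; next }
    !in_net { next }
    sec != "" && indent($0) <= sec_ind { sec = "" }     # left the tls/ssl block
    $1 ~ /^(tls|ssl):$/ { sec = substr($1, 1, length($1) - 1); sec_ind = indent($0); next }
    sec != "" && $1 == "FIPSMode:" && $2 == "true" { print sec; found = 1; exit }
    END { exit !found }
  ' "$1"
}

# 4. The page's confirmation step: did the server log FIPS activation?
log_reports_fips() {
  [ -r "$1" ] && grep -q 'FIPS 140-2 mode activated' "$1"
}

# Runs all four checks against the given paths and prints one line per check.
# Returns the number of failed checks (0 = everything passed).
check_fips_deployment() {
  local conf="$1" log="$2" prelink="$3" failures=0 section
  if openssl_version_has_fips "$(openssl version 2>/dev/null || echo unknown)"; then
    echo "PASS openssl version reports FIPS support"
  else
    echo "FAIL openssl version does not report FIPS support"; failures=$((failures + 1))
  fi
  if prelink_excludes_libcrypto "$prelink"; then
    echo "PASS libcrypto is excluded from prelink in $prelink"
  else
    echo "FAIL libcrypto is not excluded from prelink in $prelink"; failures=$((failures + 1))
  fi
  if section=$(config_fips_mode "$conf"); then
    echo "PASS $conf sets net.$section.FIPSMode: true"
  else
    echo "FAIL $conf does not set net.tls.FIPSMode (or net.ssl.FIPSMode) to true"; failures=$((failures + 1))
  fi
  if log_reports_fips "$log"; then
    echo "PASS $log contains 'FIPS 140-2 mode activated'"
  else
    echo "FAIL $log has no 'FIPS 140-2 mode activated' line"; failures=$((failures + 1))
  fi
  return "$failures"
}

# Stand-alone run on constructed data (a 4.2-style config and a one-line log),
# so the script works without a real mongod. For a real host, pass
# /etc/mongod.conf, /var/log/mongodb/mongod.log and
# /etc/prelink.conf.d/openssl-prelink.conf (assumed default locations) instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mongod.conf" <<'EOF'
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    FIPSMode: true
EOF
printf '%s\n' '-b /usr/lib64/libcrypto.so.*' > "$demo_dir/openssl-prelink.conf"
printf 'FIPS 140-2 mode activated\n' > "$demo_dir/mongod.log"   # constructed log line
check_fips_deployment "$demo_dir/mongod.conf" "$demo_dir/mongod.log" "$demo_dir/openssl-prelink.conf"
echo "failed checks: $?"
rm -rf "$demo_dir"
```

A FIPS-capable openssl version string only shows that the library can enter FIPS mode; the log line from step C is the evidence that this mongod actually did, which is why the script reports both. The YAML scan is intentionally small and handles only the layout shown on this page; a configuration that uses YAML anchors or flow syntax needs a real parser.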

Additional Considerations

Starting in version 4.2, MongoDB removes the --sslFIPSMode option for the following programs:

These programs use FIPS compliant connections to mongod/mongos if the mongod/mongos instances are configured to use FIPS mode.