On this page本页内容
The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.
A full description of FIPS and TLS/SSL is beyond the scope of this document. This tutorial assumes prior knowledge of FIPS and TLS/SSL.
MongoDB and FIPS
FIPS is property of the encryption system and not the access control system. However, if your environment requires FIPS compliant encryption and access control, you must ensure that the access control system uses only FIPS-compliant encryption.
MongoDB’s FIPS support covers the way that MongoDB uses SSL/TLS libraries for network encryption, SCRAM authentication, and x.509 authentication. If you use Kerberos or LDAP authentication, you must ensure that these external mechanisms are FIPS-compliant.
Note
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
FIPS mode is only available with MongoDB Enterprise edition. See Install MongoDB Enterprise to download and install MongoDB Enterprise.
FIPS mode is supported on the following platforms:
| Platform | TLS/SSL library |
|---|---|
| Linux | OpenSSL |
| Windows | Secure Channel (SChannel) |
| macOS | Secure Transport |
Select the tab below for your platform:
Your Linux system must have an OpenSSL library configured with the FIPS 140-2 module in order to support FIPS mode for MongoDB.
openssl-1.0.1e-16.el6_5 to use FIPS mode. To upgrade the OpenSSL library on these platforms, run the following command:
libcrypto. The OpenSSL FIPS mode will subsequently fail the signature check performed upon startup to ensure libcrypto has not been modified since compilation.
To configure the Linux prelink process to not prelink libcrypto, run the following command:
Once you have configured your Linux system to support FIPS-compliant operation, follow the steps below to configure your mongod or mongos instance to operate in FIPS mode.
See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS-compliant.
Perform these steps after you Configure mongod and mongos for TLS/SSL.
To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:
In MongoDB 4.2+:
Although still available, the net.ssl.FIPSMode is deprecated as of MongoDB 4.2.
In MongoDB 4.0 and earlier versions:
Check the server log file for a message that FIPS is active:
Microsoft provides the following resource on configuring FIPS mode for Windows 10 and Windows Server 2016 or later:
➤ FIPS 140-2 Validation on Windows
Once you have configured your Windows system to support FIPS-compliant operation, follow the steps below to configure your mongod or mongos instance to operate in FIPS mode.
See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS-compliant.
Perform these steps after you Configure mongod and mongos for TLS/SSL.
To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:
In MongoDB 4.2+:
Although still available, the net.ssl.FIPSMode is deprecated as of MongoDB 4.2.
In MongoDB 4.0 and earlier versions:
Check the server log file for a message that FIPS is active:
Supported versions of macOS are FIPS-compliant by default. Check the documentation for your version of macOS to verify its compliance status. For example, Apple provides the following resource for macOS 10.14:
➤ Apple FIPS Cryptographic Modules for 10.14
On compliant versions of macOS, follow the steps below to configure your mongod or mongos instance to operate in FIPS mode.
See Configure mongod and mongos for TLS/SSL for details about configuring your deployment to use TLS/SSL. Ensure that your certificate is FIPS-compliant.
Perform these steps after you Configure mongod and mongos for TLS/SSL.
To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the net.tls.FIPSMode setting:
In MongoDB 4.2+:
Although still available, the net.ssl.FIPSMode is deprecated as of MongoDB 4.2.
In MongoDB 4.0 and earlier versions:
Check the server log file for a message that FIPS is active: