
Configure MongoDB for FIPS

New in version 2.6.

Overview

The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.

Prerequisites

Only the MongoDB Enterprise version supports FIPS mode. Download and install MongoDB Enterprise to use FIPS mode.

Your system must have an OpenSSL library configured with the FIPS 140-2 module. At the command line, type openssl version to confirm your OpenSSL software includes FIPS support.

For Red Hat Enterprise Linux 6.x (RHEL 6.x) or its derivatives such as CentOS 6.x, the OpenSSL toolkit must be at least openssl-1.0.1e-16.el6_5 to use FIPS mode. To upgrade the toolkit for these platforms, issue the following command:

sudo yum update openssl

Some versions of Linux periodically execute a process to prelink dynamic libraries with pre-assigned addresses. This process modifies the OpenSSL libraries, specifically libcrypto. The OpenSSL FIPS mode will subsequently fail the signature check performed upon startup to ensure libcrypto has not been modified since compilation.

To configure the Linux prelink process to not prelink libcrypto:

sudo bash -c "echo '-b /usr/lib64/libcrypto.so.*' >>/etc/prelink.conf.d/openssl-prelink.conf"

Procedure

Configure MongoDB to use SSL

See Configure mongod and mongos for SSL for details about configuring OpenSSL.

Run mongod or mongos instance in FIPS mode

Perform these steps after you Configure mongod and mongos for SSL.

1. Change the configuration file.

To configure your mongod or mongos instance to use FIPS mode, shut down the instance and update the configuration file with the following setting:

net:
   ssl:
      FIPSMode: true

2. Start the mongod or mongos instance with the configuration file.

For example, run this command to start the mongod instance with its configuration file:

mongod --config /etc/mongodb.conf

For more information about configuration files, see Configuration File Options.

Confirm FIPS mode is running

Check the server log file for a message indicating that FIPS mode is active:

FIPS 140-2 mode activated
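The following script is an added example, not part of the MongoDB documentation or the MongoDB code base. It turns the prerequisites and the confirmation step on this page into repeatable checks: whether the installed OpenSSL reports FIPS support, whether prelink is configured to skip libcrypto, whether the mongod or mongos configuration file sets net.ssl.FIPSMode, and whether the server log carries the activation message. The function names, the use of /etc/prelink.conf.d/openssl-prelink.conf as the default prelink path, and the sample files it writes are assumptions of this example; the sample config, prelink and log files are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the MongoDB docs): checks for each step of the
# FIPS procedure on this page. Assumptions: the config file uses the
# indented YAML form shown above, the activation log line is exactly
# "FIPS 140-2 mode activated", and the prelink exclusion lives in
# /etc/prelink.conf.d/openssl-prelink.conf unless another path is given.

# Returns 0 if the installed OpenSSL reports FIPS support in its version string.
openssl_has_fips() {
    openssl version 2>/dev/null | grep -iq 'fips'
}

# Returns 0 if the prelink config excludes libcrypto, so prelinking cannot
# break the signature check OpenSSL performs on libcrypto at FIPS startup.
prelink_excludes_libcrypto() {
    conf="${1:-/etc/prelink.conf.d/openssl-prelink.conf}"
    grep -Fqs -- '-b /usr/lib64/libcrypto.so.*' "$conf"
}

# Returns 0 if net.ssl.FIPSMode is set to true in the given config file.
config_has_fips_mode() {
    grep -Eq '^[[:space:]]*FIPSMode:[[:space:]]*true[[:space:]]*$' "$1"
}

# Returns 0 if the server log contains the activation message from this page.
log_confirms_fips() {
    grep -Fq 'FIPS 140-2 mode activated' "$1"
}

# Runs all four checks, prints PASS/FAIL per check, and returns the number
# of failed checks (0 means the whole checklist passed).
fips_checklist() {
    cfg="$1"; log="$2"; prelink_conf="$3"
    failed=0
    for check in \
        "openssl_has_fips" \
        "prelink_excludes_libcrypto $prelink_conf" \
        "config_has_fips_mode $cfg" \
        "log_confirms_fips $log"; do
        if $check; then
            echo "PASS  $check"
        else
            echo "FAIL  $check"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Constructed sample inputs (not real server files) so the demo runs offline.
demo_dir=$(mktemp -d)
printf 'net:\n   ssl:\n      FIPSMode: true\n' > "$demo_dir/mongod.conf"
printf -- '-b /usr/lib64/libcrypto.so.*\n' > "$demo_dir/openssl-prelink.conf"
printf '[initandlisten] FIPS 140-2 mode activated\n' > "$demo_dir/mongod.log"
fips_checklist "$demo_dir/mongod.conf" "$demo_dir/mongod.log" "$demo_dir/openssl-prelink.conf"
rm -rf "$demo_dir"
```

On a real host, point fips_checklist at the instance's actual config file and log file and omit the third argument so the default prelink path is used; the openssl check is the only one that depends on the host rather than on files you pass in, so it is the one expected to fail when the sample files are used on a machine without a FIPS-enabled OpenSSL.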